Microsoft's Security Service Edge Solution Deployment Guide for Microsoft Entra Internet Access Proof of Concept

The Microsoft identity-centric Security Service Edge solution converges network and identity access controls so you can secure access to any app or resource from any location, device, or identity. It enables and orchestrates access policy management for employees, business partners, and digital workloads. You can monitor and adjust user access continuously in real time if permissions or risk levels change for private apps, SaaS apps, and Microsoft 365 endpoints.

Protecting enterprise users and managed devices from malicious internet traffic and malware infection concerns all companies. Use Microsoft Entra Internet Access Secure Web Gateway functionality to block traffic based on web categories, and a fully qualified domain name (FQDN), by integrating with Microsoft Entra Conditional Access.

The guidance in this article helps you to deploy Microsoft Entra Internet Access (Preview) as a proof-of-concept in your production or test environment. It includes setup and configuring web content filtering. You can review prerequisites in the Microsoft's Security Service Edge Solution Deployment Guide Introduction, which includes how to scope your configuration and testing for specific test users and groups.

Deploy and test Microsoft Entra Internet Access

Complete the Configure initial product steps. Learn to enable the Microsoft Entra Internet Access traffic forwarding profile and install the Global Secure Access Client on a test device. For these sample PoC scenarios, you need one test group with one test user as a member.

Sample PoC scenario: Create a baseline policy applying to all internet access traffic routed through the service

Microsoft Internet Access has features to configure a security profile with a priority of 65,000 that applies to all traffic without linking to a Conditional Access policy. Complete the following tasks to create this baseline policy to block an FQDN:

Create a web filtering policy

  1. In the Microsoft Entra admin center, go to Global Secure Access (Preview) > Secure > Web content filtering policies > Create policy > Configure Global Secure Access content filtering.

    Screenshot of Global Secure Access Secure Web content filtering policies.

  2. On Create a web content filtering policy > Basics, provide the following details.

    • Name: Baseline Internet Access block rule.
    • Description: Add a description.
    • Action: Block.

    Screenshot of Global Secure Access, Web content filtering policies, Create a web content filtering policy, Basics for baseline policy.

  3. Select Next.

  4. On Create a web content filtering policy > Policy Rules, select Add Rule.

    Screenshot of Global Secure Access, Create a web content filtering policy, Policy Rules for baseline policy.

  5. In the Add Rule dialog box, provide the following details.

    • Name: Baseline blocked web categories.
    • Destination type: webCategory.
    • Search: Select a few risky categories, confirm they are in the Selected items list.

    Screenshot of Global Secure Access, Create a web content filtering policy, Add Rule for baseline policy.

  6. Select Add.

  7. On Create a web content filtering policy > Policy Rules, confirm your selections.

    Screenshot of Global Secure Access, Create a web content filtering policy, Review for baseline policy.

  8. Select Next.

  9. On Create a web content filtering policy > Review, confirm your policy configuration.

  10. Select Create policy.

    Screenshot of Global Secure Access, Security profiles, Review tab for baseline policy.

  11. To confirm policy creation, view it in the Manage web content filtering policies list.

Create a security policy profile

  1. In the Microsoft Entra admin center, go to Global Secure Access (Preview) > Secure > Security profiles. Select Create profile.

    Screenshot of Global Secure Access, Security profiles.

  2. On Create a profile > Basics, provide the following details.

    • Profile name: Baseline Internet Access Block Profile.
    • Description: Add a description.
    • State: enabled.
    • Priority: 65000.

    Screenshot of Global Secure Access, Security profiles, Basics for baseline policy.

  3. Select Next.

  4. On Create a profile > Link policies, select Link a policy. Select Existing policy.

    • In the Link a policy dialog box, select Policy name and select Baseline Internet Access block rule.
    • Priority: 100.
    • State: Enabled.
  5. Select Add.

  6. On Create a profile > Link policies, confirm Baseline Internet Access Block Rule is in the list.

  7. Select Next.

  8. On Create a profile > Review, confirm your profile configuration.

    Screenshot of Global Secure Access, Security profiles, Review for baseline policy.

  9. Select Create a profile.

Attempt to access blocked sites

  1. Sign in to the test device where you installed the global secure access (GSA) agent.

  2. In the system tray, right-click Global Secure Access Client. Select Advanced Diagnostics.

    Screenshot of Global Secure Access System Tray options, Advanced diagnostics.

  3. In the Global Secure Access Client - Advanced Diagnostics dialog box, select Traffic.

  4. On Network traffic, select Start collecting.

    Screenshot of Global Secure Access Client, Advanced diagnostics, Traffic, Network traffic, Start collecting.

  5. To confirm blocked access, attempt to open the FQDN you blocked. It can take up to 20 minutes for the policy to apply to your client device.

Stop the agent and confirm restored access

  1. On Network traffic, select Stop collecting.

  2. Scroll to observe the traffic related to opening the FQDN, and associated data.

    Screenshot of Network traffic for FQDN.

  3. On your test device > System Tray >, expand options > right-click Global Secure Access client. Select Pause.

    Screenshot of Global Secure Access System Tray options, Pause.

  4. After the confirmation notification appears, open the previously blocked site to confirm restored access.

View activity in the traffic log

  1. In the Microsoft Entra admin center > Global Secure Access (Preview) > Monitor, select Traffic logs. If needed, select Add filter. Filter when User principal name contains testuser and Action set to Block.

  2. Observe the entries for your target FQDN that show traffic as blocked and then allowed. There may be a delay of up to 20 minutes for entries to appear in the log.

    Screenshot of Global Secure Access, Monitor, Traffic logs for baseline policy.

Sample PoC scenario: Block a group from accessing websites based on category

Use Microsoft Entra Internet Access to block or allow access to internet sites based on category. These areas include gambling, alcohol, and tobacco sites. Manually managing blocklists isn't required. Complete the following tasks to configure Microsoft Entra Internet Access to block alcohol and tobacco sites for your test user.

Create a web filtering policy

  1. In the Microsoft Entra admin center, go to Global Secure Access (Preview) > Secure > Web content filtering policies > Create policy > Configure Global Secure Access content filtering.

    Screenshot of Global Secure Access, Secure, Web content filtering policies.

  2. On Create a web content filtering policy > Basics, provide the following details.

    • Name: Blocking Alcohol and Tobacco.
    • Description: Add a description.
    • Action: Block.
  3. Select Next.

  4. On Create a web content filtering policy > Policy Rules, select Add Rule.

  5. In the Add Rule dialog box, provide the following details.

    • Name: Alcohol and Tobacco.
    • Destination type: webCategory.
    • Search: Alcohol.
    • Select Alcohol and Tobacco.
  6. Select Add.

  7. On Create a web content filtering policy > Policy Rules, select Next.

  8. On Create a web content filtering policy > Review, confirm your policy configuration.

    Screenshot of Global Secure Access, Security profiles, Create a profile, Web content filtering policies, Review for category policy.

  9. Select Create policy.

  10. To confirm policy creation, view it in the Manage web content filtering policies list.

    Screenshot of Global Secure Access, Security profiles, Web content filtering policies for category.

Create a security policy profile

  1. In the Microsoft Entra admin center, go to Global Secure Access (Preview) > Secure > Security profiles. Select Create profile.

    Screenshot of Global Secure Access, Security profiles.

  2. On Create a profile > Basics, provide the following details.

    • Profile name: Internet Access Profile.
    • Description: Add a description.
    • State: enabled.
    • Priority: 1000.
  3. Select Next.

  4. On Create a profile > Link policies, select Link a policy.

  5. Select Existing policy.

  6. In the Link a policy dialog box, provide the following details.

    • Policy name: Blocking Alcohol and Tobacco.
    • Priority: 1000.
    • State: Enabled.
  7. Select Add.

  8. On Create a profile > Link policies, confirm Blocking Alcohol and Tobacco in list.

  9. Select Next.

  10. On Create a profile > Review, confirm your profile configuration.

    Screenshot of Global Secure Access, Security profiles, Review for category policy.

  11. Select Create a profile.

Create a Conditional Access policy

  1. In the Microsoft Entra admin center, go to Protection > Conditional Access. Select Create new policy.

  2. In the New Conditional Access Policy dialog box, configure the following details.

    • Name: Internet Access Policy.
    • Users or workload identities: Specific users included.
    • What does this policy apply to? Users and groups.
    • Include > Select users and groups > Select Users and groups.
  3. Select your test group > click Select.

    Screenshot of Conditional Access, New Conditional Access policy for Internet Access Policy.

  4. Target resources.

    • Select what this policy applies to > Global Secure Access (Preview).
    • Select the traffic profiles this policy applies to > Internet traffic.

    Screenshot of Conditional Access, New Conditional Access policy for Internet Access Policy, Target resources.

  5. Leave the Grant control at default to grant access so that your defined security profile defines block functionality.

  6. In the Session dialog box, select Use Global Secure Access security profile.

  7. Select Internet Access Profile.

    Screenshot of Conditional Access, New Conditional Access policy for Internet Access Policy, Session.

  8. In Conditional Access Overview > Enable policy, select On. Select Create.

Attempt to access blocked sites

  1. Sign in to your test device where you installed the GSA agent.

  2. In the system tray, right-click Global Secure Access Client. Select Advanced Diagnostics.

    Screenshot of Global Secure Access System Tray options, Advanced diagnostics.

  3. In the Global Secure Access Client - Advanced Diagnostics dialog box, select Traffic.

  4. On Network traffic, select Start collecting.

    Screenshot of Global Secure Access Client, Advanced diagnostics, Traffic, Network traffic, Start collecting.

  5. Attempt to open an alcohol or tobacco site to confirm blocked access. You should see DeniedTraffic for http websites and a Can't reach this page notification for https websites. It can take up to 20 minutes for the policy to apply to your client device.

Stop the agent and confirm restored access

  1. On Network traffic, select Stop collecting.

  2. Scroll to observe the traffic related to opening the FQDN and associated data. Note the Internet Access in the Channel columns. Conditional Access policies are written as claims to your token that have a one-hour lifetime. It can take up to one hour for new Conditional Access policies to apply to your client device. Because changes propagate across Microsoft Entra, it can take up to 20 minutes for web-filtering policy and security-profile changes to apply to your client device.

    Screenshot of Global Secure Access - Advanced diagnostic, Network traffic.

  3. On your test device > System Tray >, expand options > right-click Global Secure Access client. Select Pause.

    Screenshot of Global Secure Access System Tray options, Pause.

  4. After confirmation notification appears, open the previously blocked site to confirm restored access. Functionality to access the GSA client menu is administratively controllable when the product moves to General Availability.

View activity in the traffic log

  1. In the Microsoft Entra admin center > Global Secure Access (Preview) > Monitor, select Traffic logs.

  2. If needed, select Add filter. Filter when User principal name contains testuser and Action set to Block.

  3. Observe the entries for your target FQDN that show traffic as blocked and then allowed. There can be a delay of up to 20 minutes for entries to appear in the log.

    Screenshot of Global Secure Access, Monitor, Traffic logs for category.

Sample PoC scenario: Block a group from accessing websites based on FQDN

In some cases, it's necessary to block specific websites rather than using broad web categories. Complete the following tasks to block access to the site based on FQDN. Ensure you include relevant fully qualified domain names (FQDNs) in use by the site that you want to block.

Create a web filtering policy

  1. In the Microsoft Entra admin center, go to Global Secure Access (Preview) > Secure > Web content filtering policies > Create policy > Configure Global Secure Access content filtering.

    Screenshot of Global Secure Access, Secure, Web content filtering policies.

  2. On Create a web content filtering policy > Basics, provide the following details.

    • Name: Blocking test FQDN.
    • Description: Add a description.
    • Action: Block.
  3. Select Next.

  4. On Create a web content filtering policy > Policy Rules, select Add Rule.

  5. In the Add Rule dialog box, provide the following details.

    • Name: Enter the name, such as Block test FQDN.
    • Destination type: FQDN.
    • Destination: enter the test FQDN in the format *.domainname.com or domainname.com.
  6. Select Add.

  7. On Create a web content filtering policy > Policy Rules, confirm your selections.

  8. Select Next.

  9. On Create a web content filtering policy > Review, confirm your policy configuration.

    Screenshot of Global Secure Access, Security profiles, Create a profile, Web content filtering policies, Review for block FQDN policy.

  10. Select Create policy.

  11. To confirm policy creation, view it in the Manage web content filtering policies list.

Create a security policy profile

  1. In the Microsoft Entra admin center, go to Global Secure Access (Preview) > Secure > Security profiles. Select Create profile.

    Screenshot of Global Secure Access, Security profiles.

  2. On Create a profile > Basics, provide the following details.

    • Profile name: Block FQDNs Internet Access Profile.
    • Description: Add a description.
    • State: enabled. *Priority: 2000.
  3. Select Next.

  4. On Create a profile > Link policies, select Link a policy.

  5. Select Existing policy.

  6. In the Link a policy dialog box, provide the following details.

    • Policy name: Blocking test FQDN.
    • Priority: 100.
    • State: Enabled.
  7. Select Add.

  8. On the Link policies tab, confirm Blocking test FQDN in list.

  9. Select Next.

  10. On the Review tab, confirm your profile configuration.

    Screenshot of Global Secure Access, Security profiles, Review for block FQDN policy.

  11. Select Create a profile.

Create a Conditional Access policy

  1. In the Microsoft Entra admin center, go to Protection > Conditional Access. Select Create new policy.

  2. In the New Conditional Access Policy dialog box, configure the following.

    • Name: FQDN Internet Access Policy.
    • Users or workload identities: Specific users included.
    • What does this policy apply to? Users and groups.
    • Include > Select users and groups > Select Users and groups.
    • Select your test group. Click Select.

    Screenshot of Conditional Access, New Conditional Access policy to block FQDN Internet Access Policy.

  3. Target resources > Select what this policy applies to > Global Secure Access (Preview).

  4. Select the traffic profiles this policy applies to > Internet traffic.

    Screenshot of Conditional Access, New Conditional Access policy to block FQDN Internet Access Policy, Target resources.

  5. In the Session dialog box, select Block FQDNs Internet Access Profile. Select Internet Access Profile.

  6. In Conditional Access Overview > Enable policy, select On. Select Create.

    Screenshot of Conditional Access, New Conditional Access policy to block FQDN Internet Access Policy, Session.

Attempt to access blocked sites

  1. Sign in to your test device where you installed the GSA agent.

  2. In the System Tray, right-click Global Secure Access Client. Select Advanced Diagnostics.

    Screenshot of Global Secure Access System Tray options, Advanced diagnostics.

  3. In the Global Secure Access Client - Advanced Diagnostics dialog box, select Traffic.

  4. On Network traffic, select Start collecting.

    Screenshot of Global Secure Access Client, Advanced diagnostics, Traffic, Network traffic, Start collecting.

  5. Attempt to open the FQDN you configured to confirm blocked access. You should see Access Denied for http websites and Can't reach this page notification for https websites. It can take up to 20 minutes for the policy to apply to your client device.

Stop the agent and confirm restored access

  1. On Network traffic, select Stop collecting.

  2. Scroll to observe the traffic related to opening the FQDN, and associated data.

    Screenshot of Global Secure Access - Advanced diagnostic, Network traffic to block FQDN Internet Access.

  3. On your test device > System Tray >, expand options > right-click Global Secure Access client. Select Pause.

    Screenshot of Global Secure Access System Tray options, Pause.

  4. After the confirmation notification appears, open the previously blocked site to confirm restored access.

View activity in the traffic log

  1. In the Microsoft Entra admin center > Global Secure Access (Preview) > Monitor, select Traffic logs.
  2. If needed, select Add filter. Filter when User principal name contains testuser and Action set to Block.
  3. Observe the entries for your target FQDN that show traffic as blocked and then allowed. There can be a delay of up to 20 minutes for entries to appear in the log.

Sample PoC scenario: Allow a user to access a blocked website

In some cases, you might have users that require access to blocked sites for groups in which the user is a member. Complete the following tasks to override a block configured for your test group, so the test user can access the blocked site.

Create a web filtering policy

  1. In the Microsoft Entra admin center, go to Global Secure Access (Preview) > Secure > Web content filtering policies > Create policy > Configure Global Secure Access content filtering.

    Screenshot of Global Secure Access, Secure, Web content filtering policies.

  2. On Create a web content filtering policy > Basics, provide the following details.

    • Name: Allow test FQDN.
    • Description: Add a description.
    • Action: Allow.
  3. Select Next.

  4. On Create a web content filtering policy > Policy Rules, select Add Rule.

  5. In the Add Rule dialog box, provide the following details. Select Add.

    • Name: Enter a name, such as Allow FQDN Override.
    • Destination type: FQDN.
    • Destination: enter the FQDN in the format *.domainname.com or domain.com. Select Add.
  6. On Create a web content filtering policy > Policy Rules, confirm your selections.

  7. Select Next.

  8. On Create a web content filtering policy > Review, confirm your policy configuration.

    Screenshot of Global Secure Access, Security profiles, Create a profile, Web content filtering policies, Review for allow blocked policy.

  9. Select Create policy.

  10. To confirm policy creation, view it in the Manage web content filtering policies list.

Create a security policy profile

  1. In the Microsoft Entra admin center, go to Global Secure Access (Preview) > Secure > Security profiles. Select Create profile.

    Screenshot of Global Secure Access, Security profiles.](media/sse-deployment-guide-internet-access/security-profiles-expanded.png#lightbox)

  2. On Create a profile > Basics, provide the following details.

    • Profile name: Allow FQDNs Internet Access Profile.
    • Description: Add a description.
    • State: enabled.
    • Priority: 500.
  3. Select Next.

  4. On Create a profile > Link policies, select Link a policy.

  5. Select Existing policy.

  6. In the Link a policy dialog box, provide the following details.

    • Policy name: Allow test FQDN.
    • Priority: 100.
    • State: Enabled.
  7. Select Add.

  8. On Create a profile > Link policies, confirm Allow test FQDN in list.

  9. Select Next.

  10. On the Review tab, confirm your profile configuration.

    Screenshot of Global Secure Access, Security profiles, Review for allow blocked policy.

  11. Select Create a profile.

Create a Conditional Access policy

  1. In the Microsoft Entra admin center, go to Protection > Conditional Access. Select Create new policy.

  2. In the New Conditional Access Policy dialog box, configure the following.

    • Name: FQDN Exception Override IA Policy.
    • Users or workload identities: Specific users included.
    • What does this policy apply to? Users and groups.
    • Include > Select users and groups > Select Users and groups.
    • Select your test group. Click Select.

    Screenshot of Conditional Access, New Conditional Access policy to allow blocked Internet Access Policy.

  3. Target resources > Select what this policy applies to > Global Secure Access (Preview).

  4. Select the traffic profiles this policy applies to > Internet traffic.

    Screenshot of Conditional Access, New Conditional Access policy to allow blocked Internet Access Policy, Target resources.

  5. Session > select Use Global Secure Access security profile, select Allow FQDNs Internet Access Profile. Click Select.

  6. In Conditional Access Overview > Enable policy, select On. Select Create.

    Screenshot of Conditional Access, New Conditional Access policy to allow blocked Internet Access Policy, Session.

Attempt to access blocked sites

  1. Sign in to your test device where you installed the GSA agent.

  2. In the System Tray, right-click Global Secure Access Client. Select Advanced Diagnostics.

    Screenshot of Global Secure Access System Tray options, Advanced diagnostics

  3. In the Global Secure Access Client - Advanced Diagnostics dialog box, select Traffic.

  4. On Network traffic, select Start collecting.

    Screenshot of Global Secure Access Client, Advanced diagnostics, Traffic, Network traffic, Start collecting.

  5. To confirm access for this specific user, attempt to open the FQDN that you configured as an exception. It can take up to 20 minutes for the policy to apply to your client device.

Stop the agent and confirm restored access

  1. On Network traffic, select Stop collecting.
  2. Scroll to observe the traffic related to opening the FQDN.

View activity in the traffic log

  1. In the Microsoft Entra admin center > Global Secure Access (Preview) > Monitor, select Traffic logs. If needed, select Add filter. Filter when User principal name contains testuser and Action set to Block.

  2. Observe the entries for your target FQDN that show traffic as blocked and then allowed. There can be a delay of up to 20 minutes for entries to appear in the log.

    Screenshot of Global Secure Access - Advanced diagnostic, Network traffic to allow blocked Internet Access.

Terms of Use

Your use of the Microsoft Entra Private Access and Microsoft Entra Internet Access preview experiences and features is governed by the preview online service terms and conditions of the agreement(s) under which you obtained the services. Previews may be subject to reduced or different security, compliance, and privacy commitments, as further explained in the Universal License Terms for Online Services and the Microsoft Products and Services Data Protection Addendum (“DPA”), and any other notices provided with the Preview.

Next steps