How to configure Global Secure Access (preview) web content filtering

Web content filtering empowers you to implement granular Internet access controls for your organization based on website categorization.

Microsoft Entra Internet Access's first Secure Web Gateway (SWG) features include web content filtering based on domain names. Microsoft integrates granular filtering policies with Microsoft Entra ID and Microsoft Entra Conditional Access, which results in filtering policies that are user-aware, context-aware, and easy to manage.

The web filtering feature is currently limited to user- and context-aware Fully Qualified Domain Name (FQDN)-based web category filtering and FQDN filtering.

Prerequisites

High level steps

There are several steps to configuring web content filtering. Take note of where you need to configure a Conditional Access policy.

  1. Enable internet traffic forwarding.
  2. Create a web content filtering policy.
  3. Create a security profile.
  4. Link the security profile to a Conditional Access policy.

Enable internet traffic forwarding

To enable the Microsoft Entra Internet Access forwarding profile to forward user traffic:

  1. Sign in to the Microsoft Entra admin center as a Global Secure Access Administrator.
  2. Browse to Global Secure Access > Connect > Traffic forwarding.
  3. Enable the Internet access profile. Internet traffic starts forwarding from all client devices to Microsoft's Security Service Edge (SSE) proxy, where you configure granular security policies.

Create a web content filtering policy

  1. Browse to Global Secure Access > Secure > web content filtering policy.
  2. Select Create policy.
  3. Enter a name and description for the policy and select Next.
  4. Select Add rule.
  5. Enter a name, select a web category or a valid FQDN, and then select Add.
    • Valid FQDNs in this feature can also include wildcards using the asterisk symbol, *.
  6. Select Next to review the policy and then select Create policy.
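To make the rule semantics concrete, the following added example (not code from Microsoft or the Global Secure Access service) evaluates a constructed policy set against URLs the way the page describes filtering: by hostname category or by FQDN with an asterisk wildcard, and never by URL path. Policy precedence (first match wins) and the exact wildcard semantics are assumptions made for the example.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit

# Assumed rule and policy shapes; constructed for illustration only.
@dataclass
class Rule:
    name: str
    fqdn: Optional[str] = None        # e.g. "*.contoso.com" (wildcard allowed)
    category: Optional[str] = None    # e.g. "Gambling" (web category)

@dataclass
class Policy:
    name: str
    action: str                       # "allow" or "block"
    rules: List[Rule] = field(default_factory=list)

def fqdn_pattern(fqdn: str) -> "re.Pattern[str]":
    """Compile an FQDN rule into a regex; '*' is assumed to match any text.
    Caveat: '*contoso.com' (no dot) also matches 'notcontoso.com', so prefer
    '*.contoso.com' plus an explicit 'contoso.com' rule for the apex."""
    escaped = ".*".join(re.escape(part) for part in fqdn.lower().split("*"))
    return re.compile("^" + escaped + "$")

def evaluate(policies: List[Policy], url: str,
             category_of: Dict[str, str]) -> Tuple[str, Optional[str], Optional[str]]:
    """Return (action, policy name, rule name) for the first matching rule,
    or ('allow', None, None). Only the hostname is inspected, never the path,
    mirroring FQDN-only filtering (no URL path filtering)."""
    host = (urlsplit(url).hostname or "").lower()
    for policy in policies:
        for rule in policy.rules:
            if rule.fqdn and fqdn_pattern(rule.fqdn).match(host):
                return (policy.action, policy.name, rule.name)
            if rule.category and category_of.get(host) == rule.category:
                return (policy.action, policy.name, rule.name)
    return ("allow", None, None)

# Constructed sample data: a category lookup and three policies.
SAMPLE_CATEGORY = {"casino.example": "Gambling"}
SAMPLE_POLICIES = [
    Policy("Block gambling", "block", [Rule("gambling", category="Gambling")]),
    Policy("Block social", "block", [Rule("social", fqdn="*.social.example")]),
    Policy("Allow corp", "allow", [Rule("corp", fqdn="*.contoso.com")]),
]

def decide(url: str) -> Tuple[str, Optional[str], Optional[str]]:
    return evaluate(SAMPLE_POLICIES, url, SAMPLE_CATEGORY)
```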

Create a security profile

Security profiles are a grouping of filtering policies. You can assign, or link, security profiles to Microsoft Entra Conditional Access policies. One security profile can contain multiple filtering policies, and one security profile can be associated with multiple Conditional Access policies.

In this step, you create a security profile to group filtering policies. Then you assign, or link, the security profiles with a Conditional Access policy to make them user or context aware.

Note

To learn more about Microsoft Entra Conditional Access policies, see Building a Conditional Access policy.

  1. Browse to Global Secure Access > Secure > Security profiles.
  2. Select Create profile.
  3. Enter a name and description for the policy and select Next.
  4. Select Link a policy and then select Existing policy.
  5. Select the web content filtering policy you already created and select Add.
  6. Select Next to review the security profile and associated policy.
  7. Select Create a profile.
  8. Select Refresh to refresh the profiles page and view the new profile.

Link the security profile to a Conditional Access policy

Create a Conditional Access policy for end users or groups and deliver your security profile through Conditional Access session controls. Conditional Access is the delivery mechanism for user and context awareness for Internet Access policies. To learn more about session controls, see Conditional Access: Session.

  1. Browse to Identity > Protection > Conditional Access.
  2. Select Create new policy.
  3. Enter a name and assign a user or group.
  4. Select Target resources and Global Secure Access (Preview) from the drop-down menu to set what the policy applies to.
  5. Select Internet traffic from the drop-down menu to set the traffic profile this policy applies to.
  6. Select Session > Use Global Secure Access security profile and choose a security profile.
  7. Select Select.
  8. In the Enable policy section, ensure On is selected.
  9. Select Create.

Verify end user policy enforcement

Use a Windows device with the Global Secure Access client installed. Sign in as a user that is assigned the Internet traffic acquisition profile. Test that navigating to websites is allowed or restricted as expected.

  1. Right-click the Global Secure Access client icon in the Windows system tray and open Advanced Diagnostics > Forwarding profile. Ensure that the Internet access acquisition rules are present. Also check whether hostname acquisition and flows for the user's Internet traffic are being acquired while browsing.

  2. Navigate to an allowed site and check if it loads properly.

  3. Navigate to a blocked site and confirm the site is blocked.

  4. Browse to Global Secure Access > Monitor > Traffic logs to confirm that traffic is blocked or allowed as expected. It takes approximately 15 minutes for new entries to appear.

Note

Configuration changes in the Global Secure Access experience related to web content filtering typically take effect in less than 5 minutes. Configuration changes in Conditional Access related to web content filtering take effect in approximately one hour. Additionally, the current blocking experience for all browsers and processes includes a "Connection Reset" browser error for HTTPS traffic and a "DeniedTraffic" browser error for HTTP traffic.

Known limitations

  • End-user notification on blocks, either from the client or the browser, isn't provided.
  • Internet traffic acquisition profiles for the client can't be configured.
  • The client traffic acquisition policy includes only the standard HTTP/S ports, Transmission Control Protocol (TCP) ports 80 and 443.
  • *microsoft.com is currently acquired by the Microsoft 365 access profile.
  • IPv6 isn't supported on this platform.
  • Hyper-V isn't supported on this platform.
  • Remote network connectivity for Internet Access is in development.
  • Open Systems Interconnection (OSI) network layer 3 and 4 filtering isn't supported.
  • No captive portal support. Connecting to public WiFi via captive portal access fails because these endpoints are currently acquired by the client.
  • Transport Layer Security (TLS) termination is in development.
  • No URL path based filtering or URL categorization for HTTP and HTTPS traffic.
  • Currently, an admin can create up to 100 web content filtering policies and up to 1,000 rules based on up to 8,000 total FQDNs. Admins can also create up to 256 security profiles.
    • These initial limits are placeholders until more features are added to this platform.

Next steps