使用 Microsoft Graph API 配置Microsoft Entra Internet 访问

2025-06-27

Microsoft Entra Internet 访问为软件即服务提供以标识为中心的安全 Web 网关 (SWG) 解决方案， (SaaS) 应用程序和其他 Internet 流量。管理员使用Microsoft Entra Internet 访问通过一流的安全控制和流量日志可见性来保护用户、设备和数据免受 Internet 的广泛威胁。 Microsoft的 SWG 与 Microsoft Entra ID 条件访问深度集成，以标识为中心，使 IT 管理员可以轻松地在一个引擎中管理其组织的策略。

本教程介绍如何使用 Microsoft Graph 网络访问 API 以编程方式配置Microsoft Entra Internet 访问。你：

创建 Web 内容筛选策略以允许或阻止对给定目标的访问。
通过筛选配置文件容器（也称为安全配置文件）使 Web 内容筛选策略与条件访问策略保持一致。

重要

本教程中的某些 API作使用 beta 终结点。

先决条件

若要完成本教程，需要：

具有Microsoft Entra 套件许可证的Microsoft Entra租户。
具有受支持管理员角色的帐户的 API 客户端，例如 Graph 资源管理器。以下Microsoft Entra角色是本教程中作的最低特权：
- 全局安全访问管理员，用于配置 Web 内容筛选策略和筛选配置文件。
- 用于配置条件访问策略的条件访问管理员。
委派权限： NetworkAccess.Read.All、 NetworkAccess.ReadWrite.All 和 Policy.ReadWrite.ConditionalAccess
要分配给条件访问策略的测试用户。
全局安全访问 (GSA) 部署到组织的设备的客户端。

步骤 1：启用 Internet 访问流量转发

在配置Microsoft Entra Internet 访问筛选策略之前，请先将全局安全访问 (GSA) 客户端部署到组织的设备。然后，通过启用 Internet 访问转发配置文件，开始将流量转发到 GSA 边缘位置。

步骤 1.1：检索 Internet 访问流量转发配置文件

记录配置文件的 ID，以便稍后在本教程中使用。

请求

GET https://graph.microsoft.com/beta/networkAccess/forwardingProfiles?$filter=trafficForwardingType eq 'internet'


// Code snippets are only available for the latest version. Current version is 5.x

// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=csharp
var result = await graphClient.NetworkAccess.ForwardingProfiles.GetAsync((requestConfiguration) =>
{
	requestConfiguration.QueryParameters.Filter = "trafficForwardingType eq 'internet'";
});



mgc-beta network-access forwarding-profiles list --filter "trafficForwardingType eq 'internet'"



// Code snippets are only available for the latest major version. Current major version is $v0.*

// Dependencies
import (
	  "context"
	  msgraphsdk "github.com/microsoftgraph/msgraph-beta-sdk-go"
	  graphnetworkaccess "github.com/microsoftgraph/msgraph-beta-sdk-go/networkaccess"
	  //other-imports
)


requestFilter := "trafficForwardingType eq 'internet'"

requestParameters := &graphnetworkaccess.NetworkAccessForwardingProfilesRequestBuilderGetQueryParameters{
	Filter: &requestFilter,
}
configuration := &graphnetworkaccess.NetworkAccessForwardingProfilesRequestBuilderGetRequestConfiguration{
	QueryParameters: requestParameters,
}

// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=go
forwardingProfiles, err := graphClient.NetworkAccess().ForwardingProfiles().Get(context.Background(), configuration)


// Code snippets are only available for the latest version. Current version is 6.x

GraphServiceClient graphClient = new GraphServiceClient(requestAdapter);

com.microsoft.graph.models.networkaccess.ForwardingProfileCollectionResponse result = graphClient.networkAccess().forwardingProfiles().get(requestConfiguration -> {
	requestConfiguration.queryParameters.filter = "trafficForwardingType eq 'internet'";
});


const options = {
	authProvider,
};

const client = Client.init(options);

let forwardingProfiles = await client.api('/networkAccess/forwardingProfiles')
	.version('beta')
	.filter('trafficForwardingType eq \'internet\'')
	.get();


<?php
use Microsoft\Graph\Beta\GraphServiceClient;
use Microsoft\Graph\Beta\Generated\NetworkAccess\ForwardingProfiles\ForwardingProfilesRequestBuilderGetRequestConfiguration;


$graphServiceClient = new GraphServiceClient($tokenRequestContext, $scopes);

$requestConfiguration = new ForwardingProfilesRequestBuilderGetRequestConfiguration();
$queryParameters = ForwardingProfilesRequestBuilderGetRequestConfiguration::createQueryParameters();
$queryParameters->filter = "trafficForwardingType eq 'internet'";
$requestConfiguration->queryParameters = $queryParameters;


$result = $graphServiceClient->networkAccess()->forwardingProfiles()->get($requestConfiguration)->wait();


Import-Module Microsoft.Graph.Beta.NetworkAccess

Get-MgBetaNetworkAccessForwardingProfile -Filter "trafficForwardingType eq 'internet'"


# Code snippets are only available for the latest version. Current version is 1.x
from msgraph_beta import GraphServiceClient
from msgraph_beta.generated.network_access.forwarding_profiles.forwarding_profiles_request_builder import ForwardingProfilesRequestBuilder
from kiota_abstractions.base_request_configuration import RequestConfiguration
# To initialize your graph_client, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=python
query_params = ForwardingProfilesRequestBuilder.ForwardingProfilesRequestBuilderGetQueryParameters(
		filter = "trafficForwardingType eq 'internet'",
)

request_configuration = RequestConfiguration(
query_parameters = query_params,
)

result = await graph_client.network_access.forwarding_profiles.get(request_configuration = request_configuration)

响应

HTTP/1.1 200 OK
Content-type: application/json

{
  "trafficForwardingType": "internet",
  "priority": 2,
  "id": "bbbbbbbb-1111-2222-3333-cccccccccccc",
  "name": "Internet traffic forwarding profile",
  "description": "Default traffic forwarding profile for Internet traffic acquisition. Assign the profile to client or branch offices to acquire Internet traffic for Zero Trust Network Access.Internet traffic forwarding profile will exclude all endpoints defined in Microsoft 365 traffic forwarding profile.",
  "state": "enabled",
  "version": "1.0.0",
  "lastModifiedDateTime": "2025-01-14T13:11:57.9295327Z",
  "associations": [],
  "servicePrincipal": {
    "appId": "00001111-aaaa-2222-bbbb-3333cccc4444",
    "id": "aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb"
  }
}

步骤 1.2：启用 Internet 访问转发配置文件的状态

请求返回 204 No Content 响应。

请求

PATCH https://graph.microsoft.com/beta/networkAccess/forwardingProfiles/bbbbbbbb-1111-2222-3333-cccccccccccc
Content-type: application/json

{
  "state": "enabled"
}


// Code snippets are only available for the latest version. Current version is 5.x

// Dependencies
using Microsoft.Graph.Beta.Models.Networkaccess;

var requestBody = new ForwardingProfile
{
	State = Status.Enabled,
};

// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=csharp
var result = await graphClient.NetworkAccess.ForwardingProfiles["{forwardingProfile-id}"].PatchAsync(requestBody);



mgc-beta network-access forwarding-profiles patch --forwarding-profile-id {forwardingProfile-id} --body '{\
  "state": "enabled"\
}\
'



// Code snippets are only available for the latest major version. Current major version is $v0.*

// Dependencies
import (
	  "context"
	  msgraphsdk "github.com/microsoftgraph/msgraph-beta-sdk-go"
	  graphmodelsnetworkaccess "github.com/microsoftgraph/msgraph-beta-sdk-go/models/networkaccess"
	  //other-imports
)

requestBody := graphmodelsnetworkaccess.NewForwardingProfile()
state := graphmodels.ENABLED_STATUS 
requestBody.SetState(&state) 

// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=go
forwardingProfiles, err := graphClient.NetworkAccess().ForwardingProfiles().ByForwardingProfileId("forwardingProfile-id").Patch(context.Background(), requestBody, nil)


// Code snippets are only available for the latest version. Current version is 6.x

GraphServiceClient graphClient = new GraphServiceClient(requestAdapter);

com.microsoft.graph.beta.models.networkaccess.ForwardingProfile forwardingProfile = new com.microsoft.graph.beta.models.networkaccess.ForwardingProfile();
forwardingProfile.setState(com.microsoft.graph.beta.models.networkaccess.Status.Enabled);
com.microsoft.graph.models.networkaccess.ForwardingProfile result = graphClient.networkAccess().forwardingProfiles().byForwardingProfileId("{forwardingProfile-id}").patch(forwardingProfile);


const options = {
	authProvider,
};

const client = Client.init(options);

const forwardingProfile = {
  state: 'enabled'
};

await client.api('/networkAccess/forwardingProfiles/bbbbbbbb-1111-2222-3333-cccccccccccc')
	.version('beta')
	.update(forwardingProfile);


<?php
use Microsoft\Graph\Beta\GraphServiceClient;
use Microsoft\Graph\Beta\Generated\Models\Networkaccess\ForwardingProfile;
use Microsoft\Graph\Beta\Generated\Models\Networkaccess\Status;


$graphServiceClient = new GraphServiceClient($tokenRequestContext, $scopes);

$requestBody = new ForwardingProfile();
$requestBody->setState(new Status('enabled'));

$result = $graphServiceClient->networkAccess()->forwardingProfiles()->byForwardingProfileId('forwardingProfile-id')->patch($requestBody)->wait();


Import-Module Microsoft.Graph.Beta.NetworkAccess

$params = @{
	state = "enabled"
}

Update-MgBetaNetworkAccessForwardingProfile -ForwardingProfileId $forwardingProfileId -BodyParameter $params


# Code snippets are only available for the latest version. Current version is 1.x
from msgraph_beta import GraphServiceClient
from msgraph_beta.generated.models.networkaccess.forwarding_profile import ForwardingProfile
from msgraph_beta.generated.models.status import Status
# To initialize your graph_client, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=python
request_body = ForwardingProfile(
	state = Status.Enabled,
)

result = await graph_client.network_access.forwarding_profiles.by_forwarding_profile_id('forwardingProfile-id').patch(request_body)

步骤 2：创建 Web 内容筛选策略和安全配置文件

若要在 Microsoft Entra Internet 访问中配置策略，首先需要创建一个筛选策略，该策略是管理对目标（如 Web 类别和完全限定域名）的访问的规则集合， (FQDN) 。例如，可以使用阻止访问人工智能类别和单个 FQDN 的规则创建筛选策略。然后，将筛选策略组织到可以使用条件访问策略作为目标的安全配置文件中。

步骤 2.1：创建 Web 内容筛选策略

在此示例中，你将创建一个筛选策略，其中包含阻止访问的“人工智能”类别和 FQDN 的规则 bing.com。创建此策略后，请记下用于在筛选配置文件中链接的筛选策略 ID。

请求

POST https://graph.microsoft.com/beta/networkaccess/filteringPolicies
Content-type: application/json

{
  "name": "AI and Bing",
  "policyRules": [
    {
      "@odata.type": "#microsoft.graph.networkaccess.webCategoryFilteringRule",
      "name": "AI",
      "ruleType": "webCategory",
      "destinations": [
        {
          "@odata.type": "#microsoft.graph.networkaccess.webCategory",
          "name": "ArtificialIntelligence"
        }
      ]
    },
    {
      "@odata.type": "#microsoft.graph.networkaccess.fqdnFilteringRule",
      "name": "bing FQDNs",
      "ruleType": "fqdn",
      "destinations": [
        {
          "@odata.type": "#microsoft.graph.networkaccess.fqdn",
          "value": "bing.com"
        },
        {
          "@odata.type": "#microsoft.graph.networkaccess.fqdn",
          "value": "*.bing.com"
        }
      ]
    }
  ],
  "action": "block"
}


// Code snippets are only available for the latest version. Current version is 5.x

// Dependencies
using Microsoft.Graph.Beta.Models.Networkaccess;

var requestBody = new FilteringPolicy
{
	Name = "AI and Bing",
	PolicyRules = new List<PolicyRule>
	{
		new WebCategoryFilteringRule
		{
			OdataType = "#microsoft.graph.networkaccess.webCategoryFilteringRule",
			Name = "AI",
			RuleType = NetworkDestinationType.WebCategory,
			Destinations = new List<RuleDestination>
			{
				new WebCategory
				{
					OdataType = "#microsoft.graph.networkaccess.webCategory",
					Name = "ArtificialIntelligence",
				},
			},
		},
		new FqdnFilteringRule
		{
			OdataType = "#microsoft.graph.networkaccess.fqdnFilteringRule",
			Name = "bing FQDNs",
			RuleType = NetworkDestinationType.Fqdn,
			Destinations = new List<RuleDestination>
			{
				new Fqdn
				{
					OdataType = "#microsoft.graph.networkaccess.fqdn",
					Value = "bing.com",
				},
				new Fqdn
				{
					OdataType = "#microsoft.graph.networkaccess.fqdn",
					Value = "*.bing.com",
				},
			},
		},
	},
	Action = FilteringPolicyAction.Block,
};

// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=csharp
var result = await graphClient.NetworkAccess.FilteringPolicies.PostAsync(requestBody);



mgc-beta network-access filtering-policies create --body '{\
  "name": "AI and Bing",\
  "policyRules": [\
    {\
      "@odata.type": "#microsoft.graph.networkaccess.webCategoryFilteringRule",\
      "name": "AI",\
      "ruleType": "webCategory",\
      "destinations": [\
        {\
          "@odata.type": "#microsoft.graph.networkaccess.webCategory",\
          "name": "ArtificialIntelligence"\
        }\
      ]\
    },\
    {\
      "@odata.type": "#microsoft.graph.networkaccess.fqdnFilteringRule",\
      "name": "bing FQDNs",\
      "ruleType": "fqdn",\
      "destinations": [\
        {\
          "@odata.type": "#microsoft.graph.networkaccess.fqdn",\
          "value": "bing.com"\
        },\
        {\
          "@odata.type": "#microsoft.graph.networkaccess.fqdn",\
          "value": "*.bing.com"\
        }\
      ]\
    }\
  ],\
  "action": "block"\
}\
'



// Code snippets are only available for the latest major version. Current major version is $v0.*

// Dependencies
import (
	  "context"
	  msgraphsdk "github.com/microsoftgraph/msgraph-beta-sdk-go"
	  graphmodelsnetworkaccess "github.com/microsoftgraph/msgraph-beta-sdk-go/models/networkaccess"
	  //other-imports
)

requestBody := graphmodelsnetworkaccess.NewFilteringPolicy()
name := "AI and Bing"
requestBody.SetName(&name) 


policyRule := graphmodelsnetworkaccess.NewWebCategoryFilteringRule()
name := "AI"
policyRule.SetName(&name) 
ruleType := graphmodels.WEBCATEGORY_NETWORKDESTINATIONTYPE 
policyRule.SetRuleType(&ruleType) 


ruleDestination := graphmodelsnetworkaccess.NewWebCategory()
name := "ArtificialIntelligence"
ruleDestination.SetName(&name) 

destinations := []graphmodelsnetworkaccess.RuleDestinationable {
	ruleDestination,
}
policyRule.SetDestinations(destinations)
policyRule1 := graphmodelsnetworkaccess.NewFqdnFilteringRule()
name := "bing FQDNs"
policyRule1.SetName(&name) 
ruleType := graphmodels.FQDN_NETWORKDESTINATIONTYPE 
policyRule1.SetRuleType(&ruleType) 


ruleDestination := graphmodelsnetworkaccess.NewFqdn()
value := "bing.com"
ruleDestination.SetValue(&value) 
ruleDestination1 := graphmodelsnetworkaccess.NewFqdn()
value := "*.bing.com"
ruleDestination1.SetValue(&value) 

destinations := []graphmodelsnetworkaccess.RuleDestinationable {
	ruleDestination,
	ruleDestination1,
}
policyRule1.SetDestinations(destinations)

policyRules := []graphmodelsnetworkaccess.PolicyRuleable {
	policyRule,
	policyRule1,
}
requestBody.SetPolicyRules(policyRules)
action := graphmodels.BLOCK_FILTERINGPOLICYACTION 
requestBody.SetAction(&action) 

// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=go
filteringPolicies, err := graphClient.NetworkAccess().FilteringPolicies().Post(context.Background(), requestBody, nil)


// Code snippets are only available for the latest version. Current version is 6.x

GraphServiceClient graphClient = new GraphServiceClient(requestAdapter);

com.microsoft.graph.beta.models.networkaccess.FilteringPolicy filteringPolicy = new com.microsoft.graph.beta.models.networkaccess.FilteringPolicy();
filteringPolicy.setName("AI and Bing");
LinkedList<com.microsoft.graph.beta.models.networkaccess.PolicyRule> policyRules = new LinkedList<com.microsoft.graph.beta.models.networkaccess.PolicyRule>();
com.microsoft.graph.beta.models.networkaccess.WebCategoryFilteringRule policyRule = new com.microsoft.graph.beta.models.networkaccess.WebCategoryFilteringRule();
policyRule.setOdataType("#microsoft.graph.networkaccess.webCategoryFilteringRule");
policyRule.setName("AI");
policyRule.setRuleType(com.microsoft.graph.beta.models.networkaccess.NetworkDestinationType.WebCategory);
LinkedList<com.microsoft.graph.beta.models.networkaccess.RuleDestination> destinations = new LinkedList<com.microsoft.graph.beta.models.networkaccess.RuleDestination>();
com.microsoft.graph.beta.models.networkaccess.WebCategory ruleDestination = new com.microsoft.graph.beta.models.networkaccess.WebCategory();
ruleDestination.setOdataType("#microsoft.graph.networkaccess.webCategory");
ruleDestination.setName("ArtificialIntelligence");
destinations.add(ruleDestination);
policyRule.setDestinations(destinations);
policyRules.add(policyRule);
com.microsoft.graph.beta.models.networkaccess.FqdnFilteringRule policyRule1 = new com.microsoft.graph.beta.models.networkaccess.FqdnFilteringRule();
policyRule1.setOdataType("#microsoft.graph.networkaccess.fqdnFilteringRule");
policyRule1.setName("bing FQDNs");
policyRule1.setRuleType(com.microsoft.graph.beta.models.networkaccess.NetworkDestinationType.Fqdn);
LinkedList<com.microsoft.graph.beta.models.networkaccess.RuleDestination> destinations1 = new LinkedList<com.microsoft.graph.beta.models.networkaccess.RuleDestination>();
com.microsoft.graph.beta.models.networkaccess.Fqdn ruleDestination1 = new com.microsoft.graph.beta.models.networkaccess.Fqdn();
ruleDestination1.setOdataType("#microsoft.graph.networkaccess.fqdn");
ruleDestination1.setValue("bing.com");
destinations1.add(ruleDestination1);
com.microsoft.graph.beta.models.networkaccess.Fqdn ruleDestination2 = new com.microsoft.graph.beta.models.networkaccess.Fqdn();
ruleDestination2.setOdataType("#microsoft.graph.networkaccess.fqdn");
ruleDestination2.setValue("*.bing.com");
destinations1.add(ruleDestination2);
policyRule1.setDestinations(destinations1);
policyRules.add(policyRule1);
filteringPolicy.setPolicyRules(policyRules);
filteringPolicy.setAction(com.microsoft.graph.beta.models.networkaccess.FilteringPolicyAction.Block);
com.microsoft.graph.models.networkaccess.FilteringPolicy result = graphClient.networkAccess().filteringPolicies().post(filteringPolicy);


const options = {
	authProvider,
};

const client = Client.init(options);

const filteringPolicy = {
  name: 'AI and Bing',
  policyRules: [
    {
      '@odata.type': '#microsoft.graph.networkaccess.webCategoryFilteringRule',
      name: 'AI',
      ruleType: 'webCategory',
      destinations: [
        {
          '@odata.type': '#microsoft.graph.networkaccess.webCategory',
          name: 'ArtificialIntelligence'
        }
      ]
    },
    {
      '@odata.type': '#microsoft.graph.networkaccess.fqdnFilteringRule',
      name: 'bing FQDNs',
      ruleType: 'fqdn',
      destinations: [
        {
          '@odata.type': '#microsoft.graph.networkaccess.fqdn',
          value: 'bing.com'
        },
        {
          '@odata.type': '#microsoft.graph.networkaccess.fqdn',
          value: '*.bing.com'
        }
      ]
    }
  ],
  action: 'block'
};

await client.api('/networkaccess/filteringPolicies')
	.version('beta')
	.post(filteringPolicy);


<?php
use Microsoft\Graph\Beta\GraphServiceClient;
use Microsoft\Graph\Beta\Generated\Models\Networkaccess\FilteringPolicy;
use Microsoft\Graph\Beta\Generated\Models\Networkaccess\PolicyRule;
use Microsoft\Graph\Beta\Generated\Models\Networkaccess\WebCategoryFilteringRule;
use Microsoft\Graph\Beta\Generated\Models\Networkaccess\NetworkDestinationType;
use Microsoft\Graph\Beta\Generated\Models\Networkaccess\RuleDestination;
use Microsoft\Graph\Beta\Generated\Models\Networkaccess\WebCategory;
use Microsoft\Graph\Beta\Generated\Models\Networkaccess\FqdnFilteringRule;
use Microsoft\Graph\Beta\Generated\Models\Networkaccess\Fqdn;
use Microsoft\Graph\Beta\Generated\Models\Networkaccess\FilteringPolicyAction;


$graphServiceClient = new GraphServiceClient($tokenRequestContext, $scopes);

$requestBody = new FilteringPolicy();
$requestBody->setName('AI and Bing');
$policyRulesPolicyRule1 = new WebCategoryFilteringRule();
$policyRulesPolicyRule1->setOdataType('#microsoft.graph.networkaccess.webCategoryFilteringRule');
$policyRulesPolicyRule1->setName('AI');
$policyRulesPolicyRule1->setRuleType(new NetworkDestinationType('webCategory'));
$destinationsRuleDestination1 = new WebCategory();
$destinationsRuleDestination1->setOdataType('#microsoft.graph.networkaccess.webCategory');
$destinationsRuleDestination1->setName('ArtificialIntelligence');
$destinationsArray []= $destinationsRuleDestination1;
$policyRulesPolicyRule1->setDestinations($destinationsArray);

$policyRulesArray []= $policyRulesPolicyRule1;
$policyRulesPolicyRule2 = new FqdnFilteringRule();
$policyRulesPolicyRule2->setOdataType('#microsoft.graph.networkaccess.fqdnFilteringRule');
$policyRulesPolicyRule2->setName('bing FQDNs');
$policyRulesPolicyRule2->setRuleType(new NetworkDestinationType('fqdn'));
$destinationsRuleDestination1 = new Fqdn();
$destinationsRuleDestination1->setOdataType('#microsoft.graph.networkaccess.fqdn');
$destinationsRuleDestination1->setValue('bing.com');
$destinationsArray []= $destinationsRuleDestination1;
$destinationsRuleDestination2 = new Fqdn();
$destinationsRuleDestination2->setOdataType('#microsoft.graph.networkaccess.fqdn');
$destinationsRuleDestination2->setValue('*.bing.com');
$destinationsArray []= $destinationsRuleDestination2;
$policyRulesPolicyRule2->setDestinations($destinationsArray);

$policyRulesArray []= $policyRulesPolicyRule2;
$requestBody->setPolicyRules($policyRulesArray);

$requestBody->setAction(new FilteringPolicyAction('block'));

$result = $graphServiceClient->networkAccess()->filteringPolicies()->post($requestBody)->wait();


Import-Module Microsoft.Graph.Beta.NetworkAccess

$params = @{
	name = "AI and Bing"
	policyRules = @(
		@{
			"@odata.type" = "#microsoft.graph.networkaccess.webCategoryFilteringRule"
			name = "AI"
			ruleType = "webCategory"
			destinations = @(
				@{
					"@odata.type" = "#microsoft.graph.networkaccess.webCategory"
					name = "ArtificialIntelligence"
				}
			)
		}
		@{
			"@odata.type" = "#microsoft.graph.networkaccess.fqdnFilteringRule"
			name = "bing FQDNs"
			ruleType = "fqdn"
			destinations = @(
				@{
					"@odata.type" = "#microsoft.graph.networkaccess.fqdn"
					value = "bing.com"
				}
				@{
					"@odata.type" = "#microsoft.graph.networkaccess.fqdn"
					value = "*.bing.com"
				}
			)
		}
	)
	action = "block"
}

New-MgBetaNetworkAccessFilteringPolicy -BodyParameter $params


# Code snippets are only available for the latest version. Current version is 1.x
from msgraph_beta import GraphServiceClient
from msgraph_beta.generated.models.networkaccess.filtering_policy import FilteringPolicy
from msgraph_beta.generated.models.networkaccess.policy_rule import PolicyRule
from msgraph_beta.generated.models.networkaccess.web_category_filtering_rule import WebCategoryFilteringRule
from msgraph_beta.generated.models.network_destination_type import NetworkDestinationType
from msgraph_beta.generated.models.networkaccess.rule_destination import RuleDestination
from msgraph_beta.generated.models.networkaccess.web_category import WebCategory
from msgraph_beta.generated.models.networkaccess.fqdn_filtering_rule import FqdnFilteringRule
from msgraph_beta.generated.models.networkaccess.fqdn import Fqdn
from msgraph_beta.generated.models.filtering_policy_action import FilteringPolicyAction
# To initialize your graph_client, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=python
request_body = FilteringPolicy(
	name = "AI and Bing",
	policy_rules = [
		WebCategoryFilteringRule(
			odata_type = "#microsoft.graph.networkaccess.webCategoryFilteringRule",
			name = "AI",
			rule_type = NetworkDestinationType.WebCategory,
			destinations = [
				WebCategory(
					odata_type = "#microsoft.graph.networkaccess.webCategory",
					name = "ArtificialIntelligence",
				),
			],
		),
		FqdnFilteringRule(
			odata_type = "#microsoft.graph.networkaccess.fqdnFilteringRule",
			name = "bing FQDNs",
			rule_type = NetworkDestinationType.Fqdn,
			destinations = [
				Fqdn(
					odata_type = "#microsoft.graph.networkaccess.fqdn",
					value = "bing.com",
				),
				Fqdn(
					odata_type = "#microsoft.graph.networkaccess.fqdn",
					value = "*.bing.com",
				),
			],
		),
	],
	action = FilteringPolicyAction.Block,
)

result = await graph_client.network_access.filtering_policies.post(request_body)

响应

HTTP/1.1 201 Created
Content-type: application/json

{
  "id": "cccccccc-2222-3333-4444-dddddddddddd",
  "name": "AI and Bing",
  "description": null,
  "version": "1.0.0",
  "lastModifiedDateTime": "2025-02-05T18:10:28.9760687Z",
  "createdDateTime": "2025-02-05T18:10:27Z",
  "action": "block"
}

步骤 2.2：编辑或更新 Web 内容筛选策略

创建筛选策略后，可以编程方式编辑或更新它。可以通过发送 POST 请求或使用 PATCH 请求更新现有规则中的目标，向策略添加新规则。其中任一更改都允许你根据组织的需求更改（例如阻止更多类别或域或修改现有规则）来调整筛选策略。

在此示例中，使用 PATCH 请求将目标添加到步骤 2.1 中创建的规则。

请求

POST https://graph.microsoft.com/beta/networkaccess/filteringPolicies('cccccccc-2222-3333-4444-dddddddddddd')/policyRules('<policyRuleId>')
Content-type: application/json

{
  "@odata.type": "#microsoft.graph.networkaccess.fqdnFilteringRule",
  "destinations": [
    {
      "@odata.type": "#microsoft.graph.networkaccess.fqdn",
      "value": "bing.com"
    },
    {
      "@odata.type": "#microsoft.graph.networkaccess.fqdn",
      "value": "*.bing.com"
    },
    {
      "@odata.type": "#microsoft.graph.networkaccess.fqdn",
      "value": "bing.co.uk"
    }
  ]
}

Snippet not available

Snippet not available

Snippet not available

Snippet not available


const options = {
	authProvider,
};

const client = Client.init(options);

const policyRule = {
  '@odata.type': '#microsoft.graph.networkaccess.fqdnFilteringRule',
  destinations: [
    {
      '@odata.type': '#microsoft.graph.networkaccess.fqdn',
      value: 'bing.com'
    },
    {
      '@odata.type': '#microsoft.graph.networkaccess.fqdn',
      value: '*.bing.com'
    },
    {
      '@odata.type': '#microsoft.graph.networkaccess.fqdn',
      value: 'bing.co.uk'
    }
  ]
};

await client.api('/networkaccess/filteringPolicies('cccccccc-2222-3333-4444-dddddddddddd')/policyRules('<policyRuleId>')')
	.version('beta')
	.post(policyRule);

Snippet not available

Snippet not available

Snippet not available

响应

HTTP/1.1 201 Created
Content-type: application/json

{
  "@odata.type": "#microsoft.graph.networkaccess.fqdnFilteringRule",
  "id": "cccccccc-2222-3333-4444-dddddddddddd",
  "name": "bing FQDNs",
  "ruleType": "fqdn",
  "destinations": [
    {
        "@odata.type": "#microsoft.graph.networkaccess.fqdn",
        "value": "google.co.uk"
    },
    {
        "@odata.type": "#microsoft.graph.networkaccess.fqdn",
        "value": "google.com"
    },
    {
        "@odata.type": "#microsoft.graph.networkaccess.fqdn",
        "value": "bing.com"
    }
  ]
}

步骤 2.3：创建筛选配置文件或安全配置文件

创建筛选或安全配置文件来保存策略，并将其作为条件访问会话控制的目标。创建配置文件后，请记下筛选配置文件 ID，以便在条件访问策略中稍后使用。

请求

POST https://graph.microsoft.com/beta/networkaccess/filteringProfiles
Content-type: application/json

{
  "name": "Security Profile for UserA",
  "state": "enabled",
  "priority": 100,
  "policies": []
}


// Code snippets are only available for the latest version. Current version is 5.x

// Dependencies
using Microsoft.Graph.Beta.Models.Networkaccess;

var requestBody = new FilteringProfile
{
	Name = "Security Profile for UserA",
	State = Status.Enabled,
	Priority = 100L,
	Policies = new List<PolicyLink>
	{
	},
};

// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=csharp
var result = await graphClient.NetworkAccess.FilteringProfiles.PostAsync(requestBody);



mgc-beta network-access filtering-profiles create --body '{\
  "name": "Security Profile for UserA",\
  "state": "enabled",\
  "priority": 100,\
  "policies": []\
}\
'



// Code snippets are only available for the latest major version. Current major version is $v0.*

// Dependencies
import (
	  "context"
	  msgraphsdk "github.com/microsoftgraph/msgraph-beta-sdk-go"
	  graphmodelsnetworkaccess "github.com/microsoftgraph/msgraph-beta-sdk-go/models/networkaccess"
	  //other-imports
)

requestBody := graphmodelsnetworkaccess.NewFilteringProfile()
name := "Security Profile for UserA"
requestBody.SetName(&name) 
state := graphmodels.ENABLED_STATUS 
requestBody.SetState(&state) 
priority := int64(100)
requestBody.SetPriority(&priority) 
policies := []graphmodelsnetworkaccess.PolicyLinkable {

}
requestBody.SetPolicies(policies)

// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=go
filteringProfiles, err := graphClient.NetworkAccess().FilteringProfiles().Post(context.Background(), requestBody, nil)


// Code snippets are only available for the latest version. Current version is 6.x

GraphServiceClient graphClient = new GraphServiceClient(requestAdapter);

com.microsoft.graph.beta.models.networkaccess.FilteringProfile filteringProfile = new com.microsoft.graph.beta.models.networkaccess.FilteringProfile();
filteringProfile.setName("Security Profile for UserA");
filteringProfile.setState(com.microsoft.graph.beta.models.networkaccess.Status.Enabled);
filteringProfile.setPriority(100L);
LinkedList<com.microsoft.graph.beta.models.networkaccess.PolicyLink> policies = new LinkedList<com.microsoft.graph.beta.models.networkaccess.PolicyLink>();
filteringProfile.setPolicies(policies);
com.microsoft.graph.models.networkaccess.FilteringProfile result = graphClient.networkAccess().filteringProfiles().post(filteringProfile);


const options = {
	authProvider,
};

const client = Client.init(options);

const filteringProfile = {
  name: 'Security Profile for UserA',
  state: 'enabled',
  priority: 100,
  policies: []
};

await client.api('/networkaccess/filteringProfiles')
	.version('beta')
	.post(filteringProfile);


<?php
use Microsoft\Graph\Beta\GraphServiceClient;
use Microsoft\Graph\Beta\Generated\Models\Networkaccess\FilteringProfile;
use Microsoft\Graph\Beta\Generated\Models\Networkaccess\Status;
use Microsoft\Graph\Beta\Generated\Models\Networkaccess\PolicyLink;


$graphServiceClient = new GraphServiceClient($tokenRequestContext, $scopes);

$requestBody = new FilteringProfile();
$requestBody->setName('Security Profile for UserA');
$requestBody->setState(new Status('enabled'));
$requestBody->setPriority(100);
$requestBody->setPolicies([	]);

$result = $graphServiceClient->networkAccess()->filteringProfiles()->post($requestBody)->wait();


Import-Module Microsoft.Graph.Beta.NetworkAccess

$params = @{
	name = "Security Profile for UserA"
	state = "enabled"
	priority = 100
	policies = @(
	)
}

New-MgBetaNetworkAccessFilteringProfile -BodyParameter $params


# Code snippets are only available for the latest version. Current version is 1.x
from msgraph_beta import GraphServiceClient
from msgraph_beta.generated.models.networkaccess.filtering_profile import FilteringProfile
from msgraph_beta.generated.models.status import Status
from msgraph_beta.generated.models.networkaccess.policy_link import PolicyLink
# To initialize your graph_client, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=python
request_body = FilteringProfile(
	name = "Security Profile for UserA",
	state = Status.Enabled,
	priority = 100,
	policies = [
	],
)

result = await graph_client.network_access.filtering_profiles.post(request_body)

响应

HTTP/1.1 201 Created
Content-type: application/json

{
  "priority": 100,
  "createdDateTime": "2025-02-05T18:27:31Z",
  "id": "dddddddd-3333-4444-5555-eeeeeeeeeeee",
  "name": "Security Profile for UserA",
  "description": null,
  "state": "enabled",
  "version": "1.0.0",
  "lastModifiedDateTime": "2025-02-05T18:27:31.660891Z"
}

步骤 2.4：将筛选策略链接到筛选配置文件或安全配置文件

请求

POST https://graph.microsoft.com/beta/networkaccess/filteringProfiles/dddddddd-3333-4444-5555-eeeeeeeeeeee/policies
Content-type: application/json

{
  "priority": 100,
    "state": "enabled",
    "@odata.type": "#microsoft.graph.networkaccess.filteringPolicyLink",
    "loggingState": "enabled",
    "policy": {
        "id": "cccccccc-2222-3333-4444-dddddddddddd",
        "@odata.type": "#microsoft.graph.networkaccess.filteringPolicy"
}

Snippet not available



mgc-beta network-access filtering-profiles policies create --filtering-profile-id {filteringProfile-id} --body '{\
  "priority": 100,\
    "state": "enabled",\
    "@odata.type": "#microsoft.graph.networkaccess.filteringPolicyLink",\
    "loggingState": "enabled",\
    "policy": {\
        "id": "cccccccc-2222-3333-4444-dddddddddddd",\
        "@odata.type": "#microsoft.graph.networkaccess.filteringPolicy"\
}\
'

Snippet not available

Snippet not available


const options = {
	authProvider,
};

const client = Client.init(options);

const policyLink = {
  priority: 100,
    state: 'enabled',
    '@odata.type': '#microsoft.graph.networkaccess.filteringPolicyLink',
    loggingState: 'enabled',
    policy: {
        id: 'cccccccc-2222-3333-4444-dddddddddddd',
        '@odata.type': '#microsoft.graph.networkaccess.filteringPolicy'
};

await client.api('/networkaccess/filteringProfiles/dddddddd-3333-4444-5555-eeeeeeeeeeee/policies')
	.version('beta')
	.post(policyLink);

Snippet not available

Snippet not available

Snippet not available

响应

HTTP/1.1 201 Created
Content-type: application/json

{
    "id": "dddddddd-9999-0000-1111-eeeeeeeeeeee",
    "priority": 100,
    "state": "enabled",
    "version": "1.0.0",
    "loggingState": "enabled",
    "lastModifiedDateTime": "2025-02-05T18:31:32Z",
    "createdDateTime": "2025-02-05T18:31:32Z",
    "policy": {
        "@odata.type": "#microsoft.graph.networkaccess.filteringPolicy",
        "id": "cccccccc-2222-3333-4444-dddddddddddd",
        "name": "AI and Bing",
        "description": null,
        "version": "1.0.0",
        "lastModifiedDateTime": "2025-02-05T18:15:17.0759384Z",
        "createdDateTime": "2025-02-05T18:15:16Z",
        "action": "block"
    }
}

步骤 3：链接条件访问策略

若要强制实施筛选配置文件，需要将其链接到条件访问 (CA) 策略。这样做会使筛选配置文件的内容用户和上下文感知。在此步骤中，使用以下设置创建 CA 策略：

面向 ID 为 00aa00aa-bb11-cc22-dd33-44ee44ee44ee 用户，应用“具有全局安全访问的所有 Internet 资源”和 appId5dc48733-b5df-475c-a49b-fa307ef00853。
使用 globalSecureAccessFilteringProfile ID dddddddd-9999-0000-1111-eeeeeeeeeeee配置会话控件。

请求

POST https://graph.microsoft.com/beta/identity/conditionalAccess/policies
Content-type: application/json

{
    "conditions": {
        "applications": {
            "includeApplications": [
                "5dc48733-b5df-475c-a49b-fa307ef00853"
            ]
        },
        "users": {
            "includeUsers": [
                "00aa00aa-bb11-cc22-dd33-44ee44ee44ee"
            ]
        }
    },
    "displayName": "UserA Access to AI and Bing",
    "sessionControls": {
        "globalSecureAccessFilteringProfile": {
            "profileId": "dddddddd-9999-0000-1111-eeeeeeeeeeee",
            "isEnabled": true
        }
    },
    "state": "enabled"
}

响应

HTTP/1.1 201 Created
Content-type: application/json

{
    "id": "9c5fbb22-30ff-4a17-9b83-ea9fbf2912a9",
    "templateId": null,
    "displayName": "UserA Access to AI and Bing",
    "createdDateTime": "2025-02-05T18:58:32.7622998Z",
    "modifiedDateTime": null,
    "state": "enabled",
    "grantControls": null,
    "partialEnablementStrategy": null,
    "conditions": {
        "userRiskLevels": [],
        "signInRiskLevels": [],
        "clientAppTypes": [
            "all"
        ],
        "platforms": null,
        "locations": null,
        "times": null,
        "deviceStates": null,
        "devices": null,
        "clientApplications": null,
        "applications": {
            "includeApplications": [
                "5dc48733-b5df-475c-a49b-fa307ef00853"
            ],
            "excludeApplications": [],
            "includeUserActions": [],
            "includeAuthenticationContextClassReferences": [],
            "applicationFilter": null
        },
        "users": {
            "includeUsers": [
                "00aa00aa-bb11-cc22-dd33-44ee44ee44ee"
            ],
            "excludeUsers": [],
            "includeGroups": [],
            "excludeGroups": [],
            "includeRoles": [],
            "excludeRoles": [],
            "includeGuestsOrExternalUsers": null,
            "excludeGuestsOrExternalUsers": null
        }
    },
    "sessionControls": {
        "disableResilienceDefaults": null,
        "applicationEnforcedRestrictions": null,
        "cloudAppSecurity": null,
        "signInFrequency": null,
        "persistentBrowser": null,
        "continuousAccessEvaluation": null,
        "secureSignInSession": null,
        "globalSecureAccessFilteringProfile": {
            "profileId": "dddddddd-9999-0000-1111-eeeeeeeeeeee",
            "isEnabled": true
        }
    }
}

总结

现在，你已配置阻止人工智能的安全配置文件或筛选配置文件， bing.com 并且对于示例用户，将阻止该用户访问这些站点。

通过