
Step-by-Step – Microsoft Entra Internet Access


Microsoft Entra Global Secure Access is Microsoft's platform for secure access to resources across an organization. It serves as a gateway through which users connect to corporate applications, data, and services, regardless of location.

In early summer 2023, Microsoft unveiled a set of Security Service Edge (SSE) capabilities as part of the Microsoft Entra product family. Among them, Microsoft introduced the public preview of two new secure remote access technologies, Microsoft Entra Internet Access and Microsoft Entra Private Access.

This guide walks you step by step through testing and evaluating Microsoft's secure web gateway solution, Microsoft Entra Internet Access!

Microsoft Entra Internet Access

Microsoft Entra Internet Access is a cloud-based Secure Web Gateway (SWG) that aims to safeguard users against threats on the public Internet. Its features include web content filtering, malware inspection, TLS inspection, and more. Furthermore, Entra Internet Access protects Microsoft 365 applications by extending Conditional Access policies to Internet traffic.

With the addition of network conditions to Azure Conditional Access, the solution can fortify against attacks by mandating access from specific trusted or compliant networks.

When Microsoft first introduced its Security Service Edge (SSE) solution, Microsoft Entra Internet Access was only available for Microsoft 365 scenarios. The good news is that Microsoft has now announced public preview support for general Internet traffic and other SaaS applications.

Global Secure Access - Microsoft Entra Internet Access

Microsoft Entra Internet Access now integrates a Secure Web Gateway (SWG) into the Microsoft ecosystem, and with it you can:

🕵️‍♂️Monitor and control – HTTP and HTTPS traffic from devices with the GSA client installed (more on this below).

🔒Secure access – To SaaS apps on the Internet with web content filtering policies using web categories or fully qualified domain names (FQDN) (more on this below).

Related: Understanding Microsoft Entra Global Secure Access.

Let’s look at how to evaluate and configure Web Content Filtering using Microsoft’s secure web gateway solution, Microsoft Entra Internet Access!

Prerequisites

To follow this guide, you need to have the following:

1) An Entra ID tenant with at least a Microsoft Entra ID Premium P1 license. If needed, you can purchase licenses or get trial licenses.

  • One user holding the Global Secure Access Administrator, Application Administrator, and Security Administrator roles (at minimum) to configure the Microsoft Security Service Edge features.
  • At least one user or group to act as the client test user, registered for MFA in your tenant.

2) One Windows Client device to test web content filtering with the following:

  • Windows 10/11 64-bit version.
  • Microsoft Entra ID joined or hybrid joined (a merely Entra registered device is not sufficient).
  • Internet-connected, with no corporate network access or VPN.
  • Local Admin privilege (required to install Global Secure Access agent).
  • Prefer IPv4 over IPv6 (more on this below).
  • Disable DNS over HTTPS (Secure DNS) (more on this below).

3) Disable the HTTP/3 (QUIC) protocol in the browsers on the test device. At the moment, Microsoft recommends disabling QUIC in the browser because UDP traffic isn't supported in the current preview (this may change in the near future). HTTP/3 is a relatively new standard that runs over QUIC, a UDP-based transport (typically UDP port 443) with TLS 1.3 built in, instead of over TCP; its goal is better web performance, security, and reliability. Because the preview client only acquires TCP traffic, a browser that negotiates HTTP/3 would bypass the tunnel, so disable it in the browser you plan to test with:

  • Google Chrome: In the address bar, type “chrome://flags“, find “Experimental QUIC protocol“, and set it to Disabled.
  • Microsoft Edge: In the address bar, type “edge://flags“, find “Experimental QUIC protocol“, and set it to Disabled.
  • Mozilla Firefox: In the address bar, type “about:config“, find “network.http.http3.enable“, and toggle it to false.
  • Opera: In the address bar, type “opera://flags/#enable-quic“ and select Disabled from the “Experimental QUIC protocol“ drop-down list.
Disable HTTP/3 (QUIC) Protocol in Edge Browser

If you plan to tunnel Exchange Online traffic, you should also block QUIC (UDP 443) at the host firewall so that clients fall back to HTTPS over TCP 443. The following Windows Firewall rule blocks outbound UDP 443 to the Exchange Online ranges; the IPv4 list is taken from the Office 365 URLs and IP address ranges plus the IPv4 block (6.6.0.0/16) used by the Global Secure Access client:

New-NetFirewallRule -DisplayName "Block QUIC for Exchange Online" -Direction Outbound -Action Block -Protocol UDP -RemoteAddress 13.107.6.152/31,13.107.18.10/31,13.107.128.0/22,23.103.160.0/20,40.96.0.0/13,40.104.0.0/15,52.96.0.0/14,131.253.33.215/32,132.245.0.0/16,150.171.32.0/22,204.79.197.215/32,6.6.0.0/16 -RemotePort 443

4) Download and install the Global Secure Access (GSA) agent on the client device (more on this below).

At the time of this writing, Global Secure Access web content filtering is in public preview (❗️preview features come without support commitments, and costs may apply once the feature reaches GA, so be careful!).

Assuming you have all the prerequisites in place, take the following steps:

Configure Global Secure Access Web Content Filtering

In this section, we will go through all the required steps that you need to configure, so you can enable Web Content Filtering using the Microsoft Entra Internet Access part of Microsoft Entra Global Secure Access (GSA).

These are the key steps to enable and deploy Microsoft Entra Internet Access:

Step 1: Enable Global Secure Access

The first step is simple: if this is a brand new tenant, make sure that Global Secure Access is enabled.

1) Go to https://entra.microsoft.com, browse to Global Secure Access, and select Get started.

2) Alternatively, you can browse directly to the following URL (https://entra.microsoft.com/#view/Microsoft_Azure_Network_Access/Welcome.ReactView) and activate Global Secure Access in your tenant.

Get started with Global Secure Access

Global Secure Access is Microsoft's Security Service Edge, managed from a central location in the Microsoft Entra admin center. Most settings and features apply to both Microsoft Entra Private Access and Microsoft Entra Internet Access, while some are specific to one of them. In this example, we are focusing on Microsoft Entra Internet Access (web content filtering).

Related: Step-by-Step – Evaluate Microsoft Entra Private Access.

Step 2: Enable Traffic Forwarding

The next step is to enable traffic forwarding or traffic acquisition profiles.

1) Go to https://entra.microsoft.com and then browse to Global Secure Access (Preview).

2) Next, go to Connect and then select Traffic Forwarding.

Traffic forwarding profiles let administrators select which traffic the client should acquire and forward to Global Secure Access. Once you enable one of these profiles (Microsoft 365 access profile, Private access profile, or Internet access profile), it is assigned to every device in the tenant that is running the Global Secure Access client.

3) For this example, select and enable the Internet access profile. This tells the Global Secure Access (GSA) clients to start acquiring Internet traffic.

Enable Traffic forwarding for Internet access profile

Step 3: Download and Install the GSA Client

The next step is to download and install the GSA client on Windows 10/11.

1) Go to https://entra.microsoft.com and then browse to Global Secure Access (Preview).

2) Next, go to Connect and then select Client Download.

3) Select Download Client under Windows, or download it directly from https://aka.ms/GlobalSecureAccess-windows. At the time of this writing, the GSA Windows client is at version 1.7.376.1214. As a side note, you can also request early access to the Android, iOS, and macOS GSA clients, but at the time of writing Internet Access only works with the Windows client.

Download GSA Client for Windows

4) Copy the GSA client to your Windows 10/11 machine and install it; you need to accept the license terms, and local admin privileges are required to install the agent.

Install the Global Secure Access Client

5) Once the GSA client is installed, you can open the Global Secure Access Client Advanced diagnostics console from the tray icon. The icon turns green once the client is connected. At the time of this writing, the Advanced diagnostics console is accessible with admin permissions only. From the tray menu you can also sign out and sign in as a different user, pause, resume, or restart the client, and collect logs for troubleshooting.

If you click the “Health check” tab, you can verify all the health checks performed by the Global Secure Access client. All should be green. In this example, the “IPv4 preferred” check fails because the device still prefers IPv6.

Global Secure Access Client - Health Check

Microsoft recommends preferring IPv4 over IPv6 because the GSA client doesn't acquire IPv6 traffic at the moment. If an application communicates over IPv6, that traffic is not acquired by the client, never reaches the Security Service Edge (SSE) service, and therefore bypasses the security profile entirely; this is the main gap to close before trusting the filtering results.

To do so, run the following PowerShell command (elevated) on the client machine, which sets the preference through a registry key. You could also unbind (disable) IPv6 under the NIC properties (ncpa.cpl), but Microsoft recommends the registry key because it only changes the address preference instead of removing IPv6 altogether.

# DisabledComponents: 0x20 prefers IPv4 over IPv6 in the prefix policy table, 0xff disables IPv6
# (except loopback), 0x00 reverts to the default (prefer IPv6).
# Requires an elevated prompt; the change takes effect after rebooting the client machine.
$setIpv6Value = 0x20
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters" -Name "DisabledComponents" -Type DWord -Value $setIpv6Value

In practice this means that when the client resolves a name and gets both an IPv4 and an IPv6 address back, it tries the IPv4 address first. This is the most stable option: if you disabled IPv6 outright and tried to reach a site that only has an IPv6 address, the connection would break, whereas with the preference set, IPv4 is used in most cases and a pure IPv6 site still works. You can read more in Microsoft's article Guidance for configuring IPv6 in Windows for advanced users.

The next setting that you need to disable is browser-based secure DNS lookup. You must disable DNS over HTTPS (Secure DNS) so that the client can tunnel traffic based on the fully qualified domain name (FQDN) rules in the Internet traffic forwarding profile; a browser that resolves names over DoH hides the lookups from the Windows resolver that the GSA client relies on. To disable it through machine-wide browser policies (HKLM, so run from an elevated PowerShell), use the following commands provided by Microsoft for the browser (Edge/Chrome) you plan to use:

function CreateIfNotExists
{
    param($Path)
    if (-NOT (Test-Path $Path))
    {
        New-Item -Path $Path -Force | Out-Null
    }
}

# Setting BuiltInDnsClientEnabled to 0 makes the browser use the Windows resolver instead of its
# own asynchronous DNS client, so the GSA client sees the name lookups it needs for FQDN rules.
$disableBuiltInDNS = 0x00

# This disables browser based secure DNS lookup for the Microsoft Edge browser:
CreateIfNotExists "HKLM:\SOFTWARE\Policies\Microsoft"
CreateIfNotExists "HKLM:\SOFTWARE\Policies\Microsoft\Edge"

Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Edge" -Name "DnsOverHttpsMode" -Value "off"

Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Edge" -Name "BuiltInDnsClientEnabled" -Type DWord -Value $disableBuiltInDNS

# This disables browser based secure DNS lookup for the Google Chrome browser:
CreateIfNotExists "HKLM:\SOFTWARE\Policies\Google"
CreateIfNotExists "HKLM:\SOFTWARE\Policies\Google\Chrome"

Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Google\Chrome" -Name "DnsOverHttpsMode" -Value "off"

Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Google\Chrome" -Name "BuiltInDnsClientEnabled" -Type DWord -Value $disableBuiltInDNS
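To confirm that a test device actually has all of these client-side prerequisites in place (IPv4 preference, Secure DNS off, QUIC blocked) before trusting the Health check tab, here is an added PowerShell audit script. It is not part of the original post or of the GSA client; it reads back the settings described above and reports pass/fail per check so it can double as an Intune detection script. Two assumptions: the Edge/Chrome policy QuicAllowed (DWORD 0 = QUIC off) is used as the policy-managed equivalent of the per-user browser flag, and the firewall rule name is the one created in the prerequisites.

```powershell
# Added example, not from the original post: audits the client settings this guide asks for
# before trusting the GSA client's Health check tab. Run in an elevated PowerShell on the client.
# Assumptions: the Edge/Chrome policy "QuicAllowed" (DWORD 0 = QUIC off) is the policy-managed
# equivalent of the per-user browser flag; the firewall rule name matches the prerequisites.

function Get-RegistryValueOrNull {
    param([string]$Path, [string]$Name)
    if (-not (Test-Path $Path)) { return $null }
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function New-CheckResult {
    param([string]$Check, [bool]$Pass, [string]$Detail, [string]$Fix)
    [pscustomobject]@{ Check = $Check; Pass = $Pass; Detail = $Detail; Fix = $Fix }
}

function Test-GsaClientReadiness {
    [CmdletBinding()]
    param([string]$QuicFirewallRuleName = 'Block QUIC for Exchange Online')

    # 1. IPv4 preferred over IPv6: bit 0x20 of DisabledComponents. 0xFF also sets the bit, but it
    #    disables IPv6 outright, which breaks IPv6-only destinations (see the guide above).
    $dc = Get-RegistryValueOrNull 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters' 'DisabledComponents'
    $dcDetail = if ($null -eq $dc) { 'DisabledComponents not set (IPv6 preferred)' } else { 'DisabledComponents = 0x{0:X2}' -f $dc }
    New-CheckResult 'IPv4 preferred over IPv6' (($null -ne $dc) -and (($dc -band 0x20) -ne 0)) $dcDetail 'Set DisabledComponents to 0x20 and reboot'

    # 2./3. Per browser: Secure DNS (DoH) off, built-in DNS client off, QUIC off by policy.
    $browsers = @(
        @{ Name = 'Microsoft Edge'; Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge' },
        @{ Name = 'Google Chrome';  Path = 'HKLM:\SOFTWARE\Policies\Google\Chrome' }
    )
    foreach ($b in $browsers) {
        $mode    = Get-RegistryValueOrNull $b.Path 'DnsOverHttpsMode'
        $builtIn = Get-RegistryValueOrNull $b.Path 'BuiltInDnsClientEnabled'
        New-CheckResult "$($b.Name): Secure DNS disabled" (($mode -eq 'off') -and ($builtIn -eq 0)) `
            "DnsOverHttpsMode=$mode; BuiltInDnsClientEnabled=$builtIn" `
            "Set DnsOverHttpsMode=off and BuiltInDnsClientEnabled=0 under $($b.Path)"

        $quic = Get-RegistryValueOrNull $b.Path 'QuicAllowed'   # assumed policy name, see lead-in
        $quicDetail = if ($null -eq $quic) { 'QuicAllowed not set (flag may still be off per user)' } else { "QuicAllowed=$quic" }
        New-CheckResult "$($b.Name): QUIC disabled by policy" ($quic -eq 0) $quicDetail "Set QuicAllowed (DWORD) = 0 under $($b.Path)"
    }

    # 4. Outbound UDP/443 block rule for the Exchange Online ranges exists and is enabled.
    $rule = Get-NetFirewallRule -DisplayName $QuicFirewallRuleName -ErrorAction SilentlyContinue | Select-Object -First 1
    $ruleDetail = if ($null -eq $rule) { 'rule not found' } else { "Enabled=$($rule.Enabled); Action=$($rule.Action)" }
    New-CheckResult 'QUIC firewall block rule present' (($null -ne $rule) -and ("$($rule.Enabled)" -eq 'True') -and ("$($rule.Action)" -eq 'Block')) $ruleDetail 'Create the New-NetFirewallRule from the prerequisites'
}

# Usage (save as a .ps1): print the report and return a non-zero exit code when any check fails,
# which is the contract Intune detection scripts expect.
$report = Test-GsaClientReadiness
$report | Format-Table Check, Pass, Detail -AutoSize
if (@($report | Where-Object { -not $_.Pass }).Count -gt 0) { exit 1 }
exit 0
```

The script only reads state and never changes it; the Fix column tells you which command from this guide to run. Note that the QUIC browser flags set through chrome://flags or edge://flags live in the user profile, so a device where QuicAllowed is not set can still have QUIC off for the signed-in user; the policy is simply the only way to verify it centrally.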

Once you disable IPv6 and prefer IPv4, as well as disable DNS over HTTPS (Secure DNS), you can Refresh the Health check tab and verify that all is green now.

Global Secure Access Client - Refresh Health Check

You could also verify the “Forwarding profile” tab to see which traffic forwarding profile is enabled (Microsoft 365, Private access, and Internet access).

Global Secure Access Client - Forwarding profile

Please note that you don't need to install and configure the Global Secure Access client manually on each device; you can automate the deployment with Microsoft Intune or Group Policy. Today the GSA client does not update itself, so a new version has to be downloaded and redeployed through Intune or Group Policy; Microsoft has said the update experience will change in the future.

Step 4: Create a Web Content Filtering Policy

In the next step, we must create a web content filtering policy.

1) Go to https://entra.microsoft.com and then browse to Global Secure Access (Preview).

2) Next, go to Secure and then select Web content filtering policies (https://entra.microsoft.com/#view/Microsoft_Azure_Network_Access/WebFilteringPolicy.ReactView).

3) Click “+ Create policy“, then give it a Name and Description. Leave the Action to default “Block“, then click Next > to continue.

Create a Web Content Filtering Policy

4) On the Policy Rules tab, click “+ Add Rule“. Give the rule a Name and for the Destination type, you can choose to Block/Allow based on WebCategory or FQDN. In this example, we will use WebCategory and block “Alcohol And Tobacco” websites. You can add more web categories as needed (such as Business, Entertainment, Education, and more), and then click Add.

Add Policy Rule

5) Click Next > to Review your policy and then click Create policy.

Create policy

Step 5: Create a Security Profile

Next, we have to create a security profile.

1) Within the Microsoft Entra admin center portal, under Global Secure Access (Preview), go to Secure and then select Security profiles (https://entra.microsoft.com/#view/Microsoft_Azure_Network_Access/FilteringPolicyProfiles.ReactView).

2) Next, select “+ Create profile“, then give it a Profile name and Description. Leave the State set to the default “Enabled“, and set the Priority number, which orders this security profile among the others. Please note that the built-in Baseline profile with priority 65,000 applies to all Internet traffic, including Remote Network traffic, and does NOT need to be linked to a Conditional Access policy to take effect. The priority must be unique (you cannot reuse one already assigned) and must be greater than 100.

Click Next > to continue.

Create a security profile

3) Then we need to link the policy rule that we created in the previous step. Click “+ Link a policy” and then select “Existing policy“. You can also create a new policy from here. In this example, we select the “GSA Web Filtering Policy” that we created above, and we’ll link it with Priority 100.

You can link more policies to the same security profile. For example, you could Allow “LinkedIn” with priority 100, Block “Social and Entertainment” sites with priority 200, and Block “YouTube” with priority 300. The policy with the lowest priority number always takes precedence, so in that ordering LinkedIn remains reachable even though the broader social category is blocked. Set the link State to Enabled, and then click Add.

Link a policy

4) Click Next > to Review your profile and then click Create a profile.

Create a profile

So the sequence is: create the web content filtering policy, link it to a security profile, and then apply the security profile to users, which is done through Conditional Access.

Step 6: Create a Conditional Access Policy

In the last step, we need to activate the Internet Access security profiles, to do that, we need to create a Conditional Access policy and link the security profile (that holds the effective configuration).

1) Go to Conditional Access | Policies blade under Protection.

2) Click “+ New Policy” and then give it a descriptive Name.

3) For the “Users“, select your target user(s) and group(s).

4) For the “Target resources“, set what this policy applies to to Global Secure Access (Preview), and then select the Internet traffic profile as shown in the figure below.

New Conditional Access Policy

5) Next, select Session controls, then go to the bottom, select “Use Global Secure Access security profile” and choose the security profile that we created in the previous step as shown in the figure below, then click Select. Last, select On to enable the Conditional Access policy and click Create.

As a side note, keep the default Grant control at “Grant access“ rather than “Block access“: the security profile decides which sites are allowed or denied, whereas the Grant control applies to all Internet traffic matched by the policy, so “Block access“ would cut off the Internet for the targeted users.

Create New Conditional Access Policy

Now we are ready to test and verify the Internet Access and web content filtering for our users.

Test and Verify Web Content Filtering

Next, switch to the Windows Client machine and then open the Global Secure Access Client Advanced diagnostics from the taskbar, so we can see if we are acquiring traffic first. This is always a good practice to start with. As mentioned earlier, the diagnostics console on the client machine would be accessible with admin permissions only.

GSA Advanced diagnostics

Under the Hostname acquisition tab, you should see “internet.edgediagnostic.globalsecureaccess.microsoft.com“. As a best practice, check hostname acquisition and network traffic first: if the traffic is not acquired, you are looking at a traffic acquisition problem on the client (IPv6, QUIC, Secure DNS); if it is acquired, you can rule those out and look at what is happening in the Security Service Edge (SSE) service. This gives a clean split for troubleshooting.

Global Secure Access Client - Advanced diagnostics

Next, open your favorite browser and browse to the web category that you blocked. In this example, we blocked “Alcohol And Tobacco” websites, so if we try to browse the “www.bacardi.com” alcohol site, we will see that the traffic is denied. Bingo!!!

If you access a blocked site over HTTP, you will see a “DeniedTraffic“ message like the one below; for HTTPS sites the browser shows “Hmmm… can't reach this page“ instead, because the SWG can only inject a block page into unencrypted traffic and otherwise has to drop the connection. At this time, the block notification cannot be customized.

Denied Web Category Internet Traffic

We can verify under the Hostname acquisition tab that the Global Secure Access client acquired the traffic for the “www.bacardi.com“ and “www.marlboro.com“ websites that we just browsed.

Global Secure Access Client - Hostname acquisition
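To verify the policy from the client without clicking through each site by hand, here is an added PowerShell test harness (not from the original post or from Microsoft). It requests each URL in a constructed test matrix and classifies the outcome the way the text above describes: a “DeniedTraffic“ block page for HTTP, a failed connection for HTTPS, or a normal response when allowed. The blocked hostnames are the ones used in this guide; www.microsoft.com as the allowed control is an assumption.

```powershell
# Added example, not from the original post: exercises the web content filtering policy from
# the test client and classifies each result the way the guide describes. The blocked hostnames
# are the ones used in this guide; www.microsoft.com as the "allowed" control is an assumption.
# Requires the GSA client to be connected and the Conditional Access policy to be enabled.

function Get-WebFilterOutcome {
    param([string]$Url, [int]$TimeoutSec = 10)
    try {
        $resp   = Invoke-WebRequest -Uri $Url -UseBasicParsing -TimeoutSec $TimeoutSec -ErrorAction Stop
        $body   = [string]$resp.Content
        $status = [int]$resp.StatusCode
    }
    catch {
        # Invoke-WebRequest throws for 4xx/5xx as well; then a Response object and the body (in
        # ErrorDetails) are still available. A reset or timeout, which is what a blocked HTTPS
        # connection looks like through the SWG, carries no Response at all.
        $ex = $_.Exception
        $response = if ($ex.PSObject.Properties['Response']) { $ex.Response } else { $null }
        if ($null -eq $response) {
            return [pscustomobject]@{ Outcome = 'ConnectionFailed'; Detail = $ex.Message }
        }
        $body   = [string]$_.ErrorDetails.Message
        $status = [int]$response.StatusCode
    }
    # Over plain HTTP the SWG answers with a page that contains "DeniedTraffic".
    $outcome = if ($body -match 'DeniedTraffic') { 'BlockPage' } else { 'Allowed' }
    [pscustomobject]@{ Outcome = $outcome; Detail = "HTTP $status" }
}

function Test-GsaWebFilter {
    param(
        # Constructed test matrix: URL and the outcome expected once the block policy is active.
        [hashtable[]]$Cases = @(
            @{ Url = 'http://www.bacardi.com';    Expect = 'BlockPage' },
            @{ Url = 'https://www.bacardi.com';   Expect = 'ConnectionFailed' },
            @{ Url = 'https://www.marlboro.com';  Expect = 'ConnectionFailed' },
            @{ Url = 'https://www.microsoft.com'; Expect = 'Allowed' }
        )
    )
    foreach ($case in $Cases) {
        $r = Get-WebFilterOutcome -Url $case.Url
        [pscustomobject]@{
            Url      = $case.Url
            Expected = $case.Expect
            Observed = $r.Outcome
            Pass     = ($r.Outcome -eq $case.Expect)
            Detail   = $r.Detail
        }
    }
}

# Usage: run on the Windows client; every row should show Pass = True.
Test-GsaWebFilter | Format-Table Url, Expected, Observed, Pass, Detail -AutoSize
```

A blocked HTTPS site that unexpectedly reports “Allowed“ usually means the traffic was never acquired by the GSA client (check the Hostname acquisition tab first) rather than a mistake in the policy; an allowed site that reports “ConnectionFailed“ points at a general connectivity problem, so run the matrix once with the client paused to get a baseline.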

Network Access Traffic Monitoring

To monitor the traffic logs, go to Microsoft Entra > Global Secure Access > Monitor > Traffic logs. Make sure to add a filter, such as Action equals Block. The “Source IP“ column has been intentionally obscured for obvious reasons.

Traffic logs monitoring

If you want to have a look at the logs and apply KQL (custom queries), you need to ensure that the “NetworkAccessTrafficLogs” get forwarded to a Log Analytics workspace. You can enable this at Microsoft Entra > Identity > Monitoring & health > Diagnostics settings > then add a diagnostics setting (or edit an existing one).

Send "NetworkAccessTrafficLogs" to the Log Analytics workspace

Next, you can navigate to your Log Analytics Workspace > Logs and search the data on the “NetworkAccessTraffic” table.

With the following Kusto Query Language (KQL) query, you can analyze all traffic on the Internet traffic profile that was “Blocked“, grouped by destination FQDN so you can identify which destinations have the highest impact.

// Blocked Internet-profile traffic over the last 7 days, busiest destinations first
NetworkAccessTraffic
| where TimeGenerated > ago(7d)
| where TrafficType == "internet" and Action == "Block"
| summarize BlockedRequests = count(), Users = dcount(UserPrincipalName) by DestinationFqdn
| order by BlockedRequests desc
NetworkAccessTraffic Logs

There you have it. Happy Web Content Filtering using Microsoft Entra Internet Access!

In Conclusion

In this guide, we showed you how to test and evaluate Microsoft's secure web gateway solution, Microsoft Entra Internet Access, by configuring web content filtering to block a web category; the same steps apply to filtering FQDNs, including wildcards and custom domains.

Microsoft Entra Internet Access is a Secure Web Gateway (SWG) that safeguards users against threats on the public Internet and extends Conditional Access to Internet and Microsoft 365 traffic, with web content filtering, malware inspection, and TLS inspection among its features.

Thank you for reading my blog.

If you have any questions or feedback, please leave a comment.

-Charbel Nemnom-

About the Author
Charbel Nemnom
Charbel Nemnom is a Senior Cloud Architect with 21+ years of IT experience. As a Swiss Certified Information Security Manager (ISM), CCSP, CISM, Microsoft MVP, and MCT, he excels in optimizing mission-critical enterprise systems. His extensive practical knowledge spans complex system design, network architecture, business continuity, and cloud security, establishing him as an authoritative and trustworthy expert in the field. Charbel frequently writes about Cloud, Cybersecurity, and IT Certifications.