Microsoft Entra Internet Access (part of Global Secure Access) is Microsoft’s identity-aware Secure Web Gateway (SWG). It lets you inspect and control all internet/SaaS traffic using Conditional Access context (user, device, risk) and centralized, Zero Trust policies—without hair-pinning traffic through legacy VPNs or on-prem appliances.
What you’ll build
- Forward internet traffic from enrolled devices to GSA (Microsoft edge network)
- Enforce web content filtering, threat intelligence blocking, and tenant restrictions v2 for SaaS
- Deliver policies per user/group via Conditional Access (Universal CA)
- Preserve the original source IP in Entra logs (Source IP Restoration) for location/risk policies and CAE
- Monitor via GSA Dashboard, Traffic logs, and Deployment logs
Prerequisites (Licensing, roles, devices)
Licensing
- Internet Access requires Microsoft Entra Internet Access (standalone or included in Entra Suite) and an Entra ID base (P1/P2) license.
Admin roles
- Global Secure Access Administrator to configure GSA; Conditional Access Administrator to create CA policies. Follow least-privilege guidance.
Supported endpoints
- Windows 10/11 x64 (or Windows 11 Arm64), Entra joined or hybrid joined (not “registered” only). Windows 365 is supported. macOS, Android, and iOS clients are also available.
Known client caveats
- Disable Secure DNS (DoH/DoT/DNSSEC) in browsers; prefer IPv4; and avoid DNS-over-TCP via the browser DNS client. These are current limitations.
- The platform assumes standard ports for HTTP/S traffic (ports 80 and 443).
Setting Up Global Secure Access for Internet Access
In the Microsoft Entra admin center, navigate to Global Secure Access from the left-hand menu. This serves as the unified hub for managing both Internet Access and Private Access.
For more details, you can check out my earlier blogs covering Private Access and client configuration:
Step 1 Deploy the GSA connectivity client
The Global Secure Access (GSA) client captures traffic locally and forwards it based on your configured traffic-forwarding profiles.
Windows (Manual or Intune Deployment)
- In the Microsoft Entra admin center, go to Global Secure Access > Connect > Client download.
- Download the Windows installer.
- Install it manually (requires local admin rights) or deploy it silently through Intune.
Other Platforms
- Android/iOS: The client is packaged within Microsoft Defender for Endpoint (MDE). You can deploy and configure it using Intune.
- macOS: Follow the official deployment guide here:
In our case we installed the client manually.
The GSA Client has been successfully installed on my Windows 11 device and is now showing as connected to both Entra and Microsoft 365 (since the Microsoft 365 traffic profile is already enabled in my tenant).
After installing the GSA Client, you need to ensure that IPv4 is configured as the default protocol by updating the Windows Registry, and also disable QUIC in your browsers.
Configure IPv4 as Default via Registry
Open the Registry Editor: Press Windows + R, type regedit, and hit Enter. If prompted by User Account Control, click Yes.
Navigate to the following path: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters
Create a new DWORD (32-bit) Value:
Right-click on Parameters → New → DWORD (32-bit) Value. Name the new entry DisabledComponents.
Set the value: Double-click DisabledComponents and set its value to ffffffff (Hexadecimal).
Disable QUIC in Browsers
Google Chrome
Open Chrome and go to chrome://flags.
In the Search flags box, type quic. Locate Experimental QUIC protocol.
From the dropdown, select Disabled. Relaunch Chrome for the changes to apply.
Microsoft Edge
Open Edge and go to edge://flags. In the Search flags box, type quic. Locate Experimental QUIC protocol. From the dropdown, select Disabled. Relaunch Edge to complete the update.
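The same two client-side changes can be scripted. The block below is an added example (not from the original post or from Microsoft's GSA client): it writes the DisabledComponents value described above and reads it back, and, as an assumed alternative to the chrome://flags and edge://flags pages, sets the QuicAllowed browser policy key for Chrome and Edge so QUIC stays off for every user on the device. Run it in an elevated PowerShell session; the IPv6 change takes effect after a reboot.

```powershell
# Added example: apply the GSA client prerequisites from the post with PowerShell.
# Requires an elevated session. Reboot afterwards for the Tcpip6 change to apply.

$tcpip6 = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters'

# Registry DWORD values are written as signed 32-bit integers in PowerShell,
# so the hex value ffffffff from the post has to be passed as -1.
$disabledComponents = [Convert]::ToInt32('ffffffff', 16)

New-ItemProperty -Path $tcpip6 -Name 'DisabledComponents' `
    -PropertyType DWord -Value $disabledComponents -Force | Out-Null

# Read the value back and print it as hex so it can be compared with the post.
$actual = (Get-ItemProperty -Path $tcpip6 -Name 'DisabledComponents').DisabledComponents
'DisabledComponents = 0x{0:x8}' -f $actual

# Assumed alternative to the per-user flags pages: the QuicAllowed policy
# disables QUIC for all users of Chrome and Edge and cannot be re-enabled
# from chrome://flags or edge://flags while the policy is in place.
$browserPolicyKeys = @(
    'HKLM:\SOFTWARE\Policies\Google\Chrome',
    'HKLM:\SOFTWARE\Policies\Microsoft\Edge'
)
foreach ($key in $browserPolicyKeys) {
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name 'QuicAllowed' -PropertyType DWord -Value 0 -Force | Out-Null
    '{0}\QuicAllowed = {1}' -f $key, (Get-ItemProperty -Path $key -Name 'QuicAllowed').QuicAllowed
}
```

If you prefer the flags approach from the post, drop the second half of the script; the policy keys are only useful when the browsers are centrally managed.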
Step 2 Enable traffic forwarding for Internet Access
Go to Global Secure Access > Connect > Traffic forwarding. Under Internet Access, enable the profile. (Recommended) Also enable the Microsoft traffic profile so Microsoft traffic uses the optimal path and you avoid precedence conflicts.
Bypass logic & precedence note:
If you bypass a destination in the Microsoft profile, that traffic won’t be acquired by the Internet Access profile either. Bypassed Microsoft traffic exits natively.
Custom bypasses:
Use Internet Access > View policies > Custom Bypass to exclude specific FQDNs/IPs/ports when needed.

With Global Secure Access (GSA) traffic forwarding, you can assign a traffic forwarding profile to specific users or groups. This assignment helps limit the rollout to a defined scope, allowing you to enable the feature gradually and in a controlled manner.
If a traffic forwarding profile is already enabled, by default it applies to all users.
If you’re enabling a profile for the first time, it starts with zero users assigned.
The User and group assignments setting provides flexibility to safely roll out the feature to a smaller group before expanding it tenant-wide.
In my case I will assign the Internet Access profile to all users.
Notes on User Identity and Group Assignment
Keep the following considerations in mind when assigning users and groups:
- Traffic profiles are fetched for the Microsoft Entra user logged into the device, not the user logged into the GSA client.
- If no Entra user is logged in, the traffic profile is only fetched if the profile is set to apply to all users. (For example, if you log in as a local admin, you’re included as part of “all users.”)
- Multiple simultaneous logins on the same device are not supported.
- Group assignments are supported for Security groups and Microsoft 365 groups where the SecurityEnabled property is set to True.
- Nested groups are not supported. Users must be direct members of the assigned group to receive the profile.
Step 3 Create Web Content Filtering policy (block/allow categories & FQDNs)
One of the key introductory features of Microsoft Entra Internet Access for all apps is Web Content Filtering. This capability gives you granular control over web access by filtering based on categories or Fully Qualified Domain Names (FQDNs). By blocking access to known inappropriate, malicious, or unsafe sites, you help safeguard users and their devices, whether they’re working remotely or inside the corporate network.
When traffic flows through Microsoft’s Secure Service Edge (SSE), Entra Internet Access enforces security in two ways:
For unencrypted HTTP traffic, filtering is performed using the URL.
For encrypted HTTPS traffic (TLS), filtering relies on the Server Name Indication (SNI).
Web content filtering is applied through filtering policies, which are organized into security profiles. These profiles can then be linked with Conditional Access policies, enabling you to enforce protection in a policy-driven, contextual way.
To configure Web Content Filtering Policy Go to Global Secure Access > Secure > Web content filtering policies > Create policy.

In this example, I’ll demonstrate how to block AI-related websites and media streaming websites using Web Category filtering, and additionally, block WhatsApp Web by targeting its FQDN. In the Rules section, create a New Rule. Provide a descriptive Rule Name, then set the Destination Type to Web Category. From the available categories, select Artificial Intelligence and Streaming Media & Download, and then click Add.
Next, let’s create a rule using an FQDN by specifying whatsapp.com as the destination.
Click Next, then review your settings, and finally Save the Web Content Filtering policy.
Create a security profile
Security profiles act as containers for grouping multiple filtering policies. These profiles can then be linked to Microsoft Entra Conditional Access policies, making them user- and context-aware.
- A single security profile can include multiple filtering policies.
- A single security profile can also be linked to multiple Conditional Access policies.
This allows you to enforce web content filtering in a flexible, policy-driven way.
How Security Profiles Work
Policy grouping: Security profiles allow you to bundle multiple filtering rules and deliver them through Conditional Access.
Example: To block all news websites except msn.com for user anil@acmebh.com, you would:
- Create two web filtering policies (block all news, allow msn.com).
- Add them into a single security profile.
- Link that profile to a Conditional Access policy assigned to anil@acmebh.com.
Policy priority: Within a security profile, policies are processed in order of their priority numbers (100 is highest, 65,000 is lowest). This works similarly to traditional firewall rules.
- Best practice: Leave spacing of about 100 between priorities to give room for future adjustments.
- Multiple profiles: If multiple Conditional Access policies apply to a user, the associated security profiles are processed in priority order.
The Baseline Security Profile
Even if you don’t explicitly link a security profile to a Conditional Access policy, the baseline security profile always applies.
- It enforces policy at the lowest priority in the stack.
- It acts as a catch-all for all Internet Access traffic routed through the service.
Importantly, it still executes even if another Conditional Access policy links to a different profile.
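To make the priority rules concrete, here is an added example (not from the original post and not Microsoft's code) that models how security profiles and their filtering policies are walked in priority order, how evaluation stops at the first matching rule, and how the baseline profile sits at the bottom of the stack. It uses the "block all news except msn.com" scenario above; the profile names, priorities, the category lookup table and the hosts example-news.test and whatsapp.com's category are constructed for illustration.

```powershell
# Added example: a model of GSA security-profile evaluation order.
# Profiles are sorted by priority (100 is highest, 65000 is lowest; the
# baseline profile is last), policies inside a profile are sorted the same
# way, and the first rule that matches the destination decides the action.

$profiles = @(
    @{ Name = 'News exception profile'; Priority = 100; Policies = @(
        @{ Name = 'Allow msn.com';  Priority = 100; Action = 'Allow'; Type = 'fqdn';        Destinations = @('msn.com') },
        @{ Name = 'Block all news'; Priority = 200; Action = 'Block'; Type = 'webCategory'; Destinations = @('News') }
    ) },
    @{ Name = 'Baseline profile'; Priority = 65000; Policies = @(
        @{ Name = 'Block streaming'; Priority = 100; Action = 'Block'; Type = 'webCategory'; Destinations = @('Streaming Media & Download') }
    ) }
)

# Constructed stand-in for Microsoft's web categorisation service.
$categoryOf = @{
    'msn.com'           = 'News'
    'example-news.test' = 'News'
    'whatsapp.com'      = 'Instant Messaging'
}

function Resolve-GsaAction {
    param([string]$Fqdn, [hashtable[]]$Profiles, [hashtable]$CategoryOf)

    foreach ($profile in ($Profiles | Sort-Object Priority)) {
        foreach ($policy in ($profile.Policies | Sort-Object Priority)) {
            $match = switch ($policy.Type) {
                'fqdn'        { $policy.Destinations -contains $Fqdn }
                'webCategory' { $policy.Destinations -contains $CategoryOf[$Fqdn] }
            }
            if ($match) {
                # First match wins; evaluation stops here.
                return [pscustomobject]@{
                    Fqdn = $Fqdn; Action = $policy.Action
                    Profile = $profile.Name; Policy = $policy.Name
                }
            }
        }
    }
    # Nothing matched in any profile, baseline included: traffic is allowed.
    return [pscustomobject]@{ Fqdn = $Fqdn; Action = 'Allow'; Profile = '(none)'; Policy = '(no match)' }
}

'msn.com', 'example-news.test', 'whatsapp.com' |
    ForEach-Object { Resolve-GsaAction -Fqdn $_ -Profiles $profiles -CategoryOf $categoryOf } |
    Format-Table -AutoSize
```

With these priorities msn.com is allowed by the FQDN rule before the News category rule is reached, example-news.test is blocked, and whatsapp.com falls through every profile and is allowed. Swap the two priorities (allow at 200, block at 100) and msn.com is blocked, which is why the order, and the spacing of about 100 between priorities, matters.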
Creating and Linking a Security Profile
In the Microsoft Entra admin center, go to Global Secure Access > Secure > Security profiles.
Select Create profile. Enter a name and description, then click Next.
Choose Link a policy, then select Existing policy.
From the list, pick the web content filtering policy you previously created and click Add.
Select Next, review your configuration, and then choose Create profile. Finally, click Refresh to confirm the new profile appears on the profiles page.
Step 4 Create and Link a Conditional Access Policy
To deliver your security profile to end users or groups, you use a Conditional Access (CA) policy. Conditional Access acts as the delivery mechanism that makes Internet Access policies user- and context-aware. By linking security profiles through Session controls, you can enforce filtering based on user identity and access context.
Steps to create a Conditional Access policy:
In the Microsoft Entra admin center, go to Entra ID > Conditional Access.
Select Create new policy. Provide a name for the policy and assign it to a user or group.
Under Target resources, choose All internet resources with Global Secure Access.
Navigate to Session > Use Global Secure Access security profile, and select the security profile you created earlier. Click Select to confirm.
In the Enable policy section, set the toggle to On. Finally, click Create to save and activate the policy.
Step 5 Verify GSA policy enforcement
Now, let’s verify the policy status by attempting to access a few AI-related websites as well as WhatsApp Web to observe the results.
ChatGPT access blocked
When traffic reaches Microsoft’s Secure Service Edge, Entra Internet Access enforces controls using the URL for HTTP traffic and the SNI (Server Name Indication) for HTTPS traffic.
To test:
Use a Windows device with the Global Secure Access client installed and signed in with an Internet traffic acquisition profile.
Verify the client’s forwarding profile via Advanced Diagnostics and confirm traffic flows are being captured.
Browse to allowed and blocked sites, then review results in Global Secure Access > Monitor > Traffic logs.
Currently, blocked traffic shows as a plain text error for HTTP and a “Connection Reset” error for HTTPS.
Note: Web content filtering changes in Global Secure Access usually apply within 5 minutes, while updates made through Conditional Access can take up to one hour to take effect.
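The browse-and-check step can be scripted so that the result is recorded per destination. The block below is an added example (not from the original post) for a device that has the GSA client connected; it requests each URL and classifies the outcome the way the post describes it: an HTTPS block surfaces as a connection reset, an HTTP block as an error response, and an allowed site returns a normal status. whatsapp.com and msn.com come from the post; example.com is a placeholder for a plain-HTTP destination of your own.

```powershell
# Added example: probe destinations through the GSA client and classify the result.
# Works in Windows PowerShell 5.1 and PowerShell 7; no GSA-specific API is used.

$targets = @(
    'https://whatsapp.com',   # blocked by the FQDN rule created in Step 3
    'https://www.msn.com',    # expected to be allowed
    'http://example.com'      # placeholder plain-HTTP destination
)

function Test-GsaEnforcement {
    param([string[]]$Urls, [int]$TimeoutSeconds = 10)

    foreach ($url in $Urls) {
        $result = [ordered]@{ Url = $url; Outcome = ''; Detail = '' }
        try {
            $resp = Invoke-WebRequest -Uri $url -TimeoutSec $TimeoutSeconds -UseBasicParsing -ErrorAction Stop
            $result.Outcome = 'Allowed'
            $result.Detail  = "HTTP $($resp.StatusCode)"
        } catch {
            $msg = $_.Exception.Message
            if ($_.Exception.InnerException -and $_.Exception.InnerException.Message) {
                $msg = $_.Exception.InnerException.Message
            }
            if ($_.Exception.Response) {
                # An HTTP error status came back; for plain HTTP this is where
                # the GSA block text appears, so keep the code for inspection.
                $result.Outcome = 'HTTP error (inspect body)'
                $result.Detail  = "HTTP $([int]$_.Exception.Response.StatusCode)"
            } elseif ($msg -match 'reset|forcibly closed|connection was closed') {
                # Matches the "Connection Reset" behaviour for blocked HTTPS.
                $result.Outcome = 'Blocked (connection reset)'
                $result.Detail  = $msg
            } else {
                $result.Outcome = 'Inconclusive'
                $result.Detail  = $msg
            }
        }
        [pscustomobject]$result
    }
}

Test-GsaEnforcement -Urls $targets | Format-Table -AutoSize
```

Compare the table with Global Secure Access > Monitor > Traffic logs for the same time window; an "Inconclusive" row usually means the client was not connected or the policy had not propagated yet (up to 5 minutes for filtering changes, up to an hour for Conditional Access changes).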
This example shows how Microsoft Entra Internet Access handles traffic when web content filtering policies are applied.
The diagram below illustrates how these policies either block or allow access to internet resources.

GSA Internet Access Flow
- The Global Secure Access client connects to Microsoft’s Security Service Edge (SSE).
- The client redirects to Microsoft Entra ID for authentication and authorization.
- The user and device authenticate—seamlessly if a valid Primary Refresh Token (PRT) exists.
- Once authenticated, Conditional Access evaluates Internet Access rules and attaches the relevant security profiles to the token, enforcing authorization policies.
- Microsoft Entra ID presents the token to the SSE for validation.
- A tunnel is established between the client and SSE.
- User traffic is acquired and routed through the Internet Access tunnel.
- The SSE evaluates security policies in the access token, processing them by priority order. Policy evaluation stops once a matching web content filtering rule is found.
- The SSE enforces the matched policy.
- If the policy = Block → HTTP traffic returns an error, HTTPS traffic shows a connection reset.
- If the policy = Allow → traffic is forwarded to the intended destination.
Operating tips (waves, exceptions, coexistence)
- Roll out in waves (pilot → early adopters → broad). Microsoft’s deployment guides outline a pragmatic plan.
- Bypasses: Put true exceptions in Custom Bypass. Remember: Microsoft-profile bypasses supersede Internet Access.
- Client hardening: Use the registry key to prevent non-admins disabling the client. Track active devices in the Dashboard.
Conclusion
Microsoft Entra Global Secure Access – Internet Access provides a modern, cloud-native approach to securing internet and SaaS traffic. With identity-aware controls, web content filtering, and seamless integration with Conditional Access, it strengthens security while improving user experience, without relying on legacy VPNs or proxies.
In my upcoming blogs, I’ll dive deeper into TLS inspection policies, Threat Protection policies, and Threat Intelligence policies to help you get the most out of Entra GSA. Stay tuned!