Intro
Today we take a hands-on look at Microsoft Entra Internet Access. As explained in last week’s blog post, Microsoft Entra Global Secure Access will take over more and more tasks in the future, primarily replacing certain web-proxy and VPN-client use cases with a single client from Microsoft. That certainly carries risks and further increases vendor lock-in, but in return it gives us a one-stop solution that can be managed and controlled centrally.
Prerequisites
What are the requirements to use Entra Internet Access in the company?
- Entra built-in role (one of them):
  - Global Secure Access Administrator
  - Security Administrator
  - Global Administrator
- Microsoft Entra ID P1
- Microsoft 365 E3 (recommended for the Microsoft 365 traffic forwarding profile)
- Global Secure Access client (Windows and Android)
- Devices must be either Entra joined or Entra hybrid joined; Entra registered devices are not supported
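Before rolling the client out, it is worth checking the device-side prerequisites on a pilot machine instead of finding out after the install. The following PowerShell script is an added example and not part of the original post or of Microsoft's tooling: it reads the join state from `dsregcmd /status` (the `AzureAdJoined`, `DomainJoined` and `WorkplaceJoined` lines) and the OS architecture, and reports whether the device is Entra joined or hybrid joined (supported) or merely Entra registered (not supported). The function names and the derived `JoinType` labels are my own.

```powershell
# Added example (not from the original post): check a Windows device against the
# client-side prerequisites listed above. Assumes dsregcmd.exe is available
# (Windows 10/11) and that its "Key : Value" output lines can be parsed directly.

function Get-DsregState {
    # Parse every "Key : Value" line of dsregcmd /status into a hashtable.
    $state = @{}
    foreach ($line in (& dsregcmd.exe /status)) {
        if ($line -match '^\s*([A-Za-z]+)\s*:\s*(.+?)\s*$') {
            $state[$Matches[1]] = $Matches[2]
        }
    }
    return $state
}

function Test-GsaClientPrerequisites {
    $ds = Get-DsregState
    $entraJoined  = $ds['AzureAdJoined']   -eq 'YES'   # device is joined to the tenant
    $domainJoined = $ds['DomainJoined']    -eq 'YES'   # also joined to on-prem AD
    $registered   = $ds['WorkplaceJoined'] -eq 'YES'   # user-level registration only

    # Derive the join type exactly as the prerequisites describe it.
    $joinType = if ($entraJoined -and $domainJoined) { 'Entra hybrid joined' }
                elseif ($entraJoined)                { 'Entra joined' }
                elseif ($registered)                 { 'Entra registered' }
                else                                 { 'Not joined' }

    $arch = $env:PROCESSOR_ARCHITECTURE          # AMD64 is supported; ARM64 is not yet
    $result = [ordered]@{
        JoinType      = $joinType
        JoinSupported = $entraJoined              # registered-only devices are not supported
        Is64BitOS     = [Environment]::Is64BitOperatingSystem
        Architecture  = $arch
        ArchSupported = ($arch -eq 'AMD64')
        OSVersion     = [Environment]::OSVersion.Version.ToString()
    }
    $result.AllPrerequisitesMet = $result.JoinSupported -and $result.Is64BitOS -and $result.ArchSupported
    return [pscustomobject]$result
}

Test-GsaClientPrerequisites | Format-List
```

Run it in the context of the signed-in user, because `WorkplaceJoined` is reported in the user-state section of `dsregcmd /status`. The architecture check reflects the 64-bit-only limitation of the Windows client described further down in this post.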
Activate Global Secure Access (Preview)
The preview feature, Global Secure Access, must first be activated in the tenant before it can be configured. Here are the steps to do so:
- Activate one of the following Entra roles:
  - Global Secure Access Administrator
  - Security Administrator
  - Global Administrator
- Go to https://entra.microsoft.com
- On the left side navigate to Global Secure Access (Preview) -> Get started
- Click the blue Activate button
Note: Tenant onboarding takes a few minutes
- Tenant onboarding has been completed successfully
Configuration
Microsoft 365 access profile
We start with the first profile, the Microsoft 365 access profile. With this profile we ensure that the following services can be used through Microsoft Entra Internet Access without having to create additional allow-listings or policies:
- Exchange Online
- SharePoint Online and OneDrive for Business
- Microsoft 365 Common and Office Online (only Microsoft Entra ID and Microsoft Graph)
- To do this, open Global Secure Access (Preview) -> Traffic forwarding on the left-hand side.
- Enable the profile
You now have the option of viewing the predefined policies within the Microsoft 365 profile and adjusting their action if necessary: the preset value Forward can be changed to Bypass. Bypass means that Global Secure Access neither tunnels nor filters the defined destination; the client lets that traffic go straight to its final destination over the device's normal network path, so none of your rules are applied to it.
Internet access profile
In this step we enable and configure the second profile, the Internet access profile. In my opinion this is the far more interesting profile, as it is responsible for general Internet traffic and is where you define what should and should not be allowed.
- Go to Global Secure Access (Preview) -> Traffic forwarding
- Navigate to Internet access profile and activate
First Internet access policy
For demonstration purposes, I will show how to create an Internet Access Policy and apply it to the user via Conditional Access Policy.
Web content filtering policies
Together we will create our first web content filtering policy in the Entra admin center.
- Switch to the tab Global Secure Access (Preview) -> Web content filtering policies
- Press Create policy
Note: All websites is a default policy provided by Microsoft
- Define a name for your policy (in my case Block all websites) and the action type (Allow or Block)
- Add a new rule and define the destination as an FQDN or a web category
- Review and create the policy
Security profiles
In order for the newly created web content filtering policy to be applied, a security profile containing this filtering policy is required.
- Go to Global Secure Access (Preview) -> Security profiles
- Create a new security profile
- Define a name, state (enabled or disabled) and priority for this profile (a lower number means a higher priority)
- Link the web content filtering policy to this security profile
- Review and create this security profile
Conditional Access Policy
Finally, so that we can apply our web content filtering policy to a user or group of users, a Conditional Access policy is required.
- Navigate to Protection -> Conditional Access -> Policies
- Create a new policy
- The following settings must be set:
  - Users: All users, or Select users and groups
  - Target resources: Global Secure Access (Preview) -> traffic profile Internet traffic
  - Conditions: none
  - Grant: none
  - Session: Use Global Secure Access security profile -> choose your security profile
- Here is the final conditional access policy
Global Secure Access Windows Client
In order to use Global Secure Access, the corresponding client must be installed on the Windows device. Note that only 64-bit builds of Windows 10/11 are currently supported; ARM64 is on the roadmap and will follow later.
- Browse to Global Secure Access (Preview) -> Connect -> Client download
- Select Download Client
- Execute GlobalSecureAccessClient.exe on your Windows 10/11 device
- Sign-in with your Entra ID user account
- The Global Secure Access client on your Windows device is successfully installed and connected
Demo
Now everything has been set up in the Microsoft Entra admin center and the Global Secure Access client has been installed on the Windows device.
Now we want to see whether all websites are blocked in the browser, in my case Microsoft Edge.
Internet websites are successfully blocked on my Windows 11 device.
Important to know: In my lab environment, it sometimes took up to an hour for the policy to become active on the device. As Global Secure Access is still in public preview, this is acceptable for me.
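Because the policy can take a while to reach the device, a repeatable check beats clicking around in the browser. The following PowerShell script is an added example and not part of the original post: it probes a small set of URLs from the device and compares the result with what the policy should do, polling until everything matches or a deadline passes. The test matrix is constructed for a "Block all websites" policy targeted at the Internet traffic profile; Microsoft 365 endpoints are expected to stay reachable because they are handled by the Microsoft 365 access profile rather than the Internet access profile. A blocked HTTPS destination surfaces as a failed connection rather than as an HTTP status, so any failure is counted as Blocked. Function names and the sample URLs are my own choices.

```powershell
# Added example (not from the original post): probe whether the web content
# filtering policy is in effect on this device. The test matrix below is
# constructed for a "Block all websites" policy on the Internet traffic profile;
# adjust the URLs and expectations to your own policy.
$tests = @(
    @{ Url = 'https://www.bing.com/';       Expect = 'Blocked' },
    @{ Url = 'https://www.wikipedia.org/';  Expect = 'Blocked' },
    @{ Url = 'https://outlook.office.com/'; Expect = 'Allowed' }   # Microsoft 365 profile, not filtered
)

function Test-UrlReachable {
    param([string]$Url, [int]$TimeoutSec = 10)
    try {
        $null = Invoke-WebRequest -Uri $Url -UseBasicParsing -TimeoutSec $TimeoutSec `
                                  -MaximumRedirection 5 -ErrorAction Stop
        return 'Allowed'
    } catch {
        # HTTP error statuses and transport failures (reset, timeout) both land here.
        return 'Blocked'
    }
}

function Test-GsaFilteringPolicy {
    param($Tests)
    foreach ($t in $Tests) {
        $actual = Test-UrlReachable -Url $t.Url
        [pscustomobject]@{
            Url      = $t.Url
            Expected = $t.Expect
            Actual   = $actual
            Match    = ($actual -eq $t.Expect)
        }
    }
}

# Poll until every probe matches; this covers the delay before the policy lands on the device.
function Wait-GsaFilteringPolicy {
    param($Tests, [int]$MaxMinutes = 60, [int]$IntervalSec = 120)
    $deadline = (Get-Date).AddMinutes($MaxMinutes)
    do {
        $results = Test-GsaFilteringPolicy -Tests $Tests
        $results | Format-Table -AutoSize | Out-String | Write-Host
        if (-not ($results | Where-Object { -not $_.Match })) {
            Write-Host 'Policy is in effect as expected.'
            return $true
        }
        Start-Sleep -Seconds $IntervalSec
    } while ((Get-Date) -lt $deadline)
    Write-Warning "Policy still not in effect after $MaxMinutes minutes."
    return $false
}

Wait-GsaFilteringPolicy -Tests $tests
```

Run it as the user targeted by the Conditional Access policy on the device with the client installed and connected. An Allowed result for a destination you expect to be blocked most often means the policy has not arrived yet or that the destination is being bypassed rather than forwarded; a Blocked result for the Microsoft 365 probe points at a filtering rule that is broader than intended.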
Summary
With the hands-on tutorial about Microsoft Entra Internet Access, you should be able to roll out your first policies to a small group of employees in your environment for initial pilot tests.
Over the next few weeks, I will be discussing further options within the product of Microsoft Global Secure Access in further blog posts, stay tuned.