Microsoft Entra ID: Implementing Global Secure Access

Introduction

Microsoft Entra Internet Access is a sophisticated addition to the Global Secure Access suite, integrating seamlessly with Microsoft's ecosystem to offer robust Secure Web Gateway (SWG) capabilities. The feature focuses on monitoring and controlling web traffic from devices equipped with the GSA client, ensuring secure access to SaaS applications via comprehensive web content filtering policies. This initiative aims to enhance internet security and accessibility for organizations, paving the way for a safer digital environment.

Specific prerequisites must be fulfilled to effectively deploy Microsoft Entra Internet Access, including assigning the Global Secure Access Administrator role and configuring an Entra-joined Windows device. Following these preliminary steps, the process entails enabling the GSA for the tenant, activating the Internet Access Profile, and crafting security profiles alongside web content filter rules. The installation of the Global Secure Access Client on designated devices is a critical step, ensuring seamless integration and functionality.

Step 1. Before proceeding with the configuration, ensure that you have:

  • Assigned the Global Secure Access Administrator role to the appropriate personnel.
  • An Entra-joined Windows device for testing purposes.

Step 2. Log in to the Microsoft Entra portal (https://entra.microsoft.com/).

Step 3. Navigate to the GSA section.

Step 4. Select the option to Activate GSA for your tenant. This step is critical to activating GSA's features and capabilities within your environment.

The portal then confirms: "Tenant onboarding has been completed successfully. You can begin using the product."

Step 5. Go to the GSA configuration section, click on the "Connect" subsection, then select "Traffic forwarding".

Step 6. Enable the Internet Access feature at the tenant level. This action allows GSA to begin monitoring and controlling web traffic.

Step 7. In the Entra portal, navigate to the GSA section; under "Secure", select "Web Content Filtering policies" and click "Create policy". These policies will later be linked, through Security Profiles, to Conditional Access policies.

Step 8. Give the Web Content Filtering policy a name that reflects the targeted content and the desired action. For instance, if you're setting up Policy 1 to restrict access to social media platforms, a suitable name could be "Restrict - Social Media".

Proceed to determine the desired Action for the web content policy. You have two options:

  • Allow: This option permits access to the designated web content.
  • Block: This option denies access to the specified web content.

Since the objective is restricting access to Social Media, opt for the "Block" Action, then click Next.

Navigate to the "Policy Rules" tab, then select the "Add Rule" option.

In the popup window, assign a relevant and descriptive name to the rule. For instance, let's label it "Restrict - Social Media", since this rule pertains to content associated with social networking.

With "webCategory" selected as the destination type, the next step is to examine and choose the appropriate pre-defined web categories. In this instance, we searched for "social" and selected the "Social Networking" web category from the results, as it aligns best with our objective. Then click Add.

In the "Review" tab, carefully examine the configured web content filtering policy. Once satisfied with the settings, click "Create policy" to finalize the process.

Now that we have established all the requisite Web Content Filtering policies, we can transition to the next phase, Creating Security Profiles.

Step 9. In the Microsoft Entra portal, locate Global Secure Access, expand the "Secure" section, and select "Security profiles". Within the Security profiles page, initiate the creation process by clicking on "Create profile" to define our initial profile.

Next, decide on the profile's activation status. Since we intend to utilize this policy later, we will opt for "enabled."

Subsequently, a priority level for the Security Profile should be established, considering the recommended approach outlined at the beginning of this section. Remember that this priority applies to the entire Security Profile. Then click on Next.

Proceed to the "Link policies" tab, then select "Link a policy" to continue.

In this section, you have the choice to either create a new Web Content Filtering policy if needed or select an existing one that has already been defined. Since we have already configured our Web Content Filtering policies, we will opt for the "Existing policy."

In the fly-out pane, use the "Policy name" dropdown menu to select an existing Web Content Filtering policy we previously defined. In line with our earlier intentions for this Security Profile, choose "Restrict - Social Media".

Subsequently, define a priority for the Web Filtering rule within this profile, ensuring alignment with the best practices outlined at the beginning of this section. It's crucial to note that this priority is distinct from the one assigned at the Security Profile level and applies solely to the rules within this profile, especially if there are multiple rules.

Finally, designate an "Enabled" state for the rule. Then click on Add.

Once the Security Profile has defined all necessary content, click "Next" to advance to the "Review" tab.

In the "Review" tab, carefully review the configured Security Profile. Once you are satisfied with the settings, click "Create policy" to finalize the process.

Having configured the Security Profiles for our use case, we can proceed to the next section on Conditional Access.

Step 10: In the Microsoft Entra portal, go to "Protection" and select "Conditional Access". Inside the Conditional Access interface, initiate the policy creation process by clicking on "Create new policy" to define our initial policy.

In the new Conditional Access policy wizard, begin by providing a descriptive name for the policy, such as "Dev-Team Web Filtering - Restrict Social Media".

Next, under the "Users" section, narrow down the policy's scope to an Entra ID security group containing only members of the Dev Team.

In the "Target resources" section, choose the "Global Secure Access" resource, and then select the "Internet traffic" profile underneath.

In the "Session" section, find the option labeled "Use Global Secure Access security profile", and select the Security Profile that should be deployed within the scope of this policy. For this scenario, since we are still targeting the Dev Team, choose the "UK—Dev-Team" Security Profile that we defined previously. Then click Select.

Lastly, review the configured Conditional Access policy. Once satisfied with the content, enable it, and then click "Create" to finalize the setup.

Now that we have set up the required Conditional Access policies, we can move forward to the next section.

Demonstration

Installing the Global Secure Access client on Entra-joined Windows Device.

Step 11. To begin, in the Microsoft Entra portal, find the Global Secure Access client for Windows. Navigate to Global Secure Access, then expand "Connect" and select "Client download". On the Client download page, locate the "Windows 10/11" section and download the client by clicking on it.

Step 12. Once the download is complete, open the downloaded file to begin the installation process. Follow the on-screen instructions to install the Global Secure Access client on your Windows client machine.

Execute the GlobalSecureAccessClient.exe setup file. Agree to the software license terms.

Upon installation completion, users will see a prompt to log in with their M365 or Entra ID credentials. If their device is joined to Entra ID, their credentials will already be there, so they just need to click their account. This login step happens only the first time after installation.

Open the Global Secure Access Client and go to the Health check screen. Confirm that "Tunneling succeeded" for Internet Access is displayed as "Yes".

Verify that the client has successfully connected to the Global Secure Access service by checking the overview interface.

Check the system tray (Quick Access) to confirm the installation was successful: if the client icon is present and shows as running, the installation worked.

To test internet access, try opening a blocked website. If the policy applies, the connection is reset and the site does not load, which confirms that users in scope cannot reach Social Media sites.

Global Secure Access client Reporting Logs

Step 13. In the "Advanced diagnostics" section of the Global Secure Access client, go to the "Traffic" tab to see an overview of all recent traffic that has passed through the client endpoint. You can review the data, collect it, and export it to a CSV file.

In the Microsoft Entra ID portal, go to Global Secure Access, then click "Monitor" and select "Traffic logs." Here, we can see all the traffic passing through Global Secure Access for the connected endpoints and the actions taken. We can review and export this data to CSV or JSON files.
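As an added example (not part of the original article or a Microsoft tool), the following Python script shows the kind of review an administrator would run over a CSV export of the traffic logs from Step 13: counting blocked requests per user and policy, and flagging users who reached a destination the "Restrict - Social Media" policy blocks for others, which usually indicates a user outside the Conditional Access scope or a device without an active tunnel. The sample rows and their column names are constructed for the example; check the header of a real export before using it.

```python
import csv
import io
from collections import Counter, defaultdict

# Constructed sample resembling a Global Secure Access traffic-log CSV export.
# Column names are assumptions for this example, not a documented schema.
SAMPLE_CSV = """createdDateTime,userPrincipalName,deviceId,destinationFqdn,destinationPort,trafficType,action,policyName,policyRuleName
2024-05-01T09:00:01Z,alice@contoso.example,dev-01,www.facebook.com,443,internet,blocked,Restrict - Social Media,Restrict - Social Media
2024-05-01T09:00:05Z,alice@contoso.example,dev-01,github.com,443,internet,allowed,,
2024-05-01T09:01:10Z,bob@contoso.example,dev-02,twitter.com,443,internet,blocked,Restrict - Social Media,Restrict - Social Media
2024-05-01T09:02:00Z,bob@contoso.example,dev-02,outlook.office.com,443,microsoft365,allowed,,
2024-05-01T09:03:30Z,alice@contoso.example,dev-01,www.linkedin.com,443,internet,blocked,Restrict - Social Media,Restrict - Social Media
2024-05-01T09:04:00Z,carol@contoso.example,dev-03,www.facebook.com,443,internet,allowed,,
"""


def load_rows(text):
    """Parse the CSV export into a list of dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def blocked_by_user(rows):
    """Count blocked internet requests per user, broken down by policy name."""
    counts = defaultdict(Counter)
    for r in rows:
        if r["trafficType"] == "internet" and r["action"] == "blocked":
            counts[r["userPrincipalName"]][r["policyName"]] += 1
    return {user: dict(c) for user, c in counts.items()}


def blocked_fqdn_set(rows):
    """Destinations that the filtering policy blocked at least once."""
    return {r["destinationFqdn"] for r in rows if r["action"] == "blocked"}


def unfiltered_hits(rows, blocked_fqdns):
    """Users who were allowed to reach a destination blocked for others.
    A hit here is a scope gap to investigate: the user is likely not in the
    Conditional Access group, or the client tunnel was not active."""
    return [(r["userPrincipalName"], r["destinationFqdn"])
            for r in rows
            if r["action"] == "allowed" and r["destinationFqdn"] in blocked_fqdns]


if __name__ == "__main__":
    rows = load_rows(SAMPLE_CSV)
    print(blocked_by_user(rows))
    print(unfiltered_hits(rows, blocked_fqdn_set(rows)))
```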

Conclusions

Deploying Global Secure Access with Microsoft Entra ID for internet access provides robust security measures and streamlined management capabilities. By leveraging Microsoft Entra ID, organizations can ensure seamless authentication and access control for their users across various endpoints.

Through the Global Secure Access solution, administrators gain granular control over internet traffic, allowing them to enforce policies tailored to their organization's needs. Whether restricting access to certain websites or monitoring user activity, Global Secure Access offers comprehensive visibility and control. The integration of Microsoft Entra ID enhances the user experience by simplifying the authentication process. With single sign-on capabilities and seamless integration with Microsoft services, users can access resources securely without unnecessary friction.

Following these steps, you can successfully configure and deploy Global Secure Access within your organization, enhancing internet security and access control. Review and update your configurations regularly to adapt to evolving security threats and organizational needs.