Secure Web Access with Entra Internet Access | Travis Roberts | YouTubeToText
YouTube Transcript: Secure Web Access with Entra Internet Access
Summary
Core Theme
This video demonstrates how to configure web content filtering using Microsoft Entra Internet Access, a cloud-based security gateway that integrates with Entra Conditional Access to protect users and devices accessing internet resources.
In this video, we configure web content filters with Entra Internet Access.

Hello everyone, I'm Travis, and this is Ciraltos. Entra Internet Access is part of the Entra Suite. It provides a Conditional Access integrated secure web gateway used to safeguard users and devices. In this video, we take a look at what it is and how to deploy it. Before that, please like, subscribe and share with a friend. Click the bell icon for notifications of new content, and check out my courses on Azure Virtual Desktop, Windows 365 with Intune management, hybrid identities with Windows AD and Entra ID, and my latest course, a beginner's guide to the AZ-900, available at udemy.com. The links are below. And thank you, channel members, your support is appreciated.

Back to it. What is Entra Internet Access, what problems does it solve, and how do we deploy it? These are all the questions I'll try to answer in this video. Let's start with what it is. Entra Internet Access is an identity-centric web security gateway for software as a service applications and other internet traffic. It provides a hosted web content filter that integrates with Conditional Access and supports the Zero Trust framework. Entra Internet Access routes traffic through the Global Secure Access client. Security controls are performed once internet traffic reaches the Microsoft network. Internet connections, including Microsoft 365 traffic, are optimized by routing through the Microsoft edge network.

In a traditional network, users connect to a private network behind a firewall or some other security device. Those devices control what the users have access to. If we need to extend that functionality to remote users, we deploy a VPN solution that routes the traffic through the private network, out the firewall. That traditional model may not work well when users access company resources available on the internet with private and company-owned devices. We can't always deploy a VPN to those devices. If we could, forcing all traffic through the private network could use up a lot of bandwidth, CPU on the security equipment and increase latency on those user connections.

These are the problems Entra Internet Access addresses. We can put content filtering controls in place without forcing connections back to the private network. Let's use Windows 365 as an example. To filter web traffic, we need to deploy a private network that requires an Azure subscription, Azure virtual networking and other Azure resources. With Entra Internet Access, we can deploy the Global Secure Access client to that endpoint and configure all the policies from the Azure portal.
No Azure resources are required. Content filtering is an important functionality of firewalls and security gateways. Microsoft Defender for Endpoint and Azure Firewall have this functionality built in as well, so why not just use one of those? Entra Internet Access aims to provide valid categories to every endpoint on the internet, while Defender has a smaller list of categories, leading to more manual configurations, and Azure Firewall still requires the Azure infrastructure to support it. Entra Internet Access also has policy integration with Entra Conditional Access. Policy enforcement is at the cloud edge, and it supports many device platforms.

So how do we deploy and manage it? The first step to configuring Entra Internet Access is to enable traffic forwarding in the Global Secure Access client. There are two traffic forwarding profiles we'll enable coming up: the internet access profile and the Microsoft traffic profile. The internet access profile specifies the traffic that gets assigned to the Global Secure Access client and then tunneled to the Microsoft edge network for evaluation. We can add a bypass in the internet access policy. Use that to define IP addresses or fully qualified domain names that won't get passed to the Global Secure Access client for evaluation. The other profile is the Microsoft traffic profile. With this enabled, all Microsoft 365 traffic is assigned to the Global Secure Access client and routed to the Microsoft edge network.

Once we have the traffic forwarding profiles in place, we can configure the content filters. Web content policies include lists of allowed or denied rules that apply to web categories or fully qualified domain names. Those policies are added to a security profile. The security profile is then added to a Conditional Access policy. We can assign the policy to all users, a group of users or a specific user.

Let's look at the requirements before we jump into the demo. Entra Internet Access requires an Entra P1 or P2 license and is an add-on to those licenses. It comes with the Entra Suite or as a standalone product. The endpoint must have the Global Secure Access client installed. That's available for Windows 10 or 11, Android, iOS and macOS. It does not support the Windows 10 or Windows 11 multi-user OS; it only supports the single-user OS.

In the demo coming up, we configure Entra Internet Access web content filtering. The example uses an Entra hybrid joined client with the Global Secure Access client installed for testing. An Entra ID joined client would work as well. Let's jump into the Entra admin portal to get started.

Here we are in the Entra admin center. We'll start by enabling internet traffic forwarding with the internet access traffic forwarding policy. This policy routes traffic through the Global Secure Access client. This is how we can control internet access even if the user is not inside the organization's network.
Go to Global Secure Access, Connect, then Traffic forwarding. We have three profiles. We have the Microsoft traffic profile; this applies to all Microsoft traffic. We have a private access profile that works similar to a VPN. I have a couple other videos that dig into that; the link is below. And internet access: this policy applies to all internet traffic except the Microsoft traffic. That traffic uses the Microsoft traffic profile. Click View under internet access policies.

The custom bypass policy is where we define network locations and fully qualified domain names that are excluded from the profile, so destinations that should not apply to the policy, like VPN endpoints, internal IP addresses or known trusted IPs. Default bypass is predefined traffic that bypasses the profile. Next is Microsoft traffic bypass. This is a list of Microsoft traffic that the internet access profile bypasses. And finally is the policy for default acquired traffic. This is all traffic that is acquired or applies to the internet traffic policy. It's a wildcard or catch-all for any internet traffic. It's set to all HTTP and HTTPS traffic. We can only modify one custom bypass. We would use the custom bypass to add traffic we want excluded from the internet access profile. Traffic is evaluated from the top down. Once traffic matches the policy, the processing stops.
Let's add a site to the bypass. From custom bypass, we'll add a rule. We can select a fully qualified domain name, IP address, subnet or range of IP addresses. Notice as well you can use wildcards in the fully qualified domain name. For this example we'll use www.ipchicken.com. We'll save. We'll add another rule, and for this one client 10.0.0.0/24, and save. Now any traffic going to that site or subnet will hit the custom bypass rule and not get passed through the global secure client.

Let's close. Next, we'll assign a user or group to the traffic forwarding profile. Click View under user and group assignment. If we add a user or a group, the profile will apply to those users when they log into the device. If we choose everyone, it will apply to everyone logged into the device, local admins for example. Let's add a group. We'll go to add users and groups. Click None selected. That will pull up the window where we can select. We'll search for and add the test group. In this example it's called test group. We'll select, assign and close add users and groups.

Now that we have the assignment on the profile, let's enable it. From traffic forwarding, we'll simply enable the internet access profile. We'll get a message that we should enable the Microsoft traffic profile as well. Let's select the option to also enable that. Let's take a look at the Microsoft traffic policies. With this profile enabled, Entra Internet Access acquires Exchange, Skype and Teams, SharePoint and Microsoft online traffic. We can close. We also get a message that there are no users selected. Let's go to view user and group assignments, and here again we'll add our group. We'll add users and groups, select None selected, find the test group again. In this example the test group is test group. We'll select and assign, and we can close users and groups. That looks better.
Next, let's log into an Entra ID or Entra hybrid joined workstation to verify the profile. Here we are logged into a computer that's Entra hybrid joined. This would also work with a computer that's Entra ID joined. I logged into this computer with a user that's a member of the test group we added to the internet access and Microsoft traffic forwarding profile. This computer also has the Global Secure Access client for Windows installed. You can get that client from Client download under Connect in the Entra portal, or you can download it directly from aka.ms/GlobalSecureAccess-Windows. The client requires elevated privileges to install. You should also restart the client computer after you install the client. Once restarted, go to the Global Secure Access client and verify it's connected. We'll right-click on the Global Secure Access client and select Advanced Diagnostics. Viewing Advanced Diagnostics.
From Advanced Diagnostics, go to Health check. Make sure all checks are successful. If not, there's a link on the health check page with more information. For this example, I had to set IPv4 as preferred on the client and disable QUIC in Edge. Also, I had to start Edge as an admin to disable QUIC. Go to Forwarding profile. It shows the forwarding profiles applied. At the bottom we have Microsoft 365 and internet access rules associated with the profiles. If you don't see both, you may have to wait a few minutes and even restart the client for those changes to apply. If we view the internet access rules, at the top are the bypass rules we created for ipchicken.com as well as the subnet we added.

Let's go to Traffic. We're going to verify the rule is working. Let's start collecting traffic information and open a web browser and try to access a site on that. We'll go to an IP address on that subnet, 10.1.0.1. There's no site at this IP address. It's going to fail. We're just generating chicken and that works. We can close this and go back to Advanced Diagnostics. We'll stop collecting and remove the action equals tunnel, and if we search within the traffic we can see our attempt to go to the 10.1.0.1, and if we scroll bypass. And we also have the fully qualified domain name for IP chicken, and if we scroll over, that is also bypassed. That means the client and the bypass rules are working.

Next, let's see if we have any Microsoft 365 traffic channel the operator is equal and the value is Microsoft 365. We'll apply, and we do have some. If we scroll over, that's set to tunnel. This shows all the traffic specified in the Microsoft profile is tunneled for optimal routing to the Microsoft security service edge network.

Now that we know the client is working, let's close the client and move on to configuring the web content filter. Before we move on to creating the web content filter, let's open up a web browser, Edge for this example. Let's test a couple websites a company may want to block with content filters, and I'm going to keep this viewer friendly as well. vape.com, and that works, and let's try guns.com.
We can get to that site as well. Now let's enable the web content filter and see if we can block these sites. We'll close the web browser, and let's go back to the Entra portal. From the Entra portal, we'll go to Global Secure Access, Secure, web content filtering policy. Under web content filtering policies, there's a default policy that websites. We can close that and create a policy. Give it a name, block access for this example. You can add a description, and we'll leave the action to block. Go next to policy rules, and we'll add a rule. Give this a categories. Notice we have the option for web categories or a fully qualified domain name. We could use that to create a policy for specific websites we don't want blocked. Leave it set to web category, and we'll add alcohol and weapons. On the right of the categories there's a slider where you can view all of the different categories available. We're just using two for this example. We'll click add, next to review and policy. That creates the policy.

Now we need to create a security profile. Let's go to security profiles and create a profile. Give it a name, web profile for this example. You can add a description. We'll leave this enabled. You can also set a priority. It goes up to 65,000. Leave some room between each profile so you can insert one later if you need to. We'll go next to link policies, and we can use an existing policy. We'll select the one we just created and add. Next, go to review and create, and create the profile. That creates the profile that includes the web content filtering policy.

Now that we have the profile, we need to link that to a Conditional Access policy. From the Entra admin center, go to identity protection and Conditional Access. We're going to create a new Conditional Access policy. Give it a name, web access for this example. We'll add a group of users for testing. We have the option for none, all users, or select users and groups. We'll use select users and groups and find our user and group, add the group we're using for testing, the same one we applied to the traffic forwarding profiles, test group for this example. We'll select. Go to Target resources and select All internet resources with Global Secure Access. Then go to Session. From here, we'll select Use Global Secure Access security profile and select the profile we just created, web profile for this example. We'll select and set the policy to On; we want this enabled. We'll click Create, and that creates the Conditional Access policy that uses the security profile we just created. Applying a new security profile can take 60 to 90 minutes, and also changing a web content filter can take up to an hour. The video will pause here until the changes have taken effect.
Here we are back logged into the client with one more thing to do, and that is to test. Some time has passed and the profile has applied. Let's start by Diagnostics. From here we'll go to Traffic and start collecting. Next we'll open a web www.vapes.com. This time the page is blocked. We don't get a message from Entra Internet Access. Let's go back to Advanced Diagnostics, and let's apply a filter for the destination fully qualified domain it shows the connection is closed, and if we scroll to the right it shows the channel was internet access, so that's the internet access traffic forwarding rule, and the action is tunnel, meaning the traffic did pass through the Global Secure Access client. Also notice the destination port is 443. Let's do the vape.com. We'll set it to the fully vape.com vape.com use destination port 80. That may explain the difference in what was displayed when the traffic was blocked.

Now our web content filtering policy is in place. That is how to configure the Entra Internet Access web filter. That is how to configure web content filtering with Entra Internet Access. Please don't forget to like and