Deep Dive on Microsoft Entra Internet Access | John Savill's Technical Training | YouTubeToText
YouTube Transcript: Deep Dive on Microsoft Entra Internet Access
Summary
Core Theme
Microsoft Entra Internet Access is a new public preview solution that acts as a Secure Web Gateway, protecting users from malicious or unwanted internet content by routing traffic through the Entra edge for inspection and policy enforcement.
hey everyone in this video I want to
talk about the Microsoft Entra Internet
Access solution I mentioned it in a
previous video when I talked about the
security service edge but it was in
private preview at the time I couldn't
show a lot about it well now time of
recording it's public preview so I can
finally talk about it so if I think
about what is this solution actually doing
well we have the
internet and the internet is full of
wonderful places
we have all of these great wonderful
things there to bring us joy and
happiness and
productivity but there's also another
side to the internet there's a side to
the internet where it's not there are
these bad sad things decided to bring us
great misery and sadness and trying and
trick the users it's all gray and it's
horrible and so ultimately our goal when
we think about this solution is okay
there's the internet what I want to do
user sitting at their
machine I want to provide protection
from that I want to provide protection
on them clicking a link just looking at
some website and it goes to a bad site
maybe it's a phishing email with a link
hidden in it maybe it's a QR code that
is tricking them but I want to stop them
going to these bad sites or maybe it's
not even a bad site it's from a certain
corporate machine a certain environment
I don't want them leveraging or I need
some control around it because hey we
educate our users and ideally we would
protect them in the first place if it's
email we have Solutions in our email to
never see those links those QR codes in
the first place but nothing's perfect
things do get through and so if we think
well what is this actual
solution what we're focusing on here is
this Entra Internet Access and what it's
really providing me if I think about the
all up is it's a secure web Gateway so
if that is the internet what we're now
access and the goal would be I'm focused
on yes I'm focused on the general
internet so just
general sites but it might also be those
sites that are for example SaaS
Federated remember our
key goal if possible is if we think well
I have my
Entra tenant so we've got our
it it's using our Entra tenant for its
authentication it then becomes a known
application to Entra I can then apply very
very granular conditional access
policies to it so this is my preference
but maybe I can't do that maybe it
doesn't Federate maybe I didn't want to
for some reason and so now I can think
about well it's just general internet
sites it's non-federated SaaS and I want
to provide protection for them so now
that that path for the client would be
well instead of the path going hey
directly out to the internet well now
what's going to happen is that path
is going to go to this Edge and then go
through and at this Edge it's supposed
to be a magnifying glass I can't really
draw but the edge we can make decisions
on do we allow it or do we block that
traffic so this is what it's going to
provide anything on the client doesn't
have to be the web browser anything that
wants to talk to the internet is
actually going to go to the Entra edge
it will be inspected based on rules
we're going to create which will control
if it's allowed or blocked so this is
the whole point of the solution now I do
want to stress I'm talking about the
Microsoft Entra Internet Access there is
a separate set of Technologies leveraged
for Microsoft 365 traffic Microsoft 365
has its own capabilities and there are
some extra special things built into
Entra around controlling that they can
go into detail about hey stopping data
exfiltration and a whole set of other
things so I'm not talking about that I'm
going to talk about just the basic Entra
Internet Access solution
today okay so how do I actually get
going with this
solution as I talked about it's going to
now send that traffic over here to that
Entra
Edge and I can think of I'm going to
create these rules that will allow me to
Maybe group based on a category so
there's going to be a lot of well-known
categories built in there's going to be
fully qualified domain names I can
leverage and there's other things coming
on the road map and what I want to do is
really talk about these whole set of
capabilities in a lot more
detail so what's the step
one step one is well I need the
client to know hey internet traffic I
want to send it to this Entra Internet
Access Edge
solution so we have to get the client so
step one is to go ahead and install the
client so if we jump over to the portal
second now I'm using the Entra
portal so it's that
entra.microsoft.com and I'm going down to my
Global secure access
area and then from here I'm going to my
download and it's going to show me the
client now notice there are Android and
iOS and other things are coming out
today at time of recording the internet
access does not work for the iOS the
Android it's really focused on that
Windows client so I would go ahead and
download this client now once I've
downloaded the client I go ahead and
install that client and I install the
client using all of the regular me
I could install the client using Group
Policy I could install it using Intune
I could absolutely just manually install
it obviously that's not scalable I'm
going to install this GSA
client and when I install the GSA
client all I'll really see initially is just
this little icon so I'll see it in the
corner my GSA client it will be sitting
okay great so the client is installed
now what now one thing you will ask is
well how does it update today it doesn't
automatically update I would need to go
and get the new version and deploy it
with the updated Intune or the group
policy that will change in the future so
that whole update
experience is there's a road map
obviously I don't ever talk about future
things but that whole experience will
change very much and this client
authenticates so this client will now go
as part of my identity I choose who I
want to authenticate it as so the client will
now go to Entra and it's hey I need to
authenticate and just like everything
else it's going to generate me the
token my access token that it will send back
because all of the interactions with
that edge are always going to be
authenticated you think zero trust and
verify explicitly it's constantly going
to be using this as part of that
authentication to prove yes I am who I
say I am and as we're going to see it's
used for some other things as well but
it has that
authentication and if we just go and
look super super quickly so let's just
jump over for a
second so this is a machine and let me
just turn off my little logo
for a second so you can actually see all
the detail so down here in the bottom of the
screen there's its icon that is the
global secure access client now if I was
it it shows me some basic
status of that
client it's actually doing something
weird it's not overlaying properly but I
can see it's the M365 connected private
connected Internet connected and the version
and likewise if I let's close that I can
select Advanced Diagnostics and also I
guess while I was there if we right
click we do see hey I could log out and
log in as a different user we can pause
resume restart collect logs for
troubleshooting purposes then we have
this Advanced Diagnostics and it's the
Advanced Diagnostics that I've launched
over here like on back on so I don't
forget and we can see basic information
so I can see details about the
forwarding profile my client version and
at this point I'm going to go into more
detail about this but we have the health
check so if you're ever experiencing a
problem it's nice to go through the
health check and it's showing all of the
different steps that it has to go
through checking hey the edges are
reachable proxy everything is looking
good on this particular box so at this
point hey everything is looking good on my
client okay
perfect so how do I actually start
leveraging the
technology because that's just the base
component is there on the OS so that now
when I do a few other things instead of
my internet traffic going directly here
it's going to follow this path I don't
want it going and talking directly to the
Internet
so the first real step of the
configuration actually just give
ourselves a lot of space to let's move
all the way over here so we're doing a
whole bunch of configuration right now
in the Entra side and then ultimately at
the end you'll see hey it just all comes
together for the client
experience so the first thing I have to
do is say well I want to enable that GSA
client because the GSA client is also
used for things like the Microsoft Entra
Private Access it replaces the Azure AD
app proxy client and it's used for the
internet access so it's this single
client so I have to tell it which bits
of functionality do I want it to be
enabled for and so I'm going to say hey
of all the different
features I'm going to say yep I want to use
internet access so that's my step one I
have to tell the client yes you are
going to do internet access so if we go
and look in our configuration
because there all these different
areas if we look at our traffic
forwarding rule so I'm in that connect traffic
forwarding I tell it which profiles I'm
enabling so this is I've enabled the
internet access profile and you can see
it says hey it's all traffic except Microsoft
365 so this is that big first step to
start the
configuration and that is now on the
client remember that GSA client if I go
and look at the GSA client what that has
been responsible for is I have
forwarding profiles this tells it which
traffic goes where and we can see well
great there's those Microsoft 365
private access and internet access now
this is in public preview so I'm just
going to caveat what you're about to see
but it tells hey look certain traffic
bypass obviously it doesn't want to send
traffic to its own
Edge via the edge it would get stuck so
it's like don't don't send it to the
edge but everything else is going to
Tunnel now it's got some entries in here
I think for testing purposes
fundamentally but this one is the most
interesting to me good old
regex so this is the primary rule that is
telling which traffic is tunneled so
today we can see it is DNS based
again it's public preview my
understanding is IP rules will come as
well so I won't bypass it by doing an
nslookup and then just typing in an IP
today it's focused on that DNS name and
I can see it and I can only assume
someone in the UK does some testing and
they really should be being obviously
but you get the
idea um it's now configured this forwarding
profile that is telling it well which
traffic should be sent to that edge and
that's the important point now I cannot
change that that is part of the
configuration I do not set what I want
to send to that edge that's just part of
uh the core
capability so that's telling it now hey
the traffic I need to
send to the tunnel it's establishing
it's totally invisible to the client so
it's that layer 7 HTTP
HTTPS you're going to go and redirect
and I do want to really stress a point
here this is not a browser
extension this is everything in the
network stack on that machine so it
could be a program yes it could be stuff
I'm looking at the browser but it is at
the Machine level now anything internet
based instead of going that way is going
to go to our Entra Internet Access
Edge so it's really important to
understand that fact this is not just
hey when I'm surfing the web on a
browser it really is everything that I'm
going to do okay
perfect so
now I have to start
defining what are the things I want to
allow or I want to block I need to go
into those details and so the default is
it's just allowing the traffic so I need
to go in and create logical groupings
and if I think about it there's going to
be many different scenarios I'm going to
have where I want the same group of
sites so the first thing we do is we
create web filtering policies so I'm
going to start on this end and try and
give myself as much space as
possible so my step one well that I
policies now these web filtering
policies has come over here are really
just focused on I'm creating those
logical groupings of
categories and or fully qualified domain
names so I would think about okay well
I'm going to create a new web filtering
social and for each of these groups of
web filtering policies I specify a
certain action that I'm going to do so
block and then inside that I say hey
well I'm
including um category
X category y I'm including a certain
fully qualified domain name could have
some wildcards in there whatever I
want then I'm going to do uh another
policy I'll create another policy called uh
work and maybe for the work these this is
allow I'm specifying sites I want to
allow so that may have a different
category it's going to have its fully
qualified domain names and you get the
idea I kind of go on and on and then I
would create another
one just call this one group maybe this
one is
block and then all of its
rules so I'm going and creating these
logical groupings that I'm going to want
to use later on so let's go and look at the
portal
so I go and look at my
secure and I can see under here web
content filtering policies so I select
this now I've created some already you
can see within them there's a certain
number of
rules so if I was to look at stop social
and entertainment for example you can
see my action is to block so I only can
have one action could be allow or
block and what I'm doing here is well
it's web categories so I'm blocking
social networking games and sports and
then I've also added one that selects
gambling so I can select multiple
categories in one rule let's just create
a new
one and just call it test oh if I can
type the letters right call it test and
again I select is it allow or block then
in my policy rules I can add multiple
rules so I'm going to add a rule we'll
call this just again you would get this
very logical useful names not what I'm
doing but I can select web categories I
think there's currently 76 web
categories so hacking hate and
intolerance illegal drugs illegal
software violence image sharing Finance
you would select the one so I could
select multiple things in here I'm just
randomly selecting them whatever that is
Click add I could go and add some more
rules so I could say category Y and
again I want useful names really but
I'll just select some other
things I could also add in fully
qualified domain names and I can use
wildcards so I could say well
*.savilltech.com that's never any
good so I could put that in as well if I wanted
to you just add so it's just I'm
creating a really logical grouping that
I'm going to want to use again I've
already created these so I've got other
ones that blocks YouTube now YouTube has
youtube.com then there's studio and
YouTube Works a little bit funny so you
can see I added two fully qualified
domain names I added *.youtube.com and
youtube.com I've got another one that
allows so I created one that allows
specifically LinkedIn so anything
linkedin.com I'm allowing but I'm just
going through no savilltech.net
have the wildcards I have all these different
combinations but I'm going to end up
with these logical groupings so I've got
these four logical grouping some of them
are allow some of them are block and I
can see all of that detail right here so
these are just units of logical grouping
that I'm now going to be able to use
elsewhere okay now I want to start
thinking about let's combine those into
a certain profile that I actually want
to leverage and apply to different
groups of users so great we've created
the web filtering policy now I need to
do is create those security profiles so
now we'll go ahead and create our make
space security
profiles now once again they have a name
so I'm going to add a security profile
and again give it a useful name I'm just
here I give it a priority so we have to
track this a little bit and make more
sense when I show it to you but the
profile has a priority so this profile
I'm going to say has a priority of
110 and then I just link these web
filtering policies to it these were
defined as their own objects I'm going
to use them into a profile so I'm going
to say well the work one I'm going to
in and I give it a priority so this is
its relative priority within this
profile so this one has a priority of
one and that one give it a priority of
200 um now I'll create another one I'll
create a
profile two I'll give this one a
priority of
200 and once again I'll add some
I'll actually add this one in to here as
well I give that a priority of
100 um and also I'll add this one in
actually I just got to leave that one as it
is there's also a special
priority so I'm going to give a create a
profile just called General it could be
all I'm going to give this one a
65,000 and I'm going to add this one
in and I give that priority of 100 doesn't
matter this is special this one would
apply to all internet traffic whether
this profile is used as part of uh a
conditional access policy which we're
going to see in a second how we assign
these or not if I give this 6500 I
can only have one because the priorities
of each of these security profiles has
to be unique which is going to make
sense this one is general and applies to
everything now the reason we have
priorities within the profile we're
linking these is what if they conflicted
so for example this one allows let's say
fully qualified domain name
linkedin.com well this category here maybe
was social which blocked it
so if I just applied them and they had
equal weight what does it do with
LinkedIn so by having a priority within
the profile well this is a higher
priority so allowing LinkedIn comes
first and even though LinkedIn is then
blocked by social it's a lower priority
the one that allows it so it would have
the access and be allowed so that's why
we have the priorities and it makes
total sense we have groups of block and
allow well how should that
work then you can imagine scenarios will
occur where as a user there's going to
be multiple conditional access policies
apply to me I may have multiple profiles
applying to me well then what if the
profiles conflicted that's why the
profiles have a priority so again take
this scenario social was blocked
completely in this profile in this
profile social was blocked but it allowed
LinkedIn well this profile has a higher
priority than this profile which means
hey LinkedIn is still going to work
because the profile is higher than this
one that's why there's those two
sets within it it's just relative to
each other the profiles is hey if
there's a conflict between those so
let's go and see that and I think it
will make a lot more sense so we had the
web content filtering policies great
now we use them in a security
profile so I could just go ahead and create
one um
test enabled so I enable it and I have
to have a priority this has to be unique
I cannot have the same priority as one
I've used already so we can see here
I've got priorities 110 200 and
6500 so if I try and create a profile if
I select 110
if I actually went through I need test
it won't ultimately let me I don't know
when it does the check but it wouldn't
let me actually create it so
error profile with the same priority 110
already exists so it has to be unique
which makes sense I would not start at
one because what if something comes
along in the future that you need so I
like groups of like big gaps of 100s you
have a a huge 65,000 to play with notice
if I hover over the eye it's telling me
a special one if you use
6500 applies to all traffic it does not
need to be linked to a conditional
access policy so that 6500 is a special
one let's just say I'm going to say this
is 500 I'm not going to use this one
anyway and now I just go and Link the
policies so I can use an existing policy
I'll select it from the groups that I
have created
so I say hey block YouTube I remember
I'm giving it a relative priority within
the profile so maybe this one is
300 I could then add another
one that may be um allow LinkedIn I mean
obviously it's not conflicting but I'll
give that 100 so I'm creating that
relative priority within the profile so
that's the whole point of these and so
in my case
if we look at what I did my highest
priority let just expand all of these
out my highest
priority of
110 has three of those web filtering
policies in it the highest priority is
allow LinkedIn priority 100 the next is
stop social which would block LinkedIn
because it's that social category but a
higher rule within there allows it and then
I'm blocking
YouTube then I have another security
profile that just stops the
social but notice its priority of 200 is
less than this one that is 110 so if
they ever conflicted I'd still be able
to get allow Linked In if they apply to
the same user and then I've got this
6500 that will apply to everyone and we
want to block that trash savilltech.net no
one should look at that ever so you can
see how those things are really all
coming together to give those
protections so that's the point of
how really it just all comes together to
give that solution so great now we've
got profiles that actually include them
fantastic I need to use them so the last
step as applies to nearly everything
when I ever think of Entra conditional
create conditional access
policies so I'll create a conditional access
one I apply I have a certain Target it
could be a user I'll say it's applying
to user group one as well and be very
lazy and then what what is it targeting
is it an application well it's targeting
the global secure access and it's targeting
internet and then because it's using GSA
and internet I have to specify well
profile I'll use this one
now I can only have one this is not a I
can specify multiple profiles each
conditional access can use one profile
and remember we have the allow the
action we're going to
allow this is a very important point you
might think oh well most of these are
blocking I should set the conditional
access to block no the web filtering
policy takes care of the action The Edge
should do to the traffic if I say block
for remember internet access it's just
going to block access to the internet
completely like for the whole machine
never to use block I wouldn't even
really use things like uh require MFA
because again it's at the Machine level
those policies apply all up top level
internet not to the sites within this
policy so if I was to set this to
require MFA as soon as the client tried
to authenticate the first thing that
tries to talk to the internet it would
do MFA then so really my profile is just
going to say allow action and then I
could have another
policy conditional access 2 maybe it
targets a different group group two once
again it's GSA it's
internet my
profile be this
one okay it's always one one to one and
do not link you don't need to it applies
to everything the 6500 is special it's
always going to apply that's really the
key point in all of this so
let's show this as
well so great I've got my security
profiles now I would just go to my
regular conditional access create a new policy
policy
Target whatever users and groups you
would normally do but when I do Target
resources I'm targeting Global secure
access specifically I'm going to Target
internet and then the only thing I now
session I have to check down here on the
bottom use Global secure access let's
get rid of my little icon again it's
profile so I would select which one
remember I can only select one so maybe
I would select how social entertainment
profile stop so I'd select that one and
now that is
configured right there and those are the
steps that's really all I have to
do now what I was talking I probably
enforce the policy to on now normally
obviously Group Policy we always do
report only first um for this for the
testing I'm going to set these to on
to actually apply these to the checks my
grant is just grant
access once again if I select block and
maybe at the end I'll show it just to
frustrate myself it just blocks internet
it is not blocking the sites you don't
want that you need to Grant the access
the web filtering policies linked from
the security profile will take care of
allowing or denying the sites this
action right here is about internet
access so again if I was to select MFA
even it's just going to make me prompt
for MFA at the start of the first thing
that talks to the Internet it's not
about the site specifically today that
may change in the future but for now you
want to just grant
access so for me I have created a policy already
honestly it's very slow this morning
it's early on a Sunday waking up all
right so I created internet access for
John it's just
me it's internet
traffic and all I've
done is selected that social and
entertainment profile now just to remind
us the social and entertainment profile
was allowing LinkedIn stopping Social
stopping YouTube and then remember we
have that default for all that would
stop savilltech.net
so those are the rules so I'm blocking
social blocking entertainment I'm blocking
gambling we can see all of
those in here my
rules social games Sports gambling are
all blocked as part of those rules so
those things should all be impacting
me when I now try to do the things so
great I have created now those
conditional access
policies so how does this all come
together this is I guess the cool
before the client authenticates and it
gets this
token as part of that token each of
these has uh an ID has a security profile
identifier so what's now going to happen
is when this does this authentication
and when it goes and gets that
token that is now updated the token gets
the security profiles IDs added to it
that are being applied so that profile
one this token was actually happening here
is what color should I use use this this
one is getting
added to my
token and obviously there were multiple
conditional access policies that applied
each with their own then there could be
a list of these added to my token so now
this client its token has the security
profile IDs as entries in its token and
that's so it's got these claims for the
security profile ID that's the
huge part here so now what's actually
happening when this client gets
redirected to that Enterprise
token gets sent along with it so now
that Entra Internet Access again I think
this is really
Edge when I talked about this magnifying
glass allowing or denying what it's
looking at are the IDS cuz remember it's
got this like
id1 it's looking at okay well what are
token that controls the traffic that's
going to control is it allowed or not
and that's really the key point of
how this is
working follow the structure through we
created web filtering policies which are
logical groupings of categories or
fully qualified domain names that we may
want to use maybe multiple times
different places we put those into
security profiles they have their own
priority within the within it in case
they conflict and what should win then
the profiles themselves have a unique
priority because what if I get multiple
profiles which one should win and then
ultimately we apply them by linking a
profile to a conditional access policy
just like we always do and then that
gets populated as a claim in the
token and then that constantly verifying
now because it is an access
token it's good for an hour so if I was
to create a new conditional access
policy or I changed the conditional access
policy to point to a different profile
it could take up to an hour to be seen
because the access token is good for an
hour now if I was to
change it's not good
if I was to
change what was linked in the profile
that just requires propagation through
the global Entra maybe that's 5 minutes
so I can change these things but if I
actually create a new conditional access
or I changed the profile well remember
it's the profile that gets linked in as
a claim in my token I have to let that
expire so that could be up to an hour if
I create a new conditional access or I
changed the profile it links to so
that's the timing involved
in that whole
process so
then does it work uh so let's try it so
if we jump over and we hope it does work
this will be a terrible terrible demo so
if I go to my
machine so now let's think about
what we did so I'll open up the
browser so I blocked YouTube so youtube.com
can't reach
it nope and just to prove internet is
working if I go to savilltech.com
that works fine what about Studio
remember we did the
wildcard nope can't reach it what about
Twitter remember we had the social
twitter.com nope can't reach it what
about LinkedIn remember we had that
allow rule which was a higher
priority LinkedIn we can get to
awesome what about uh a gambling site
now I actually have to look this up
because I
don't know a lot of gambling sites so if
site can't get to it now you will notice
this one said denied whereas the others
it couldn't get to this was because this
was just a
HTTP I not secure so it can return a
different response if it's https it's
just like hey you can't get to it and
the same would apply if I do www.avc.edu
rule that's just HTTP it can just say
https then we'll see H can't reach the
page so you will today see a different response
on if it is https or http because it
impacts what it's allowed to do but you
I mean that that's it you see the client
experience it's totally seamless it just works
now what about if things uh are not
quite right if it's not working maybe as
you would expect so this agent remember
I P up the advanced host name
acquisition I could say start
collecting and what this is going to do
it's going to focus on the idea of well
what are the host names what's the DNS
that's being acquired when I'm trying to
do things so if I did the savilltech.net
again and also let's try uh Twitter
again and then we'll do one that
okay I could do stop so we can see hey yeah
look I can see the things it was trying
to do so I can get an idea of the
actual um responses and if it was truly
going through the DNS I can also
look at the traffic so we'll start that
as well just go back to this page
twitter.com nope let's try the linkedin.com
yep and now we see a whole
bunch of connections we saw it hey it's
going to the edge so I can get all of
that detail of things that it's doing in the
background so I can see everything it's
trying to do if it's closed if it's
here so it's just a great way to see
everything that is happening on the
machine so this is super useful if
things don't work as you're
expecting now the other
thing I want I guess I did say okay so
while we're over here this is going to
break my environment but so you don't
break your
own if I go to my
policy internet access for John I'll
block and again we have to give it a few
minutes to propagate out through the intern
while we're doing that the other thing
we have available to us in the global secure access
is we have monitor we have audit logs
but I'm going to focus on these traffic
logs I can see the traffic across the
different types so internet private access
M365 so I'm going to focus on my internet
access from here I I can see a whole
bunch of communications to different
things but I could add a filter where
the action is
block and I can see all of that
detail yep the sports the gambling
site Facebook got blocked Sav tech.net
got blocked YouTube got
blocked so it's got this really nice set of
capabilities that I can go back and see
all of the detail and there's a little
bit of a delay so it's not going to show
up out here instantly in my playing
around I've seen it take maybe 15
minutes to show up again it's public
preview at time recording that could
absolutely change but there there is a
little bit of a delay but then I can go
and see all of that
detail so let's see I don't know if it's
been long enough let's see if I can
break my machine so what I would now
do I say log in as a different user so
it's signing me out
remember I applied that block policy
which remember is not just the sites
it's everything now internet traffic on
the machine so when it re
authenticates it's now going to go and
get a new access token and when I get
the access token that's when it's going
to tell me so I have to sign in again
out so I
have strong wols enabled I can't get
access so your sign-in was
successful but now I can't do anything
I'm I'm basically blocked out of
Internet so I can't even finish the sign in
anymore and it's going to get stuck
because I've essentially wiped out
internet on my machine so I would now
hastily uh come back to here change that
conditional access to one that isn't
junk and I would see the same if I did
MFA it would require it for basically
that client is this the first thing that
will get impacted when it gets the new access token
so it it wouldn't be that useful I
really think of the conditional access
its use and its power is to apply the
apply the security profiles I'm defining
I'm not using these to try and then do
additional MFA or block the block is in
the web filtering policy see so this
should just be allow that really is a
key Point make sure I'm doing allow in
these anything else is not that useful
obviously I can use it for the
granularity of which sites apply to
which groups maybe I get different rules
based on the device as well I might even
have different sites based on risk I'm
detecting all of that
applies but just the action it's no good
trying to do block or even MFA is not
particularly useful here because it's
applying to the all
up your connection to the
internet not the granular rules in the
claims so if I do block I just block it
getting into the internet which is a sad
day for this poor person that have a big frowny
face that's it so I hope this was useful
I hope it really makes it clear what's going
on I showed a lot of things I maybe
talked a lot about it but it's actually
pretty logical and simple hey create the
web filtering policies which are the the
categories and the fully qualified
domain names that make up a logical
grouping of
sites I can then use n number of those
in a security profile which is a certain
profile that I'm going to want to apply
to populations based on certain criteria
again those had a allow block they have
priorities for when there's going to be
those conflicts which should win out and
then hey I'm going to take those
profiles and apply them to those groups
of the population with all the normal
conditional access targeting groups
client device location risk all of those
apply it's just we make sure the action
is allow it's the policy that takes care
of if the site allowed or blocked that's
the key point and then it it would just
take effect and you saw how simple it
was I'm protecting the user doesn't
matter where the user is it could be
anywhere it's protecting them from those
bad things my policy hey can let it
through or it can block it um and that's
a solution I have no pricing information
at this time that will get released at
GA so there's no comment on that the
only thing I know is the internet access for
M365 that's just part of I think it's
the E3 license but again you should
validate that so that was it as always I
hope this was useful and I hope I can
now log into my client now said back to