This video demonstrates how to configure web content filtering using Microsoft Entra Internet Access, a cloud-based security gateway that integrates with Entra Conditional Access to protect users and devices accessing internet resources.
In this video we configure web content filters with Entra Internet Access. Hello everyone, I'm Travis and this is Ciraltos. Entra Internet Access is part of the Entra Suite. It provides a Conditional Access integrated secure web gateway used to safeguard users and devices. In this video we take a look at what it is and how to deploy it. Before that, please like, subscribe and share with a friend. Click the bell icon for notifications of new content, and check out my courses on Azure Virtual Desktop, Windows 365 with Intune management, hybrid identities with Windows AD and Entra ID, and my latest course, a beginner's guide to the AZ-900, available at udemy.com. The links are below, and thank you channel members, your support is appreciated.

Back to it. What is Entra Internet Access, what problems does it solve and how do we deploy it? These are all the questions I'll try to answer in this video. Let's start with what it is.
Entra Internet Access is an identity-centric web security gateway for software as a service applications and other internet traffic. It provides a hosted web content filter that integrates with Conditional Access and supports the Zero Trust framework. Entra Internet Access routes traffic through the Global Secure Access client. Security controls are performed once internet traffic reaches the Microsoft network. Internet connections, including Microsoft 365 traffic, are optimized by routing through the Microsoft edge network.

In a traditional network, users connect to a private network behind a firewall or some other security device. Those devices control what the users have access to. If we need to extend that functionality to remote users, we deploy a VPN solution that routes the traffic through the private network and out the firewall. That traditional model may not work well when users access company resources available on the internet with private and company-owned devices. We can't always deploy a VPN to those devices, and if we could, forcing all traffic through the private network could use up a lot of bandwidth and CPU on the security equipment and increase latency on those user connections. These are the problems Entra Internet Access addresses: we can put content filtering controls in place without forcing connections back to the private network.

Let's use Windows 365 as an example. To filter web traffic we need to deploy a private network. That requires an Azure subscription, Azure virtual networking and other Azure resources. With Entra Internet Access we can deploy the Global Secure Access client to that endpoint and configure all the policies from the Azure portal. No Azure resources are required.

Content filtering is an important function of firewalls and security gateways. Microsoft Defender for Endpoint and Azure Firewall have this functionality built in as well, so why not just use one of those? Entra Internet Access aims to provide valid categories for every endpoint on the internet, while Defender has a smaller list of categories, leading to more manual configuration, and Azure Firewall still requires the Azure infrastructure to support it. Entra Internet Access also has policy integration with Entra Conditional Access. Policy enforcement is at the cloud edge, and it supports many device platforms.

So how do we deploy and manage it? The first step to configuring Entra Internet Access is to enable traffic forwarding in the Global Secure Access client. There are two traffic forwarding profiles we'll enable coming up: the internet access profile and the Microsoft traffic profile. The internet access profile specifies the traffic that gets assigned to the Global Secure Access client and then tunneled to the Microsoft edge network for evaluation. We can add a bypass in the internet access policy; we use that to define IP addresses or fully qualified domain names that won't get passed to the Global Secure Access client for evaluation. The other profile is the Microsoft traffic profile. With this enabled, all Microsoft 365 traffic is assigned to the Global Secure Access client and routed to the Microsoft edge network.

Once we have the traffic forwarding profiles in place we can configure the content filters. Web content policies include lists of allow or deny rules that apply to web categories or fully qualified domain names. Those policies are added to a security profile. The security profile is then added to a Conditional Access policy. We can assign the policy to all users, a group of users or a specific user.

Let's look at the requirements before we jump into the demo. Entra Internet Access requires an Entra P1 or P2 license and is an add-on to those licenses. It comes with the Entra Suite or as a standalone product. The endpoint must have the Global Secure Access client installed. That's available for Windows 10 or 11, Android, iOS and macOS. It does not support the Windows 10 or Windows 11 multi-user OS; it only supports the single-user OS.

In the demo coming up we configure Entra Internet Access web content filtering. The example uses an Entra hybrid joined client with the Global Secure Access client installed. For testing, an Entra ID joined client would work as well. Let's jump into the Entra admin portal to get started.

Here we are in the Entra admin center. We'll start by enabling internet traffic forwarding with the internet access traffic forwarding policy. This policy routes traffic through the Global Secure Access client. This is how we can control internet access even if the user is not inside the organization's network.
Go to Global Secure Access, Connect, then Traffic forwarding. We have three profiles. We have the Microsoft traffic profile; this applies to all Microsoft traffic. We have a private access profile that works similar to a VPN; I have a couple other videos that dig into that, the link is below. And internet access: this policy applies to all internet traffic except the Microsoft traffic; that traffic uses the Microsoft traffic profile. Click View under Internet access policies.

The custom bypass policy is where we define network locations and fully qualified domain names that are excluded from the profile, so destinations that the policy should not apply to, like VPN endpoints, internal IP addresses or known trusted IPs. Default bypass is predefined traffic that bypasses the profile. Next is Microsoft traffic bypass; this is a list of Microsoft traffic that the internet access profile bypasses. And finally is the policy for default acquired traffic. This is all traffic that is acquired by, or applies to, the internet traffic policy. It's a wildcard or catch-all for any internet traffic; it's set to all HTTP and HTTPS traffic. We can only modify one, the custom bypass. We would use the custom bypass to add traffic we want excluded from the internet access profile. Traffic is evaluated from the top down; once traffic matches a policy, the processing stops.
Let's add a site to the bypass. From Custom bypass we'll add a rule. We can select a fully qualified domain name, IP address, subnet or range of IP addresses. Notice as well that you can use wildcards in the fully qualified domain name. For this example we'll use www.ipchicken.com.
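As an added example (not code from the video or from Microsoft), here is a small Python model of the evaluation order just described: the profile's policies are walked top down, the first matching rule decides and processing stops, and whatever is left on HTTP or HTTPS is default acquired traffic. The rule entries, the placeholder contents of the predefined bypass lists and the sample destinations are constructed assumptions, not the real client's data.

```python
# Added example, not the video's or Microsoft's code: a model of how the internet access
# forwarding profile evaluates a destination (order and rule types from the transcript).
import fnmatch
import ipaddress
from typing import NamedTuple, Tuple

class Rule(NamedTuple):
    kind: str    # "fqdn", "ip", "subnet" or "iprange"
    value: str   # "*.example.com", "10.0.0.5", "10.0.0.0/8" or "10.1.0.1-10.1.0.50"
    action: str  # "bypass": excluded from the profile; "tunnel": sent to the GSA client

def rule_matches(rule: Rule, host: str) -> bool:
    """True if the destination host (an FQDN or a literal IP) matches the rule."""
    if rule.kind == "fqdn":
        # wildcards are allowed in FQDN rules; DNS names are case-insensitive
        return fnmatch.fnmatchcase(host.lower(), rule.value.lower())
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False  # a DNS name cannot match an IP-based rule
    if rule.kind == "ip":
        return ip == ipaddress.ip_address(rule.value)
    if rule.kind == "subnet":
        return ip in ipaddress.ip_network(rule.value, strict=False)
    if rule.kind == "iprange":
        lo, hi = (ipaddress.ip_address(p.strip()) for p in rule.value.split("-"))
        return lo <= ip <= hi
    raise ValueError(f"unknown rule kind: {rule.kind}")

# The profile's policies in the order shown in the portal. Only custom bypass is
# editable; the predefined lists are Microsoft's, so the entries below are placeholders.
POLICIES = [
    ("Custom bypass", [Rule("fqdn", "www.ipchicken.com", "bypass"),  # the demo's site
                       Rule("fqdn", "*.vpn.example.com", "bypass"),  # assumed VPN endpoint
                       Rule("subnet", "10.0.0.0/8", "bypass"),       # internal addresses
                       Rule("iprange", "203.0.113.10-203.0.113.20", "bypass")]),
    ("Default bypass", []),  # predefined by Microsoft, not modelled here
    ("Microsoft traffic bypass", [Rule("fqdn", "*.microsoft.com", "bypass")]),  # placeholder
]

def evaluate(host: str, port: int) -> Tuple[str, str]:
    """Walk the policies top down; the first matching rule decides and processing stops.
    Anything left on HTTP/HTTPS is 'default acquired' traffic and goes to the client."""
    for name, rules in POLICIES:
        for rule in rules:
            if rule_matches(rule, host):
                return rule.action, name
    if port in (80, 443):
        return "tunnel", "Default acquired traffic"
    return "bypass", "Not acquired (not HTTP/HTTPS)"
```

Because the first match wins, a broad custom bypass entry such as a whole private subnet silently takes precedence over everything below it, which is the behaviour to check when a site you expected to be filtered is not.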