Web content filtering empowers you to implement granular Internet access controls for your organization based on website categorization.
Microsoft Entra Internet Access’s first Secure Web Gateway (SWG) features include web content filtering based on domain names. Microsoft integrates granular filtering policies with Microsoft Entra ID and Microsoft Entra Conditional Access, resulting in filtering policies that are user-aware, context-aware, and easy to manage.
Currently, the web filtering feature is limited to user- and context-aware Fully Qualified Domain Name (FQDN)-based web category filtering and FQDN filtering.
Prerequisites
- The Global Secure Access Administrator role to manage the Global Secure Access features.
- The Conditional Access Administrator role to create and interact with Conditional Access policies.
- Complete the Get started with Global Secure Access guide.
- You must disable Domain Name System (DNS) over HTTPS (Secure DNS) so that network traffic can be tunneled according to the fully qualified domain name (FQDN) rules in the traffic forwarding profile. For more information, see Configure the DNS client to support DoH.
- Disable built-in DNS client on Chrome and Microsoft Edge.
- User Datagram Protocol (UDP) traffic (that is, QUIC) isn’t supported in the current preview of Internet Access. Most websites support fallback to TCP when QUIC cannot be established. For improved user experience, you can deploy a Windows Firewall rule that blocks outbound UDP 443: New-NetFirewallRule -DisplayName "Block QUIC" -Direction Outbound -Action Block -Protocol UDP -RemotePort 443
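The two client-side prerequisites above (blocking QUIC and disabling the browsers' built-in DNS client and Secure DNS) can be applied and checked from an elevated PowerShell session with a script like the following, added here as an example and not taken from the Microsoft article. It assumes the documented Chrome and Edge policy registry locations and value names, and it does not change the Windows DNS client's own DoH setting.

```powershell
# Added example (not from the Microsoft article). Run as Administrator.
# Registry paths and value names are the documented Chrome/Edge policy
# locations; the Windows DNS client DoH policy itself is not touched here.

# 1. Block outbound QUIC (UDP 443) so browsers fall back to TCP. Idempotent:
#    only create the rule when it does not already exist.
$ruleName = 'Block QUIC'
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Outbound -Action Block `
        -Protocol UDP -RemotePort 443 -Profile Any | Out-Null
    Write-Host "Created firewall rule '$ruleName'."
} else {
    Write-Host "Firewall rule '$ruleName' already present."
}

# 2. Disable the browsers' built-in DNS client and DNS over HTTPS by policy,
#    so name resolution goes through the OS resolver that the GSA client sees.
$browserPolicies = @(
    'HKLM:\SOFTWARE\Policies\Google\Chrome',
    'HKLM:\SOFTWARE\Policies\Microsoft\Edge'
)
foreach ($path in $browserPolicies) {
    if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
    New-ItemProperty -Path $path -Name 'BuiltInDnsClientEnabled' `
        -PropertyType DWord -Value 0 -Force | Out-Null
    New-ItemProperty -Path $path -Name 'DnsOverHttpsMode' `
        -PropertyType String -Value 'off' -Force | Out-Null
}

# 3. Verify: the rule's port filter should report UDP / 443, and each policy
#    key should show BuiltInDnsClientEnabled = 0 and DnsOverHttpsMode = off.
Get-NetFirewallRule -DisplayName $ruleName |
    Get-NetFirewallPortFilter |
    Select-Object Protocol, RemotePort
foreach ($path in $browserPolicies) {
    Get-ItemProperty -Path $path -Name 'BuiltInDnsClientEnabled', 'DnsOverHttpsMode' |
        Select-Object @{ n = 'Policy'; e = { $path } }, BuiltInDnsClientEnabled, DnsOverHttpsMode
}
```

Browsers pick up the policy values on their next restart; after that, the Traffic logs step later in this guide is the place to confirm that hostnames are being acquired.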
Enable internet traffic forwarding
First we need to enable the Internet Access traffic forwarding profile.
Create a web content filtering policy
- Go to Global Secure Access > Secure > web content filtering policy.
- Select Create policy.
- Enter a name and description, and then select Next.
- Select Add rule.
- Enter a name, select a web category or a valid FQDN, and then select Add.
- Valid FQDNs in this feature can also include wildcards using the asterisk symbol, *.
- Select Next to review the policy and then select Create policy.
Create a security profile
Security profiles are groupings of filtering policies. You can assign or link security profiles with Microsoft Entra Conditional Access policies. A single security profile can contain multiple filtering policies and be associated with multiple Conditional Access policies.
In this step, you will create a security profile to group filtering policies. Then, you will assign or link the security profiles with a Conditional Access policy to make them user or context-aware.
- Go to Global Secure Access > Secure > Security profiles.
- Select Create profile.
- Enter a name, description, state, and priority, and then select Next.
- Select Link a policy and then select Existing policy.
- Select the web content filtering policy you already created, and then select Add.
- Select Next to review the security profile and its associated policy.
- Select Create a profile.
- Select Refresh to refresh the profiles page and view the new profile.
Create and link Conditional Access policy
Create a Conditional Access policy for end users or groups and deliver your security profile through Conditional Access session controls. Conditional Access serves as the delivery mechanism for user and context awareness in Internet Access policies.
- Go to Identity > Protection > Conditional Access.
- Select Create new policy.
- Enter a name and assign a user or group.
- Select Target resources, and then select Global Secure Access from the drop-down menu.
- Select Internet traffic from the drop-down menu.
- Select Session > Use Global Secure Access security profile, and then choose a security profile.
- Choose Select.
- In the Enable policy section, ensure On is selected.
- Select Create.
User and group assignments
You can scope the Internet Access profile to specific users and groups. To learn more about user and group assignment, see How to assign and manage users and groups with traffic forwarding profiles.
Verify end user policy enforcement
Use a Windows device with the Global Secure Access client installed. Sign in as a user that is assigned the Internet traffic acquisition profile. Test that navigating to websites is allowed or restricted as expected.
- Right-click the GSA client icon in the system tray and select Advanced Diagnostics > Forwarding profile. Check that the Internet access acquisition rules are present, and that hostname acquisition and flows for the user's Internet traffic are being acquired while browsing.
- Browse to allowed and blocked sites and check if they behave correctly. Browse to Global Secure Access > Monitor > Traffic logs to confirm traffic is blocked or allowed appropriately.
The current blocking experience for all browsers shows a “Connection Reset” browser error for HTTPS traffic.