Block access using Baseline profile

POC scenario: Create a baseline policy applying to all internet access traffic routed through the service

Microsoft Internet Access baseline policy allows to configure filtering policies that apply to all traffic without linking to a Conditional Access policy. You can use the baseline profile to block web categories that no user in the organization should be allowed to browse, for example inappropriate sites.

Complete the following tasks to create this baseline policy to block an FQDN:

• Configure a block rule for a risky web category by creating a web filtering policy.
• Group and prioritize your web filtering policies by configuring the baseline profile.
• Use your test user to attempt to access the blocked site to confirm application of your rule.
• View activity in the traffic log.

Create a web filtering policy

1. In the Microsoft Entra admin center, go to Global Secure Access > Secure > Web content filtering policies > Create policy > Configure Global Secure Access content filtering.

2. On Create a web content filtering policy > Basics, provide the following details.

   • Name: Baseline Internet Access block rule.
   • Description: Add a description.
   • Action: Block.

3. Select Next.

4. On Create a web content filtering policy > Policy Rules, select Add Rule.

5. In the Add Rule dialog box, provide the following details.

   • Name: Baseline blocked web categories.
   • Destination type: webCategory.
   • Search: Select a few risky categories, confirm they are in the Selected items list.

6. Select Add.

7. On Create a web content filtering policy > Policy Rules, confirm your selections.

8. Select Next.

9. On Create a web content filtering policy > Review, confirm your policy configuration.

10. Select Create policy.

11. To confirm policy creation, view it in the Manage web content filtering policies list.

Configure the baseline profile

1. In the Microsoft Entra admin center, go to Global Secure Access > Secure > Security profiles. Select Baseline profile.
2. Click Edit Profile, and complete the following information on the Basics page.
   • Profile name: Baseline Internet Access Block Profile.
   • Description: Add a description.
   • State: enabled.
3. Select the Link policies page.
4. Select Link a policy. Select Existing policy.
   • In the Link a policy dialog box, select Policy name and select Baseline Internet Access block rule.
   • Priority: 100.
   • State: Enabled.
5. Select Add.
6. On Link policies, confirm Baseline Internet Access Block Rule is in the list.
7. Close the baseline profile.

Attempt to access blocked sites

1. Sign in to the test device where you installed the global secure access (GSA) agent.
2. To confirm blocked access, attempt to open the FQDN you blocked. It can take up to 20 minutes for the policy to apply to your client device.

View activity in the traffic log

1. In the Microsoft Entra admin center > Global Secure Access > Monitor, select Traffic logs. If needed, select Add filter. Filter when User principal name contains testuser and Action set to Block.
2. Observe the entries for your target FQDN that show traffic as blocked and then allowed. There may be a delay of up to 20 minutes for entries to appear in the log.