Block certain web categories
POC scenario: Block social networking sites for a group of users
Use Microsoft Entra Internet Access to block or allow access to Internet sites based on category. Manually managing blocklists isn't required. In this scenario, we block Social Networking sites for a group of users.
Complete the following tasks to configure the scenario:
- Configure a block rule for category sites. Create a web filtering policy.
- Group and prioritize your web filtering policies. Create a security profile.
- Configure your test group, with the test user, to use the security profile. Create and assign a Conditional Access policy.
- Confirm rule application by using your test user to attempt to access a blocked site.
- View activity in the traffic log.
Create a web filtering policy
-
In the Microsoft Entra admin center, go to Global Secure Access > Secure > Web content filtering policies > Create policy > Configure Global Secure Access content filtering.
-
On Create a web content filtering policy > Basics, provide the following details.
- Name: Block Social Networking.
- Description: Add a description.
- Action: Block.
-
Select Next.
-
On Create a web content filtering policy > Policy Rules, select Add Rule.
-
In the Add Rule dialog box, provide the following details.
- Name: Social Networking.
- Destination type: webCategory.
- Search: Social Networking
- Select Social Networking.
-
Select Add.
-
On Create a web content filtering policy > Policy Rules, select Next.
-
On Create a web content filtering policy > Review, confirm your policy configuration.
-
Select Create policy.
-
To confirm policy creation, view it in the Manage web content filtering policies list.
Create a security policy profile
- In the Microsoft Entra admin center, go to Global Secure Access > Secure > Security profiles. Select Create profile.
- On Create a profile > Basics, provide the following details.
- Profile name: Internet Access Profile.
- Description: Add a description.
- State: enabled.
- Priority: 1000.
- Select Next.
- On Create a profile > Link policies, select Link a policy.
- Select Existing policy.
- In the Link a policy dialog box, provide the following details.
- Policy name: Block Social Networking.
- Priority: 1000.
- State: Enabled.
- Select Add.
- On Create a profile > Link policies, confirm Block Social Networking in list.
- Select Next.
- On Create a profile > Review, confirm your profile configuration.
- Select Create a profile.
Create a Conditional Access policy
- In the Microsoft Entra admin center, go to Protection > Conditional Access. Select Create new policy.
- In the New Conditional Access Policy dialog box, configure the following details.
- Name: Internet Access Policy.
- Users or workload identities: Specific users included.
- What does this policy apply to? Users and groups.
- Include > Select users and groups > Select Users and groups.
- Select your test group > click Select.
- Target resources.
- Select "All internet resources with Global Secure Access".
- Leave the Grant control at default to grant access so that your defined security profile defines block functionality.
- In the Session dialog box, select Use Global Secure Access security profile.
- Select Internet Access Profile.
- In Conditional Access Overview > Enable policy, select On. Select Create.
Attempt to access blocked sites
- Sign in to your test device where you installed the GSA agent with a user included in the above test group.
- Attempt to open a Social Networking site to confirm blocked access. You should see DeniedTraffic for http websites and a Can't reach this page notification for https websites. It can take up to 20 minutes for the policy to apply to your client device.
View activity in the traffic log
- In the Microsoft Entra admin center > Global Secure Access > Monitor, select Traffic logs.
- If needed, select Add filter. Filter when User principal name contains testuser and Action set to Block.
- Observe the entries for your target FQDN that show traffic as blocked and then allowed. There can be a delay of up to 20 minutes for entries to appear in the log.