Implement Microsoft Entra Internet Access (Secure Web Gateway)
Implementation Effort: High
User Impact: High
Overview
In a Zero Trust security model, internet access must be governed by identity-centric, context-aware policies that protect users, devices, and data from internet threats regardless of location. Microsoft Entra Internet Access provides an identity-aware Secure Web Gateway (SWG) solution that delivers comprehensive security controls for SaaS applications and all internet traffic through integration with Microsoft Entra ID and Conditional Access.
Unlike traditional network-based security solutions that rely on network perimeters and implicit trust, Microsoft Entra Internet Access enforces security at the cloud edge based on user identity, device context, and risk signals. This approach ensures that security policies follow the user rather than being tied to network location—a fundamental principle of Zero Trust architecture.
Core SWG capabilities (see related guidance):
- Web content filtering and URL filtering (Preview) - Control internet access based on categories, URLs, and FQDNs (see NET_030)
- TLS inspection - Enable deep inspection of encrypted traffic for threat detection and policy enforcement (see NET_037)
- Network content filtering with file policies (Preview) - Monitor and control file transfers to prevent data exfiltration with basic and Purview-based DLP (see NET_038)
- Threat Intelligence filtering - Block known malicious destinations based on real-time threat intelligence feeds (see NET_039)
- Netskope integration - Extend capabilities through Netskope Advanced Threat Protection and Data Loss Prevention (see NET_040)
- Cloud Firewall (Roadmap) - Filter web traffic for non-standard protocols beyond HTTP/HTTPS (see NET_041)
- Secure Web and AI Gateway for Copilot Studio agents (Preview) - Apply network security controls to AI agent traffic (see NET_093)
- Prompt Shield (Preview) - Protect enterprise generative AI applications from prompt injection attacks (see NET_094)
Implementation approach:
- Enable Internet Access traffic forwarding profile to acquire internet traffic from Global Secure Access clients
- Create web content filtering policies based on organizational security requirements (categories, URLs, FQDNs)
- Configure TLS inspection with your own trusted certificate for deep packet inspection of encrypted traffic
- Enable threat intelligence filtering to automatically block high-severity threats
- Group filtering policies into security profiles with priority-based ordering
- Link security profiles to Conditional Access policies targeting "All internet resources with Global Secure Access"
- Assign users and groups to the Internet Access traffic forwarding profile
- Monitor policy enforcement through Advanced Diagnostics client and Traffic Logs
Security profiles and policy processing: Security profiles are objects used to group filtering policies and deliver them through Conditional Access. Within a security profile, policies are enforced according to priority ordering (100 = highest priority, 65,000 = lowest priority). The baseline security profile applies to all traffic as a catch-all policy, even without Conditional Access assignment, ensuring consistent security enforcement across all internet-bound traffic.
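The priority ordering and baseline catch-all described above, and the profile-building steps in the implementation approach, can be checked against a small model before policies are deployed. The following is an added example, not Microsoft's engine or API: it assumes a simplified evaluation (Conditional Access-assigned profiles first, then the baseline profile, lowest priority number wins inside a profile) and uses constructed FQDNs, categories and policy names.

```python
from dataclasses import dataclass, field
from fnmatch import fnmatch

# Simplified model of security-profile policy processing (assumption, not the
# product's own engine): each policy link carries a priority where 100 is the
# highest and 65,000 the lowest; within a profile the highest-priority matching
# policy wins, and the baseline profile is the catch-all consulted last.
BASELINE_PRIORITY = 65_000

@dataclass
class FilteringPolicy:
    name: str
    action: str                # "allow" or "block"
    fqdns: tuple = ()          # FQDN patterns such as "*.vendor.example" (constructed)
    categories: tuple = ()     # web categories such as "Gambling"

    def matches(self, fqdn: str, category: str) -> bool:
        return category in self.categories or any(fnmatch(fqdn, p) for p in self.fqdns)

@dataclass
class SecurityProfile:
    name: str
    links: list = field(default_factory=list)   # (priority, FilteringPolicy) pairs

    def evaluate(self, fqdn: str, category: str):
        for priority, policy in sorted(self.links, key=lambda link: link[0]):
            if policy.matches(fqdn, category):
                return policy.action, f"{self.name}/{policy.name}@{priority}"
        return None   # no policy in this profile applies

def resolve(assigned: list, baseline: SecurityProfile, fqdn: str, category: str):
    """Effective verdict: Conditional Access-assigned profiles first, then baseline, else allow."""
    for profile in (*assigned, baseline):
        verdict = profile.evaluate(fqdn, category)
        if verdict:
            return verdict
    return "allow", "no policy matched"

# Constructed sample: baseline blocks risky categories for everyone; a finance
# group's profile allows one vetted vendor FQDN ahead of that block.
BASELINE = SecurityProfile("Baseline", [
    (BASELINE_PRIORITY, FilteringPolicy("Block risky categories", "block", categories=("Gambling", "Hacking"))),
])
FINANCE = SecurityProfile("Finance users", [
    (100, FilteringPolicy("Allow vetted odds-data vendor", "allow", fqdns=("*.odds-vendor.example",))),
    (200, FilteringPolicy("Block personal file sharing", "block", categories=("File Sharing",))),
])
```

Running `resolve([FINANCE], BASELINE, "api.odds-vendor.example", "Gambling")` returns the allow from the finance profile at priority 100, while the same category on an unlisted FQDN falls through to the baseline block; swapping the two priorities reverses the outcome, which is the misordering this check is meant to surface.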
Reference
- Learn about Microsoft Entra Internet Access for all apps
- How to configure web content filtering
- Known limitations for Global Secure Access
See Also
- Configure web content filtering and URL filtering (Preview)
- Enable and Configure TLS inspection
- Configure network content filtering with file policies (Preview)
- Implement Threat Intelligence filtering
- Integrate Netskope Advanced Threat Protection and Data Loss Prevention
- Implement Cloud Firewall capabilities (Roadmap)
- Configure Secure Web and AI Gateway for Copilot Studio agents (Preview)
- Protect enterprise generative AI applications with Prompt Shield (Preview)