Base SWG: Onboard Internet Access Secure Web Gateway capabilities
Overview
To securely enable Internet access in a modern enterprise environment, organizations should implement an Internet Access profile and leverage Secure Web Gateway (SWG) capabilities, such as those provided by Microsoft Entra Internet Access. This approach ensures granular control, visibility, and protection for all outbound Internet traffic, regardless of user location or device.
When designing your Internet Access profile and SWG policies, consider the following steps:
-
Define a Baseline Policy for All Internet Access Traffic
Establish a default policy that applies to all traffic routed through Microsoft Entra Internet Access. This baseline should enforce essential controls, such as blocking access to known malicious sites, enforcing safe browsing, and logging all activity for auditing and compliance. The baseline ensures a consistent security posture across the organization, regardless of user group or device. -
Restrict Access by Category for Specific Users and Groups
Use Microsoft Entra’s identity-aware capabilities to apply differentiated policies based on user or group membership. For example, you can prevent specific users or groups from accessing website categories such as social media, gambling, or adult content when using managed devices. This targeted enforcement helps organizations reduce risk exposure and maintain productivity, while still allowing appropriate access for roles that require it. -
Block Access to Specific Fully Qualified Domain Names (FQDNs)
Extend control to the domain level by preventing users or groups from accessing certain FQDNs, regardless of site category. This is particularly useful for blocking known high-risk or non-business-related domains. With Microsoft Entra Internet Access, these restrictions can be dynamically enforced based on device compliance, user risk level, or other contextual signals.