
Configure Internet Access for remote networks (branch offices)

Implementation Effort: Medium

User Impact: Medium

Overview

In a Zero Trust security model, security controls must be enforced consistently regardless of where users connect from: a remote user's device running the Global Secure Access client, headquarters, or a branch office. Traditional branch office security often relies on local security appliances or on backhauling traffic to headquarters, which adds complexity, produces inconsistent policy enforcement, and hurts performance.

Microsoft Entra Internet Access for remote networks extends Global Secure Access capabilities to branch offices and remote locations through agentless connectivity: customer premises equipment (CPE) at the site establishes IPsec tunnels to the Global Secure Access cloud edge. This lets organizations apply the same identity-aware, cloud-delivered Secure Web Gateway (SWG) policies to branch office traffic that they enforce for individual users, giving a consistent security posture across all network locations without installing the Global Secure Access client on every device.

While securing Microsoft 365 traffic over remote network connectivity has been generally available, the capability now extends to full Internet Access traffic forwarding, enabling comprehensive SWG policy enforcement (web content filtering, threat intelligence, TLS inspection, file policies, etc.) for all internet-bound traffic from branch offices.

Key Zero Trust outcomes for remote network Internet Access:

  • Consistent SWG policy enforcement: Apply identical web content filtering, threat intelligence, TLS inspection, and file policies to branch office traffic as enforced for individual client users
  • Agentless branch office protection: Secure all devices at branch locations through network-level IPsec tunnels without requiring Global Secure Access clients on individual devices
  • Centralized policy management: Manage security policies centrally in Microsoft Entra admin center regardless of user location (individual remote users, headquarters, or branch offices)
  • Dual traffic profile support: Assign both Microsoft traffic profile (for M365 optimization) and Internet Access traffic profile (for full internet traffic) to remote networks
  • Identity-aware security at network edge: Enforce security controls at the cloud edge for branch traffic while maintaining visibility through enriched traffic logs
  • Simplified branch security architecture: Eliminate complex local security appliances and backhauling by routing traffic directly through Global Secure Access cloud edge

Implementation steps:

  • Create remote network in Global Secure Access (Connect > Remote networks)
  • Configure customer premises equipment (CPE) at branch office to establish IPsec tunnel to Global Secure Access
  • Verify remote network connectivity status in Microsoft Entra admin center
  • Assign Microsoft traffic profile to remote network for optimized M365 access (if applicable)
  • Assign Internet Access traffic profile to remote network for full internet traffic forwarding and SWG policy enforcement
  • Configure desired security policies (web content filtering, threat intelligence, TLS inspection, file policies) via security profiles
  • Security policies linked to the baseline security profile apply to remote network traffic automatically once the Internet Access profile is assigned
  • Monitor remote network traffic through Global Secure Access Traffic logs

Assignment methods: Remote networks can be assigned to traffic forwarding profiles using three methods:

  • When creating or managing a remote network in Microsoft Entra admin center (Remote networks > Traffic profiles)
  • When managing traffic forwarding profiles in Microsoft Entra admin center (Traffic forwarding > Add/edit assignments)
  • Using Microsoft Graph API with PATCH operations on /beta/networkaccess/branches/{id}/forwardingProfiles
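The implementation steps and the Graph API assignment method above, as an added end-to-end example written for this page; it is not code from the original page or from Microsoft. It assumes the Microsoft.Graph.Authentication module is installed, the signed-in account holds the Global Secure Access Administrator role and consents to the NetworkAccess.ReadWrite.All scope, and the remote network already exists under Connect > Remote networks. The branch ID is a placeholder, the request path is the one quoted above, and the `trafficForwardingType` and `connectivityState` property names and the `{ "value": [ { "id": ... } ] }` body shape are assumptions about the beta API that should be confirmed against the current Graph reference.

```powershell
# Added example (not from the original page or from Microsoft).
# Assumptions: Microsoft.Graph.Authentication installed; caller has the Global Secure
# Access Administrator role; the remote network already exists. $branchId is a
# placeholder. Property names trafficForwardingType / connectivityState and the
# PATCH body shape are assumed from the beta API and should be verified.

Connect-MgGraph -Scopes "NetworkAccess.ReadWrite.All" -NoWelcome

$base     = "https://graph.microsoft.com/beta/networkaccess"
$branchId = "00000000-0000-0000-0000-000000000000"   # placeholder remote network id

# 1. Discover the tenant's forwarding profiles and select the two we want by type,
#    rather than hard-coding profile ids (they differ per tenant).
$profiles = (Invoke-MgGraphRequest -Method GET -Uri "$base/forwardingProfiles" -OutputType PSObject).value
$m365     = $profiles | Where-Object trafficForwardingType -eq "m365"
$internet = $profiles | Where-Object trafficForwardingType -eq "internet"
if (-not $m365 -or -not $internet) {
    throw "Could not find both the Microsoft traffic and Internet Access forwarding profiles"
}

# 2. Assign both profiles to the remote network in a single PATCH. Send the complete
#    desired set so the request expresses the full intended state of the branch.
$body = @{ value = @(@{ id = $m365.id }, @{ id = $internet.id }) } | ConvertTo-Json -Depth 4
Invoke-MgGraphRequest -Method PATCH -Uri "$base/branches/$branchId/forwardingProfiles" `
    -ContentType "application/json" -Body $body | Out-Null

# 3. Verify the assignment by reading it back; do not trust a 2xx on the PATCH alone.
$assigned = (Invoke-MgGraphRequest -Method GET -Uri "$base/branches/$branchId/forwardingProfiles" -OutputType PSObject).value
foreach ($p in @($m365, $internet)) {
    if ($assigned.id -notcontains $p.id) { throw "Profile '$($p.name)' was not assigned to $branchId" }
}

# 4. Check the tunnel state before relying on policy: until the CPE has brought the
#    IPsec tunnel up, branch traffic is not reaching the cloud edge and no SWG policy
#    is being applied, whatever the profile assignment says.
$branch = Invoke-MgGraphRequest -Method GET -Uri "$base/branches/$branchId" -OutputType PSObject
if ($branch.connectivityState -ne "connected") {
    Write-Warning "Remote network '$($branch.name)' is '$($branch.connectivityState)'; check the CPE tunnel configuration"
} else {
    Write-Output "Remote network '$($branch.name)' is connected with profiles: $($assigned.name -join ', ')"
}
```

Step 4 is the check practitioners most often skip: a profile can be assigned to a remote network whose tunnel never came up, and the admin center would show the assignment as complete while no traffic is actually being inspected. Pair this with the Global Secure Access traffic logs (step 8 above) to confirm that entries tagged with the remote network are appearing.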

Important considerations:

  • Security policies linked to Conditional Access security profiles do not apply to remote network traffic; only policies linked to the baseline profile apply
  • Remote network traffic is not user-aware at the individual user level: the IPsec tunnel carries traffic for every device behind the CPE, so policies apply at the network/branch level and user- or group-scoped policies cannot be enforced on this traffic
  • TLS inspection requires the trusted certificate to be deployed to devices at branch locations (as with client-based deployments); devices that do not trust it will see certificate errors on inspected sites
  • Internet Access profile assignment enables full SWG capabilities for branch office traffic, extending beyond just M365 optimization
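The TLS inspection consideration above, as an added example written for this page (not code from the original page or from Microsoft): it installs the organization's TLS inspection root certificate into the machine Trusted Root store on a managed branch device, after pinning its thumbprint so a substituted certificate is rejected rather than silently trusted. The UNC path and thumbprint are placeholders; the script is assumed to run elevated on a Windows device, for example through a startup script or management tool.

```powershell
# Added example (not from the original page or from Microsoft).
# Assumptions: $certPath points to the root CA exported from the Global Secure Access
# TLS inspection settings (placeholder path); $expectedThumbprint is the thumbprint
# shown in the admin center (placeholder); runs elevated on a managed Windows device.

$certPath           = "\\branch-fs\deploy\gsa-tls-inspection-root.cer"   # placeholder
$expectedThumbprint = "0000000000000000000000000000000000000000"          # placeholder

# Load the file without trusting it yet, so we can validate before touching the store.
$ca = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($certPath)

# Pin the thumbprint: installing whatever file happens to be on a share into the
# Trusted Root store would let anyone who can write to that share intercept TLS.
if ($ca.Thumbprint -ne $expectedThumbprint) {
    throw "Thumbprint mismatch for $certPath ($($ca.Thumbprint)); refusing to install"
}

# Only a CA certificate belongs in the Root store; reject leaf certificates.
$basicConstraints = $ca.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] }
if (-not $basicConstraints -or -not $basicConstraints.CertificateAuthority) {
    throw "$certPath is not a CA certificate"
}

# Idempotent install: skip if the pinned certificate is already trusted.
$storePath = "Cert:\LocalMachine\Root\$expectedThumbprint"
if (-not (Test-Path $storePath)) {
    Import-Certificate -FilePath $certPath -CertStoreLocation "Cert:\LocalMachine\Root" | Out-Null
}

# Verify the store actually contains the pinned certificate.
if (Test-Path $storePath) {
    Write-Output "TLS inspection root '$($ca.Subject)' trusted on $env:COMPUTERNAME (expires $($ca.NotAfter))"
} else {
    throw "Certificate was not found in Cert:\LocalMachine\Root after import"
}
```

Deploy this only to managed devices that the organization controls. Guest and unmanaged devices on the branch network share the same tunnel and will be subject to the same TLS inspection policy, so without the certificate they will fail to connect to inspected sites; either exclude their traffic from inspection or keep them on a network segment that is not tunneled.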

Reference