
Configure web content filtering and URL filtering (Preview)

Implementation Effort: Medium

User Impact: Medium

Overview

In a Zero Trust security model, internet access must be governed by identity-aware, context-aware policies that enforce least-privilege principles regardless of user location or network. Microsoft Entra Internet Access provides Secure Web Gateway (SWG) capabilities through web content filtering, enabling organizations to control internet access based on website categorization, specific URLs (Preview), and FQDNs—all integrated with Microsoft Entra Conditional Access for user and context awareness.

Web content filtering empowers administrators to implement granular internet access controls that align with Zero Trust principles by combining network security with identity and context. Rather than relying solely on network-level controls, filtering policies are delivered through Conditional Access, ensuring that access decisions factor in user identity, device compliance, risk level, and location.

Key Zero Trust outcomes for web content filtering:

  • Category-based filtering: Block or allow access based on predefined web categories (e.g., social media, gambling, adult content)
  • URL and FQDN filtering: Apply granular controls using specific URLs (Preview) or FQDNs with wildcard support
  • User and context-aware enforcement: Deliver filtering policies through Conditional Access for identity-driven, risk-based controls
  • Security profile grouping: Group multiple filtering policies into security profiles for flexible policy management
  • Traffic monitoring and visibility: Monitor and log all internet traffic for compliance, security analysis, and policy verification

Implementation steps:

  • Enable the Internet Access traffic forwarding profile to acquire internet traffic
  • Create web content filtering policies based on web categories, URLs (Preview), or FQDNs
  • Create security profiles to group related filtering policies
  • Link security profiles to Conditional Access policies targeting "All internet resources with Global Secure Access"
  • Assign users or groups to the Internet Access traffic forwarding profile
  • Verify policy enforcement using the Advanced Diagnostics client and Traffic logs
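
As an added example (not Microsoft tooling and not code from this page), the final verification step can be scripted by checking an exported traffic log against the FQDN block rules you intended to enforce. The CSV column names, the sample rows, and the assumption that a `*.` wildcard matches subdomains but not the apex domain are constructed for illustration and must be mapped to your real export and confirmed against the product's behaviour.

```python
import csv
import io

# Intended block rules (constructed). "*.name" is ASSUMED to match any
# subdomain but not the apex itself; confirm the product's real semantics.
BLOCKED_FQDNS = ["*.gambling.example", "social.example"]

# Constructed sample of an exported traffic log; column names are assumptions.
SAMPLE_LOG = """user,destination_fqdn,action
alice@contoso.example,www.gambling.example,Block
bob@contoso.example,Bets.Gambling.Example.,Allow
carol@contoso.example,social.example,Allow
dave@contoso.example,notgambling.example,Allow
erin@contoso.example,gambling.example,Allow
"""

def normalize(fqdn):
    """Lower-case and drop a trailing root dot so comparisons are canonical."""
    return fqdn.strip().rstrip(".").lower()

def matches(rule, fqdn):
    """True if fqdn is covered by an exact or leading-wildcard FQDN rule."""
    rule, fqdn = normalize(rule), normalize(fqdn)
    if rule.startswith("*."):
        suffix = rule[1:]  # ".gambling.example": the dot enforces a label boundary
        return fqdn.endswith(suffix) and len(fqdn) > len(suffix)
    return fqdn == rule

def find_gaps(log_text, rules):
    """Return (user, fqdn, rule) for traffic a block rule covers but that was not blocked."""
    gaps = []
    for row in csv.DictReader(io.StringIO(log_text)):
        fqdn = normalize(row["destination_fqdn"])
        hit = next((r for r in rules if matches(r, fqdn)), None)
        if hit and row["action"].strip().lower() != "block":
            gaps.append((row["user"], fqdn, hit))
    return gaps

if __name__ == "__main__":
    for user, fqdn, rule in find_gaps(SAMPLE_LOG, BLOCKED_FQDNS):
        print(f"NOT ENFORCED: {user} reached {fqdn} (rule {rule})")
```

A reported gap is a prompt to check scope as well as the rule: the user may not be targeted by the Conditional Access policy that carries the security profile, or may not be assigned to the Internet Access traffic forwarding profile.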
