Global Secure Access is Microsoft’s Security Service Edge (SSE) solution. It extends Microsoft Entra identity security controls all the way to the network edge, so users are protected wherever in the world they connect from. Global Secure Access also provides web content filtering: administrators can block access to websites by category or by FQDN (domain name) while users are connected through the Global Secure Access client.
How web content filtering in Global Secure Access works
Web content filtering with Global Secure Access works by enforcing network-level restrictions on access to websites while the user’s traffic is flowing through the Global Secure Access client. The filter only sees traffic the client forwards, so if the user pauses the client (which, by default, they can do without local admin rights, unless the client has been configured to restrict non-privileged users from doing so), the blocked sites become reachable again. For that reason, web content filtering is most effective when paired with the Microsoft 365 traffic forwarding profile and Conditional Access policies that require a compliant network for Microsoft 365 services: a user who pauses the client to get around the filter then also loses access to Microsoft 365, which removes most of the incentive to do so.
Web content filtering in Global Secure Access does not replace the web content filtering built into other products, such as Microsoft Defender for Endpoint, or third-party managed DNS filtering solutions; treat it as an additional layer rather than a replacement.
Prerequisites
To complete all of the steps to configure Global Secure Access and Web Content Filtering for Internet access, you will need to ensure you have the following roles in Microsoft Entra:
- Global Secure Access Administrator
- Conditional Access Administrator
These roles will enable you to interact with all of the required services to configure the solution.
If you haven’t already deployed the Global Secure Access client to your end-user devices, see my article, How to Deploy the Global Secure Access Client with Intune; for that step you will also need the Intune Administrator role. Deploying the client is not covered in this post.
Enable the internet traffic forwarding profile
The Internet access traffic forwarding profile tells the Global Secure Access client to forward internet-bound traffic (everything not already covered by the Microsoft 365 or Private access profiles) to Global Secure Access. Once the profile is enabled and assigned, internet traffic from every assigned user’s device running the client is forwarded, so check the profile’s user and group assignment before enabling it in a large tenant. Follow the below steps to enable the Internet access profile:
- Log in to entra.microsoft.com.
- Expand Global Secure Access > Connect.
- Select Traffic forwarding.
- Check the box to enable the Internet access profile.
Using Microsoft Graph PowerShell
The internet access traffic forwarding profile can also be enabled using Microsoft Graph PowerShell.
# Reading and updating forwarding profiles requires the NetworkAccessPolicy.ReadWrite.All scope
Connect-MgGraph -Scopes "NetworkAccessPolicy.ReadWrite.All"
# The GUID below is the Internet access profile ID in my tenant; profile IDs differ per tenant,
# so list yours with GET https://graph.microsoft.com/beta/networkAccess/forwardingProfiles first
$uri = "https://graph.microsoft.com/beta/networkAccess/forwardingProfiles/063a63c1-050c-4f1d-b7fd-5855c7171c0d"
$body = @{
"state" = "enabled"
} | ConvertTo-Json
Invoke-MgGraphRequest -Uri $uri -Body $body -Method PATCH -ContentType "application/json"
Create a Web content filtering policy
The next step is to create a web content filtering policy. This is where you define which web addresses or website categories you want to block (or allow) for your end-users. Follow the below steps to create a new web content filtering policy:
1. Log in to entra.microsoft.com
2. Expand Global Secure Access > Secure, then select Web content filtering policies.
3. Click Create policy.
4. On the Basics page, define a name and the action (Allow or Block) you want the policy to apply to the target websites.
5. On the Policy rules page, click Add rule. In the pop-out window on the right, select the destination type as either webCategory or fqdn. Below I have opted to choose the Social Networking category, which I will block.
To block by FQDN, select fqdn as the destination type and enter the address you wish to block. Wildcards can be used, for example *.example.com to cover all subdomains.
6. Click Create policy.
Using Microsoft Graph PowerShell
The web content filter policy can also be created using Microsoft Graph PowerShell. The example below creates one policy with two rules: a webCategory rule for the SocialNetworking category and an fqdn rule using a wildcard.
# Creating filtering policies requires the NetworkAccessPolicy.ReadWrite.All scope
Connect-MgGraph -Scopes "NetworkAccessPolicy.ReadWrite.All"
$uri = "https://graph.microsoft.com/beta/networkAccess/filteringPolicies"
$body = @'
{
"name": "Block Social Media",
"policyRules": [
{
"@odata.type": "#microsoft.graph.networkaccess.webCategoryFilteringRule",
"name": "Social media",
"ruleType": "webCategory",
"destinations": [
{
"@odata.type": "#microsoft.graph.networkaccess.webCategory",
"name": "SocialNetworking"
}
]
},
{
"@odata.type": "#microsoft.graph.networkaccess.fqdnFilteringRule",
"name": "Online games",
"ruleType": "fqdn",
"destinations": [
{
"@odata.type": "#microsoft.graph.networkaccess.fqdn",
"value": "*.miniclip.com"
}
]
}
],
"action": "block",
"@odata.type": "#microsoft.graph.networkaccess.filteringPolicy"
}
'@
Invoke-MgGraphRequest -Uri $uri -Body $body -Method POST -ContentType "application/json"
Create a Security profile and link your Web content filter policies
Security profiles are applied to users through the use of Conditional Access policies. Web content filter policies are then linked to Security profiles to apply the required filtering. Follow the below steps to create a Security profile:
1. Log in to entra.microsoft.com
2. Expand Global Secure Access > Secure, then select Security profiles.
3. Click Create profile.
4. On the Basics page, define a name for the profile, the state and the priority. Note: the priority determines the order in which security profiles are evaluated when more than one applies to a user; the lower the number, the earlier the profile is evaluated. The built-in baseline profile sits at the lowest priority (65000), so give a broad catch-all profile a high number and your more specific profiles lower numbers so that they win.
5. On the Link policies page, select Link a policy > Existing policy. Choose your web content filter policy from the drop-down list, then define the priority and set the state to enabled.
(You can add multiple web content filter policies to your security profile)
6. Click Next, then Create a profile.
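The whole chain from this section and the earlier traffic forwarding section, as one added Microsoft Graph PowerShell script (an added example, not code from the original post or from Microsoft): it enables the Internet access forwarding profile, looks up the Block Social Media filtering policy by name rather than by a tenant-specific ID, checks that the chosen priority is free, and creates a security profile that links the policy. The profile name, the priority values and the shape of the filteringProfile and filteringPolicyLink request body are assumptions based on the Graph beta reference; check them against the current reference before running it.

```powershell
# Added example (not from the original post): builds the web content filtering chain end to end.
# Assumptions: the beta networkAccess endpoints and the filteringProfile/filteringPolicyLink
# request shapes match the Graph beta reference; names and priorities below are illustrative.

$graph           = "https://graph.microsoft.com/beta/networkAccess"
$policyName      = "Block Social Media"    # the filtering policy created earlier in the post
$profileName     = "Corporate web filter"  # illustrative name for the new security profile
$profilePriority = 200                     # lower number = evaluated first; baseline profile is 65000

# Reading and writing forwarding profiles, filtering policies and security profiles
Connect-MgGraph -Scopes "NetworkAccessPolicy.ReadWrite.All"

# 1. Make sure the Internet access forwarding profile is enabled; without it no internet
#    traffic reaches the filter, so the rest of the chain would have no effect.
$internet = (Invoke-MgGraphRequest -Uri "$graph/forwardingProfiles" -Method GET).value |
    Where-Object { $_.trafficForwardingType -eq "internet" }
if (-not $internet) { throw "No Internet access forwarding profile found in this tenant" }
if ($internet.state -ne "enabled") {
    Invoke-MgGraphRequest -Uri "$graph/forwardingProfiles/$($internet.id)" -Method PATCH `
        -Body (@{ state = "enabled" } | ConvertTo-Json) -ContentType "application/json"
    Write-Host "Enabled the Internet access forwarding profile"
}

# 2. Look up the filtering policy by name instead of hard-coding its ID.
$policy = (Invoke-MgGraphRequest -Uri "$graph/filteringPolicies" -Method GET).value |
    Where-Object { $_.name -eq $policyName }
if (-not $policy) { throw "Filtering policy '$policyName' not found; create it first" }

# 3. Refuse to reuse a priority that another security profile already has, so the
#    evaluation order stays unambiguous.
$existing = (Invoke-MgGraphRequest -Uri "$graph/filteringProfiles" -Method GET).value
if ($existing | Where-Object { $_.priority -eq $profilePriority }) {
    throw "A security profile with priority $profilePriority already exists; pick another value"
}

# 4. Create the security profile with the policy linked and enabled.
#    The link has its own priority, which orders policies within this profile.
$profileBody = @{
    name     = $profileName
    state    = "enabled"
    priority = $profilePriority
    policies = @(
        @{
            "@odata.type" = "#microsoft.graph.networkaccess.filteringPolicyLink"
            state    = "enabled"
            priority = 100
            policy   = @{
                "@odata.type" = "#microsoft.graph.networkaccess.filteringPolicy"
                id = $policy.id
            }
        }
    )
} | ConvertTo-Json -Depth 10

$profile = Invoke-MgGraphRequest -Uri "$graph/filteringProfiles" -Method POST `
    -Body $profileBody -ContentType "application/json"
Write-Host "Created security profile '$($profile.name)' ($($profile.id))."
Write-Host "Link it to a Conditional Access policy targeting Internet traffic to apply it to users."
```

The script stops rather than guessing whenever a prerequisite is missing (no Internet access profile, no policy with the expected name, a priority already in use), because a security profile that silently links the wrong policy or never gets evaluated is harder to notice than a failed script. The security profile still does nothing until a Conditional Access policy applies it, which is the next step.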
Create a Conditional Access policy and link your Security profile
A Conditional Access policy applies the security profile to its target users through a session control. While the user is connected through the Global Secure Access client and in scope of the policy, the session control and the linked web content filter policies apply to their internet traffic. Follow the below steps to create a Conditional Access policy with your Security profile linked:
1. Log in to entra.microsoft.com
2. Expand Protection and select Conditional Access.
3. Click Create new policy.
4. Include your target users, then on Target resources, select Global Secure Access from the first drop-down list, then on the second drop-down list, select Internet traffic.
5. Define your grant control, then on the Session controls section select Use Global Secure Access security profile and select your security profile from the drop-down list.
6. Enable the policy and click Create.
For guidance on creating Conditional Access policies with Microsoft Graph PowerShell, see my post: How to Create Conditional Access Policies with Microsoft Graph PowerShell.
The end-user experience
A few minutes after the Conditional Access policy is applied to the end user, the web content filter takes effect and access to the targeted websites is blocked. If a site is still reachable, check that the Internet access forwarding profile is enabled and assigned to the user, that the client is connected (not paused), and that the user is in scope of the Conditional Access policy.
By right-clicking the Global Secure Access client icon in the system tray, and then selecting Advanced Diagnostics, you can use the Traffic tab to monitor connections which have been blocked.