How to Configure Web Content Filtering with Global Secure Access

Global Secure Access is Microsoft’s SSE (Security Service Edge) solution. It extends the identity-centric controls of Microsoft Entra all the way to the network edge, so users are protected wherever in the world they connect from. Global Secure Access also provides web content security by allowing administrators to block access to websites by category or by FQDN (domain name) while users are connected through the Global Secure Access client.

How web content filtering in Global Secure Access works

Web Content Filtering in Global Secure Access enforces restrictions at the network layer on the traffic that passes through the Global Secure Access client. Enforcement therefore depends on the client being connected: if a user pauses the client (which they can do without local admin rights), the blocked sites become reachable again. For that reason, web content filtering is most effective when paired with the Microsoft 365 traffic forwarding profile and Conditional Access policies that block access to Microsoft 365 services from outside the Global Secure Access compliant network, so that pausing the client also cuts the user off from those services.

Web Content Filtering in Global Secure Access does not replace the filtering built into other products, such as the web content filtering in Microsoft Defender for Endpoint or third-party managed DNS filtering solutions.

Prerequisites

To complete all of the steps to configure Global Secure Access and Web Content Filtering for Internet access, you will need to ensure you have the following roles in Microsoft Entra:

  • Global Secure Access Administrator
  • Conditional Access Administrator

These roles will enable you to interact with all of the services required to configure the solution.

If you haven’t already deployed the Global Secure Access client to your end-user devices, see my article How to Deploy the Global Secure Access Client with Intune; that step also requires the Intune Administrator role. Deploying the client is not covered in this post.

Enable the internet traffic forwarding profile

The Internet access traffic forwarding profile tells the Global Secure Access client to route internet-bound traffic through Global Secure Access in addition to any other enabled profiles. Once the profile is enabled, traffic is forwarded for the users and devices the profile is assigned to. Follow the steps below to enable the Internet access profile:

  1. Log in to entra.microsoft.com.
  2. Expand Global Secure Access > Connect.
  3. Select Traffic forwarding.
  4. Check the box to enable the Internet access profile.
Enable the Internet access profile

Using Microsoft Graph PowerShell

The internet access traffic forwarding profile can also be enabled using Microsoft Graph PowerShell.

Connect-MgGraph -Scopes "NetworkAccessPolicy.ReadWrite.All"

# Look up the Internet access profile by its traffic type rather than hard-coding its id
$profiles = (Invoke-MgGraphRequest -Method GET -Uri "https://graph.microsoft.com/beta/networkaccess/forwardingProfiles").value
$internet = $profiles | Where-Object { $_.trafficForwardingType -eq "internet" }

$uri  = "https://graph.microsoft.com/beta/networkaccess/forwardingProfiles/$($internet.id)"
$body = @{ state = "enabled" } | ConvertTo-Json
Invoke-MgGraphRequest -Method PATCH -Uri $uri -Body $body -ContentType "application/json"

Create a Web content filtering policy

The next step is to create a web content filtering policy. This is where you define which web addresses or website categories you want to block for your end-users. Follow the steps below to create a new web content filtering policy:

1. Log in to entra.microsoft.com

2. Expand Global Secure Access > Secure, then select Web content filtering policies.

3. Click Create policy.

4. On the Basics page, define a name and the action you want the policy to apply to the target websites.

Web content filter policy basics page

5. On the Policy rules page, click Add rule. In the pop-out pane on the right, select the destination type as either webCategory or fqdn. Below I have chosen the Social Networking category, which I will block.

Web content filter policy add rules

To block by fqdn, select fqdn as the destination type and enter the address you wish to block. Wildcards can be used.

Block by fqdn

6. Click Create policy.

Using Microsoft Graph PowerShell

The web content filter policy can also be created using Microsoft Graph PowerShell.

Connect-MgGraph -Scopes "NetworkAccessPolicy.ReadWrite.All"
$uri = "https://graph.microsoft.com/beta/networkaccess/filteringPolicies"

# One block policy with two rules: a web category and an FQDN list.
# The wildcard entry covers subdomains, so the apex domain is listed as well.
$body = @'
{
    "@odata.type": "#microsoft.graph.networkaccess.filteringPolicy",
    "name": "Block Social Media",
    "action": "block",
    "policyRules": [
        {
            "@odata.type": "#microsoft.graph.networkaccess.webCategoryFilteringRule",
            "name": "Social media",
            "ruleType": "webCategory",
            "destinations": [
                {
                    "@odata.type": "#microsoft.graph.networkaccess.webCategory",
                    "name": "SocialNetworking"
                }
            ]
        },
        {
            "@odata.type": "#microsoft.graph.networkaccess.fqdnFilteringRule",
            "name": "Online games",
            "ruleType": "fqdn",
            "destinations": [
                {
                    "@odata.type": "#microsoft.graph.networkaccess.fqdn",
                    "value": "*.miniclip.com"
                },
                {
                    "@odata.type": "#microsoft.graph.networkaccess.fqdn",
                    "value": "miniclip.com"
                }
            ]
        }
    ]
}
'@

Invoke-MgGraphRequest -Method POST -Uri $uri -Body $body -ContentType "application/json"

Create a Security profile and link your Web content filter policies

Security profiles are applied to users through the use of Conditional Access policies. Web content filter policies are then linked to Security profiles to apply the required filtering. Follow the below steps to create a Security profile:

1. Log in to entra.microsoft.com

2. Expand Global Secure Access > Secure, then select Security profiles.

3. Click Create profile.

4. On the Basics page, define a name for the profile, the state and the priority. Note: the priority controls the order in which security profiles are evaluated when more than one applies to the same user. A lower number is evaluated first, and 100 is the lowest value you can enter, so give the profile that should take precedence the lowest number.

Create a new security profile

5. On the Link policies page, select Link a policy > Existing policy. Choose your web content filter policy from the drop-down list, then define the priority and set the state to enabled.

Link a web content filter policy

(You can add multiple web content filter policies to your security profile)

6. Click Next, then Create a profile.
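The same security profile can be created and linked with Microsoft Graph PowerShell. The block below is an added example, not code from the original post: it looks up the "Block Social Media" filtering policy created in the previous section by name, creates a security profile (which Graph calls a filteringProfile), links the policy to it, then reads the profile back to confirm the link is enabled. The endpoint and payload shape follow the beta Graph networkaccess API (filteringProfiles with a filteringPolicyLink); the profile name, the priority values and the NetworkAccessPolicy.ReadWrite.All scope are assumptions to check against your tenant and the current Graph reference.

```powershell
# Added example (not from the original post). Assumes the Microsoft.Graph module is installed
# and that the "Block Social Media" filtering policy from the previous section already exists.
Connect-MgGraph -Scopes "NetworkAccessPolicy.ReadWrite.All"

$base = "https://graph.microsoft.com/beta/networkaccess"

# Resolve the filtering policy by name instead of hard-coding its id
$policyName = "Block Social Media"
$policies   = (Invoke-MgGraphRequest -Method GET -Uri "$base/filteringPolicies").value
$policy     = $policies | Where-Object { $_.name -eq $policyName }
if (-not $policy) { throw "Filtering policy '$policyName' not found; create it first." }

# Security profile with the policy linked to it. Profile name and priorities are
# assumptions: 100 is the lowest value the portal accepts for both.
$profileBody = @{
    "@odata.type" = "#microsoft.graph.networkaccess.filteringProfile"
    name     = "Baseline web filtering"
    state    = "enabled"
    priority = 100
    policies = @(
        @{
            "@odata.type" = "#microsoft.graph.networkaccess.filteringPolicyLink"
            state    = "enabled"
            priority = 100
            policy   = @{
                "@odata.type" = "#microsoft.graph.networkaccess.filteringPolicy"
                id = $policy.id
            }
        }
    )
} | ConvertTo-Json -Depth 10

$newProfile = Invoke-MgGraphRequest -Method POST -Uri "$base/filteringProfiles" `
    -Body $profileBody -ContentType "application/json"

# Read the profile back with its policy links expanded to confirm the policy is attached and enabled
$check = Invoke-MgGraphRequest -Method GET -Uri "$base/filteringProfiles/$($newProfile.id)?`$expand=policies"
$check.policies | Select-Object @{ n = 'policyId'; e = { $_.policy.id } }, state, priority
```

The final GET is the check worth keeping: a profile with a policy link in the disabled state, or with no link at all, will be accepted by Graph and by the Conditional Access session control, but will block nothing.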

Create a Conditional Access policy and link your Security profile

The Conditional Access policy applies the security profile to its target users through session controls. This means that for as long as the user is connected through the Global Secure Access client, the session controls and the linked web content filter policies apply. Follow the steps below to create a Conditional Access policy with your Security profile linked:

1. Log in to entra.microsoft.com

2. Expand Protection and select Conditional Access.

3. Click Create new policy.

4. Include your target users, then on Target resources, select Global Secure Access from the first drop-down list, then on the second drop-down list, select Internet traffic.

Target Global Secure Access Internet traffic

5. Define your grant control, then on the Session controls section select Use Global Secure Access security profile and select your security profile from the drop-down list.

Use Global Secure Access security profile

6. Enable the policy and click Create.

For guidance on creating Conditional Access policies with Microsoft Graph PowerShell, see my post: How to Create Conditional Access Policies with Microsoft Graph PowerShell.

The end-user experience

A few minutes after the Conditional Access policy is applied to the end user, the web content filter will take effect and access to the websites will be blocked.

Web content filter policy applied

By right-clicking the Global Secure Access client icon in the system tray, and then selecting Advanced Diagnostics, you can use the Traffic tab to monitor connections which have been blocked.

Traffic monitoring in the GSA client

Daniel Bradley

My name is Daniel Bradley and I work with Microsoft 365 and Azure as an Engineer and Consultant. I enjoy writing technical content for you and engaging with the community. All opinions are my own.
