How to Setup Microsoft Entra Internet Access

Microsoft Entra Internet Access is a new solution in the Microsoft Entra product family that enables administrators to take progressive steps towards building a zero-trust environment with built-in, comprehensive security.

In this tutorial, I am going to show you how to deploy Microsoft Entra Internet Access along with Conditional Access to create a secure access method for Microsoft 365 apps and services.

What is Microsoft Entra Internet Access

Microsoft Entra Internet Access secures your users' access to Microsoft 365 services and enterprise applications in your environment while protecting their data from common online threats.

The solution integrates into Microsoft Entra and your users' identities as a whole across the Microsoft platform to provide seamless and secure access over the internet. It will also help to stop increasingly common threats such as token replay attacks when combined with the network location conditions in Conditional Access.

Requirements

To interact with and configure Microsoft Entra Internet Access (or any of the Global Secure Access features) you must have, at minimum, the Global Secure Access Administrator role assigned. It is recommended that you use PIM for assigning the role.

To use the preview features, you must have a Microsoft Entra ID Premium P1 license assigned to any user who benefits from the service. However, as it is early in the product's lifecycle, the licensing requirements are likely to change soon.

How Microsoft Entra Internet Access works

Microsoft Entra Internet Access works by deploying a client-side application to the end user's device that tunnels traffic to the Global Secure Access service. Traffic is effectively proxied to the destination services without any impact on performance.

As well as the client-side application, Microsoft Entra Internet Access can also be connected to remote networks by integrating directly with on-premises network routing equipment. This enables connections to be routed directly to the Internet Access service without deploying a client-side application. One of the main caveats is that Conditional Access policies can only be applied while using the GSA client, not for remote networks.

Global Secure Access Diagram

Step 1. Enable the traffic forwarding profile

The traffic forwarding profiles require all the traffic that pertains to that profile to go through the Microsoft Entra Internet Access proxy service. In this case, we are selecting the Microsoft 365 profile. Follow the steps below to enable the Microsoft 365 profile in Global Secure Access.

1. Log in to Microsoft Entra at https://entra.microsoft.com/

2. Expand Global Secure Access then Connect

3. Select Traffic forwarding

4. Enable the Microsoft 365 Profile

Enable the traffic forwarding profile

Step 2. View the Microsoft 365 Profile policies & rules

The policies & rules section of the Microsoft 365 profile enables you to define what traffic is proxied through the Microsoft Entra Internet Access service and protected. The traffic rules are clearly defined by the destination and destination type of traffic, the ports, the protocol and which service they pertain to. This allows you to make an informed decision about whether you want this traffic to be secured.

To view the policies and rules, select Traffic forwarding and click View next to Microsoft 365 traffic policies. From here you can enable or disable the rule groups and change the Action to Forward or Bypass for individual rules.

Traffic rules

Step 3. Install the Global Secure Access Windows client

The Global Secure Access Client acts as a VPN client without the need to deploy an additional network adapter, so you will not see additional adapters in Control Panel or in the output of the ipconfig command.

Option 1: Install the Global Secure Access Client manually

To install the client on an individual machine, download the client from https://aka.ms/GSAClientDownload and run the installer. The installer will run with administrator privileges and install the client to ‘C:\Program Files\Global Secure Access Client’.

Option 2: Deploy the Global Secure Access Client using Intune

1. Start by downloading the Global Secure Access client (https://aka.ms/GSAClientDownload) and the Microsoft Win32 Content Prep Tool (https://github.com/microsoft/Microsoft-Win32-Content-Prep-Tool/blob/master/IntuneWinAppUtil.exe).

2. Create two folders on your system:

  • C:\Temp\Intune
  • C:\Temp\Intune\GSAClient

3. Save the IntuneWinAppUtil.exe file in C:\Temp\Intune and GlobalSecureAccessClient.exe in C:\Temp\Intune\GSAClient.

4. Open PowerShell and run the following commands, which navigate to your new location and launch the Intune Windows app packaging tool:

  • cd c:\temp\intune
  • .\IntuneWinAppUtil.exe
Open IntuneWinAppUtil

5. The application will then launch and prompt you for the information needed to package the Global Secure Access client. Enter the following values, then enter N at the final prompt:

  • Please specify the source folder: C:\Temp\Intune\GSAClient
  • Please specify the setup file: GlobalSecureAccessClient.exe
  • Please specify the output folder: C:\Temp\Intune\GSAClient
Define parameters

Once complete, you will see the GlobalSecureAccessClient.intunewin file in your output folder:

intunewin output

6. Log in to Microsoft Intune (https://intune.microsoft.com/) and select Apps > Windows > Add > Windows app (Win32) > Select.

Deploy the Global Secure Access Client with Intune

7. Click Select app package file and, in the pop-out window, select the folder icon, upload the GlobalSecureAccessClient.intunewin file you created earlier and click OK.

8. On the App information page, enter the publisher name as Microsoft and click Next. If you want to upload the Global Secure Access icon, copy it from below. It should already be in .png format and 256px x 256px in size.

9. On the Program page you will need to configure the Install command and Uninstall command, then click Next when ready. You can use the following examples:

  • Install command: .\GlobalSecureAccessClient.exe /q n
  • Uninstall command: MsiExec.exe /X{4DB0A026-1C26-4A8C-8378-DCB94900B604} /quiet

Depending on the version of the client you deploy, the Uninstall command may differ from my example. You should install the application manually on a device and then locate the UninstallString registry value using RegEdit under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\

Program settings

10. On the Requirements page, ensure you set the operating system architecture to 64-bit and the minimum operating system to a supported version of Windows. (Officially the client is supported on all 64-bit versions of Windows 11 or 10; however, that may just be vague wording.)

11. On the Detection rules tab you will need to configure a rule to determine whether the client has been deployed successfully. For this, I am choosing a File rule which checks for the existence of the GlobalSecureAccessTunnelingService.exe file located in C:\Program Files\Global Secure Access Client.

On the Rules format drop-down box, select Manually configure detection rules, then enter the following settings:

  • Rule type: File
  • Path: C:\Program Files\Global Secure Access Client
  • File or folder: GlobalSecureAccessTunnelingService.exe
  • Detection method: File or folder exists
  • Associated with a 32-bit app on 64-bit clients: No

12. You can skip through the Dependencies and Supersedence pages as these will not be needed for now.

13. On the Assignments page, under the Required heading, ensure you add the user or device groups that this app should be deployed to and click Next. Lastly, click Review & Create.

The next time your devices sync with Intune, the app will be deployed. As for the end users' experience, they will receive a notification in the message center on their device:

Soft distribution alert

Users will then immediately receive a prompt and must select the account they wish to sign in with. Because the devices must be joined to Azure AD, this should be a single-click experience and will not prompt for a password.

Global Secure Access Sign In prompt
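The packaging, uninstall-string lookup and detection steps above can be scripted. This is an added example, not code from the original post or from Microsoft: it drives IntuneWinAppUtil.exe with its command-line switches instead of the interactive prompts, searches the registry for the client's UninstallString on a device where the client was installed manually, and evaluates the post's File detection rule. The folder layout and file names follow the post; the DisplayName match pattern is an assumption and should be adjusted to what Programs and Features shows.

```powershell
# Added example (not from the original post). Paths follow the post's layout.
$Work   = 'C:\Temp\Intune'
$Source = Join-Path $Work 'GSAClient'          # holds GlobalSecureAccessClient.exe
$Tool   = Join-Path $Work 'IntuneWinAppUtil.exe'
$Setup  = 'GlobalSecureAccessClient.exe'
$Detect = 'C:\Program Files\Global Secure Access Client\GlobalSecureAccessTunnelingService.exe'

New-Item -ItemType Directory -Path $Source -Force | Out-Null

# Non-interactive packaging: -c source folder, -s setup file, -o output folder, -q quiet.
if (-not (Test-Path (Join-Path $Source $Setup))) {
    throw "Place $Setup in $Source before packaging (download: https://aka.ms/GSAClientDownload)."
}
& $Tool -c $Source -s $Setup -o $Source -q
$Package = Join-Path $Source 'GlobalSecureAccessClient.intunewin'
if (-not (Test-Path $Package)) { throw 'Packaging failed: no .intunewin file was produced.' }

# Find the UninstallString for the version actually installed. Run this on the test
# device where the client was installed manually; both registry views are checked.
function Get-GsaUninstallString {
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
    Get-ChildItem -Path $keys -ErrorAction SilentlyContinue |
        Get-ItemProperty |
        Where-Object { $_.DisplayName -like 'Global Secure Access Client*' } |   # assumed name
        Select-Object DisplayName, DisplayVersion, UninstallString
}

# Evaluate the post's detection rule (File or folder exists) the way Intune will.
function Test-GsaDetectionRule {
    param([string]$Path = $Detect)
    Test-Path -LiteralPath $Path -PathType Leaf
}

Get-GsaUninstallString | Format-List
"Detection rule satisfied: $(Test-GsaDetectionRule)"
```

The UninstallString returned here is what belongs in the Intune Uninstall command for the client version you packaged.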

Step 4. Enable Global Secure Access signalling

Global Secure Access signalling is an important feature because without it, source IP information will not be accurate in the Microsoft Entra ID sign-in and audit logs. This can adversely affect the accuracy of reporting and, more importantly, any Conditional Access policies which enforce access based on trusted locations.

To enable Global Secure Access signalling, expand Global Secure Access in the Entra admin center and select Session Management. On the Adaptive Access tab, change the slider to On.

Enable Global Secure Access Signalling

In the Azure AD sign-in logs you will see a change in the client source IP address. Highlighted in purple below is the IP address of the Microsoft Entra Internet Access service (while signalling is turned off) and in blue is the public-facing IP of my Azure virtual machine (while signalling is turned on). As you can see, accurate information is displayed while signalling is turned on, so in most cases it should be enabled.
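One way to confirm the effect described above without reading the portal screenshot is to summarise a user's recent sign-ins by source IP with Microsoft Graph PowerShell. This is an added example, not code from the original post: it assumes the Microsoft.Graph.Reports module is installed, that the account running it can consent to AuditLog.Read.All, and the UPN and time window are placeholders.

```powershell
# Added example (not from the original post): summarise sign-in source IPs for a user
# so you can compare the picture before and after enabling GSA signalling.
Connect-MgGraph -Scopes 'AuditLog.Read.All' -NoWelcome

function Get-SignInSourceSummary {
    param(
        [Parameter(Mandatory)] [string]$UserPrincipalName,
        [int]$Hours = 24                               # look-back window (placeholder)
    )
    $since  = (Get-Date).ToUniversalTime().AddHours(-$Hours).ToString('yyyy-MM-ddTHH:mm:ssZ')
    $filter = "userPrincipalName eq '$UserPrincipalName' and createdDateTime ge $since"

    Get-MgAuditLogSignIn -Filter $filter -All |
        Group-Object IpAddress |
        ForEach-Object {
            [pscustomobject]@{
                IpAddress = $_.Name
                SignIns   = $_.Count
                Apps      = ($_.Group.AppDisplayName | Sort-Object -Unique) -join ', '
                LastSeen  = ($_.Group.CreatedDateTime | Measure-Object -Maximum).Maximum
            }
        } |
        Sort-Object SignIns -Descending
}

# With signalling off, Microsoft 365 sign-ins from the GSA client share the Internet
# Access service's egress address; with signalling on they carry the device's own
# public IP, which is what a trusted-location Conditional Access policy evaluates.
Get-SignInSourceSummary -UserPrincipalName 'user@contoso.example' | Format-Table -AutoSize
```

If the summary still shows a single shared address for every Microsoft 365 app after the slider was set to On, signalling is not yet taking effect for that device and location-based policies will be evaluating the wrong IP.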

Step 5. Configure Conditional Access Policies

Conditional Access can be used alongside the Global Secure Access client to ensure that only compliant devices can authenticate and connect to the client. Creating multiple policies that target both the client and location will enable you to create a secure access solution for your Microsoft 365 services and applications.

For this scenario I am going to create two policies, described below:

Policy 1:

This policy will target Exchange Online, SharePoint Online and any other cloud apps as required. Currently, only these services are supported by the Microsoft 365 traffic profile, so eventually this policy can be expanded to cover all cloud apps. The policy will target all locations with an exclusion for 'All Compliant Network locations'. The policy will be set to block.

  • Name: Location Block – Baseline
  • Target Resources: Exchange Online & SharePoint Online
  • Conditions: Include: Any location, Exclude: All Compliant Network locations
  • Grant: Block Access

Policy 2:

This policy will target the Global Secure Access resource with the Microsoft 365 traffic policy applied and it will include a grant control for requiring MFA and a compliant device.

  • Name: GSA – Allow
  • Users: All Users
  • Target resources: Global Secure Access: Microsoft 365 traffic
  • Grant: Require MFA & Compliant device

Once both policies are enabled, you will not be able to access the Microsoft 365 services while the Global Secure Access client is off:

GSA access blocked - CA

Daniel Bradley

My name is Daniel Bradley and I work with Microsoft 365 and Azure as an Engineer and Consultant. I enjoy writing technical content for you and engaging with the community. All opinions are my own.

This Post Has 6 Comments

  1. Michele

    Hi, so I could use this feature to have my clients connect on our local file server?

    1. Daniel

      Hi Michele, no, this feature provides secure access to Microsoft 365 resources for identities within your own tenant 🙂

  2. Steve

    Hi Daniel,

    Great article and thanks for posting! Just a quick question regarding the client: what if I regularly access multiple customers' tenants (having IDs in each organization)? Will it support this if they were all using Entra Internet Access?

    Regards
    Steve

    1. Daniel Bradley

      Hi Steve, you have the option to switch user by right-clicking the icon in the system tray, so it should support this. Another thing for me to test and update this post with!

  3. Michael

    How does the GSA client login/authentication look in sign-in logs? My question revolves around monitoring sign-ins to the GSA client and looking for potential risks since anyone can download the client.

    1. Daniel Bradley

      Hi Michael,

      The application in the sign-in log will show as ‘ZTNA Network Access Client’.

      Hope that helps!

      Daniel
