GSA. (2) Internet Access Profile
Previous post:
2026.05.24 - [Microsoft 365/Entra] - GSA. (1) Microsoft Traffic & Tenant Restriction
Youtube: https://youtu.be/rC5fUBNuBqA
Prerequisites
Internet Access Profile requires one of the following licenses:
- Microsoft Entra Internet Access
- Microsoft Entra Suite
Architecture
Internet Access routes outbound Internet traffic through Microsoft
Global Secure Access, allowing organizations to apply centralized
security controls such as:
- Web Filtering
- TLS Inspection
- Content Policies
- Prompt Policies
- File Upload / Download Control

Note
The architecture diagram used in this article was AI-generated and is
intended to explain the overall design. It may evolve as Microsoft
updates the service.
1. Enable Internet Access Profile
If only Microsoft Traffic is enabled, the GSA Client shows Microsoft
connectivity only.
To enable Internet Access:
Connect
└── Traffic Forwarding
└── Internet Access Profile
Procedure
- Open Traffic Forwarding.
- Enable Internet Access Profile.
- Assign the users or groups that should use Internet Access.
- Save the configuration.


Validation
After policy synchronization completes, the GSA Client should display
Internet as enabled.

2. Create a Security Profile
Internet Access does not assign individual policies directly to
users.
Instead, Microsoft uses a Security Profile, which acts as a
container for multiple security policies.
Typical policies include:
- Web Filtering
- TLS Inspection
- Content Policy
- Prompt Policy
Navigate to:
Secure
└── Security Profiles
└── Create Profile

Setting Value

Profile Name Your preferred name

Priority As required

Click Next.

Since no policies exist yet, continue through the wizard and create the profile.

Result

The Security Profile is now ready to receive Web Filtering, TLS
Inspection, Content Policies, and Prompt Policies.
3. Create a Web Filtering Policy
Web Filtering controls Internet access based on:
- Categories
- FQDNs
- Custom Rules
Navigate to:
Secure
└── Web Content Filtering Policies
└── Web Filtering Policy (V2)

Microsoft recently introduced Web Filtering Policy (V2), which
provides an improved policy experience.
Create the Policy
Select Create Policy.

Configure the following values.
Setting Value

Default Action Allow

Click Create.

Allow vs Block
Allow
- Allows all websites by default.
- Only specified sites or categories are blocked.
- Similar to a blacklist model.
Block
- Blocks all websites by default.
- Only explicitly allowed destinations are accessible.
- Similar to a whitelist model.
For most pilot deployments, Allow is the recommended starting point.
Add a Rule
Open the newly created policy.
Navigate to:
Rules
└── Add Rule

Configure the rule with the following values.
Setting Value

Category AI

Action Block

Create the rule.

Link the Policy
Return to the previously created Security Profile.

Navigate to:
Link Policies
└── Link a Policy
└── Existing Web Filtering Policy (V2)

Select the newly created Web Filtering Policy and click Add.

Validation
Verify that the Web Filtering Policy now appears under the Security Profile.
4. Assign the Security Profile with Conditional Access
Internet Access policies become effective only after they are assigned
through Conditional Access.
Navigate to:
Microsoft Entra admin center
└── Protection
└── Conditional Access
└── Policies
Select New Policy.

Users
Select the users or groups that should use Internet Access.

Target Resources
Choose:
All Internet Resources with Global Secure Access

Conditions
Device Platform: Windows

Session Controls
Enable:
Use Global Secure Access

Confirm (Connect to AI Sites)

5. Configure TLS Inspection
TLS Inspection allows Microsoft Global Secure Access to inspect
encrypted HTTPS traffic.
Without TLS Inspection, advanced Content Policies and Prompt Policies
cannot inspect encrypted sessions.

Create the Inspection Certificate
Navigate to:
Secure
└── TLS Inspection Policies
└── TLS Inspection Settings
Select Create Certificate.

Enter the certificate information.

Global Secure Access automatically downloads a Certificate Signing
Request (CSR).
Issue the CSR using AD CS
On your Active Directory Certificate Services server:
Request a Certificate
└── Advanced Certificate Request


Open the downloaded CSR with a text editor and copy the entire request into the request form.

Setting Value

Template Subordinate Certification Authority

Submit the request.

Export Certificates
Download the certificates using Base-64 encoded format.

Export:
- Issued Certificate
- Intermediate CA
- Root CA
Rename the issued certificate to:
certificate.pem

Export the Intermediate and Root certificates separately.

Build the Certificate Chain
Run:
copy /b intermediate.cer + root.cer chain.pem

Upload:
- certificate.pem
- chain.pem
Return to Global Secure Access and upload both files.

Enable the certificate.
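As an added example (not from the original article), the following PowerShell script does the same job as the copy command above but also checks the three exports before anything is uploaded: that each file really is Base-64 (PEM) rather than DER, that the issued certificate chains to the intermediate and the intermediate to the root, and that the issued certificate carries the CA basic constraint it needs to sign per-site certificates. File names are the ones used in this article; everything else is assumed.

```powershell
# Added example (not part of the original article). Builds chain.pem from the
# Base-64 exports and sanity-checks the chain before it is uploaded to
# Global Secure Access. File names are the ones used in this article.
$issuedPath       = 'certificate.pem'   # issued inspection (subordinate CA) certificate
$intermediatePath = 'intermediate.cer'  # Base-64 export of the intermediate CA
$rootPath         = 'root.cer'          # Base-64 export of the root CA

# 1. Refuse DER exports: GSA expects PEM, and 'copy /b' would happily glue binary files.
foreach ($p in $issuedPath, $intermediatePath, $rootPath) {
    if ((Get-Content -Path $p -Raw) -notmatch '-----BEGIN CERTIFICATE-----') {
        throw "$p is not Base-64 (PEM) encoded. Re-export it with the Base-64 option."
    }
}

# 2. Build chain.pem. Order matters: intermediate first, root last
#    (same result as: copy /b intermediate.cer + root.cer chain.pem).
$chainText = (Get-Content -Path $intermediatePath -Raw).TrimEnd() + "`r`n" +
             (Get-Content -Path $rootPath -Raw).TrimEnd() + "`r`n"
Set-Content -Path 'chain.pem' -Value $chainText -Encoding Ascii -NoNewline

# 3. Load the three certificates and check that each one is issued by the next.
Add-Type -AssemblyName System.Security
$issued       = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($issuedPath)
$intermediate = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($intermediatePath)
$root         = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($rootPath)

if ($issued.Issuer -ne $intermediate.Subject) {
    throw "certificate.pem was not issued by intermediate.cer (issuer: $($issued.Issuer))"
}
if ($intermediate.Issuer -ne $root.Subject) {
    throw "intermediate.cer was not issued by root.cer (issuer: $($intermediate.Issuer))"
}
if ($root.Subject -ne $root.Issuer) {
    throw "root.cer is not self-signed; export the actual root CA certificate"
}

# 4. The inspection certificate must itself be a CA, otherwise GSA cannot issue
#    per-site certificates from it. Check the Basic Constraints extension.
$bc = $issued.Extensions |
      Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] }
if (-not $bc -or -not $bc.CertificateAuthority) {
    throw "certificate.pem has no CA basic constraint; it was not issued from the Subordinate Certification Authority template"
}

# 5. Warn early about expiry so the deployment does not break later.
if ($issued.NotAfter -lt (Get-Date).AddDays(30)) {
    Write-Warning "certificate.pem expires on $($issued.NotAfter); renew it before deploying."
}
"chain.pem written. Chain: $($issued.Subject) -> $($intermediate.Subject) -> $($root.Subject)"
```

If your AD CS is a single-tier (root-only) CA, there is no separate intermediate; in that case chain.pem contains only the root and the intermediate checks above should be skipped.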

Create a TLS Inspection Policy
Navigate to:
TLS Inspection Policies
└── Create Policy

Policy Name TLS Inspection

Default Action Inspect
Click Next without adding custom rules.

Submit the policy.

Link the policy to the existing Security Profile.
Deploy the Root Certificate
Endpoints must trust the inspection certificate.
Install root.cer into:
Trusted Root Certification Authorities

After deployment, browsers should trust certificates issued by Global Secure Access.
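The import and the trust check, as an added example that is not part of the original article: it installs root.cer into the machine-wide Trusted Root Certification Authorities store with the built-in Import-Certificate cmdlet and then asks Windows to build a chain for the inspection certificate, which is the same validation a browser performs. File names follow this article; the script assumes an elevated PowerShell session on the endpoint.

```powershell
# Added example (not part of the original article). Imports root.cer into the
# machine-wide Trusted Root store and confirms that the inspection certificate
# chains to it. Run in an elevated PowerShell session on the endpoint.
$rootPath         = 'root.cer'           # Base-64 export of the root CA
$intermediatePath = 'intermediate.cer'   # Base-64 export of the intermediate CA
$issuedPath       = 'certificate.pem'    # the GSA inspection certificate

# Import-Certificate comes with the built-in PKI module. LocalMachine\Root is
# what the MMC shows as "Trusted Root Certification Authorities" for all users.
$installed = Import-Certificate -FilePath $rootPath -CertStoreLocation 'Cert:\LocalMachine\Root'
"Trusted root installed: $($installed.Subject) ($($installed.Thumbprint))"

# Verify by thumbprint rather than by name; a second root with the same
# subject would otherwise go unnoticed.
if (-not (Test-Path "Cert:\LocalMachine\Root\$($installed.Thumbprint)")) {
    throw "root certificate not found in LocalMachine\Root after import"
}

# Build the chain of the inspection certificate against the machine store.
# Only the root was installed, so the intermediate is handed to the chain
# engine through ExtraStore (a client normally receives it from the server).
Add-Type -AssemblyName System.Security
$issued = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($issuedPath)
$chain  = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.ExtraStore.Add(
    (New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($intermediatePath))) | Out-Null
# Offline check: skip CRL/OCSP so a lab CA without published CRLs still validates.
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck

if ($chain.Build($issued)) {
    "Chain OK:"
    $chain.ChainElements | ForEach-Object { "  " + $_.Certificate.Subject }
} else {
    "Chain FAILED:"
    $chain.ChainStatus | ForEach-Object { "  $($_.Status): $($_.StatusInformation)" }
    throw "the inspection certificate does not chain to a trusted root on this device"
}
```

On managed devices the same root is normally pushed to every endpoint through Intune or Group Policy rather than imported by hand; the chain check at the end is still a useful way to confirm the push landed before users start seeing certificate errors.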

QUIC Consideration
Some browsers may bypass TLS Inspection when using HTTP/3 (QUIC).

For Microsoft Edge:
edge://flags

Disable QUIC, restart Edge, and verify that TLS Inspection is now applied.
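Flipping the flag in edge://flags only affects one user profile and can be switched back. As an added example (not from the original article), the script below disables QUIC device-wide through the Edge QuicAllowed policy, which takes precedence over the flag, and then checks from the device whether HTTPS connections are being re-signed by the inspection CA. The inspection CA name and the test hosts are placeholders you need to replace; an elevated session is assumed.

```powershell
# Added example (not part of the original article). Disables QUIC in Microsoft
# Edge for the whole device via the QuicAllowed policy, which overrides the
# per-user edge://flags setting, then checks that HTTPS sessions from this
# device are being re-signed by the inspection CA. Run elevated.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge'
if (-not (Test-Path $policyKey)) { New-Item -Path $policyKey -Force | Out-Null }
Set-ItemProperty -Path $policyKey -Name 'QuicAllowed' -Value 0 -Type DWord

# Read the value back instead of trusting that the write succeeded.
$quic = (Get-ItemProperty -Path $policyKey -Name 'QuicAllowed').QuicAllowed
if ($quic -ne 0) { throw "QuicAllowed is $quic, expected 0" }
"QuicAllowed = 0. Restart Edge; edge://policy should now list QuicAllowed."

function Get-ServerCertIssuer {
    # Open a TLS session over TCP to the host and return the issuer of the
    # certificate this device actually received. When TLS Inspection is
    # working, that issuer is the inspection CA, not the site's public CA.
    param([string]$HostName, [int]$Port = 443)
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # Diagnostic only: accept whatever certificate is presented so it can be read.
        $accept = [System.Net.Security.RemoteCertificateValidationCallback]{ param($s, $c, $ch, $e) $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $accept)
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        return $cert.Issuer
    } finally {
        $tcp.Close()
    }
}

# Placeholder: part of the subject name you gave the inspection certificate
# in TLS Inspection Settings.
$inspectionCaName = 'GSA TLS Inspection'
# Sample hosts (replace with sites covered by your Internet Access profile).
foreach ($site in 'www.example.com', 'www.wikipedia.org') {
    $issuer = Get-ServerCertIssuer -HostName $site
    $state  = if ($issuer -like "*$inspectionCaName*") { 'inspected' } else { 'NOT inspected' }
    "{0,-22} {1,-14} issuer: {2}" -f $site, $state, $issuer
}
```

The check at the end uses TCP, so it confirms that the inspection path works for the device; the browser itself is verified the way the article describes, by opening the padlock in Edge after the restart and confirming that the site certificate is issued by your inspection CA. If a site shows "NOT inspected" here, look at the Web Filtering policy and the Conditional Access assignment before suspecting QUIC.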
6. Configure Content Policies
Content Policies require TLS Inspection.
Navigate to:
Secure
└── Content Policies
Create a new policy.

Setting Value

Action Block

Inspection Upload

Destination AI Websites

Create the rule.



Link the Content Policy to the Security Profile.

Validation
Attempt to upload a file to a supported AI service.

The upload should be blocked according to policy.
7. Configure Prompt Policies
Prompt Policies provide monitoring and protection for Generative AI
prompts.
Navigate to:
Secure
└── Prompt Policies
Create a new policy.

Example:
Setting Value

Action Block

Prompt Logging Always

Select all predefined Conversation Schemes.


Create the policy.

Return to the Security Profile.
Link the Prompt Policy.

Validation
Generate test prompts against supported AI services.

Blocked prompts should be denied, while prompt logging records the
activity according to policy.

Validate the Deployment
Architecture Summary
Internet User
│
▼
Global Secure Access
│
├── Web Filtering
├── TLS Inspection
├── Content Policy
└── Prompt Policy
│
▼
Internet
The Security Profile acts as the central container that combines all
security controls and is assigned through Conditional Access.
Final Thoughts
Microsoft Global Secure Access Internet Access continues to evolve
rapidly.
Although some capabilities are still expanding, combining Internet
Access with Microsoft Entra, Microsoft Purview, and Microsoft Defender
provides a strong Zero Trust foundation for protecting modern Internet
and AI traffic.
In future articles I plan to cover:
- Microsoft Purview integration
- AI prompt investigation
- Prompt logging
- Advanced Content Policies
- Data Security controls
- Microsoft Defender integration