Sunday, February 9, 2025

Getting Started with Microsoft Entra Internet Access — LazyAdmin


Microsoft Entra Internet Access is a Secure Web Gateway that secures access to Microsoft services, SaaS applications, and other public Internet applications. It's part of Microsoft's Security Service Edge (SSE) solution, which helps you protect your users and devices against internet threats.

The key feature of Microsoft Entra Internet Access is web content filtering. It allows you to control which websites and SaaS applications your users can visit, based on web categories and FQDNs.

In this article, we are going to take a look at how Microsoft Entra Internet Access works, and how you can deploy it in your organization.

What is Microsoft Entra Internet Access

Microsoft Entra Internet Access is part of Microsoft's new SSE solution, together with Microsoft Entra Private Access. Private Access replaces VPNs for remote access to internal resources and gives you granular access control over on-premise resources. Internet Access, on the other hand, provides cloud-based proxy services for Internet-based resources.

Both solutions integrate with Microsoft Entra and Conditional Access, offering a unified approach to securing network access and identities.

Entra Internet Access secures user and device access to the Internet, protecting against threats and unwanted content through web filtering. This can be done per category or granularly using FQDNs and URLs. Traffic is routed through the Global Secure Access client on end-user devices or through the remote network capability for on-premises networks.

How does Internet Access work?

Microsoft Entra Internet Access allows you to block access to websites or web applications based on categories or the FQDN. To do this you will need to install the Global Secure Access client on the user devices. This client routes all internet traffic through the Microsoft Security Service Edge solution.

To define which traffic is allowed or not, we need to define web content filtering policies and create security profiles. The latter are then assigned to users, groups, or devices with the help of Conditional Access policies.

In the web content filtering policies we define which categories we want to block or allow. You can define multiple categories and/or multiple FQDNs within one policy. At the moment there are about 60 categories to choose from.

Security Profiles group Web Content Filtering policies and are needed to deploy the policies to end-users through Conditional Access. A profile can contain multiple policies, but each Conditional Access policy can have only one profile assigned.

By using the priority value in the security profiles, we can determine which profile should take precedence over another in case of a conflict. The lower the number, the higher the priority. It's best to start priorities at a low number (e.g., 100) and leave gaps between subsequent priorities for flexibility in the future.

The profile with priority 65000 is the default (baseline) profile and is automatically deployed to end-users without a Conditional Access policy assignment. All other profiles require linking to Conditional Access policies for deployment.

Requirements

To use Microsoft Entra Internet Access, you will need at least Microsoft Entra ID P1 and you need to purchase the Microsoft Entra Suite, which includes Entra Verified ID, Entra ID Governance, Entra Internet Access, and Entra Private Access for an additional $12 per user per month.

It's also possible to buy Entra Internet or Private Access as a standalone add-on for Entra ID P1; each product then costs $5 per user per month.

Also, the client devices have to run Windows 10 or 11 and must be either Microsoft Entra Joined or Hybrid Joined.

You will need local admin rights to install the client.

Install and Configure Internet Access

To start using Microsoft Entra Internet Access we will need to perform a couple of steps:

  • Activate Global Secure Access in the tenant
  • Install or deploy the Global Secure Access client on the users' devices
  • Configure Web Content Filtering Policies
  • Create Security Profiles
  • Assign Conditional Access Policies

Step 1 – Enable Global Secure Access

The first step is to enable Global Secure Access in your tenant. You will need to have the Global Secure Access Administrator role or use a Global Administrator account to activate the service.

  1. Open Microsoft Entra
  2. Expand Global Secure Access (Preview) and click on Get started
  3. Click on Activate

Enable Global Secure Access

It takes a few seconds to activate the service. When done, we need to enable Adaptive Access. This allows us to use Conditional Access policies and Microsoft Entra Identity Protection with Private Access.

  1. Expand Global Settings
  2. Open Session management
  3. Click on Adaptive Access
  4. Enable Global Secure Access signaling in Conditional Access and click on Save

Add Conditional Access

The last thing we need to configure for now is which traffic we want to forward to Global Secure Access. We can enable this for Microsoft 365 Access, Private Access, and Internet Access.

  • Microsoft 365 Access – All traffic for Entra ID, SharePoint Online, Exchange Online, and other Microsoft 365 apps.
  • Private Access – Allows you to route all traffic to your on-premise resources
  • Internet Access – Routes all traffic to the public internet, including SaaS apps, based on IP addresses and FQDNs

We are going to enable both the Microsoft 365 Access and the Internet Access profile:

  1. Expand Connect and click on Traffic Forwarding
  2. Enable the Microsoft 365 Access Profile
  3. Enable the Internet Access Profile

Enable Internet Access Profile

For both profiles, we will need to assign users or groups. Click on View in each profile and either enable it for all users or select a group of users. As always with changes in IT, first try it out on a small group of users.

Step 2 – Installing the Client

With Global Secure Access enabled and the profiles activated, we can install the client. The client can be installed manually, but you can of course also deploy it with your deployment tools like PDQ or Intune.

Download the latest version of the client in Microsoft Entra, under Global Secure Access > Connect > Client Download.

Follow Step 3 in the Private Access article for more information on installing the client.

Step 3 – Configure Web Content Filtering Policies

We can now create the Web Content Filtering Policies. When you open the policies, you will notice that there is a default "All websites" policy. It contains an FQDN wildcard that allows all websites. This policy is assigned to the Baseline security profile, which we will look at later.

Currently, you can create up to 100 web content filtering policies, which should be enough for most tenants. For this example, we are going to create the following 3 policies:

  • Block All Social Media
  • Block Unwanted Content
  • Allow LinkedIn

Click on Create Policy to start creating a new policy. Enter the following details:

  1. Name: Block All Social Media
  2. Action: Block

Create web content filtering policy

We can now define the policy rule. Keep in mind that you can add multiple rules in a single policy.

  1. Click on Policy Rules (or Next)
  2. Choose Add Rule
  3. Enter a name for the Rule
  4. Set the Destination type to webCategory
  5. Select the category Social Networking
  6. Click on Add to add the rule.

Select web category

Review the settings and click on Create Policy. We now need to create the other two policies as well. Repeat the steps above, using the following settings:

                          Unwanted Content                  Allow LinkedIn    Block Streaming
  Policy name             Block Unwanted Content            Allow LinkedIn    Block Streaming Services
  Action                  Block                             Allow             Block
  Destination type        webCategory                       fqdn              webCategory
  Category / Destination  Select all unwanted categories    *.LinkedIn.com    Streaming Media

You can of course expand this to your needs. I recommend creating at least one policy with all unwanted categories, so you can assign it to the baseline security profile later on. This way the baseline will block all unwanted content for everybody, and you can make exclusions if needed with an allow policy.

Step 4 – Create Security Profiles

The next step is to create the security profiles. These profiles will be used to assign the policies to your groups. A group can only have one security profile assigned. It's of course possible that a user is a member of multiple groups, which can result in multiple security profiles.

To solve this, we can use the priority. A lower number indicates a higher priority. We also have a baseline profile, which will automatically be applied to all users.

Let's first take a look at the Baseline profile:

  1. Open the Security Profiles
  2. Click on Baseline Profile
  3. Expand the profile

Baseline Security Profile

By default, only the All Websites policy is added to the baseline, and the baseline profile is also disabled. What we want, however, is to block all unwanted content, and enable the profile.

  1. Click on Edit Profile
  2. On the first screen, set the state to enabled
  3. Click on Link Policies
  4. Click on Link a policy and choose Existing Policy
  5. Select the Block unwanted content policy
  6. Set the Priority to 100, so it overrules the default allow all websites policy
  7. Make sure that the State is set to enabled.

Link policy to profile

With the baseline set, we can go back to the security profiles and create a new profile. We are going to create the following profiles:

  Profile name                    Priority   Policy                   Policy Priority
  Block Social and Entertainment  100        Allow LinkedIn           100
                                             Block All Social Media   200
                                             Block Streaming          300
  Block Streaming                 200        Block Streaming          100

  1. In the Security Profiles page, click on + Create Profile
  2. Enter the profile name: Block Social and Entertainment
  3. Set the state to enabled and the priority to 100

Create new security profile

  1. Click on the Link Policies tab
  2. Click on + Link a Policy and select Existing Policy
  3. Choose Allow LinkedIn and click Add
  4. Do the same for the policies Block Social Media and Block Streaming Service. Make sure you give these a higher priority number (200 and 300), so the Allow LinkedIn policy takes precedence.

Link policy

Create the other security profile as well, using the same steps.
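To make the priority rules from the "How does Internet Access work?" section concrete, here is an added Python model (not the article's own code and not Microsoft's implementation) that evaluates the profiles and policies built in Steps 3 and 4 against a destination. It assumes the profile with the lowest number is evaluated first, then the policy with the lowest number inside that profile, with the first matching rule deciding; the FQDN-to-category table, the Gambling category and the 65000 priority of the default All websites policy are constructed values.

```python
from fnmatch import fnmatch

# Constructed FQDN -> web category lookup standing in for Microsoft's
# category database; hosts missing here simply have no category.
CATEGORY_OF = {
    "www.facebook.com": "Social Networking",
    "www.linkedin.com": "Social Networking",
    "www.netflix.com": "Streaming Media",
    "casino.example": "Gambling",
}

def rule_matches(rule, fqdn):
    """rule = (destinationType, destination): 'webCategory' with a category
    name or 'fqdn' with a pattern, the two rule kinds the portal offers."""
    kind, dest = rule
    host = fqdn.lower()
    if kind == "fqdn":
        pattern = dest.lower()
        # Assumption: *.linkedin.com also covers the apex linkedin.com.
        return fnmatch(host, pattern) or host == pattern.removeprefix("*.")
    return CATEGORY_OF.get(host) == dest

def resolve(fqdn, profiles):
    """Lowest profile priority first, then lowest policy priority inside it;
    the first matching rule decides. Returns (action, profile, policy)."""
    for prof in sorted(profiles, key=lambda p: p["priority"]):
        for prio, pol in sorted(prof["policies"], key=lambda t: t[0]):
            if any(rule_matches(r, fqdn) for r in pol["rules"]):
                return pol["action"], prof["name"], pol["name"]
    return "Allow", None, None  # nothing matched: implicit allow (assumption)

def policy(name, action, *rules):
    return {"name": name, "action": action, "rules": list(rules)}

# Profiles as built in the article. The default "All websites" policy's
# priority (65000) and the Gambling category are constructed values.
BASELINE = {"name": "Baseline", "priority": 65000, "policies": [
    (100, policy("Block Unwanted Content", "Block", ("webCategory", "Gambling"))),
    (65000, policy("All websites", "Allow", ("fqdn", "*")))]}
SOCIAL = {"name": "Block Social and Entertainment", "priority": 100, "policies": [
    (100, policy("Allow LinkedIn", "Allow", ("fqdn", "*.LinkedIn.com"))),
    (200, policy("Block All Social Media", "Block", ("webCategory", "Social Networking"))),
    (300, policy("Block Streaming", "Block", ("webCategory", "Streaming Media")))]}
STREAMING = {"name": "Block Streaming", "priority": 200, "policies": [
    (100, policy("Block Streaming", "Block", ("webCategory", "Streaming Media")))]}

if __name__ == "__main__":
    for host in ["www.linkedin.com", "www.facebook.com", "casino.example", "www.lazyadmin.nl"]:
        print(host, "->", resolve(host, [BASELINE, SOCIAL]))
```

Running it shows why the Allow LinkedIn policy needs the lowest number in its profile: with 200 or 300 it would lose to Block All Social Media, since LinkedIn is also in the Social Networking category.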

Step 5 – Assigning Conditional Access Policies

The last step is to assign the security profiles with Conditional Access policies. The Conditional Access policies are only used to assign the Global Secure Access security profile. You can add some additional conditions, like user locations for example. But you should not add any requirements to the Grant Access control.

When looking at the Web Content Filtering Policies and Conditional Access policies, you might think: I can add an MFA requirement before a specific website (based on the FQDN) can be accessed. The problem, however, is that the CA policy is triggered before the page or application is even opened. It's initiated on the first contact.

This results in the user not even seeing the MFA request come up, making the whole application unusable. We also don't want to use the Block option here. Blocking access is done at the Web Content Filtering Policy level, not in the Conditional Access policy.

So, to assign a security profile, we are going to create the following CA policy:

  1. Name – GSA – Block Social and Streaming
  2. Users – Select the group to assign the policy to
  3. Target –
    • Global Secure Access
    • Traffic Profile > Internet Traffic
  4. Grant – Just select Grant Access, leave the requirements unchecked
  5. Session – Use Global Secure Access profile
    • Select the profile Block Social and Entertainment

Assign profile to conditional access policy

Make sure you test the policy first in Report-Only mode before you enable it. You can repeat these steps to assign the other security profiles to your user groups as well.

Testing Microsoft Entra Internet Access

With all the policies and profiles configured and assigned to groups, we can start testing. First, make sure that the Global Secure Access Client is running and that the Internet Profile is applied.

  • Right-click on the client
  • Open the Advanced Diagnostics

Microsoft Entra Private Access Client

In the Global Secure Access Client diagnostics, open the Forwarding profile tab. Here we can see all the rules that have been applied to the client. Check if the Internet Access Rules are loaded. If you don't see the Internet Access Rules, try restarting the client or just give it a couple of minutes.

We have now blocked all social media sites, for example, for all our users. So to test it we can try to open Facebook. If you have configured everything correctly, you will get a connection error:

Blocked page

Troubleshooting

To troubleshoot policy errors it's best to look into the Traffic Logs under Global Secure Access > Monitor in the Microsoft Entra Admin Center. Here you can see all the traffic from the clients and the action taken; if you click on a record, it will also show you the applied web category, filtering policy, and policy name.

Microsoft Entra Internet Access Traffic Logs

Keep in mind that changing policy rules can take some time to propagate to the clients. You can see the last profile update time in the Advanced Diagnostics on the client, under the Forwarding Profile tab.

Wrapping Up

Microsoft Entra Internet Access is a great way to gain control over who can access what on the internet. It's a bit of work to set up, but the important part is to create a good baseline profile.

Internet Access is still in development; for example, at the moment IPv6 and the UDP protocol are not supported yet. Also, user-friendly notifications are in development. Still, this is an interesting feature to take a look at. Keep in mind, though, that a lot of AV solutions also offer a similar kind of functionality (not group-based, but content blocking for all clients).

The additional license cost might be a deal breaker. I find the extra cost on top of Microsoft Entra ID P1 or P2 quite high, to be honest. I personally see the most opportunity for Microsoft Entra Private Access, which can replace existing VPN solutions and also allows you to better protect on-premise resources.

Hope this article gave you a better understanding of Microsoft Entra Internet Access. If you have any questions, just drop a comment below.
