Internet Access and Microsoft 365 Access Configuration
Microsoft Entra Internet Access and Microsoft 365 Access Configuration are critical components of Microsoft's Security Service Edge (SSE) solution, designed to secure access to internet resources and Microsoft 365 services.
**Microsoft Entra Internet Access** provides a Secure Web Gateway (SWG) that protects users and devices from internet threats. It enables administrators to control outbound internet traffic by enforcing security policies such as web content filtering, threat protection, and data loss prevention. Traffic is routed through Microsoft's global edge network, ensuring consistent security regardless of user location. Administrators can configure traffic forwarding profiles to determine which traffic is tunneled through the service, apply conditional access policies, and monitor user activity through detailed logs and analytics.
**Microsoft 365 Access Configuration** is a specialized component that focuses specifically on securing and optimizing access to Microsoft 365 services like Exchange Online, SharePoint Online, and Teams. It provides enhanced security controls including tenant restrictions to prevent data exfiltration, conditional access integration, and source IP restoration to maintain accurate sign-in logs. This ensures that even when traffic is proxied, the original user IP address is preserved for compliance and auditing purposes.
Key configuration steps include:
1. **Enabling Traffic Forwarding Profiles** - Administrators activate Microsoft 365 and Internet access profiles in the Microsoft Entra admin center.
2. **Client Deployment** - Installing the Global Secure Access client on user devices to route traffic appropriately.
3. **Conditional Access Policies** - Creating policies that leverage the Global Secure Access security profile as a condition for granting or restricting access.
4. **Web Content Filtering** - Defining policies to block or allow specific web categories and FQDNs.
5. **Cross-Tenant Access Settings** - Configuring tenant restrictions v2 to control access to external tenants.
These solutions work together under the Global Secure Access umbrella, providing identity-centric zero-trust network access that integrates deeply with Microsoft Entra Conditional Access for comprehensive security governance.
Why Is Internet Access and Microsoft 365 Access Configuration Important?
In today's hybrid and cloud-first environments, organizations must secure how users access the internet and Microsoft 365 services. Traditional VPN and perimeter-based models are no longer sufficient. Microsoft Entra Internet Access and Microsoft 365 Access are part of Microsoft's Global Secure Access (formerly Entra Internet Access and Entra Private Access), which implements a Security Service Edge (SSE) solution. This is critical because it allows organizations to enforce identity-centric security policies for all internet-bound and Microsoft 365 traffic, reducing the risk of data exfiltration, lateral movement, and unauthorized access.
For the SC-300 exam, understanding this topic demonstrates your ability to implement modern access management strategies that go beyond traditional network security.
What Is Internet Access and Microsoft 365 Access Configuration?
Microsoft Entra Internet Access provides a Secure Web Gateway (SWG) solution that routes internet-bound traffic through Microsoft's global edge network. It enables organizations to apply conditional access policies, web content filtering, and threat protection to all outbound internet traffic.
Microsoft Entra Internet Access for Microsoft 365 specifically focuses on securing and optimizing traffic destined for Microsoft 365 services (Exchange Online, SharePoint Online, Teams, etc.). It provides:
- Tenant restrictions v2: Prevents users from accessing unauthorized external tenants using corporate credentials or devices.
- Source IP restoration: Ensures that Conditional Access policies that rely on IP-based conditions continue to work correctly even when traffic is routed through Microsoft's SSE infrastructure.
- Compliant network checks: A new Conditional Access condition that verifies traffic is coming through the Global Secure Access client.
- Universal Conditional Access: Extends Conditional Access to all internet traffic, not just Microsoft cloud apps.
How Does It Work?
The architecture involves several key components:
1. Global Secure Access Client:
A lightweight client installed on user devices that captures and tunnels traffic to Microsoft's Security Service Edge. The client works alongside the device's existing network stack and routes specific traffic profiles to the cloud-based security service.
2. Traffic Forwarding Profiles:
Administrators configure traffic forwarding profiles that determine which traffic is routed through Global Secure Access. There are three main profiles:
- Microsoft 365 traffic profile: Captures traffic destined for Exchange Online, SharePoint Online, and Microsoft Teams.
- Internet Access traffic profile: Captures general internet-bound traffic for web filtering and security inspection.
- Private Access traffic profile: Routes traffic to private, on-premises applications (not directly related to this topic but part of the broader solution).
3. Web Content Filtering:
Administrators can create web content filtering policies that block or allow access to websites based on categories (e.g., social media, gambling, malware) or specific FQDNs (Fully Qualified Domain Names). These policies are linked to security profiles, which are then associated with Conditional Access policies.
4. Security Profiles:
Security profiles are collections of filtering policies that define the security posture applied to traffic. They are the bridge between web content filtering rules and Conditional Access. When a Conditional Access policy targets internet traffic, it references a security profile that contains the relevant filtering rules.
5. Conditional Access Integration:
This is the cornerstone of the solution. Conditional Access policies can now include:
- Compliant network as a condition: Ensures the user is connecting through Global Secure Access.
- All Internet Resources as a target resource: Applies policies to all internet-bound traffic.
- Microsoft 365 traffic as a target: Applies policies specifically to M365-bound traffic.
- Security profiles in the Session controls: Enforces web filtering rules through the Conditional Access framework.
6. Tenant Restrictions v2:
When Microsoft 365 traffic flows through Global Secure Access, the service can automatically inject tenant restriction headers into outbound requests. This prevents users from signing into unauthorized external tenants, even on managed devices. This is configured through cross-tenant access settings in Microsoft Entra ID.
7. Source IP Restoration:
When traffic is proxied through Global Secure Access, the original source IP of the user can be lost. Source IP restoration ensures that the original client IP is preserved and visible in sign-in logs and Conditional Access evaluations, so location-based policies (named locations, trusted IPs) continue to function correctly.
Configuration Steps Overview:
Step 1: Enable Global Secure Access in the Microsoft Entra admin center.
Step 2: Activate the desired traffic forwarding profiles (Microsoft 365 profile and/or Internet Access profile).
Step 3: Deploy the Global Secure Access client to endpoint devices.
Step 4: Configure web content filtering policies with appropriate category or FQDN rules.
Step 5: Create security profiles that group the filtering policies with appropriate priority.
Step 6: Create Conditional Access policies that reference security profiles, compliant network conditions, or target all internet resources / Microsoft 365 traffic.
Step 7: Optionally configure tenant restrictions v2 via cross-tenant access settings for M365 traffic control.
Step 8: Enable source IP restoration if you rely on IP-based Conditional Access policies.
Key Concepts to Remember:
- Licensing: Microsoft Entra Internet Access and Microsoft 365 Access require Microsoft Entra Suite or specific Global Secure Access licenses.
- Priority of security profiles: When multiple security profiles apply, the one with the lowest priority number (highest priority) is evaluated first.
- Baseline profile: A default security profile that applies to all traffic processed by Internet Access. It has the lowest priority (highest number, 65000) and acts as a catch-all.
- Compliant network: This is a Conditional Access location condition that verifies traffic comes through the Global Secure Access service. It does NOT check device compliance — the name can be misleading.
- Web content filtering operates in block mode only — you define what to block; everything else is allowed unless another policy blocks it.
Exam Tips: Answering Questions on Internet Access and Microsoft 365 Access Configuration
Tip 1: Understand the Relationship Between Components
Exam questions often test whether you understand the chain: Web content filtering policy → Security profile → Conditional Access policy. Remember that filtering policies are not applied directly; they must be linked to a security profile, which is then enforced through Conditional Access.
Tip 2: Know the Difference Between Microsoft 365 Access and Internet Access
Microsoft 365 Access specifically handles traffic to Exchange Online, SharePoint Online, and Teams. Internet Access handles all other web-bound traffic. Questions may ask which profile to enable for a specific scenario.
Tip 3: Compliant Network ≠ Compliant Device
A common trick in exam questions is confusing compliant network (traffic routed through Global Secure Access) with compliant device (device marked compliant in Intune). Read carefully and ensure you select the correct condition.
Tip 4: Tenant Restrictions v2 Requires Microsoft 365 Traffic Profile
If a question asks about preventing users from accessing external tenants, the answer involves enabling the Microsoft 365 traffic forwarding profile and configuring cross-tenant access settings with tenant restrictions v2. The internet access profile alone is not sufficient for this.
Tip 5: Source IP Restoration Is Key for Location-Based Policies
If a scenario describes location-based Conditional Access policies failing after enabling Global Secure Access, the solution is to enable source IP restoration. This is a commonly tested troubleshooting scenario.
Tip 6: Remember the Baseline Profile
The baseline security profile is always evaluated last (priority 65000). If a question asks about default behavior for unmatched traffic, the baseline profile is the answer. Custom security profiles always take precedence over the baseline.
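The precedence rule in Tip 6 and the chain from Tip 1, as a simplified Python model added here (not Microsoft's implementation and not code from this guide). It assumes first-match-wins evaluation, a per-policy priority inside each profile, `*.suffix` wildcard FQDNs, and group-scoped Conditional Access links; every profile, policy, group and host name is hypothetical.

```python
from dataclasses import dataclass

BASELINE_PRIORITY = 65000  # baseline profile priority, as stated on this page

@dataclass
class Policy:            # one web content filtering policy
    name: str
    priority: int        # order inside its security profile (assumption)
    action: str          # "block" or "allow"
    categories: tuple = ()
    fqdns: tuple = ()    # exact host or "*.suffix" wildcard (assumed syntax)

@dataclass
class Profile:           # security profile = prioritized group of policies
    name: str
    priority: int
    policies: tuple

def matches(policy, host, category):
    host = host.lower().rstrip(".")
    for pat in policy.fqdns:
        pat = pat.lower()
        if host == pat or (pat.startswith("*.") and host.endswith(pat[1:])):
            return True
    return category in policy.categories

def evaluate(user_groups, ca_links, profiles, host, category):
    """First match wins; lowest priority number first; default is allow."""
    # A custom profile is enforced only if a Conditional Access policy links it.
    linked = {prof for group, prof in ca_links if group in user_groups}
    active = [p for p in profiles
              if p.name in linked or p.priority == BASELINE_PRIORITY]
    for prof in sorted(active, key=lambda p: p.priority):
        for pol in sorted(prof.policies, key=lambda p: p.priority):
            if matches(pol, host, category):
                return pol.action, prof.name, pol.name
    return "allow", None, None  # nothing matched, traffic is allowed

# Constructed sample configuration (all names are hypothetical).
PROFILES = [
    Profile("Baseline", BASELINE_PRIORITY,
            (Policy("block-social", 100, "block", categories=("Social Networking",)),)),
    Profile("Marketing", 200,
            (Policy("allow-social", 100, "allow", categories=("Social Networking",)),)),
    Profile("Unlinked", 100,
            (Policy("block-files", 100, "block", fqdns=("*.files.example",)),)),
]
CA_LINKS = [("marketing", "Marketing")]  # (group, security profile) per CA policy
```

The `Unlinked` profile has the best priority number but is never enforced, because no Conditional Access policy references it; only the baseline applies without a link.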
Tip 7: Client Deployment Is Required
The Global Secure Access client must be installed on user devices for traffic forwarding to work. If a question describes a scenario where policies are configured but not enforced, check whether the client deployment step is missing.
Tip 8: Understand the Admin Roles
Configuring Global Secure Access typically requires the Global Secure Access Administrator role. Conditional Access policies require Conditional Access Administrator or Security Administrator. Questions may test role-based access for these configurations.
Tip 9: Watch for Licensing-Related Scenarios
Some questions may present scenarios where certain features are unavailable. If Internet Access or Microsoft 365 Access features are not functioning, consider whether the correct licensing (Microsoft Entra Suite) is in place.
Tip 10: Practice the Configuration Flow
For scenario-based questions, remember the logical order: Enable Global Secure Access → Activate traffic profiles → Deploy client → Create filtering policies → Create security profiles → Create Conditional Access policies. Questions may ask you to arrange steps in the correct order or identify a missing step in a partially completed configuration.