How to configure Global Secure Access web content filtering

Overview

Web content filtering empowers you to implement granular Internet access controls for your organization based on website categorization.

Microsoft Entra Internet Access's first Secure Web Gateway (SWG) features include web content filtering based on domain names. Microsoft integrates granular filtering policies with Microsoft Entra ID and Microsoft Entra Conditional Access, which results in filtering policies that are user-aware, context-aware, and easy to manage.

The web filtering feature currently supports user- and context-aware Uniform Resource Locator (URL)-based web category filtering, URL filtering, and FQDN filtering.

Web content filtering also supports two optional rule conditions that enable traffic-aware policy enforcement:

• Source traffic type filtering (preview): Scope rules to specific traffic types, such as agent, browser, or application.
• HTTP method request filtering (preview): Block or allow specific HTTP methods, such as GET, POST, PUT, PATCH, and DELETE.

Prerequisites

• Administrators who interact with Global Secure Access features must have one or more of the following role assignments depending on the tasks they're performing.

  • The Global Secure Access Administrator role role to manage the Global Secure Access features.
  • The Conditional Access Administrator to create and interact with Conditional Access policies.

• Complete the Get started with Global Secure Access guide.

• Install the Global Secure Access client on end user devices.

• You must disable Domain Name System (DNS) over HTTPS (Secure DNS) to tunnel network traffic. Use the rules of the fully qualified domain names (FQDNs) in the traffic forwarding profile. For more information, see Configure the DNS client to support DoH.

• Disable built-in DNS client on Chrome and Microsoft Edge.

• IPv6 traffic isn't acquired by the client and is therefore transferred directly to the network. To enable all relevant traffic to be tunneled, set the network adapter properties to IPv4 preferred.

• User Datagram Protocol (UDP) traffic (that is, QUIC) isn't supported in the current preview of Internet Access. Most websites support fallback to Transmission Control Protocol (TCP) when QUIC can't be established. For an improved user experience, you can deploy a Windows Firewall rule that blocks outbound UDP 443: New-NetFirewallRule -DisplayName "Block QUIC" -Direction Outbound -Action Block -Protocol UDP -RemotePort 443.

• To enforce source traffic type and HTTP method request rules for HTTPS traffic, enable TLS inspection. Without TLS inspection, only Server Name Indication (SNI)-based web content filtering rules apply.

• Source traffic type filtering requires client-based Global Secure Access connections. Remote networks don't support source traffic type rules.

• Review web content filtering concepts. For more information, see web content filtering.

High level steps

There are several steps to configuring web content filtering. Take note of where you need to configure a Conditional Access policy.

1. Enable internet traffic forwarding.
2. Create a web content filtering policy.
3. Create a security profile.
4. Link the security profile to a Conditional Access policy.
5. Assign users or groups to the traffic forwarding profile.

Enable internet traffic forwarding

The first step is to enable the Internet Access traffic forwarding profile. For more information about the profile and how to enable it, see How to manage the Internet Access traffic forwarding profile.

Create a web content filtering policy

1. Browse to Global Secure Access > Secure > web content filtering policy.
2. Select Create policy.
3. Enter a name and description for the policy and select Next.
4. Select Add rule.
5. Enter a name, select a web category, a valid URL, or a valid FQDN, and then select Add.
   • Valid URLs and FQDNs in this feature can also include wildcards using the asterisk symbol, *, and can be comma-separated lists.
   • When entering FQDNs, use the domain name only. Don't include protocols (such as https://), port numbers, or URL paths. For example, enter contoso.com instead of https://contoso.com:443/path.
   • To match all subdomains of a domain, use the wildcard format *.domain.com. Note that the wildcard *.domain.com matches subdomains like www.domain.com but doesn't match the root domain domain.com itself. To cover both the domain and all its subdomains, include both entries as a comma-separated list (for example, *.contoso.com,contoso.com).
   • When entering multiple FQDNs in a comma-separated list, don't include spaces between entries (for example, contoso.com,fabrikam.com,*.example.com).
   • Note, the URL filtering Preview supports a maximum of 1,000 URLs per tenant.
6. (Optional) Configure the Source type condition (preview). For more information, see Configure source traffic type filtering (preview).
7. (Optional) Configure the HTTP method request condition (preview). For more information, see Configure HTTP method request filtering (preview).
8. Select Next to review the policy and then select Create policy.

Configure source traffic type filtering (preview)

Source traffic type filtering lets you scope web content filtering rules to specific types of network traffic. You can enforce differentiated policies based on whether traffic originates from an AI agent, a web browser, or an application.

Supported source traffic types

Configure the source traffic type condition

1. In the web content filtering rule configuration, locate the Source type field.
2. Enable the Source type field to include it in the rule.
3. Select the source traffic types to include in the rule.

Example: Block AI agents from accessing social networking sites

To prevent AI agents from accessing social networking websites while allowing browser and application traffic:

1. Create a web content filtering policy rule.
2. Select the SocialNetworking web category.
3. Enable Source type and select Agent.
4. Set the policy action to Block.

This configuration blocks AI agent traffic to social networking sites while allowing browser and application users to access the same sites.

Configure HTTP method request filtering (preview)

HTTP method request filtering lets you block or allow specific HTTP methods for matching traffic. You can enforce least-privilege access by restricting write operations while permitting read-only access.

Supported HTTP methods

Configure the HTTP method request condition

1. In the web content filtering rule configuration, locate the HTTP method request field.
2. Enable the HTTP method request field to include it in the rule.
3. Select the HTTP methods to include in the rule.

Example: Block AI agent write operations

To prevent AI agents from performing write operations (PUT, PATCH, and DELETE) on enterprise resources:

1. Create a web content filtering policy rule.
2. Select the destination URLs, FQDNs, or web categories you want to protect.
3. Enable Source type and select Agent.
4. Enable HTTP method request and select PUT, PATCH, and DELETE.
5. Set the policy action to Block.

This configuration blocks AI agent traffic from performing write operations on the specified destinations while allowing GET and other read-only methods.

Combine source traffic type and HTTP method conditions

You can use source traffic type and HTTP method request conditions independently or together in a single rule:

• Source type only: Apply a rule to all traffic from a specific source type regardless of HTTP method.
• HTTP method request only: Apply a rule to specific HTTP methods regardless of traffic source.
• Both conditions: Apply a rule only when both the source traffic type and the HTTP method match.

When you configure both conditions in a rule, a request must match both the specified source traffic type and the specified HTTP method for the rule to apply. Conditions are evaluated using AND logic across attributes.

Policy evaluation and precedence

Policy evaluation follows the existing web content filtering policy framework ordering and precedence rules:

• Within the same attribute: OR logic. Matching any selected value triggers the condition.
• Across attributes: AND logic. All configured conditions must match.
• Conflicting actions: When multiple policies match with conflicting actions, the most restrictive action wins (block over allow).

Create a security profile

Security profiles are a grouping of filtering policies. You can assign, or link, security profiles with Microsoft Entra Conditional Access policies. One security profile can contain multiple filtering policies. And one security profile can be associated with multiple Conditional Access policies.

In this step, you create a security profile to group filtering policies. Then you assign, or link, the security profiles with a Conditional Access policy to make them user or context aware.

1. Browse to Global Secure Access > Secure > Security profiles.
2. Select Create profile.
3. Enter a name and description for the policy and select Next.
4. Select Link a policy and then select Existing policy.
5. Select the web content filtering policy you already created and select Add.
6. Select Next to review the security profile and associated policy.
7. Select Create a profile.
8. Select Refresh to refresh the profiles page and view the new profile.

Create and link Conditional Access policy

Create a Conditional Access policy for end users or groups and deliver your security profile through Conditional Access Session controls. Conditional Access is the delivery mechanism for user and context awareness for Internet Access policies. For more information about session controls, see Conditional Access: Session.

1. Sign in to the Microsoft Entra admin center as at least a Conditional Access Administrator.
2. Browse to Entra ID > Conditional Access > Policies.
3. Select New policy.
4. Give your policy a name. Organizations should create a meaningful standard for the names of their policies.
5. Under Assignments, select Users or workload identities.
   1. Under Include, select All users
6. Select Target resources and All internet resources with Global Secure Access.
7. Select Session > Use Global Secure Access security profile and choose a security profile.
8. Select Select.
9. In the Enable policy section, ensure On is selected.
10. Select Create.

Enable web content filtering for remote network traffic

Remote network connectivity allows you to connect branch offices and other remote locations to Global Secure Access without installing the client on individual devices. For more information about remote network connectivity, see Global Secure Access remote network connectivity.

You can use the baseline security profile to apply tenant-wide web content filtering policies to all remote network traffic. The baseline profile enforces policies at the lowest priority in the policy stack and applies to all Internet Access traffic routed through the service, making it ideal for securing remote network locations.

For more information on applying security policies to remote networks, see Apply security policies to remote network traffic.

Internet Access flow diagram

This example demonstrates the flow of Microsoft Entra Internet Access traffic when you apply web content filtering policies.

The following flow diagram illustrates web content filtering policies blocking or allowing access to internet resources.

User and group assignments

You can scope the Internet Access profile to specific users and groups. For more information about user and group assignment, see How to assign and manage users and groups with traffic forwarding profiles.

Verify end user policy enforcement

When traffic reaches Microsoft's Secure Service Edge, Microsoft Entra Internet Access performs security controls in two ways. For unencrypted HTTP traffic, it uses the Uniform Resource Locator (URL). For HTTPS traffic encrypted with Transport Layer Security (TLS), it uses the Server Name Indication (SNI).

Use a Windows device with the Global Secure Access client installed. Sign in as a user that is assigned the Internet traffic acquisition profile. Test that navigating to websites is allowed or restricted as expected.

1. Right-click on the Global Secure Access client icon in the task manager tray and open Advanced Diagnostics > Forwarding profile. Ensure that the Internet access acquisition rules are present. Also, check if the hostname acquisition and flows for the users Internet traffic are being acquired while browsing.

2. Navigate to allowed and blocked sites and check if they behave properly. Browse to Global Secure Access > Monitor > Traffic logs to confirm traffic is blocked or allowed appropriately.

3. To verify source traffic type and HTTP method request rules, generate traffic from different source types. For example, use an AI agent to send a PATCH request to a protected resource, and confirm the rule enforces correctly in Traffic logs.

The current blocking experience for all browsers includes a plaintext browser error for HTTP traffic and a "Connection Reset" browser error for HTTPS traffic.

Related content

• Create a content policy to filter network file content
• Learn about the traffic dashboard
• Known limitations for Global Secure Access