Entra Internet Access

As part of the Microsoft Global Secure Access (GSA) Security Service Edge (SSE) solution, Microsoft Entra Internet Access is an identity-centric Secure Web Gateway (SWG) that provides secure access to the public Internet, SaaS applications, AI apps and agents, and web resources. It delivers cloud-native protection with deep integration into Microsoft Entra ID, enabling granular, context-aware policies while minimizing the risks associated with direct Internet access.

Introduction

Microsoft Entra Internet Access provides identity-driven secure access to internet and SaaS resources without relying on traditional web proxy infrastructure. By combining web content filtering, Conditional Access, threat protection, and cloud-native management, organizations can improve security, simplify operations, and accelerate Zero Trust adoption.

Identity-Centric Secure Web Gateway

Unlike legacy proxies or basic firewalls that rely on IP addresses or network rules, Entra Internet Access leverages user and device identity as the foundation for every access decision. Administrators can enforce rich Conditional Access policies that consider user risk, device compliance, location, and more, even for destinations that are not Entra ID-integrated.

Web Content Filtering

The core capability of Entra Internet Access is web content filtering, which provides granular control over web categories and specific FQDNs. You can explicitly allow or block inappropriate, malicious, or unsafe sites, protecting users whether they are working remotely or on the corporate network.

TLS Inspection

Most web traffic is encrypted, which limits what security services can see without TLS inspection. By default, Entra Internet Access can make policy decisions for HTTPS traffic based on TLS metadata, such as Server Name Indication (SNI). However, enabling TLS inspection allows Global Secure Access to decrypt, inspect, and re-encrypt HTTPS traffic at Microsoft’s service edge.

TLS inspection improves visibility into full URLs, web content, file uploads and downloads, and HTTP request details. This enables more granular web content filtering, better threat detection, custom block pages, and more effective policy enforcement for encrypted traffic. Organizations should plan TLS inspection carefully, including certificate deployment, privacy requirements, bypass rules, and application compatibility.

Conditional Access Integration

Entra Internet Access tightly integrates with Microsoft Entra ID, extending universal Conditional Access across all Internet and SaaS destinations. This includes support for device compliance, sign-in risk, user risk, multifactor authentication, and phishing-resistant credentials. When used with other Microsoft security services, organizations can benefit from additional protections such as token protection, data security controls, and safeguards for generative AI applications.

Security Profiles and Policy Logic

Security profiles group web filtering policies and are applied through Conditional Access. Policies within a profile are processed in order of priority (lower numbers = higher priority), with a baseline profile serving as a catch-all for routed Internet traffic. This unified approach simplifies policy management: a single engine handles identity, risk, and network security without requiring separate tools or consoles.
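Priority ordering means a broad rule with a low number can silently override a narrower rule below it. The following added example, which is not Microsoft's engine or API, models that ordering so a policy set can be checked for shadowed rules before deployment. It assumes first-match-wins evaluation, `*` wildcard FQDN patterns, and a default of allow when nothing matches; the profile data and all names are constructed.

```python
from fnmatch import fnmatchcase

# Constructed sample data: (priority, policy name, action, FQDN patterns).
LINKED_PROFILE = [
    (200, "block-file-sharing", "block", ["files.example.com", "share.example.net"]),
    (100, "allow-corp-saas", "allow", ["*.example.com"]),
    (300, "block-paste-sites", "block", ["paste.example.org"]),
]
BASELINE_PROFILE = [
    (100, "baseline-block-risky", "block", ["*.example.org", "share.example.net"]),
]

def ordered(policies):
    """Lower priority number is evaluated first."""
    return sorted(policies, key=lambda p: p[0])

def evaluate(fqdn, linked, baseline, default="allow"):
    """Return (action, source) for the first matching rule; baseline is consulted last."""
    fqdn = fqdn.lower().rstrip(".")
    for source, policies in (("linked", linked), ("baseline", baseline)):
        for _prio, name, action, patterns in ordered(policies):
            if any(fnmatchcase(fqdn, pat) for pat in patterns):
                return action, f"{source}/{name}"
    return default, "no-match"   # assumed default when no rule matches

def shadowed(policies):
    """List rules that cannot fire because an earlier rule with another action covers them."""
    findings, seen = [], []
    for _prio, name, action, patterns in ordered(policies):
        for pat in patterns:
            for earlier_name, earlier_action, earlier_pat in seen:
                if earlier_action != action and fnmatchcase(pat, earlier_pat):
                    findings.append((name, pat, earlier_name))
                    break
        seen.extend((name, action, pat) for pat in patterns)
    return findings
```

In the sample data the block on `files.example.com` at priority 200 is reported as shadowed, because the allow on `*.example.com` at priority 100 matches first.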

No On-Premises Infrastructure

Entra Internet Access is fully cloud-delivered. Administrators deploy the lightweight Global Secure Access client on endpoints (no full VPN tunnel required) and optionally configure remote network connectors for branch/office traffic. There are no on-premises proxies, complex certificate infrastructures, or inbound firewall rules to manage.

Global Secure Access Client

The GSA client runs as a network filter driver, selectively forwarding Internet-bound traffic according to defined profiles while leaving other traffic untouched.

Cross-Platform Support

The GSA client supports Windows, macOS, iOS, and Android, giving Entra Internet Access broad endpoint coverage and making it suitable for diverse workforces and hybrid environments.

Summary

Microsoft Entra Internet Access delivers a modern, identity-centric Secure Web Gateway that secures access to the Internet, SaaS applications, AI tools, and web resources. By combining deep Entra ID integration, Conditional Access, web content filtering, optional TLS inspection, and detailed logging, it provides comprehensive protection with simplified operations and reduced infrastructure overhead.

Organizations gain unified Zero Trust security across private (via Entra Private Access) and public resources, all managed by the Microsoft Entra admin center. This approach minimizes risks, improves visibility, boosts productivity, and accelerates the transition to a true Security Service Edge (SSE) model.
