Unit 3: Deploy and Configure Microsoft Entra Internet Access

Deploying Microsoft Entra Internet Access follows four core steps. Each step builds toward enforcing identity-aware internet access.

Step 1 – Enable Microsoft Traffic Forwarding Profile

Enabling the Microsoft traffic profile allows Global Secure Access to capture traffic destined for Microsoft services such as:

• Exchange Online.
• SharePoint Online.
• OneDrive.
• Microsoft Entra ID.

When enabled, this automatically creates:

• Network routing policies.
• Linked Conditional Access policies.
• User and group assignments.

This step ensures Microsoft traffic is evaluated against Global Secure Access and Conditional Access policies.

Step 2 – Deploy the Global Secure Access Client

The Global Secure Access client captures network traffic from end-user devices.

Deployment options include:

• Microsoft Intune.
• Manual installation.
• Android deployment via Defender or Intune.

Once installed:

• Users authenticate with Entra ID.
• A green icon indicates secure connectivity.
• Traffic is routed through Microsoft’s secure network.

Step 3 – Configure Tenant Restrictions

Tenant restrictions control access to external tenants.

Administrators can:

• Allow access only to approved tenants.
• Block unsanctioned external organizations.
• Prevent token reuse across tenants.

Tenant restrictions are configured under cross-tenant access settings, moving control from network proxies to the identity plane.

Step 4 – Enable Enhanced Signaling and Conditional Access

Global Secure Access introduces the concept of a compliant network in Conditional Access.

This allows administrators to:

• Enforce network-based access without maintaining IP allow lists.
• Apply Conditional Access using verified network connectivity.
• Protect against token theft replay.

Continuous Access Evaluation (CAE) enhances this by enforcing policies during active sessions.