Entra Internet Access: Secure Web Gateway in the Cloud
I’ve spent more time than I’d like to admit troubleshooting traditional proxy servers and on-premises web gateways over the years. PAC file issues, certificate problems, users complaining their internet is slow because everything’s hairpinning through the datacentre — you know the drill. So when Microsoft started building a cloud-native Secure Web Gateway directly into the identity platform, I was immediately interested.
That’s what Entra Internet Access is, and having worked with it across a few environments now, I wanted to share where I think it stands and where it fits.
If you’ve been following my earlier posts on Entra SSE, you’ll know this sits within the broader Microsoft Security Service Edge (SSE) solution alongside Entra Private Access. This post focuses on the Internet Access component specifically — its role as a Secure Web Gateway (SWG).
What Is Entra Internet Access?
Put simply, Entra Internet Access routes your users’ internet-bound traffic through Microsoft’s cloud-based security stack. You get web content filtering, threat protection, and TLS inspection, all delivered as a cloud service. No on-premises proxy infrastructure needed.
The key components:
- Web content filtering — block or allow access to websites based on categories (gambling, social media, malware, etc.) or specific FQDNs
- TLS inspection — decrypt and inspect HTTPS traffic for threats (with the usual certificate deployment headaches)
- Threat protection — blocks access to known malicious sites and phishing pages
- Traffic forwarding profiles — control which traffic gets routed through the service
For the full picture, the Microsoft Entra Internet Access documentation is your best starting point.
The Conditional Access Integration
This is where it gets properly interesting. Traditional SWG solutions operate independently of your identity platform. Entra Internet Access is built on top of Entra ID. That means your web filtering policies can tie directly into Conditional Access.
Think about what that actually gives you:
- Different web filtering policies based on user group, device compliance state, or sign-in risk level
- Requiring compliant devices before users can access the internet through the gateway
- Authentication context to step up security for specific web categories
- Session controls driven by real-time risk signals
With a traditional proxy, you’d need to wire up integration with your identity provider through SAML or some custom connector just to get basic user-aware filtering. Here, it’s native. Your web security policies live alongside your access policies in the same portal, using the same identity signals.
It’s a proper step forward from the “IP-based user identification” approach that most traditional proxies still rely on. I spent a full afternoon once trying to debug why a Zscaler policy wasn’t matching the right user because of a NAT issue. That kind of thing just goes away here.
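To make the identity-aware filtering concrete, here is an added example (my own, not from the original post or Microsoft's docs) that creates two report-only Conditional Access policies via Microsoft Graph: one requiring a compliant device for Global Secure Access internet traffic, and one blocking that traffic for high-risk sign-ins. The group ID is a placeholder, and the `globalSecureAccess.includeTrafficProfiles` property and its `"internet"` value are my assumption about the beta schema's shape for targeting GSA traffic, so check the current Graph beta reference before relying on it.

```powershell
# Added example; requires the Microsoft.Graph PowerShell SDK (Connect-MgGraph, Invoke-MgGraphRequest).
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess" -NoWelcome

function New-GsaInternetCaPolicy {
    param(
        [Parameter(Mandatory)] [string]   $DisplayName,
        [Parameter(Mandatory)] [string[]] $IncludeGroups,
        [Parameter(Mandatory)] [string[]] $BuiltInControls,   # e.g. compliantDevice, block
        [string[]] $SignInRiskLevels = @()                     # e.g. high, medium
    )

    $conditions = @{
        users          = @{ includeGroups = $IncludeGroups }
        clientAppTypes = @("all")
        # ASSUMPTION: this is the beta-schema shape for targeting Global Secure Access
        # traffic profiles; the portal exposes it as "Internet traffic" under GSA targets.
        applications   = @{ globalSecureAccess = @{ includeTrafficProfiles = @("internet") } }
    }
    if ($SignInRiskLevels.Count -gt 0) {
        $conditions.signInRiskLevels = $SignInRiskLevels
    }

    $body = @{
        displayName   = $DisplayName
        # Report-only first: sign-in logs show the outcome without affecting users.
        state         = "enabledForReportingButNotEnforced"
        conditions    = $conditions
        grantControls = @{ operator = "AND"; builtInControls = $BuiltInControls }
    }

    Invoke-MgGraphRequest -Method POST `
        -Uri "https://graph.microsoft.com/beta/identity/conditionalAccess/policies" `
        -Body ($body | ConvertTo-Json -Depth 10) -ContentType "application/json"
}

$pilotGroupId = "00000000-0000-0000-0000-000000000000"   # placeholder: pilot group object ID

# 1. Only compliant devices may reach the internet through the gateway.
$p1 = New-GsaInternetCaPolicy -DisplayName "GSA Internet: require compliant device" `
        -IncludeGroups @($pilotGroupId) -BuiltInControls @("compliantDevice")

# 2. High-risk sign-ins get no internet access through the gateway at all.
$p2 = New-GsaInternetCaPolicy -DisplayName "GSA Internet: block high sign-in risk" `
        -IncludeGroups @($pilotGroupId) -SignInRiskLevels @("high") -BuiltInControls @("block")

"Created $($p1.id) and $($p2.id); flip state to 'enabled' once report-only results look right."
```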
The Global Secure Access Client
To route traffic through Entra Internet Access, you deploy the Global Secure Access client on your endpoints. It’s available for Windows, macOS, iOS, and Android. The client establishes a secure tunnel to the nearest Microsoft point of presence and forwards traffic based on the configured traffic forwarding profiles.
Those profiles let you control exactly what gets routed:
- Microsoft traffic profile — routes Microsoft 365 traffic (Exchange, SharePoint, Teams, etc.) through the service
- Internet access profile — routes general internet traffic through the web filtering stack
- Private access profile — routes traffic to your private applications (this is the Entra Private Access piece)
You can enable these independently, which is handy for a phased rollout. A lot of organisations start with just the Microsoft traffic profile, then expand to internet access once they’re comfortable with how the client behaves.
The client works alongside existing VPN solutions, though you’ll want to test thoroughly to avoid routing conflicts. I’d strongly recommend a pilot before going wide. Microsoft provides detailed guidance on coexistence.
How It Compares to Traditional SWG
Having worked with Zscaler, Cisco Umbrella, and various on-premises proxy solutions over the years, I can see the appeal of Entra Internet Access. But it’s only fair to be balanced about where it’s strong and where it still has ground to cover.
Where Entra Internet Access shines:
- Integration with Entra ID and Conditional Access. The killer feature, frankly. No other SWG has this level of native identity integration with Microsoft’s ecosystem.
- No on-premises infrastructure. No proxy servers to maintain, no PAC files to manage, no hairpinning traffic back to a datacentre.
- Unified portal. Managing web security, identity, and access policies in one place simplifies operations a lot.
- Microsoft 365 optimisation. Routing Microsoft 365 traffic through their own network is always going to be well-optimised.
Where it’s still maturing:
- Web content filtering granularity. The category list and filtering options are decent but not yet as fine-grained as the established SWG vendors. If you need very specific URL filtering or custom category definitions, you might hit gaps.
- Reporting and analytics. Getting better, but still behind what you’d get from a Zscaler or Netskope dashboard. If your compliance team needs detailed web usage reports, this could be a sticking point right now.
- Advanced threat protection. Solid for blocking known bad sites, but the sandboxing and zero-day protection you’d get from a dedicated SWG vendor is more mature.
- Global edge network. Microsoft’s network is massive, but the number of Global Secure Access points of presence is still growing. Worth checking that coverage is adequate for your user locations before committing.
When Does It Make Sense?
From what I’ve seen, Entra Internet Access makes the most sense for organisations that:
- Are heavily invested in the Microsoft ecosystem (Entra ID, Microsoft 365, Defender XDR)
- Want to consolidate vendors and trim down the number of security tools in play
- Don’t have overly complex web filtering requirements
- Are moving away from on-premises proxy kit and want a cloud-native replacement
- Value the Conditional Access integration for identity-aware web security
It might not be the right fit yet if you:
- Need advanced inline threat protection with sandboxing
- Have complex multi-tenant or multi-region requirements that need a more mature global edge
- Rely on very granular URL filtering with custom categories
- Need deep reporting and analytics for compliance that goes beyond what’s currently on offer
Getting Started
If you want to evaluate Entra Internet Access, you’ll need:
- Microsoft Entra ID P1 licences (minimum)
- Microsoft Entra Internet Access licences (part of the Microsoft Entra Suite or standalone)
- The Global Secure Access client deployed to test endpoints
- A traffic forwarding profile configured for internet access
I’d recommend starting with a pilot group. Enable the Microsoft traffic profile first, then expand to internet access filtering once you’ve confirmed the client is behaving itself in your environment.
The Global Secure Access documentation has a solid quickstart guide that walks you through initial setup.
The direction of travel here is clear — Microsoft is building a full SSE platform, and Entra Internet Access is a key piece of that. It’s not a like-for-like replacement for every traditional SWG out there yet, but for organisations deep in the Microsoft stack, it’s getting harder to ignore. Definitely one to keep an eye on.
If you’ve got experience running Entra Internet Access in production, I’d be keen to hear how you’re finding it. Drop a comment or reach out on LinkedIn.