Microsoft Entra Internet Access for Small Businesses in Berlin

Small businesses in Berlin increasingly rely on cloud services, SaaS applications, and remote work. Traditional network security — a perimeter firewall, VPN concentrator, and on-premises proxy — was designed for a world where users worked inside an office and data lived in on-premises servers. Microsoft Entra Internet Access extends your Conditional Access policies to cover internet-bound traffic from any device, anywhere, without requiring a VPN or hardware appliance.

What Global Secure Access Is

Global Secure Access is Microsoft’s Security Service Edge (SSE) offering, built into Entra ID. It has two components: Entra Internet Access, which secures all internet-bound traffic from managed devices, and Entra Private Access, which replaces VPN for access to on-premises resources. Together, they deliver a cloud-native SASE (Secure Access Service Edge) architecture that operates entirely through Microsoft’s global network edge — no data centre proxy hardware required.

Entra Internet Access works through a lightweight client installed on Windows, macOS, Android, and iOS devices managed by Intune. The client tunnels internet-bound traffic through Microsoft’s edge network, where it is inspected, filtered, and subject to your Conditional Access policies before being forwarded to its destination. The key difference from a traditional proxy is that the filtering decisions are identity-aware — policy applies based on who the user is and what device they’re on, not just the source IP address.

Web Content Filtering

Web content filtering lets you block access to specific categories of websites across your organization. Categories include malicious domains, phishing sites, command-and-control infrastructure, gambling, adult content, and peer-to-peer file sharing. You can configure baseline filtering policies that apply to all users, and override policies for specific user groups — allowing the security team access to threat intelligence sites that are blocked for general staff, for example.

Unlike DNS-based filtering, Entra Internet Access filtering applies to HTTPS traffic and evaluates the full URL path, not just the domain. This means you can block specific paths on an otherwise permitted domain — blocking file upload paths on cloud storage services while allowing read access, for instance. All filtering decisions are logged in the Microsoft Entra admin center with full user and device context, providing an audit trail for compliance purposes.
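The audit trail mentioned above is only useful if someone reads it. The following is an added example (not Microsoft's code, and not a tool from this page) of the kind of triage a small security team can run over exported filtering decisions: it counts blocks per user and policy, lists destinations where an override policy allowed some users what the baseline blocked for others, and flags a device hitting the same blocked destination repeatedly in a short window (either a user fighting a false positive or software retrying a blocked destination). The sample records are constructed, and the field names are an assumption modelled on the general shape of Global Secure Access traffic logs, not a guaranteed schema; adapt the keys to your real export.

```python
"""Triage helpers for Global Secure Access traffic-log style records (added example)."""
import json
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed JSON-lines sample (not real tenant data). Field names are an
# assumption modelled on the shape of Global Secure Access traffic logs; a real
# export carries more fields. One deliberately malformed line is included.
SAMPLE_LOG = """\
{"createdDateTime":"2024-05-06T08:01:10Z","userPrincipalName":"anna@contoso.example","deviceId":"dev-001","trafficType":"internet","destinationFqdn":"docs.example.test","action":"allow","policyName":null}
{"createdDateTime":"2024-05-06T08:02:30Z","userPrincipalName":"anna@contoso.example","deviceId":"dev-001","trafficType":"internet","destinationFqdn":"files.example-cloud.test","action":"block","policyName":"Baseline web filtering"}
{"createdDateTime":"2024-05-06T08:02:35Z","userPrincipalName":"anna@contoso.example","deviceId":"dev-001","trafficType":"internet","destinationFqdn":"files.example-cloud.test","action":"block","policyName":"Baseline web filtering"}
{"createdDateTime":"2024-05-06T08:02:41Z","userPrincipalName":"anna@contoso.example","deviceId":"dev-001","trafficType":"internet","destinationFqdn":"files.example-cloud.test","action":"block","policyName":"Baseline web filtering"}
{"createdDateTime":"2024-05-06T08:15:00Z","userPrincipalName":"ben@contoso.example","deviceId":"dev-002","trafficType":"internet","destinationFqdn":"threat-feed.example.test","action":"allow","policyName":"SecOps override"}
{"createdDateTime":"2024-05-06T09:40:12Z","userPrincipalName":"carla@contoso.example","deviceId":"dev-003","trafficType":"internet","destinationFqdn":"threat-feed.example.test","action":"block","policyName":"Baseline web filtering"}
this line is not json and should be skipped
{"createdDateTime":"2024-05-06T11:05:00Z","userPrincipalName":"carla@contoso.example","deviceId":"dev-003","trafficType":"internet","destinationFqdn":"files.example-cloud.test","action":"block","policyName":"Baseline web filtering"}
"""


def parse_traffic_log(text):
    """Parse JSON-lines records, skipping blank, malformed or timestamp-less lines."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            obj = json.loads(line)
        except json.JSONDecodeError:
            continue
        if not isinstance(obj, dict) or "createdDateTime" not in obj:
            continue
        obj["_ts"] = datetime.strptime(obj["createdDateTime"], "%Y-%m-%dT%H:%M:%SZ")
        records.append(obj)
    return records


def blocks_per_user_and_policy(records):
    """Count blocked transactions keyed by (policyName, userPrincipalName)."""
    return Counter(
        (r["policyName"], r["userPrincipalName"])
        for r in records
        if r["action"] == "block"
    )


def split_decisions(records):
    """FQDNs allowed for some users and blocked for others.

    Expected where an override policy exists for a group (e.g. SecOps and a
    threat-intel site); an unexpected entry points at policy drift.
    """
    actions_by_fqdn = defaultdict(set)
    for r in records:
        actions_by_fqdn[r["destinationFqdn"]].add(r["action"])
    return {f for f, acts in actions_by_fqdn.items() if {"allow", "block"} <= acts}


def repeated_block_bursts(records, threshold=3, window=timedelta(minutes=10)):
    """(deviceId, destinationFqdn) pairs blocked at least `threshold` times within `window`.

    Sliding-window scan over the sorted timestamps of each pair.
    """
    stamps_by_key = defaultdict(list)
    for r in records:
        if r["action"] == "block":
            stamps_by_key[(r["deviceId"], r["destinationFqdn"])].append(r["_ts"])
    bursts = []
    for key, stamps in stamps_by_key.items():
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                bursts.append(key)
                break
    return sorted(bursts)


if __name__ == "__main__":
    recs = parse_traffic_log(SAMPLE_LOG)
    for (policy, upn), n in blocks_per_user_and_policy(recs).most_common():
        print(f"{n:3d} blocks  {upn:<26} {policy}")
    print("split decisions:", split_decisions(recs))
    print("block bursts:", repeated_block_bursts(recs))
```

Feed it a real export by replacing `SAMPLE_LOG` with the file contents; the burst threshold and window are deliberately conservative so a single mis-click does not page anyone.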

Conditional Access for Internet Traffic

The most powerful capability of Entra Internet Access is the ability to apply Conditional Access policies to internet-bound traffic. This means you can require that users accessing specific categories of sites — financial services, cloud storage, code repositories — be on a compliant device and have completed MFA within the last hour. If the Conditional Access evaluation fails, the traffic is blocked at the edge, before it reaches the destination.

This model extends the zero-trust principle — verify explicitly, use least privilege, assume breach — beyond Microsoft 365 to the entire internet. A user on a personal, unmanaged device cannot bypass policy by using a browser outside of Microsoft 365 applications. Internet-bound traffic from that device is blocked or restricted at the network layer, not just the application layer.

Universal Tenant Restrictions

Tenant Restrictions v2, enforced through Entra Internet Access, prevents users from signing into personal or unauthorized Microsoft accounts (consumer Office 365, competitor tenants) from company-managed devices. This directly addresses one of the most common data exfiltration vectors: a user copying files to their personal OneDrive or signing into a competitor’s Microsoft 365 tenant on a company laptop.

With Universal Tenant Restrictions enabled, every Microsoft 365 authentication request from a managed device passes through your Global Secure Access tenant, where Entra ID injects a custom header that restricts the sign-in to your corporate tenant only. Users see an error if they try to authenticate to a different Microsoft 365 tenant — even if they use a browser incognito window or clear their browser cache.
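To make the header mechanism concrete, here is an added example (not Microsoft's code) that simulates how a Tenant Restrictions v2 header gates a sign-in. The header name `sec-Restrict-Tenant-Access-Policy` and its `<tenantId>:<policyId>` value format are the ones documented for Tenant Restrictions v2; everything else is a simplified assumption: the tenant and policy identifiers are constructed placeholders, the allow-list lives in a small in-memory dictionary standing in for the tenant's cross-tenant access settings, and a malformed header or unknown policy id is treated as fail-closed (the simulator's choice, not a statement about Entra's behaviour). The case that matters for defenders is the last one: a request that never traversed your edge carries no header, so no restriction is applied, which is why the managed-device client, not the browser, is the enforcement point.

```python
"""Simulation of Tenant Restrictions v2 header evaluation (added example)."""
import re
from dataclasses import dataclass

# Header name documented for Tenant Restrictions v2; the value is "<tenantId>:<policyId>".
TRV2_HEADER = "sec-Restrict-Tenant-Access-Policy"

# Constructed placeholder identifiers (not real tenants or policies).
CORP_TENANT = "11111111-1111-1111-1111-111111111111"
TRV2_POLICY = "22222222-2222-2222-2222-222222222222"
PARTNER_TENANT = "33333333-3333-3333-3333-333333333333"
CONSUMER_TENANT = "44444444-4444-4444-4444-444444444444"

# Constructed stand-in for the tenant's cross-tenant access settings:
# which external tenants each policy id permits sign-in to.
POLICY_STORE = {
    (CORP_TENANT, TRV2_POLICY): {PARTNER_TENANT},
}

_GUID = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I)


@dataclass
class Decision:
    allowed: bool
    reason: str


def build_header(tenant_id, policy_id):
    """Return the (name, value) pair the edge injects into Microsoft 365 auth traffic."""
    return TRV2_HEADER, f"{tenant_id}:{policy_id}"


def _find_header(headers, name):
    """HTTP header names are case-insensitive; match accordingly."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def evaluate_signin(headers, target_tenant):
    """Decide whether a sign-in to `target_tenant` passes tenant restrictions."""
    value = _find_header(headers, TRV2_HEADER)
    if value is None:
        # No header: the request did not traverse the tenant's edge, so nothing restricts it.
        return Decision(True, "no TRv2 header present; no restriction applies")
    parts = value.split(":")
    if len(parts) != 2 or not all(_GUID.match(p) for p in parts):
        return Decision(False, "malformed TRv2 header (fail closed, simulator assumption)")
    home_tenant, policy_id = parts
    if target_tenant.lower() == home_tenant.lower():
        return Decision(True, "sign-in to the corporate tenant")
    allowed = POLICY_STORE.get((home_tenant.lower(), policy_id.lower()))
    if allowed is None:
        return Decision(False, "unknown policy id (fail closed, simulator assumption)")
    if target_tenant.lower() in allowed:
        return Decision(True, "external tenant is on the policy allow-list")
    return Decision(False, "external tenant not permitted by tenant restrictions")


if __name__ == "__main__":
    name, value = build_header(CORP_TENANT, TRV2_POLICY)
    managed = {name: value}
    for label, hdrs, target in [
        ("managed device -> corporate tenant", managed, CORP_TENANT),
        ("managed device -> partner tenant", managed, PARTNER_TENANT),
        ("managed device -> consumer tenant", managed, CONSUMER_TENANT),
        ("unmanaged device -> consumer tenant", {}, CONSUMER_TENANT),
    ]:
        d = evaluate_signin(hdrs, target)
        print(f"{label:<38} {'ALLOW' if d.allowed else 'BLOCK'}  ({d.reason})")
```

Because the decision keys only on the injected header and the target tenant, clearing cookies or opening a private window changes nothing; the browser never sees the header and cannot remove it.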

Deployment with Intune

The Global Secure Access client is deployed through Intune as a managed application, with configuration profiles that enable the specific traffic forwarding profiles you want — internet access, Microsoft 365 traffic optimization, or private access. Deployment takes 15-20 minutes per device and requires no user interaction after the initial sign-in. The client reconnects automatically after network changes, device sleep, or reboots, with no VPN connection dialog for users to manage.

Microsoft 365 traffic forwarding — routing Microsoft 365 traffic through the Global Secure Access network for optimized routing and Tenant Restrictions enforcement — can be enabled independently of the full Internet Access filtering profile. This lets you start with the Microsoft 365 use case (tenant restriction enforcement, optimized routing) before expanding to full web content filtering, reducing change risk during rollout.

Practical Value for Berlin SMBs

For a small Berlin business with 20-150 employees working from multiple locations, home offices, and client sites, Entra Internet Access replaces three separate on-premises systems: the VPN concentrator, the web proxy, and the DNS filtering appliance. Monthly cost is included in the Microsoft Entra ID P1 licence that most Microsoft 365 Business Premium customers already hold. The operational overhead is minimal — no hardware to rack, patch, or replace, no proxy PAC files to maintain, no VPN profile updates to push.

The security benefit extends beyond cost: when all internet traffic from managed devices is routed through your policy engine, you gain complete visibility into what your users are accessing, from which devices, and whether those devices meet your compliance requirements. This visibility is a direct input to your risk assessments and supports the logging and monitoring requirements under ISO 27001 and GDPR Article 32.
