It seems like everywhere you turn these days, someone’s showing off their new custom AI Action Figure. You know, a slightly terrifying mix between a superhero, a robot, and your Uncle Bob after two cups of coffee. And while some of these creations are harmless fun, in a work environment… maybe we don’t need everyone dropping everything to design the next AI SuperCatMan.
So, let’s talk about how we can keep the action figure madness under control and still allow a few creative breaks using Entra Internet Access.
Step 1: Flip the Switch - Enable Internet Access
First things first: in Entra, head over to Global Secure Access > Traffic Forwarding > Internet Access Profile. Give that Internet Access Profile a nice little click and turn it on.

You’ll get a polite nudge to assign users or groups. Feel free to start with a pilot group if you’re feeling cautious, but me? I’m living on the edge and assigning it to All Users.

Step 2: Make Sure Your GSA Client Is Installed
If your client devices don’t have the Global Secure Access (GSA) Client yet, hit pause here. Get that installed first. I won’t dive into all the how-to here (you can check my previous blog for that), but trust me, it’s important. Like putting pants on before a big meeting is important.

Step 3: Build Your Great Wall of Web Filtering
Now comes the fun part: creating a Web Content Filtering Policy.

Then Create Policy.

We’ll call this first one Block – Restricted Categories.

We’ll pick categories we want to block from our digital kingdom like Alcohol, Criminal Activity, and (you guessed it) anything related to mass-producing questionable AI creations.

Then Create Policy.

Step 4: Make Room for the Exceptions
Let’s set up an Allow Rule, like a VIP pass for Budweiser.com. Even though the Alcohol category is blocked, we’re specifically making room for *.budweiser.com. Why? Honestly, no deep reason, just proving how easy it is to make exceptions when you need them.
In real-world environments, I like to group all my allowed sites together neatly for sanity’s sake.

The rule will be a FQDN this time, and not a category. I will specifically add *.budweiser.com to cover subdomains as well.

Step 5: Suit Up - Create Your Security Profile
Time to create your Security Profile! This is what we’ll use to tie all this magic together with Conditional Access later.


The big thing here is setting a higher priority number, in my example 500. This will make a little more sense later in this blog post, but for now just know that the lower the number, the higher the priority. I’m using 500 to allow some room.

When linking your policies, priority numbers matter.
Set your Blocked Categories with a nice safe priority like 500.

Set your Allow Budweiser Exception with a lower number like 100. Remember: lower number = higher priority. It’s like seating VIPs closer to the stage.

The final product…

Step 6: Bring It All Together - Conditional Access
Now, let’s create a Conditional Access policy to activate your master plan:
Target All Internet Resources.

Under Session Controls, pick the Security Profile you created earlier.

Step 7: Showdown Time
Let’s test it out:
Coors.com? Blocked.

Some “AI” sites like Copilot? Blocked.

Budweiser.com? Allowed because we allowed exceptions.
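To see why the priority numbers from Step 5 produce these three results, here is a small model of the evaluation order. It is an added example, not Microsoft's code or anything from the portal: the category table, the "Artificial Intelligence" label, the wildcard covering the apex domain, and the allow-by-default fallback are all assumptions made for the sketch.

```python
# Simplified model of the priority logic above; not Microsoft's evaluation engine.
# Constructed host-to-category table (the real service classifies sites itself;
# "Artificial Intelligence" is a placeholder label for the AI category).
CATEGORY_OF = {
    "coors.com": "Alcohol",
    "budweiser.com": "Alcohol",
    "copilot.microsoft.com": "Artificial Intelligence",
}

# Policies linked to the security profile, with the priorities from Step 5.
LINKS = [
    {"name": "Block – Restricted Categories", "priority": 500, "action": "block",
     "type": "webCategory",
     "values": ["Alcohol", "Criminal Activity", "Artificial Intelligence"]},
    {"name": "Allow Budweiser Exception", "priority": 100, "action": "allow",
     "type": "fqdn", "values": ["*.budweiser.com"]},
]

def fqdn_matches(pattern, host):
    """Match on label boundaries so evilbudweiser.com never rides the exception."""
    host, pattern = host.lower().rstrip("."), pattern.lower()
    if pattern.startswith("*."):
        apex = pattern[2:]
        # Assumption: the wildcard also covers the apex domain itself.
        return host == apex or host.endswith("." + apex)
    return host == pattern

def category_of(host):
    """Look up the host, then each parent domain, in the constructed table."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        category = CATEGORY_OF.get(".".join(labels[i:]))
        if category:
            return category
    return None

def evaluate(host, links=LINKS):
    """Return (action, policy name) from the lowest-numbered link that matches."""
    for link in sorted(links, key=lambda l: l["priority"]):
        if link["type"] == "fqdn":
            hit = any(fqdn_matches(p, host) for p in link["values"])
        else:
            hit = category_of(host) in link["values"]
        if hit:
            return link["action"], link["name"]
    return "allow", "no matching policy"  # assumption: unmatched traffic is allowed

if __name__ == "__main__":
    for site in ["coors.com", "copilot.microsoft.com", "www.budweiser.com"]:
        print(site, "->", evaluate(site))
```

Give the allow link a number above 500 in this model and www.budweiser.com comes back blocked, which is the mistake the priority advice in Step 5 is there to prevent.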

Bonus: Want to Let a Few Creators In?
Good news: you can use Access Packages to allow temporary access to restricted categories.
- Approvals?
- Time limits?
- All the action figures they can invent in an hour?
It’s the perfect way to keep things fun without opening the floodgates forever.

And there you have it!
A simple way to manage the AI action figure boom before your entire company is ruled by a fleet of pixelated superheroes. One more thing: PLEASE do not set up this rule thinking that your corporate data is now safe from AI. This was done for demo purposes only. Microsoft has a ton of additional tools in their arsenal to assist with this, which I’ll cover in a later blog post.