Creating a Custom Bypass
So, you’ve enabled TLS inspection in Microsoft Entra Internet Access. Everything looks good on paper—traffic is being decrypted, inspected, and re-encrypted, the way Zero Trust is supposed to work. But then… some SaaS apps start acting weird. Devboxes won’t connect. SAP throws certificate errors, and Slack just silently fails.
This is one of those “gotchas” that hits you right after you flip the switch on TLS inspection. And the fix? You’ll need to create a custom bypass rule. Microsoft thankfully makes this possible, but where to do it is not always obvious.
Let’s walk through the why, the what, and the how.
Why TLS Inspection Breaks Some Apps
TLS inspection works by intercepting HTTPS traffic, decrypting it, inspecting it, and then re-encrypting it with a certificate issued by the inspection CA that your managed devices trust. But some applications, especially those that use certificate pinning, don’t like this at all.
Apps like:
- Zoom
- Dropbox
- Slack
- Some banking or financial services
These apps expect a very specific certificate chain (or even a specific public key). If they see anything else (like your inspection proxy’s cert), they throw a fit and refuse the connection. And that’s when things break.
The Fix: Custom TLS Inspection Bypass
Microsoft Entra Internet Access (via Global Secure Access) lets you define custom bypass rules. These rules tell the inspection engine: “Don’t inspect this traffic, just let it through.”
Here’s how to set one up.
Step-by-Step: Creating a Custom Bypass Rule
1. Identify What Needs to Be Bypassed
Start by figuring out which domains or services are breaking. You can use:
- Traffic logs in Global Secure Access
- Vendor documentation (e.g., Zoom’s list of domains)
- Good old-fashioned trial and error
Important note: As of now, regular expressions (regex) are not supported in custom bypass rules. You can only use wildcards (e.g., *.zoom.us). So if you’re hoping to match complex patterns, that isn’t possible yet.
Let’s say you want to bypass Zoom. You’ll need to bypass domains like:
*.zoom.us
*.zoom.com
2. Head to the Admin Center
Go to the Microsoft Entra Admin Center and navigate to:
Global Secure Access > Connect > Traffic Forwarding > Internet Access Profile
Pick the Internet Access Profile and under “Internet access policies” click View.
3. Add a Custom Bypass Rule
Scroll down to Custom Bypass Rules and click + Add Rule.
Fill in the details:
- Match Type: FQDN
- Destination: *.zoom.us
- Ports: 80,443
- Protocol: TCP
- Action: Bypass
Click Save.
Repeat this for each domain you want to bypass.
4. Test It
Once the rule is in place, test the app again. If it works—great! If not, check the traffic logs in Global Secure Access.
Go to the Microsoft Entra Admin Center and navigate to:
Global Secure Access > Monitor > Traffic Logs
Go to the Transactions tab
On the Columns tab, add the column “TLS action”
Now find the URL that is still being intercepted, and double-check whether it falls within the wildcard range of your bypass rule.
If the TLS action column still shows the request as intercepted, the traffic is not hitting your bypass rule.
If the bypass is working as intended, the TLS action column shows the request as bypassed instead.
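The wildcard limitation from step 1 and the log check in step 4 are easy to get wrong by eye once you have more than a handful of rules, so here is a small audit script to do it for you. This is an added example for this post, not Microsoft’s own tooling or API: it reads an exported traffic-log CSV (the column names and the TLS-action values are constructed; map them to whatever your export from Monitor > Traffic Logs uses) and sorts every intercepted destination into “no rule covers this” versus “a rule covers this but it is still being intercepted”. The wildcard semantics it assumes, that *.example.com matches any subdomain but not the apex example.com, are an assumption, not something taken from Microsoft’s documentation; if your testing shows the apex is matched too, adjust host_matches accordingly.

```python
"""Audit Global Secure Access traffic-log rows against wildcard bypass rules.

Added example for this post, not Microsoft's own tooling. The CSV column
names and the TLS-action values below are constructed; adapt them to the
columns you export from Global Secure Access > Monitor > Traffic Logs.
"""
import csv
import io

# Constructed sample export: destination FQDN plus the "TLS action" column
# added to the Transactions view in step 4.
SAMPLE_LOG = """DestinationFQDN,TlsAction
us02web.zoom.us,Bypassed
web.zoom.us,Intercepted
zoom.us,Intercepted
cdn.zoom.com,Bypassed
api.slack.com,Intercepted
graph.microsoft.com,Intercepted
"""

# The wildcard rules from step 1 (no regex, wildcards only).
BYPASS_RULES = ["*.zoom.us", "*.zoom.com"]


def host_matches(host, pattern):
    """Return True if a bypass pattern covers the host.

    Assumed semantics (an assumption, not verified against Microsoft docs):
      - "example.com"   matches only that exact FQDN
      - "*.example.com" matches any subdomain (a.example.com, a.b.example.com)
        but NOT the apex "example.com", so list the apex as its own rule.
    Matching is case-insensitive and ignores a trailing dot.
    """
    host = host.lower().rstrip(".")
    pattern = pattern.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[1:]  # "*.zoom.us" -> ".zoom.us"
        # endswith on ".zoom.us" also rejects look-alikes such as evilzoom.us
        return host.endswith(suffix) and len(host) > len(suffix)
    return host == pattern


def covering_rule(host, rules):
    """Return the first rule that covers the host, or None if nothing does."""
    for rule in rules:
        if host_matches(host, rule):
            return rule
    return None


def audit(log_csv, rules, intercepted_value="Intercepted"):
    """Split intercepted destinations into two buckets.

    not_covered:             add a rule (or an explicit apex entry).
    covered_but_intercepted: the wildcard matches, so look elsewhere: wrong
                             ports/protocol on the rule, the rule is on a
                             different profile, or it has not propagated yet.
    """
    not_covered = []
    covered_but_intercepted = []
    for row in csv.DictReader(io.StringIO(log_csv)):
        if row["TlsAction"] != intercepted_value:
            continue
        host = row["DestinationFQDN"]
        rule = covering_rule(host, rules)
        if rule is None:
            not_covered.append(host)
        else:
            covered_but_intercepted.append((host, rule))
    return {"not_covered": not_covered,
            "covered_but_intercepted": covered_but_intercepted}


if __name__ == "__main__":
    result = audit(SAMPLE_LOG, BYPASS_RULES)
    for host in result["not_covered"]:
        print(f"NOT COVERED        {host:<22} -> add a bypass rule")
    for host, rule in result["covered_but_intercepted"]:
        print(f"STILL INTERCEPTED  {host:<22} matches {rule} -> check ports/protocol/profile")
```

On the constructed sample the apex zoom.us lands in the “not covered” bucket even though *.zoom.us is in the rule list, which is exactly the kind of gap the wildcard-only syntax makes easy to miss; web.zoom.us lands in the other bucket, which points you at the rule’s ports, protocol or profile rather than at the pattern.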
Final Thoughts
TLS inspection is a powerful tool, but it’s not one-size-fits-all. Some traffic just doesn’t play nice with it—and that’s okay. With custom bypass rules, you can strike the right balance between security and functionality.
Got a tricky app that keeps breaking even after a bypass? Or want to automate rule creation across multiple tenants? Let’s talk—I’d love to hear how you’re handling TLS inspection in your environment.