App-Based Office 365 Integration with Explicit Proxy (Strata Cloud Manager)

Learn how to use the app-based version of Microsoft Office 365 through Prisma Access Explicit Proxy.
Prisma Access Explicit Proxy supports both the browser-based and the app-based versions of Office 365 (M365), including Office Online (office.com). Web-based (browser-based) Office 365 is supported with no additional configuration on Explicit Proxy. This task covers the configuration required on Prisma Access to use app-based Office 365 through Prisma Access Explicit Proxy.
You can use one of the following methods to send Office 365 traffic from the endpoint to the Explicit Proxy:
  • PAC (Proxy Auto Configuration)
  • GlobalProtect in Proxy mode
PAC-based Deployment
For PAC-based deployments, add the following domains to the authentication bypass list so that app-based Office 365 applications work from the endpoint. To add the domains, go to Workflow > Prisma Access Setup > Explicit Proxy > Advanced Security Settings > Domains Used in Authentication Flow.
  • css.login.microsoftonline.com
  • *.live.com
  • *.auth.microsoft.com
  • *.msftidentity.com
  • *.msidentity.com
  • account.activedirectory.windowsazure.com
  • accounts.accesscontrol.windows.net
  • adminwebservice.microsoftonline.com
  • api.passwordreset.microsoftonline.com
  • autologon.microsoftazuread-sso.com
  • becws.microsoftonline.com
  • *.azure.com
  • *.msauth.net
  • *.microsoftazuread-sso.com
  • *.msftauth.net
  • *.microsoft.com
  • *.office.net
  • *.microsoftonline.com
  • *.outlook.com
  • outlook.com
  • outlook.office365.com
  • *.notifications.skype.com
Because these domains are bypassed from authentication, traffic to them carries no user attribution in Insights.
GlobalProtect-based Deployment
Prerequisites
  • Prisma Access version 5.1
  • GlobalProtect version 6.3
  • DNS resolution for internet destinations on the endpoints running GlobalProtect in Proxy mode
Send Office 365 domains to Prisma Access Explicit Proxy through GlobalProtect Proxy mode:
  1. Create a new forwarding profile, or edit an existing profile, of type GlobalProtect Proxy. Configure a forwarding rule: add a Name and User Location, add Microsoft Client Authentication Domains as the Destination, and select Global Proxy or Regional Proxy as the Proxy.
  2. Define DIRECT for the Office 365 domains in the PAC file so that the GlobalProtect agent intercepts that traffic. Before you can modify the PAC file, Save the forwarding profile and Push the configuration.
  3. Select the created or edited forwarding profile and then select View PAC File.
  4. Download the PAC file and modify the return statement to DIRECT for the Office 365 domains.
  5. Enable the PAC File Upload and upload the updated PAC file.
  6. When the PAC file upload process is complete, Save to save your changes.
  7. Select and open the PAC file to verify the changes.
  8. Go to Destination, select Prisma Access Service Domains, and add your proxy FQDN proxy1.proxy.prismaaccess.com to the destination group. Save and Push Config to push the configuration.
    To see your proxy FQDN, go to Prisma Access Setup > Explicit Proxy > Infrastructure Settings.
  9. Configure the GlobalProtect App settings:
    1. Go to Workflows > Prisma Access Setup > GlobalProtect > GlobalProtect App > App Settings > Add App Settings.
    2. Under App Configuration, click Show Advanced Options and then select Proxy.
    3. Under Agent Mode for Prisma Access, select Proxy or Tunnel and Proxy based on your requirement.
    4. Enable Forwarding Profiles and select the configured forwarding profile to start accessing Microsoft Teams and Outlook applications through the Explicit Proxy.
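The following PAC file is an added example, not the PAC file generated by Strata Cloud Manager; it shows what steps 2 through 4 produce once the return statement is changed to DIRECT for the Office 365 domains. The domain patterns are the ones listed in the PAC-based section above, the proxy FQDN is the page's example proxy1.proxy.prismaaccess.com, and the port 8080 is an assumption that you replace with the value shown under Explicit Proxy > Infrastructure Settings. The shExpMatch helper is included only so the file can be run under Node.js for testing; browsers and proxy agents provide their own.

```javascript
// Added example PAC file (not Palo Alto Networks' generated output).
// Office 365 hosts return DIRECT so the GlobalProtect agent in Proxy mode
// intercepts them and applies the forwarding profile; everything else is
// sent to the Prisma Access Explicit Proxy.

// Assumed proxy endpoint: the FQDN is the page's example, the port is a guess.
var PRISMA_ACCESS_PROXY = "PROXY proxy1.proxy.prismaaccess.com:8080";

// Office 365 domain patterns in shell-glob syntax (as used by shExpMatch).
// "*.live.com" matches any subdomain of live.com but not live.com itself.
var O365_DOMAINS = [
  "css.login.microsoftonline.com",
  "*.live.com",
  "*.auth.microsoft.com",
  "*.msftidentity.com",
  "*.msidentity.com",
  "account.activedirectory.windowsazure.com",
  "accounts.accesscontrol.windows.net",
  "adminwebservice.microsoftonline.com",
  "api.passwordreset.microsoftonline.com",
  "autologon.microsoftazuread-sso.com",
  "becws.microsoftonline.com",
  "*.azure.com",
  "*.msauth.net",
  "*.microsoftazuread-sso.com",
  "*.msftauth.net",
  "*.microsoft.com",
  "*.office.net",
  "*.microsoftonline.com",
  "*.outlook.com",
  "outlook.com",
  "outlook.office365.com",
  "*.notifications.skype.com"
];

// Minimal shExpMatch so this file runs under Node.js. PAC engines supply
// their own implementation with the same semantics, so leaving this in the
// uploaded file is harmless. The glob is anchored at both ends, so
// "*.microsoft.com" cannot match "login.microsoft.com.example.net".
function shExpMatch(str, shexp) {
  var re = "^" + shexp
    .replace(/[.+^${}()|[\]\\]/g, "\\$&") // escape regex metacharacters
    .replace(/\*/g, ".*")                 // glob * -> any run of characters
    .replace(/\?/g, ".") + "$";           // glob ? -> any single character
  return new RegExp(re).test(str);
}

// True when the host matches one of the Office 365 patterns. Hostnames are
// compared case-insensitively, which is how the agent presents them.
function isOffice365Host(host) {
  var h = String(host).toLowerCase();
  for (var i = 0; i < O365_DOMAINS.length; i++) {
    if (shExpMatch(h, O365_DOMAINS[i])) {
      return true;
    }
  }
  return false;
}

// Entry point called by the browser or GlobalProtect agent for every request.
function FindProxyForURL(url, host) {
  if (isOffice365Host(host)) {
    // Step 4 of the procedure: DIRECT for Office 365 so GlobalProtect
    // intercepts the flow instead of the PAC sending it to the proxy.
    return "DIRECT";
  }
  // All other web traffic goes to the Explicit Proxy.
  return PRISMA_ACCESS_PROXY;
}
```

The file deliberately uses `var` and plain `function` declarations rather than newer syntax, because PAC interpreters in proxy agents are often limited to older JavaScript. Keep the DIRECT list aligned with the Microsoft Client Authentication Domains destination used in the forwarding rule; a host that is DIRECT in the PAC but not covered by a forwarding rule leaves the endpoint without passing through Explicit Proxy at all.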
Decryption Rule
Enable the predefined Exclude O365 Optimized Endpoints - IPs and Exclude O365 Optimized Endpoints - URLs decryption rules, as recommended by Microsoft. Zero-touch synchronization keeps the endpoint lists up to date with Microsoft automatically, so the relevant Microsoft endpoints stay current without manual list maintenance.
  1. To add a decryption policy rule, go to Manage > Configuration > NGFW and Prisma Access > Security Services > Decryption.
  2. Select the pre-defined rule for O365 and Enable it.
  3. Push Config and save your changes to Prisma Access.
Security Policy Rule
Complete the following steps to enable the security policy rule:
  1. To add a security policy rule, go to Manage > Configuration > NGFW and Prisma Access > Security Services > Security Policy.
  2. Select the pre-defined rule for O365 and Enable it.
  3. Push Config and save your changes to Prisma Access.