App-Based Office 365 Integration with Explicit Proxy
Where Can I Use This?
  • Prisma Access (Managed by Strata Cloud Manager)
  • Prisma Access (Managed by Panorama)
What Do I Need?
  • Mobile user license
Learn how to integrate the browser-based version of Office 365 with Explicit Proxy.

App-Based Office 365 Integration with Explicit Proxy (Strata Cloud Manager)

Learn how to use the app-based version of Microsoft Office 365 with Explicit Proxy.
Prisma Access Explicit Proxy supports the browser-based and app-based version of Office 365 (M365), including Office Online (office.com). Web-based (browser-based) Office 365 is supported with no additional configuration required on Explicit Proxy. This task focuses on the configuration required on Prisma Access to use app-based Office 365 through Prisma Access Explicit Proxy.
You can use one of the following methods to access Office 365 from the endpoint to the Explicit Proxy.
  • PAC (Proxy Auto Configuration)
  • GlobalProtect in Proxy mode
PAC-Based Deployment
For PAC-based deployments, add the following domains to the authentication bypass list (Workflows > Prisma Access Setup > Explicit Proxy > Advanced Security Settings > Domains Used in Authentication Flow) so that app-based Office 365 applications work from the endpoint:
  • css.login.microsoftonline.com
  • *.live.com
  • *.auth.microsoft.com
  • *.msftidentity.com
  • *.msidentity.com
  • account.activedirectory.windowsazure.com
  • accounts.accesscontrol.windows.net
  • adminwebservice.microsoftonline.com
  • api.passwordreset.microsoftonline.com
  • autologon.microsoftazuread-sso.com
  • becws.microsoftonline.com
  • *.azure.com
  • *.msauth.net
  • *.microsoftazuread-sso.com
  • *.msftauth.net
  • *.microsoft.com
  • *.office.net
  • *.microsoftonline.com
  • *.outlook.com
  • outlook.com
  • outlook.office365.com
  • *.notifications.skype.com
Because these domains bypass authentication, traffic to them has no user attribution in Insights.
GlobalProtect-Based Deployment
Prerequisites
  • Prisma Access 5.1 version
  • GlobalProtect 6.3 version
  • DNS resolution for internet destination on the endpoints for GlobalProtect in Proxy mode.
Steer Office 365 domains to Prisma Access Explicit Proxy through GlobalProtect Proxy mode:
  1. Create a new forwarding profile, or edit an existing one, of type GlobalProtect Proxy. Configure a forwarding rule: add a Name and User Location, add Microsoft Client Authentication Domains as the Destination, and select Global Proxy or Regional Proxy as the Proxy.
  2. Define DIRECT for the Office 365 domains in the PAC file so that the GlobalProtect agent intercepts that traffic. Before you can modify the PAC file, Save the forwarding profile and Push the configuration.
  3. Select the created or edited forwarding profile and then select View PAC File.
  4. Download the PAC file and modify the return statement to DIRECT for the Office 365 domains.
  5. Enable the PAC File Upload and upload the updated PAC file.
  6. When the PAC file upload process is complete, Save to save your changes.
  7. Select and open the PAC file to verify the changes.
  8. Go to Destination, select Prisma Access Service Domains and add your proxy FQDN proxy1.proxy.prismaaccess.com to the destination group. Save and Push Config to push the configuration.
    To see your proxy FQDN, go to Prisma Access Setup > Explicit Proxy > Infrastructure Settings.
  9. Configure the GlobalProtect App settings:
    1. Go to Workflows > Prisma Access Setup > GlobalProtect > GlobalProtect App > App Settings > Add App Settings.
    2. Under App Configuration, click Show Advanced Options and then select Proxy.
    3. Under Agent Mode for Prisma Access, select Proxy or Tunnel and Proxy based on your requirement.
    4. Enable Forwarding Profiles and select the configured forwarding profile to start accessing Microsoft Teams and Outlook applications through the Explicit Proxy.
Decryption Rule
Enable the predefined Exclude O365 Optimized Endpoints - IPs and Exclude O365 Optimized Endpoints - URLs decryption rules, as recommended by Microsoft. Zero-touch synchronization automatically keeps the endpoint lists up to date with Microsoft, giving you control over the relevant Microsoft endpoints.
  1. To add a decryption policy rule, go to Manage > Configuration > NGFW and Prisma Access > Security Services > Decryption.
  2. Select the pre-defined rule for O365 and Enable it.
  3. Push Config and save your changes to Prisma Access.
Security Policy Rule
Complete the following steps to enable the security policy rule:
  1. To add a security policy rule, go to Manage > Configuration > NGFW and Prisma Access > Security Services > Security Policy.
  2. Select the pre-defined rule for O365 and Enable it.
  3. Push Config and save your changes to Prisma Access.

App-Based Office 365 Integration with Explicit Proxy (Panorama)

Prisma Access Explicit Proxy supports the browser-based version of Office 365 (M365), including Office Online (office.com). Follow these steps to integrate the browser-based version of Office 365 with Explicit Proxy.
While Explicit Proxy does not support the app-based version of Office 365, you can follow these guidelines to use Explicit Proxy with Office 365 app-based policies.

Set up Browser-Based Office 365 Integration with Prisma Access Explicit Proxy

If you use the browser-based version of Office 365, complete the following task to integrate Office 365 with Explicit Proxy.
  1. (Optional) If you want to use tenant-based restrictions (restricting access to Office 365 to a specific set of tenants), use HTTP header insertion with a Custom URL category to allow only those tenants to access Office 365.
  2. Add decryption policies for the URLs that are used for Office 365.
    1. Select Objects > Custom Objects > URL Category and Add a Custom URL Category.
      Be sure that you are in the Explicit_Proxy_Device_Group.
    2. Specify a Type of URL List.
    3. Add the list of sites to enable Office 365 integration.
      To simplify the uploading of the URLs, you can copy the list of Office 365 URLs at https://saasedl.paloaltonetworks.com/feeds/m365/worldwide/any/all/url, save those URLs to a file, and Import the file to the Custom URL category.
    4. Select Policies > Decryption > Pre Rules and Add a decryption policy rule.
    5. Specify the URL Category you created.
  3. Add decryption policies for Data and Threat Protection capabilities such as Enterprise Data Loss Prevention (Enterprise DLP), WildFire, Threat Prevention, or SaaS Security.

Set up App-Based Office 365 Integration with Explicit Proxy

Explicit Proxy does not support the full client-based (app) version of Office 365, because Office 365 uses non-web ports and protocols and pinned certificates, which prevents the use of decryption. If you need to secure traffic from Office 365 client apps, you can use one of the following Prisma Access capabilities to do so:
  • Deploy a Mobile Users—GlobalProtect deployment with Explicit Proxy and use GlobalProtect split tunnel options to route traffic from the Office 365 apps to the GlobalProtect tunnel, while specifying other internet traffic to be sent to the GlobalProtect tunnel, direct to the internet, or to Explicit Proxy, based on your PAC file and GlobalProtect tunnel include and exclude options.
  • If your organization requires that internet-bound traffic go through an Explicit Proxy, or if your network does not have a default route, you can deploy a Remote Network deployment with Explicit Proxy. In this deployment, Explicit Proxy provides you with a list of Anycast and unicast addresses, and you configure your CPE to route traffic through those addresses to the remote network and, from there, to Explicit Proxy and to the internet.
    To use Office 365 with this deployment type, specify PAC file rules that send the non-web Office 365 traffic directly to the internet.
  • If you are not able to deploy GlobalProtect or a Prisma Access Remote Network in your environment, you can configure the Explicit Proxy PAC file to bypass Office 365 traffic. Use the URL list to bypass.
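Both the GlobalProtect Proxy-mode procedure above (step 4: "modify the return statement to DIRECT for the Office 365 domains") and the PAC-file bypass described in this section come down to the same PAC logic. The following is an added example, not the PAC file that Prisma Access generates: it returns DIRECT for a constructed subset of the Office 365 domains listed on this page and sends everything else to the proxy FQDN shown on this page; the proxy port (8080) is an assumption, and the shExpMatch/dnsDomainIs stand-ins only exist so the file also runs under Node.js (PAC engines provide them natively, so they can be deleted before upload).

```javascript
// Added example of the PAC logic this page describes, not Palo Alto Networks' code.
// Written in ES5 because WinHTTP/JScript PAC engines reject modern syntax.
var PROXY_FQDN = "proxy1.proxy.prismaaccess.com";           // FQDN from this page
var EXPLICIT_PROXY = "PROXY " + PROXY_FQDN + ":8080";        // port is an assumption

// Constructed subset of the Office 365 domains listed on this page. A real deployment
// imports the complete Microsoft endpoint feed instead of hand-maintaining this list.
var O365_DOMAINS = [
  "*.microsoftonline.com", "*.office.net", "*.outlook.com", "outlook.com",
  "outlook.office365.com", "*.msftauth.net", "*.msauth.net",
  "*.notifications.skype.com"
];

// Stand-ins for the PAC built-ins, with the same semantics: shell-style '*' wildcard,
// case-insensitive host matching. Remove them before uploading to a real PAC engine.
function shExpMatch(str, pattern) {
  var parts = pattern.split("*");
  for (var i = 0; i < parts.length; i++) {
    parts[i] = parts[i].replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
  }
  return new RegExp("^" + parts.join(".*") + "$", "i").test(str);
}
function dnsDomainIs(host, domain) {
  host = host.toLowerCase();
  return host === domain || host.slice(-(domain.length + 1)) === "." + domain;
}

// Entry point every PAC engine calls once per request.
function FindProxyForURL(url, host) {
  host = host.toLowerCase();
  // The proxy's own FQDN must go DIRECT, or the client would try to reach the proxy
  // through itself.
  if (dnsDomainIs(host, PROXY_FQDN)) return "DIRECT";
  // Office 365 domains go DIRECT so GlobalProtect in Proxy mode (or the local egress,
  // in the PAC-bypass deployment) carries them instead of Explicit Proxy.
  for (var j = 0; j < O365_DOMAINS.length; j++) {
    if (shExpMatch(host, O365_DOMAINS[j])) return "DIRECT";
  }
  // Everything else is steered to Prisma Access Explicit Proxy.
  return EXPLICIT_PROXY;
}
```

Note that a wildcard entry such as *.outlook.com does not match the bare apex outlook.com, which is why the page's list carries both forms.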

List of URLs to Enable Office 365 Integration with Prisma Access Explicit Proxy

One option you can use to integrate non-browser Office 365 apps with Explicit Proxy is to specify the Office 365-related URLs and bypass those URLs in the Explicit Proxy PAC file. Use one of the following methods to obtain the list of URLs to bypass: