App-Based Office 365 Integration with Explicit Proxy (Strata Cloud Manager)
Learn how to use the app-based version of Microsoft Office 365 through Prisma Access Explicit Proxy.
Prisma Access Explicit Proxy supports both the browser-based and the app-based versions of Office 365 (M365), including Office Online (office.com). Web-based (browser-based) Office 365 works with no additional configuration on Explicit Proxy. This task covers the configuration required on Prisma Access to use app-based Office 365 through Prisma Access Explicit Proxy.
You can use one of the following methods to send Office 365 traffic from the endpoint to Explicit Proxy:
PAC (Proxy Auto Configuration)
GlobalProtect in Proxy mode
PAC-Based Deployment
For PAC-based deployments, add the following domains to the authentication bypass list so that app-based Office 365 applications work from the endpoint. To add the domains, go to Workflow > Prisma Access Setup > Explicit Proxy > Advanced Security Settings > Domains Used in Authentication Flow.
css.login.microsoftonline.com
*.live.com
*.auth.microsoft.com
*.msftidentity.com
*.msidentity.com
account.activedirectory.windowsazure.com
accounts.accesscontrol.windows.net
adminwebservice.microsoftonline.com
api.passwordreset.microsoftonline.com
autologon.microsoftazuread-sso.com
becws.microsoftonline.com
*.azure.com
*.msauth.net
*.microsoftazuread-sso.com
*.msftauth.net
*.microsoft.com
*.office.net
*.microsoftonline.com
*.outlook.com
outlook.com
outlook.office365.com
*.notifications.skype.com
Because these domains bypass authentication, traffic to them has no user attribution in Insights.
GlobalProtect-Based Deployment
Prerequisites
Prisma Access version 5.1
GlobalProtect version 6.3
DNS resolution for internet destinations on the endpoints running GlobalProtect in Proxy mode.
Steer Office 365 domains to Prisma Access Explicit Proxy through GlobalProtect Proxy mode.
Create a new forwarding profile, or edit an existing one, with the type GlobalProtect Proxy. Configure a forwarding rule: add a Name and User Location, add Microsoft Client Authentication Domains as the Destination, and select Global Proxy or Regional Proxy as the Proxy.
Define DIRECT for the Office 365 domains in the PAC file so that the GlobalProtect agent intercepts that traffic. To modify the PAC file:
Save the forwarding profile and Push the configuration.
Select the created or edited forwarding profile and then select View PAC File.
Download the PAC file and change the return statement to DIRECT for the Office 365 domains.
Enable PAC File Upload and upload the updated PAC file.
When the PAC file upload completes, Save your changes.
Select and open the PAC file to verify the changes.
Go to Destination, select Prisma Access Service Domains, and add your proxy FQDN, proxy1.proxy.prismaaccess.com, to the destination group. Save and Push Config to push the configuration.
To find your proxy FQDN, go to Prisma Access Setup > Explicit Proxy > Infrastructure Settings.
Configure the GlobalProtect App settings:
Go to Workflows > Prisma Access Setup > GlobalProtect > GlobalProtect App > App Settings > Add App Settings.
Under App Configuration, click Show Advanced Options and then select Proxy.
Under Agent Mode for Prisma Access, select Proxy or Tunnel and Proxy, depending on your requirements.
Enable Forwarding Profiles and select the configured forwarding profile to start accessing the Microsoft Teams and Outlook applications through Explicit Proxy.
Decryption Rule
Enable the predefined Exclude O365 Optimized Endpoints - IPs and Exclude O365 Optimized Endpoints - URLs decryption rules, as Microsoft recommends. Zero-touch synchronization automatically keeps the endpoint lists up to date with Microsoft, giving you control over the relevant Microsoft endpoints.
To add the decryption policy rule, go to Manage > Configuration > NGFW and Prisma Access > Security Services > Decryption.
Select the predefined rule for O365 and Enable it.
Push Config and save your changes to Prisma Access.
Security Policy Rule
Complete the following steps to enable the security policy rule:
To add the security policy rule, go to Manage > Configuration > NGFW and Prisma Access > Security Services > Security Policy.
Select the predefined rule for O365 and Enable it.
Push Config and save your changes to Prisma Access.
App-Based Office 365 Integration with Explicit Proxy (Panorama)
Prisma Access Explicit Proxy supports the browser-based version of Office 365 (M365), including Office Online (office.com). Follow these steps to integrate the browser-based version of Office 365 with Explicit Proxy.
While Explicit Proxy does not support the app-based version of Office 365, you can follow these guidelines to use Explicit Proxy with Office 365 app-based policies.
Set up Browser-Based Office 365 Integration with Prisma Access Explicit Proxy
If you use the browser-based version of Office 365, complete the following task to integrate Office 365 with Explicit Proxy.
(Optional) If you want to use tenant-based restrictions (restricting access to Office 365 to a specific set of tenants), use HTTP header insertion with a Custom URL category to allow only those tenants access to Office 365.
Add decryption policies for the URLs that Office 365 uses.
Select Objects > Custom Objects > URL Category and Add a Custom URL Category.
Be sure that you are in the Explicit_Proxy_Device_Group.
Specify a Type of URL List.
Add the list of sites to enable Office 365 integration.
Set up App-Based Office 365 Integration with Explicit Proxy
Explicit Proxy does not support the full client-based (app) version of Office 365, because the Office 365 apps use non-web ports and protocols and pinned certificates, which prevent decryption. If you need to secure traffic from the Office 365 client apps, you can use one of the following Prisma Access capabilities:
Deploy a Mobile Users—GlobalProtect deployment with Explicit Proxy and use the GlobalProtect split tunnel options to route traffic from the Office 365 apps through the GlobalProtect tunnel, while sending other internet traffic to the GlobalProtect tunnel, directly to the internet, or to Explicit Proxy, based on your PAC file and the GlobalProtect tunnel include and exclude options.
If your organization requires that internet-bound traffic go through an Explicit Proxy, or if your network does not have a default route, you can deploy a Remote Network deployment with Explicit Proxy. In this deployment, Explicit Proxy provides you with a list of Anycast and unicast addresses, and you configure your CPE to route traffic through those addresses to the remote network and, from there, to Explicit Proxy and to the internet. To use Office 365 with this deployment type, specify PAC file rules that send the non-web Office 365 traffic directly to the internet, bypassing Explicit Proxy.
If you cannot deploy GlobalProtect or a Prisma Access Remote Network in your environment, you can configure the Explicit Proxy PAC file to bypass Office 365 traffic. Use the URL list to determine which URLs to bypass.
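The PAC file below is an added example, not the PAC file that Prisma Access generates; it shows the DIRECT return statement for Office 365 domains that both the GlobalProtect Proxy mode procedure above and the PAC-only bypass described here rely on. The proxy FQDN is the one named on this page; its port 8080, the locally defined shExpMatch() and isPlainHostName() helpers (normally supplied by the PAC runtime), and the domain subset are assumptions.

```javascript
// Added example: a minimal Explicit Proxy PAC file (not the one Prisma
// Access generates). Office 365 domains return DIRECT so that, in
// GlobalProtect Proxy mode, the agent intercepts them via the forwarding
// profile, and in a PAC-only deployment they bypass Explicit Proxy.
// Everything else goes to the proxy FQDN named on this page; the port
// 8080 is an assumption.
var EXPLICIT_PROXY = "PROXY proxy1.proxy.prismaaccess.com:8080";

// Illustrative subset taken from this page's Office 365 domain list; the
// complete bypass list should come from Microsoft or the EDL Hosting Service.
var O365_DIRECT = [
  "*.office.net",
  "*.microsoftonline.com",
  "*.live.com",
  "*.outlook.com",
  "outlook.office365.com",
  "*.notifications.skype.com"
];

// Browsers and the GlobalProtect agent supply shExpMatch() and
// isPlainHostName() in the PAC runtime. They are re-implemented here only
// so the file can be exercised stand-alone under Node.js.
function shExpMatch(str, pattern) {
  var re = "^" + pattern.replace(/[.+^${}()|[\]\\]/g, "\\$&")
                        .replace(/\*/g, ".*")
                        .replace(/\?/g, ".") + "$";
  return new RegExp(re, "i").test(str);
}
function isPlainHostName(host) {
  return host.indexOf(".") === -1;
}

function FindProxyForURL(url, host) {
  // Keep single-label intranet names off the proxy.
  if (isPlainHostName(host)) {
    return "DIRECT";
  }
  // The return statement to change for Office 365: DIRECT instead of PROXY.
  for (var i = 0; i < O365_DIRECT.length; i++) {
    if (shExpMatch(host, O365_DIRECT[i])) {
      return "DIRECT";
    }
  }
  // All other web traffic is sent to Prisma Access Explicit Proxy.
  return EXPLICIT_PROXY;
}
```

In a GlobalProtect Proxy mode deployment the DIRECT result is what lets the agent pick the traffic up and apply the forwarding profile; in a PAC-only deployment it means the endpoint reaches Office 365 without Explicit Proxy, so these domains must be covered by the authentication bypass list or other controls.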
List of URLs to Enable Office 365 Integration with Prisma Access Explicit Proxy
One option for integrating non-browser Office 365 apps with Explicit Proxy is to specify the Office 365-related URLs and bypass them in the Explicit Proxy PAC file. Use one of the following methods to obtain the list of URLs to bypass:
Use the EDL URL from the Palo Alto Networks EDL Hosting Service for Microsoft 365 apps.
Using the hosting service eases the operational burden of securing traffic to your SaaS applications by using a Feed URL as the EDL source. When a SaaS provider adds a new endpoint for a SaaS application, the corresponding Feed URL is updated.