App-Based Office 365 Integration with Explicit Proxy (Strata Cloud Manager)

1. Visit the EDL Hosting Service and identify the Feed URL for your SaaS application.

   Review the Microsoft 365 documentation for more information which Feed URL is best for your use case. Additionally, consider the SaaS application and location of users accessing the SaaS application when identifying a Feed URL to use. For example, if you have a branch in Germany that only needs to access Exchange Online, select a Feed URL from the Service Area: Exchange Online for Germany.
2. (Best Practices) Create a certificate profile to authenticate the EDL Hosting Service.

   1. Download the GlobalSign Root R1 certificate.
   2. Convert the GlobalSign Root R1 Certificate to PEM Format.
   3. Import the GlobalSign Root R1 certificate from Cloud Managed Prisma Access.

      1. In Prisma Access (Managed by Strata Cloud Manager), go to ManageConfigurationNGFW and Prisma AccessObjectsCertificate Management, set the configuration scope to Prisma AccessMobile Users ContainerExplicit Proxy, and Import a new certificate.

      2. Enter a descriptive Certificate Name.
      3. For the Certificate File, select Choose File and select the certificate you converted in the previous step.
      4. For the file Format, select Base64 Encoded Certificate (PEM).
      5. Save your changes.

   4. Create a certificate authority (CA) certificate profile.

      1. Add Profile in the Certificate Profiles area.

      2. Enter a descriptive Name.
      3. For the CA Certificate, Add the certificate you imported in the previous step.
      4. Save your changes.

3. Create an EDL using a Feed URL from the EDL Hosting Service.

   1. Go to ManageConfigurationNGFW and Prisma AccessObjectsExternal Dynamic Lists and Add External Dynamic List. Set the configuration scope to Prisma AccessMobile Users ContainerExplicit Proxy.
   2. Enter a descriptive Name for the EDL.
   3. Select a Type of URL List.
   4. (Optional) Enter a Description for the EDL
   5. Enter the Feed URL as the EDL Source.

      Enforce all endpoints within a specific Feed URL. Adding an excluding a specific endpoint from a Feed URL can cause connectivity issues to the SaaS application.
   6. (Best Practices) Select the Certificate Profile you created in the previous step.
   7. Specify the frequency the firewall should Check for updates to match the update frequency of the Feed URL.

      For example, if the Feed URL is updated daily by Palo Alto Networks then configure the EDL to check for updates Daily.

      Palo Alto Networks displays the update frequency for each Feed URL in the EDL Hosting Service. Feed URLs are automatically updated with any new endpoints.
   8. Save your changes.

4. Add a decryption policy to prevent decryption for the EDL Feed URLs.

   1. Select go to ManageConfigurationNGFW and Prisma AccessSecurity ServicesDecryption and Add Rule. Set the configuration scope to Prisma AccessMobile Users ContainerExplicit Proxy.

   2. Enter a descriptive Name for the policy.
   3. In the Services and URLs area, Add External Dynamic Lists and specify the EDL you created in an earlier step.
   4. Select an Action and Advanced Inspection of Do Not Decrypt.

5. Add a security policy rule to allow traffic from the EDL Feed URLs.

   1. Select ManageConfigurationNGFW and Prisma AccessSecurity ServicesDecryption and Add Rule. Set the configuration scope to Prisma AccessMobile Users ContainerExplicit Proxy
   2. Enter a descriptive Name for the policy.
   3. In the URL Category Entities area, Add External Dynamic Lists and specify the EDL you created in an earlier step.
   4. Select an Action and Advanced Inspection of Allow.

6. Push Config to save your changes to Prisma Access.