Microsoft Office 365 Access Control Field Support Guide

Posted 10-10-2016 08:12 AM, edited 12-06-2016 07:10 AM (28,486 Views)

Summary

Prerequisites

Office 365 Access Control and Existing Office 365 App-IDs

Securing Office 365 with Access Control

Leveraging Custom App-ID to Secure Office 365

Example Use Cases and Policies

Office 365 Access Control and SharePoint Instance

Office 365 App-ID, AV/AS, IPS, WildFire & Decryption Support Matrix

 

Summary

As enterprises continue adopting Microsoft® Office 365™, there is continued focus on safely enabling it. Typically, enterprises want to achieve the following goals:

 

  1. To have visibility into enterprise and consumer use of Office 365 in their networks.
  2. To allow specific sanctioned instances of Office 365 enterprise accounts while blocking unsanctioned access to Office 365 either from unsanctioned enterprise accounts or consumer accounts.
  3. To have the ability to block consumer access to Office 365 services.
  4. To control and limit cross-tenant sharing of “SharePoint-online”.

 

Palo Alto Networks is announcing the release of two new App-IDs and a new decode context that can be used in combination with custom application signatures and URL filtering to achieve all of the above-mentioned objectives.

 

New App-IDs:

  • Office 365-enterprise-access : This App-ID covers the business and enterprise offerings from Microsoft for Office 365. These include Office 365 Business Essentials, Office 365 Business, Office 365 Business Premium, Office 365 Enterprise E1, E3 and E5 plans.
  • Office 365-consumer-access: This App-ID covers the consumer offerings from Office. These include Office 365 Home, Office 365 Personal, Office 365 Home and Student.

New Decode Context for pattern match:

  • http-req-ms-subdomain: This will look for the domain name in the username for accessing Office 365 enterprise services.

Release Plan:

  • July 7th, 2016: Palo Alto Networks releases the new App-IDs and decode context, but only as placeholders without enabling the functionality. This will help our customers to understand this change and make the necessary policy changes to aid in policy migration for using this feature.
  • We have an extensive FAQ document to assist our customers with this change on the Live Community at https://live.paloaltonetworks.com/t5/Management-Articles/FAQ-Office-365-Access-Control/ta-p/94949
  • Week of August 29th, 2016: Palo Alto Networks functionally enables these two new App-IDs and decode context so that customers can start using this new capability.

 

1. Prerequisites

This capability will only work if traffic to Office 365 is decrypted.

 

2. Office 365 Access Control and Existing Office 365 App-IDs

Office 365 access control will work with all existing Office 365 App-IDs (shown below). It does not replace these App-IDs, but augments their capabilities to identify not just the type of access (enterprise vs. consumer) but also a specific enterprise account login instance.

 

Picture1.png

 

3. Securing Office 365 with Access Control

Typically, for any SaaS solution, when it comes to access, there are two notions, which are:

 

  • Where you are coming from: This means the login name you are using to access resources. For example, users in the company can have multiple accounts to access Office 365, which could be either their consumer accounts or an unsanctioned enterprise account they have purchased using personal emails. Many customers would like to allow access to Office 365 from only the sanctioned enterprise accounts.
  • Where you are getting to: This means the URL or the resources you are accessing. For example, someone in Company A can invite a user from Company B to a collaboration folder using Microsoft SharePoint. When it comes to Office 365, most customers want to control this activity by limiting the Office 365 instances that users are able to reach. Microsoft refers to this as cross-tenant sharing using SharePoint.

4. Leveraging Custom App-ID to Secure Office 365

Customers can now create a custom App-ID for Office 365 logins, using the new decode context of “http-req-ms-subdomain”. This decode context looks for the domain name in the login name for accessing any Office 365 enterprise offering.

 

For example, customers can create a custom Office 365 App-ID that will allow logins to Office 365 only from usernames in the format of:

  • user@mydomain.com
  • user@mydomain.org
  • user@mydomain.onmicrosoft.com

 

Once created, this App-ID can then be used in policies together with the existing Office 365 App-IDs to limit access to only sanctioned Office 365 enterprise accounts while blocking access to unsanctioned Office 365 enterprise accounts and Office 365 consumer accounts.

 

Below, we have outlined the steps required to create such a custom App-ID. We have also provided some sample outputs showing what such a security policy base might look like.

 

4.1 Creating Custom App-ID to secure Office 365

Please follow the steps outlined below to create a custom App-ID for Office 365 enterprise logins.

 

  1. Under Objects > Applications – click “Add” and configure as shown below:

    Picture2.png

  2. Click on "Signature" tab under Application and configure as shown below:
    Picture3.png

  3. Once created, you can use the custom App-ID in security policy, as shown below. The policy set below allows access to Office 365 enterprise offerings, only from sanctioned usernames for "mydomain".

 

 Picture4.png

 

  

5. Example Use Cases and Policies

 

Case 1:  Allow specific sanctioned instances of Office 365 enterprise accounts while blocking unsanctioned access to Office 365 from either unsanctioned enterprise accounts or consumer accounts.

 Picture5.png

Note: Rules 3 and 5 can also be combined into a single policy. These are shown here separately for providing clarity.

 

Case 2: Allow sanctioned and unsanctioned domain logins for Office 365 enterprise offerings while blocking access to Office 365 consumer offerings.

Picture6.png

Note: Rules 3 and 5 can also be combined into a single policy. These are shown here separately for providing clarity.

 

Case 3: Explicitly block access to Office 365 consumer offerings.

Picture7.png
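Because the screenshots for sections 4 and 5 do not survive here, the following added Python example (not code from this guide or from Palo Alto Networks) models the two pieces they illustrate: the whole-domain check on the login name that the custom App-ID performs through the http-req-ms-subdomain decode context, and the first-match-wins evaluation of the rulebases in Cases 1 to 3. The sanctioned domains, the custom App-ID name `office365-mydomain-login`, the rule names, and the implicit deny at the end of the rulebase are all assumptions; the firewall's real matching is defined in the custom signature, not by this script.

```python
import re
from typing import FrozenSet, List, Optional, Tuple

# Constructed allow-list of login-name domains, mirroring the three username formats the
# guide lists for the custom App-ID (the tenant name "mydomain" is assumed).
SANCTIONED_DOMAINS = frozenset({"mydomain.com", "mydomain.org", "mydomain.onmicrosoft.com"})

# App-ID names from the guide; the custom App-ID's name is a hypothetical choice.
ENTERPRISE = "office365-enterprise-access"
CONSUMER = "office365-consumer-access"
CUSTOM_SANCTIONED = "office365-mydomain-login"  # hypothetical custom App-ID name

# UPN-style login: a local part, exactly one '@', then a host name of letters, digits, '.', '-'.
_UPN = re.compile(r"^[^@\s]+@([A-Za-z0-9.-]+)$")


def login_domain(username: str) -> Optional[str]:
    """Return the domain part of 'user@domain', lower-cased, or None if the login is malformed."""
    match = _UPN.match(username.strip())
    return match.group(1).lower().rstrip(".") if match else None


def is_sanctioned_login(username: str) -> bool:
    """Whole-domain comparison: the domain must equal a sanctioned entry as a complete label
    sequence. A domain that merely contains 'mydomain.com' does not pass."""
    return login_domain(username) in SANCTIONED_DOMAINS


def classify_session(base_app: str, username: Optional[str]) -> str:
    """App-ID the session ends up with.

    Models the guide's description: the custom App-ID refines the enterprise App-ID using the
    domain found in the login name (the decode context). Consumer sessions are never refined,
    and an enterprise login with an unsanctioned domain keeps the generic enterprise App-ID so
    that a later deny rule can catch it.
    """
    if base_app == ENTERPRISE and username and is_sanctioned_login(username):
        return CUSTOM_SANCTIONED
    return base_app


Rule = Tuple[str, FrozenSet[str], str]  # (rule name, applications, action)

# The three use cases as first-match-wins rule lists. Rule names are constructed; the guide's
# screenshots carry the real rule numbers, which are not reproduced here. In this model a
# sanctioned session is identified as the custom App-ID, so a rule meant to cover every
# enterprise login (Case 2) lists both the custom and the generic enterprise App-ID.
CASE1_SANCTIONED_ONLY: List[Rule] = [
    ("allow-sanctioned-o365", frozenset({CUSTOM_SANCTIONED}), "allow"),
    ("block-unsanctioned-enterprise", frozenset({ENTERPRISE}), "deny"),
    ("block-consumer", frozenset({CONSUMER}), "deny"),
]
CASE2_ANY_ENTERPRISE: List[Rule] = [
    ("allow-any-enterprise", frozenset({ENTERPRISE, CUSTOM_SANCTIONED}), "allow"),
    ("block-consumer", frozenset({CONSUMER}), "deny"),
]
CASE3_BLOCK_CONSUMER: List[Rule] = [
    ("block-consumer", frozenset({CONSUMER}), "deny"),
]


def evaluate(rules: List[Rule], base_app: str, username: Optional[str]) -> Tuple[str, str]:
    """Walk the rulebase top-down and return (rule name, action) for the first rule whose
    application set contains the session's App-ID. Unmatched traffic falls to an assumed
    implicit deny, as it would in a rulebase with no explicit allow for it."""
    app = classify_session(base_app, username)
    for name, rule_apps, action in rules:
        if app in rule_apps:
            return name, action
    return "implicit-default", "deny"


if __name__ == "__main__":
    # Constructed sessions: (base App-ID, login name seen in the decrypted request).
    sessions = [
        (ENTERPRISE, "alice@mydomain.com"),
        (ENTERPRISE, "bob@notmydomain.com"),
        (ENTERPRISE, "eve@mydomain.com.example.net"),
        (CONSUMER, "carol@outlook.com"),
    ]
    for label, rules in (("Case 1", CASE1_SANCTIONED_ONLY),
                         ("Case 2", CASE2_ANY_ENTERPRISE),
                         ("Case 3", CASE3_BLOCK_CONSUMER)):
        for app, user in sessions:
            print(label, app, user, "->", evaluate(rules, app, user))
```

The point the model makes for the real configuration is the second session in Case 1: an unsanctioned enterprise login never acquires the custom App-ID, so the order "allow custom App-ID, then deny office365-enterprise-access, then deny office365-consumer-access" is what turns the domain check into an access decision. It also shows why the custom signature's pattern should match the complete login domain rather than a substring of it.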

 

6. Office 365 Access Control and SharePoint Instance

 

Cross-tenant sharing: Using SharePoint, a user from Company A can create a collaboration folder or share a file with another user from Company B. Let us say that Company B would not like its users to share anything outside Company B’s instance of SharePoint. Customers can follow the steps below to create a custom URL category and URL filtering profile to address this.

 

  1. Under Objects > Custom Objects > URL Category, create a new custom URL category for any SharePoint access:
    Picture8.png

  2. Under Objects > Security Profiles > URL Filtering, create a new URL filtering profile like below:
    Picture9.png

  3. Use this profile in a security policy which allows sanctioned enterprise-level access to Office 365. One example is the security policy in which we allowed the custom App-ID (see below):

 Picture10.png
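The custom URL category and profile from the screenshots above are not reproduced on this page, so the following added Python example (not code from this guide or from Palo Alto Networks) models the intent of section 6: classify each SharePoint Online URL by the tenant in its host name, allow Company B's own tenant, and block every other tenant. The tenant name `companyb`, the `-my` and `-admin` host suffixes, and the fail-closed treatment of unexpected `*.sharepoint.com` hosts are assumptions made here; on the firewall the equivalent decision comes from the custom URL category entries and the URL filtering profile's actions, not from this script.

```python
from urllib.parse import urlsplit

# Constructed: Company B's own SharePoint Online tenant label (assumed).
OWN_TENANT = "companyb"
SHAREPOINT_SUFFIX = ".sharepoint.com"
# Assumed Microsoft host naming: "<tenant>-my" for OneDrive, "<tenant>-admin" for the admin site.
TENANT_HOST_SUFFIXES = ("-my", "-admin")


def sharepoint_tenant(url: str):
    """Tenant label for a SharePoint Online URL, or None when the host is not under
    sharepoint.com. Only the parsed host name is examined, never the path or query,
    so a foreign host with 'sharepoint.com' in its path is not mistaken for a tenant."""
    if "://" not in url:
        url = "https://" + url  # tolerate scheme-less entries as they appear in URL logs
    host = (urlsplit(url).hostname or "").lower()
    if not host.endswith(SHAREPOINT_SUFFIX):
        return None
    label = host[: -len(SHAREPOINT_SUFFIX)]
    for suffix in TENANT_HOST_SUFFIXES:
        if label.endswith(suffix):
            label = label[: -len(suffix)]
            break
    # An unexpected shape (extra labels, empty label) is returned as-is; it will not equal
    # OWN_TENANT and therefore fails closed into "block" below.
    return label


def url_filter_action(url: str) -> str:
    """'allow' for Company B's own instance, 'block' for any other tenant under sharepoint.com,
    'no-match' when the URL is not SharePoint Online at all (other profile rules decide)."""
    tenant = sharepoint_tenant(url)
    if tenant is None:
        return "no-match"
    return "allow" if tenant == OWN_TENANT else "block"


def review(urls):
    """Apply the category decision to a list of URLs and return (url, action) pairs."""
    return [(u, url_filter_action(u)) for u in urls]


if __name__ == "__main__":
    # Constructed sample URLs of the kind a URL filtering log would show.
    sample = [
        "https://companyb.sharepoint.com/sites/finance",
        "https://companyb-my.sharepoint.com/personal/alice_companyb_com",
        "https://companya.sharepoint.com/:f:/s/project/shared-folder",
        "companyb.sharepoint.com/sites/hr",
        "https://www.microsoft.com/",
        "https://example.invalid/companyb.sharepoint.com",
    ]
    for url, action in review(sample):
        print(f"{action:9} {url}")
```

Two details carry over to the real profile: match on the host name rather than on any substring of the URL, and decide what happens to SharePoint hosts that are neither the sanctioned tenant nor a recognised host form. The model blocks them, which is the safer default for the goal stated in section 6.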

 

 

7. Office 365 Access Control and existing Office 365 support matrix

The matrix below, which has applied to the existing Office 365 App-IDs, also applies to Office 365 Access Control.

| App-ID | AV/AS | File Ident | Vuln | Data Ident | File-Forward | SSL Decryption: Web | SSL Decryption: Windows PC or Mac OS Client | SSL Decryption: Windows Tablet Client | SSL Decryption: iOS | SSL Decryption: Android | Reason for No |
|---|---|---|---|---|---|---|---|---|---|---|---|
| ms-office365-base | No | No | Yes | No | No | Yes | No | No | Yes | Yes | SSL Pinning |
| office-on-demand | Yes | Yes | Yes | Yes | Yes | Yes | No | No | N/A | N/A | SSL Pinning |
| ms-lync-online | No | No | Yes | No | No | Yes | No | No | Yes | Yes | SSL Client Auth |
| sharepoint-online | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | |
| outlook-web-online | Yes | Yes | Yes | Yes | Yes | Yes | Yes | No | Yes | Yes | SSL Pinning |
| ms-lync-online-apps-sharing | No | No | Yes | No | No | Yes | No | No | Yes | Yes | SSL Pinning |
| ms-lync-online-file-transfer | Yes | Yes | Yes | No | Yes | Yes | No | No | Yes | Yes | SSL Client Auth |


See also

FAQ - Office 365 Access Control

 

Send comments to @msandhu or @nasingh or leave a comment or question in the comments section below.
