FAQ - Office 365 Access Control

by msandhu on 07-06-2016 01:27 PM - edited on 01-17-2017 10:23 AM by (40,727 Views)

In the week of August 29th, 2016, Palo Alto Networks released changes to App-ID for Microsoft® Office 365™. To allow our customers to prepare for this change and avoid any problems, Palo Alto Networks is releasing the following placeholder App-IDs and decode context as part of Application and Threat Update version 597. To ensure that existing Office 365 policies continue to work after the week of August 29th, 2016, we strongly encourage customers to read and fully understand this document.

New Applications (only placeholders for now):

  • office365-enterprise-access
  • office365-consumer-access

New Decode Context for “Pattern Match” for Custom Application Signatures (only a placeholder for now):

  • http-req-ms-subdomain

Frequently Asked Questions:

Q. Why is Palo Alto Networks making this change?

A. Currently, to safely enable Office 365, our customers use the “ms-office365” and “ms-onedrive” App-IDs. However, we have found that customers would also like to accomplish the following goals:

  • Gain visibility into enterprise and consumer use of Office 365 in their networks.
  • Allow specific sanctioned instances of Office 365 enterprise accounts while blocking unsanctioned access to Office 365, whether from unsanctioned enterprise accounts or from consumer accounts.
  • Block consumer access to Office 365 services.
  • Control and limit cross-tenant sharing of “sharepoint-online”.


Q. What new capabilities do I get because of this change?

A. Customers will get the following new capabilities because of this change:

  • Visibility into enterprise and consumer use of Office 365 in their networks.
  • The ability to create a “Custom Application” for their specific Office 365 enterprise logins. This App-ID is based on the domain name used to log in to Office 365 enterprise accounts. For example, if users log in to Office 365 with login names like user@mydomain.org, user@mydomain.com, or user@mydomain.onmicrosoft.com, then a “Custom Application” can be created to look for the domain name “mydomain”. Once created, this App-ID can be configured in policies along with the existing Office 365 App-IDs to limit access to Office 365 to sanctioned enterprise-wide accounts only.
  • The ability to block access to the consumer edition of Office 365 services.
  • Selective control of cross-tenant sharing of “sharepoint-online” using URL filtering and custom App-IDs.


Q. Do I need to enable SSL decryption to use this capability?

A. Yes, SSL decryption is required to have this capability.

Q. Am I affected by this change if I am not using SSL decryption for Office 365 traffic?

A. No, this change will not affect you if you are not using SSL decryption for Office 365 traffic.

Q. Am I affected by this change if a device upstream is performing SSL decryption and the firewall only gets decrypted traffic?

A. In this case, yes, you will be affected by this change and you should make the changes suggested below.

Q. How can I create a “Custom Application” for my specific instance of the Office 365 account?

A. Step 1. Under Objects > Applications, click “Add” and configure the values as shown below.

[Screenshot: Screen Shot 2016-07-06 at 10.04.13 AM.png]

Step 2. Click the “Signatures” tab and configure the values as shown below (the signature uses a “Pattern Match” condition on the http-req-ms-subdomain decode context to look for the enterprise domain name, for example “mydomain”).

[Screenshot: Screen Shot 2016-07-06 at 10.07.24 AM.png]

Step 3. Save and commit the configuration.


Q. How am I affected by this change? How do I guarantee operational continuity for safely enabling Office 365 apps?

A. As of July 6th, 2016, with Content version 597, Palo Alto Networks is adding “office365-enterprise-access” and “office365-consumer-access” as placeholder App-IDs to our application catalog. These App-IDs are delivered as placeholders, allowing our customers to make the necessary policy changes to their firewalls ahead of time. These two placeholder App-IDs will not affect firewall policy processing or any existing App-ID driven rules until the week of August 29th, 2016, when they are functionally enabled.

Palo Alto Networks will replace the placeholder App-IDs with the formal App-IDs “office365-enterprise-access” and “office365-consumer-access” in the week of August 29th, 2016.

To facilitate this transition, Palo Alto Networks intends to follow the timeline outlined below:

  • July 5th, 2016: Palo Alto Networks delivers the placeholder App-IDs “office365-enterprise-access” and “office365-consumer-access” with weekly Content Apps and Threat Update 596. With this content version, Palo Alto Networks also releases a custom decode context, “http-req-ms-subdomain”. As illustrated above, this can be used to create the required custom App-IDs for identifying specific sanctioned enterprise access to Office 365. These two App-IDs, in addition to the custom App-IDs, can be used to safely update firewall policies and prepare for the announced changes.
  • Example transitional policy to enable all Office 365 access:

[Screenshot: Screen Shot 2016-07-06 at 10.09.18 AM.png]

  • Example policy with a custom App-ID to “only” enable Office 365 access to sanctioned enterprise accounts:

[Screenshot: example2.png]

  • Example policy to “only” enable Office 365 access to any enterprise account:

[Screenshot: example3.png]

  • August 30th, 2016: Palo Alto Networks functionally enables the “office365-enterprise-access” and “office365-consumer-access” App-IDs. These App-IDs will be fully operational, and the configured policy will be enforced on any traffic destined to Office 365 services. If the Security Policies have been updated as per the guidance above, customers will now have access control for Office 365 services.


Q. What happens if I do not add “office365-enterprise-access” or a custom App-ID created for enterprise logins to Office 365?

A. If “office365-enterprise-access” or an enterprise-specific custom App-ID is not allowed, Office 365 services will not work. We strongly recommend that customers incorporate the changes described above to prepare for the update we intend to deliver during the week of August 29th, 2016.

Q. What happens if I do not add the “office365-consumer-access” App-ID to my policies?

A. Without “office365-consumer-access” explicitly allowed, users will not be able to access the consumer edition of Office 365 services. We strongly recommend that customers incorporate the changes described above to prepare for the update we intend to deliver during the week of August 29th, 2016.

Q. How will this change affect the existing “ms-office365” and “ms-onedrive” App-IDs?

A. The existing App-IDs will continue to work until August 28th, 2016. But with the content update of the week of August 29th, 2016, the part of the traffic related to user login will be identified as “office365-enterprise-access” or “office365-consumer-access” for all ms-office365 App-IDs. This means that these App-IDs should exist in the security policies as per the recommendations made above.

Q. What versions of PAN-OS will be affected by this change?

A. All currently supported versions of PAN-OS software that are updated to a version of the Content and Threat Update delivered on or beyond the week of August 29th, 2016 may be affected by this change.

Q. I have made the changes suggested above but I do not see the new App-IDs or the custom App-ID being triggered.

A. These will only work after the Content Update of 29 August 2016, when these placeholder App-IDs and decode context will be functionally enabled. Until then, the purpose of these placeholder App-IDs and decode context is to help our customers be ready for the change of 29 August 2016.

See also

Microsoft Office 365 Access Control Field Support Guide

Send comments to @msandhu or @nasingh, or leave a comment or question in the comments section below.

Comments
by clynch
07-08-2016 05:06 AM - edited 07-08-2016 05:11 AM

So if I don't have decryption enabled, will the firewall continue processing user logins as ms-office365? The two statements I'm pasting below seem to conflict a bit.

Q. Am I affected by this change if I am not using SSL decryption for Office 365 traffic?

A. No, this change will not affect you if you are not using SSL decryption for Office 365 traffic.

Q. How will this change affect the existing “ms-office365” and “ms-onedrive” App-IDs?

A. The existing App-IDs will continue to work until August 28th, 2016. But with the content update of the week of August 29th, 2016, a part of traffic related to user login will be identified as “office365-enterprise-access” or “office365-consumer-access” for all ms-office365 App-IDs. This means that these App-IDs should exist in the security policies as per the recommendations made above.

by DJGilm
on 07-14-2016 07:43 AM

It's saying that if you have policies defined with those applications (“ms-office365” and “ms-onedrive”). If you are not decrypting, your firewall would only see SSL. Any changes to those app-id's won't apply since it would apply policies to the app-id "ssl", not “ms-office365” or “ms-onedrive”.

by INSHAJ
on 07-23-2016 06:43 PM

How can we get all Microsoft office365 IP list dynamically downloaded via DBL to route O365 traffic over a specific link (PBF) ?

is there any specific link to add to the Dynamic IP block list?

thanks

inshaj

by TheRealDiz
on 07-25-2016 03:45 AM

Hi @INSHAJ,

Could you confirm that I don't need to change anything if I am NOT using SSL-Decryption?

Just a confirmation,

BR

Luca

by
on 07-25-2016 01:17 PM

@LucaDiLeo,

What it is saying is that if you are not using SSL Decryption, you will NOT see the Office 365 app and the changes.

If you have your policy set up for SSL traffic (not decrypted), then you will not get this new feature, and you will not have to change anything.

I hope this clarifies.

BTW, nice last name, but mine is slightly different. :) =)

-Joe Delio

by Asaki
on 07-25-2016 08:53 PM

Hi
I've asked TAC about it and they too confirmed that those who use ms-onedrive/ms-office365 without SSL decryption aren't affected by this change. One exception is, if you have a 3rd party appliance like F5, Blue Coat, or A10 outside the box and they are working as the SSL decrypter instead of PAN-OS, you have to take this article into consideration.

Saki A.

by TheRealDiz
on 07-26-2016 01:44 AM

Hi @Asaki & @jdelio,

Thanks both for your confirmation about this.

PS

For @jdelio (I'm Italian, so my last name is obviously better than yours :P haha)

Best Regards

Luca

by petter.stenstadvold@sfj.no
on 07-26-2016 11:20 PM

Hi @jdelio and @DJGilmore

You stated:

"What it is saying, that if you are not using SSL Decryption, you will NOT see the Office 365 app and the changes".

"If you are not decrypting, your firewall would only see SSL."

This is not quite true or slightly misleading:

We do see the App-IDs and subcategories without SSL Decryption today. It is possible that the login process is different; thus the specific process of login (not visible as a sub-category today) will, with SSL decryption enabled and the new App-IDs, be visible.

But, the old App-IDs and sub-categories will still work as before (I sincerely hope), identifying the different application sub-categories as before, for setups not using SSL decryption and where one does not need to differentiate between the logon methods or enterprise/consumer.

In any case, since we are not using SSL decryption, I expect we are not affected by the change.


by msandhu
on 08-10-2016 10:41 AM

Added a new question to the FAQ. @Asaki Thanks for highlighting this scenario.

Q. Am I affected by this change if a device upstream is performing SSL decryption and the firewall only gets decrypted traffic?

A. In this case, yes, you will be affected by this change and you should make the changes suggested below.

by Sistemas_SanLucar
on 08-12-2016 03:20 AM

Hi,

Sorry, it is not clear to me. I followed your instructions.

1º. I created a "Custom Application" for my specific instance of the Office365 account.
2º. I created a rule to allow all traffic for Office365-mydomain, Office365-Consumer and Office365-consumer.

When I made a commit, it showed:

vsys1: Rule 'Allowed-Office365' application dependency warning:

Application 'office365-enterprise-access' requires 'ssl' be allowed

Application 'office365-enterprise-access' requires 'web-browsing' be allowed

Application 'office365-consumer-access' requires 'ssl' be allowed

Application 'office365-consumer-access' requires 'web-browsing' be allowed

I have not configured SSL decryption.

I read:

Q. Am I affected by this change if I am not using SSL decryption for Office 365 traffic?

A. No, this change will not affect you if you are not using SSL decryption for Office 365 traffic.

Will I have a problem if SSL decryption is not active?

I think I understood that if SSL decryption is not active I should not have done anything and should leave everything as it was.

Thank you

Regards

by
on 08-12-2016 09:06 AM

@Sistemas_SanLucar,

The reason you are getting those errors has to do with Application Dependency, not decryption.

For a LOT of detail on this, please see the following articles, as these should clear up any confusion here:

Tips & Tricks: What is Application Dependency?

How to Check if an Application Needs Explicitly Allowed Dependency Apps


by max.strzelecki
08-22-2016 09:46 AM - edited 08-22-2016 09:53 AM

I think this article needs to be more clear about the dependency settings.

If I create a new policy with "office365-enterprise" and I also add "ssl" and "web-browsing" applications, that policy also allows ALL ssl and web-browsing. That would require a deny rule right after it, but then everything except 365 gets blocked...


by
on 08-23-2016 12:02 AM

Hi @max.strzelecki

The dependencies do not need to be in the same security policy for the application to work; they just need to be allowed somewhere in the security policy so the initial connection, which is web based, is allowed to pass.

If you already have a web browsing security policy with URL filtering and security profiles, this will satisfy the dependency and no additional applications need to be added to the office365 policy.
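A toy model, added here as an example and not code from Palo Alto Networks or from this FAQ, that ties the article's three example policies (transitional, sanctioned enterprise only, any enterprise) to the dependency point in the reply above. It identifies a login as the custom App-ID, office365-enterprise-access or office365-consumer-access, evaluates a rulebase top-down with first-match semantics, and reproduces the "requires 'ssl' be allowed" commit warning quoted earlier in the comments by checking that each allowed app's dependencies are allowed by some rule, not necessarily the same one. Assumptions, all constructed for the example: the custom App-ID name office365-mydomain, the sanctioned tenant label "mydomain" from the FAQ's example logins, the consumer login domains, an implicit default deny at the end of the rulebase, and the simplification that the custom App-ID fires whenever the first label of the login domain equals the tenant label (the real http-req-ms-subdomain decode context matches a pattern in the HTTP request and is not modelled here).

```python
import re

# App-IDs named in the FAQ. The custom App-ID name is a hypothetical example
# built the way the FAQ suggests (look for the domain name "mydomain").
ENTERPRISE = "office365-enterprise-access"
CONSUMER = "office365-consumer-access"
CUSTOM = "office365-mydomain"
LEGACY = {"ms-office365", "ms-onedrive"}

# Constructed assumptions: the sanctioned tenant label from the FAQ's example
# logins, and a few consumer login domains (the FAQ does not list any).
SANCTIONED_TENANT = "mydomain"
CONSUMER_DOMAINS = {"outlook.com", "hotmail.com", "live.com"}

# Dependencies taken from the commit warning quoted in the comments.
DEPENDENCIES = {
    ENTERPRISE: {"ssl", "web-browsing"},
    CONSUMER: {"ssl", "web-browsing"},
}

_LOGIN_RE = re.compile(r"^[^@\s]+@([^@\s]+)$")


def identify(login: str) -> str:
    """Return the App-ID a session with this Office 365 login would carry.

    Toy simplification: the custom App-ID fires when the first label of the
    login domain is the sanctioned tenant (user@mydomain.org,
    user@mydomain.onmicrosoft.com); consumer domains map to the consumer
    App-ID; any other domain is an unsanctioned enterprise login.
    """
    match = _LOGIN_RE.match(login.strip().lower())
    if not match:
        raise ValueError(f"not a login name: {login!r}")
    domain = match.group(1)
    if domain in CONSUMER_DOMAINS:
        return CONSUMER
    if domain.split(".")[0] == SANCTIONED_TENANT:
        return CUSTOM
    return ENTERPRISE


class Rule:
    """One security rule: a set of App-IDs ("any" matches all) and an action."""

    def __init__(self, name: str, apps, action: str) -> None:
        self.name = name
        self.apps = frozenset(apps)
        self.action = action

    def matches(self, app: str) -> bool:
        return "any" in self.apps or app in self.apps


def first_match(rules, app: str):
    """Top-down first-match evaluation; unmatched traffic hits an assumed default deny."""
    for rule in rules:
        if rule.matches(app):
            return rule.name, rule.action
    return "default", "deny"


def decision(rules, login: str) -> str:
    return first_match(rules, identify(login))[1]


def allowed_anywhere(rules, app: str) -> bool:
    """A dependency only needs to be allowed by *some* rule, not the same rule."""
    return any(r.action == "allow" and r.matches(app) for r in rules)


def dependency_warnings(rules):
    """Reproduce the commit warning for allowed apps whose dependencies are allowed nowhere."""
    warnings = []
    for rule in rules:
        if rule.action != "allow":
            continue
        for app in sorted(rule.apps):
            for dep in sorted(DEPENDENCIES.get(app, ())):
                if not allowed_anywhere(rules, dep):
                    warnings.append(
                        f"Rule '{rule.name}': Application '{app}' requires '{dep}' be allowed")
    return warnings


# Constructed rulebases mirroring the FAQ's three example policies, each followed
# by an ordinary web rule that satisfies the ssl/web-browsing dependency.
WEB = Rule("Allow-Web", {"ssl", "web-browsing"}, "allow")
TRANSITIONAL = [Rule("Allow-O365-All", LEGACY | {ENTERPRISE, CONSUMER, CUSTOM}, "allow"), WEB]
SANCTIONED_ONLY = [Rule("Allow-O365-Sanctioned", LEGACY | {CUSTOM}, "allow"), WEB]
ANY_ENTERPRISE = [Rule("Allow-O365-Enterprise", LEGACY | {ENTERPRISE, CUSTOM}, "allow"), WEB]
# The situation from the comments: an Office 365 rule with no web rule anywhere.
NO_WEB_RULE = [Rule("Allowed-Office365", LEGACY | {ENTERPRISE, CONSUMER}, "allow")]

if __name__ == "__main__":
    for login in ("user@mydomain.org", "user@othercorp.com", "someone@outlook.com"):
        print(login, identify(login), decision(TRANSITIONAL, login),
              decision(SANCTIONED_ONLY, login), decision(ANY_ENTERPRISE, login))
    for line in dependency_warnings(NO_WEB_RULE):
        print(line)
```

Running the block prints, for each sample login, the App-ID it is identified as and the allow/deny decision under each of the three rulebases, then the four warnings the rulebase without a web rule would produce. Moving the web rule below the Office 365 rule, as in the example rulebases, keeps Office 365 traffic on its own rule while still satisfying the dependency, which is the point of the reply above.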

by daurelianc
09-13-2016 03:57 AM - edited 09-13-2016 03:58 AM

The custom App-ID decode context http-req-ms-subdomain cannot do short domain names. Is there a plan to accommodate short domains like bt.com or mod.uk, or any workaround at this moment?

by max.strzelecki
11-21-2016 09:14 AM - edited 11-21-2016 09:15 AM

@reaper I noticed the example dependency policy is not using "application-default" for the SSL and web-browsing. Is there any reason not to?

by stevicus
on 12-02-2016 11:12 AM

The issue I've seen with O365 and SSL decryption is when it comes to Skype for Business. Turning on SSL Decryption essentially breaks the connection.

by max.strzelecki
on 12-02-2016 11:59 AM

We don't have any issues with Skype for Business anymore. Initially we had the same problem as you mentioned, and adding lync.com to our no-decrypt category resolved it. But I think Palo added it to their no-decrypt list, because I've removed lync.com months ago and it's been fine.

by DaveBall
4 weeks ago

by stevicus
on 12-02-2016 11:12 AM

The issue I've seen with O365 and SSL decryption is when it comes to Skype for Business. Turning on SSL Decryption essentially breaks the connection.

by max.strzelecki
on 12-02-2016 11:59 AM

We don't have any issues with Skype for Business anymore. Initially we had the same problem as you mentioned, and adding lync.com to our no-decrypt category resolved it. But I think Palo added it to their no-decrypt list, because I've removed lync.com months ago and it's been fine.

_____________________________________________________________

This is our problem. To get Skype for Business to work, we have an SSL decryption exemption URL category that is literally 7 pages long. By not decrypting any of that MS traffic, we're left with URL filtering, which does NOT work with Microsoft's silly URL/IP/round-robin/whatever-IP-space-we-feel-like-using-today architecture.

You're saying that you can "Do not Decrypt" *ONLY* lync.com, and decrypt the rest, and it works? I know Skype for Business is on the DND list, but we still have to create the exemptions. And I desperately need a way to filter O365 traffic.

by jeff6strings
2 weeks ago

 I'm concerned with a destination in the Security Policy. What is everyone else doing for destination? The list of IP addresses for Office 365 Business products is long and ever changing or can a URL Category be used in the Security Policy using the published FQDNs in the link below?

Appreciate any feedback.

Jeff

Office 365 IPs and URLs