
Protect Office365 and Windows365 with Azure Firewall


Written by Yuval Perry (Azure Firewall Product Manager)

 

Office 365 customers are looking for the best cloud connectivity experience at scale to achieve end-to-end connectivity through the most optimized route possible. Traffic from the organization’s network to the required Office 365 endpoints should be managed and secured, which can be a time-consuming, ongoing task. With the recent announcement of Azure Firewall integration with Office 365, you can now easily manage this traffic and leverage the firewall’s security features to secure it.

 

Office 365 endpoint requirements consist of hundreds of FQDNs and IP addresses, split across multiple Office 365 services and categories. Some required endpoints are sensitive to network performance, latency and availability, while others do not require any optimization or are not even hosted in Microsoft datacenters, and can therefore be treated as normal internet-bound traffic. To add to that complexity, new endpoints are added from time to time to onboard new Office 365 features or due to other service changes.

 

With this new integration of Azure Firewall with Office 365, you can now manage the network requirements in a more convenient and efficient manner. Instead of allowing and securing traffic to specific IP addresses and FQDNs and updating your Azure Firewall Policy rules whenever endpoints change, you can now use the new built-in Service Tags and FQDN Tags. These tags group the required endpoints per Office 365 product and category and are updated periodically behind the scenes to eliminate maintenance.

 


 

Configuring Azure Firewall Policy to secure Office 365

 

The new built-in Office 365 Service Tags group the required IPv4 addresses by Office 365 service and category. For instance, the “Office365.Exchange.Optimize” Service Tag groups all IPv4 addresses required for Exchange connectivity, representing Office 365 scenarios that are the most sensitive to network performance, latency, and availability. You can use these Service Tags as a destination in an Azure Firewall network rule to allow and secure specific or all Office 365 traffic from your defined source IP addresses, range, or IP group. When creating the rule, be sure to define the required TCP / UDP ports.

 

Service Tags are updated automatically by Microsoft when addresses are added or changed. Any Service Tag defined in a network rule is constantly translated to the most updated list of IP addresses, with no further action required.

 


 

Similarly, the new built-in FQDN Tags represent the required FQDNs, grouped by Office 365 service and category. For instance, the “Office365.SharePoint.Optimize” tag groups the FQDN endpoints required by SharePoint that are sensitive to network performance, latency and availability. You can use these FQDN Tags as a destination in Azure Firewall Policy application rules to allow and secure any or all Office 365 outbound traffic.

 

FQDN Tags are updated automatically by Microsoft when FQDNs are added or changed. Any FQDN Tag defined in an application rule is constantly translated to the most updated list of FQDNs, with no further action required.
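The two rule types described above (a network rule with a Service Tag destination and an application rule with an FQDN Tag destination), written as a Bicep rule collection group. This is an added example, not configuration from the original post: the policy name, group and rule names, priorities, the 10.10.0.0/16 source range and the choice of TCP 443 are assumptions to replace with your own values and with the ports Microsoft lists for each endpoint category.

```bicep
// Added example, not from the original post. Assumed: policy name, group and
// rule names, priorities, the 10.10.0.0/16 source range, and TCP 443 as the port.
resource policy 'Microsoft.Network/firewallPolicies@2023-04-01' existing = {
  name: 'fw-policy-hub'
}

resource o365 'Microsoft.Network/firewallPolicies/ruleCollectionGroups@2023-04-01' = {
  parent: policy
  name: 'rcg-office365'
  properties: {
    priority: 200
    ruleCollections: [
      {
        ruleCollectionType: 'FirewallPolicyFilterRuleCollection'
        name: 'net-exchange-optimize'
        priority: 210
        action: { type: 'Allow' }
        rules: [
          {
            ruleType: 'NetworkRule'
            name: 'exchange-optimize'
            sourceAddresses: [ '10.10.0.0/16' ]
            // Service Tag as destination: the firewall resolves it to the current IPv4 list
            destinationAddresses: [ 'Office365.Exchange.Optimize' ]
            ipProtocols: [ 'TCP' ]
            destinationPorts: [ '443' ]
          }
        ]
      }
      {
        ruleCollectionType: 'FirewallPolicyFilterRuleCollection'
        name: 'app-sharepoint-optimize'
        priority: 220
        action: { type: 'Allow' }
        rules: [
          {
            ruleType: 'ApplicationRule'
            name: 'sharepoint-optimize'
            sourceAddresses: [ '10.10.0.0/16' ]
            // FQDN Tag instead of a hand-maintained targetFqdns list
            fqdnTags: [ 'Office365.SharePoint.Optimize' ]
            protocols: [
              { protocolType: 'Https', port: 443 }
            ]
          }
        ]
      }
    ]
  }
}
```

Keeping each tag in its own narrowly scoped rule, with explicit sources and ports rather than wildcards, means the automatic tag updates widen only the destination list and nothing else in the rule.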

 

Some of the required Office 365 endpoints, which are listed in the “Default” category, can be treated as normal outbound internet traffic. When allowing communication to these endpoints, you can leverage Azure Firewall Premium’s IDPS and TLS Inspection security features as an additional layer of protection for this outbound traffic. You can decrypt the traffic to reveal any malicious or unwanted activity and monitor it with the IDPS engine across tens of thousands of signatures provided by Azure Firewall.

 


 

Configuring Azure Firewall Policy to secure Windows 365

 

Azure Firewall integration with Windows 365 provides a simplified and more efficient way to allow and secure outbound traffic to Windows 365. Instead of creating policy rules with the specific FQDNs, you can now use the new built-in FQDN tag that represents the required Windows 365 FQDNs and the required Azure Virtual Desktop FQDNs. Use this tag in your application rule to seamlessly protect Windows 365 communications.

 


 

In addition to an application rule using the new Windows 365 FQDN tag, you might need other rules to allow and secure all Windows 365 features. You can read more details here.

 
