Loading...

Protect Office365 and Windows365 with Azure Firewall

Protect Office365 and Windows365 with Azure Firewall

Written by Yuval Perry (Azure Firewall Product Manager)

 

Office 365 customers are looking for the best cloud connectivity experience at scale to achieve end-to-end connectivity through the most optimized route possible. Traffic from the organization’s network to the required Office 365 endpoints should be managed and secured, which could be a time-consuming ongoing task. With the recent announcement of Azure Firewall integration with Office 365, you can now easily manage this traffic and leverage the firewall’s security features to secure it.

 

Office 365 endpoints requirements are built of hundreds of FQDNs and IP addresses, split across multiple Office 365 services and categories. Some required endpoints are sensitive to network performance, latency and availability, while others do not require any optimization or are even not hosted in Microsoft datacenters, thus can be treated as normal internet bound traffic. To add to that complexity, new endpoints are added from time to time to onboard new Office 365 features or due to other service changes.

 

With this new integration of Azure Firewall with Office 365, you can now manage the network requirements in a more convenient and efficient manner. Instead of allowing and securing traffic to specific IP addresses and FQDNs and updating your Azure Firewall Policy rules upon endpoints updates, you can now use the new built-in Service Tags and FQDN Tags. These tags group the required endpoints per Office 365 product and category and are updated periodically behind the scenes to eliminate maintenance.

 

gusmodena_0-1684421142264.png

 

Configuring Azure Firewall Policy to secure Office 365

 

The new built-in Office 365 Service Tags group the required IPv4 addresses by Office365 service and category. For instance, “Office365.Exchange.Optimize” Service Tag groups all IPv4 addresses required for Exchange connectivity, representing Office 365 scenarios that are the most sensitive to network performance, latency, and availability. You can use these service tags as a destination in Azure Firewall Network Rule, to allow and secure specific or all Office 365 traffic from your defined source IP addresses, range, or IP group. When creating the rule, ensure to define the required TCP / UDP ports.

 

Service Tags are updated automatically by Microsoft when addresses are added or changed. Any Service Tag defined in a network rule is constantly translated to the most updated list of IP addresses, with no further action required.

 

gusmodena_1-1684421199773.png

 

Similarly, the new built-in FQDN tags represent the required FQDNs, grouped by Office365 service and category. For instance, “Office365.SharePoint.Optimize” tag groups the FQDN endpoints required by SharePoint which are sensitive to network performance, latency and availability. You can use these FQDN tags as a destination in Azure Firewall Policy Application Rules, to allow and secure any or all Office 365 outbound traffic.

 

FQDN Tags are updated automatically by Microsoft when FQDNs are added or changed. Any FQDN Tag defined in an application rule is constantly translated to the most updated list of FQDNs, with no further action required.

 

Some of the required Office 365 endpoints, which are listed in “Default” category, can be treated as a normal outbound internet traffic. When allowing communication to these endpoints, you can leverage Azure Firewall Premium’s security features of IDPS and TLS Inspection as an additional layer of protection to this outbound traffic. You can decrypt the traffic to reveal any malicious or unwanted activity and monitor it with IDPS engine across tens of thousands of signatures provided by Azure Firewall.

 

gusmodena_2-1684421250373.png

 

Configuring Azure Firewall Policy to secure Windows 365

 

Azure Firewall integration with Windows 365 provides a simplified and more efficient way to allow and secure outbound traffic to Windows 365. Instead of creating policy rules with the specific FQDNs, you can now use the new built-in FQDN tag represents the required Windows 365 FQDNs and the required Azure Virtual Desktop FQDNs. Use this tag in your application rule to seamlessly protect Windows365 communications:

 

gusmodena_3-1684421466929.png

 

In addition to an Application Rule using the new Windows 365 FQDN tag, you might need to other rules to allow and secure all Windows 365 features. You can read more details here.

 

Next steps:

 

Published on:

Learn more
Azure Network Security Blog articles
Azure Network Security Blog articles

Azure Network Security Blog articles

Share post:

Related posts

Microsoft Viva: Viva Glint – Zero downtime for Viva Glint releases

Viva Glint releases previously needed several hours of downtime. With this feature, future releases will be transparent to customers, requirin...

17 hours ago

Microsoft 365 app: Microsoft Loop – Add a Loop Workspace to your Teams Channel

Channels in Microsoft Teams streamline collaboration by bringing people, content, and apps together and helping to organize them by project or...

17 hours ago

Microsoft Copilot (Microsoft 365): Clipchamp Copilot video creator

Create a video draft on any topic by providing a prompt. Clipchamp will create a video using stock video and music with an AI-generated voiceo...

17 hours ago

New deployments of Microsoft 365 desktop client apps to include new Outlook

Microsoft 365 desktop client apps’ new deployments will now include new Outlook. Rollout starts late February 2025, with completion by e...

18 hours ago

Microsoft 365 (Office) apps: The “Tags” feature will retire

The “Tags” feature in Microsoft 365 apps will be retired between January 6 and January 10, 2025. Users can use the “Favorite...

18 hours ago

Microsoft 365 admin center: Enhancements to Copilot administration page

The Microsoft 365 admin center’s Copilot page will be updated with an enhanced Overview section and a new Health section. Rollout starts...

18 hours ago
Stay up to date with latest Microsoft Dynamics 365 and Power Platform news!
* Yes, I agree to the privacy policy