December 2, 2022

Using third-party network devices or solutions on Office 365 traffic


Recently, Microsoft has posted a support advisory which cautioned against the use of third-party security products with Microsoft products. What is happening here?

According to the Microsoft bulletin reproduced below, the use of any third-party security product is prohibited. Microsoft’s security is so good that there’s no need for third-party security products anyway, is their point.

Savvy customers are begging to differ. The fox guarding the chicken coop is a fallacious argument that has been debunked. At first glance, Microsoft’s bulletin implies that any third-party firewalls, anti-virus systems, secure web gateways, DLP engines, or virtually any product not supplied by Microsoft is suspect. And as a catch-all, the list includes “other network and cloud services.”

Bitglass proxies millions of corporate users in and out of Office 365 and other cloud applications on a daily basis, to enforce corporate data protection policies and prevent threats from entering. Any of these users can access the cloud from any device, and Bitglass automatically enforces corporate data protection policies on what data can be accessed, where, by whom, and on what type of device. Additionally, in partnership with Cylance, Bitglass inspects uploads to the cloud from these devices to block threats.

Consider these most basic security requirements.

  • If a user signs in to Office 365 from a kiosk, do you want the user's session to expire after, say, 5 minutes of inactivity?
  • Do you prefer third-party AV agents over bare-bones devices?
  • Do you want to prevent users from accessing third-party Office 365 tenants on your network?

If you are reading this blog, chances are your answer is YES to some, if not all, of the above questions, which means you need third-party security products with Office 365. In fact, Microsoft recommends using a third-party proxy gateway for the third item.

In other words, we all know the fox can’t guard the chicken coop. Even Microsoft does it!


Microsoft Office 365 is software as a service that provides opportunities for productivity and collaboration through a distributed set of cloud-hosted applications and services.

The quality and performance of a user’s Office 365 experience is directly influenced by the type of network solutions that sit on the path between the user and Office 365. Third-party network devices and services that perform advanced processing at the protocol level and at the data level and network optimization can interfere with Office 365 client connectivity and affect the availability, performance, interoperability, and support of Office 365 for users.

This article presents Microsoft’s recommendations and support position for Office 365 users who plan to use advanced network solutions that perform decryption, filtering, inspection, and other protocol-level actions or content about Office 365 user traffic. These solutions include:

  • WAN acceleration and optimization
  • Traffic redirection and inspection devices
  • Proxy solutions
  • Cloud Access Security Brokers (CASB)
  • Secure Web Gateways (SWG)
  • Data Leak Prevention Systems (DLP)
  • Other network and cloud services

The provisions in this article focus on Office 365 cloud applications and services, and these provisions do not apply to on-premises versions of Microsoft products. Office 365 users may see different effects if these provisions are not met, depending on the type of Office 365 service.

For more information, see this Office 365 blog post.

More information

The following guidelines apply to network devices and solutions that act as intermediary, man-in-the-middle, or proxy services that handle Office 365 user traffic:

  • Microsoft does not require or recommend the use of third-party WAN optimization solutions, traffic redirection or inspection devices, or any other network solution that decrypts, inspects, or performs protocol-level actions or content about Office 365 user traffic. Microsoft does not support the integration of such solutions with the Office 365 service.
  • Although Microsoft does not currently prevent users from using such solutions, these devices are not tested by Microsoft for compatibility, interoperability, or performance with Office 365. Microsoft cannot comment on current or future effectiveness of these network solutions for Office 365 scenarios or if these network solutions will continue to be functional after future features and protocol changes of Office 365. Due to the differences between the protocols, features and architectures of Office 365, the functionality of these network solutions in Microsoft on-premises products should not be used as a reference.
  • Network technologies mentioned on Office 365 application protocol stacks may introduce additional interoperability, availability, and performance issues into the Office 365 service, and may hamper a user’s ability to optimize Office 365 connectivity and user experience in accordance with Microsoft recommendations.
  • Third-party solutions capable of intercepting and decrypting network requests may have functionality to modify, clean, or block decrypted content. Applying these features to Office 365 user traffic results in changes to Office 365 protocols and data flows (outside of standard and documented APIs). Therefore, this behavior is not supported by Microsoft and may violate the terms of use.
  • Users should be aware that, with the exception of documented public Office 365 API cases, Microsoft reserves the right to change any details of the application protocol, authentication methods, topologies, and data structures without notifying third parties of the change. Microsoft is not responsible for any problems that may be caused by such a third-party solution as a result of these changes.
  • Microsoft will not delay innovation, functionality, and service changes in the Office 365 cloud to allow third-party network solutions performing specific decryption and application protocol actions on Office 365 traffic to make changes to design and configuration to their solution and solve specific problems using third-party stacks. Any third-party solutions that rely heavily on specific Office 365 application protocol stacks may experience failure or reduced performance.
  • Microsoft requires users to disclose when using the mentioned solutions to create support cases in Office 365. In order for Microsoft to provide support for issues regarding Office 365, users will need to turn off decryption of Office 365 traffic affected by these solutions and bypass or disable this solution for Office 365 traffic for troubleshooting until the issue is fully resolved and the user’s Office 365 experience is no longer impacted.
  • Microsoft provides support for the Office 365 service and components that are under its direct management and operational control. Network devices and third-party network services are considered part of the user’s network landscape. Users should contact their network provider or solution provider for any support needs associated with their products.
  • These policies apply to the mentioned third-party network solutions that are operated in a user’s on-premises environment, provided by third parties as cloud services, or built by users or network providers in IaaS data centers. This includes solutions integrated with Microsoft Azure.

Most of the features and outcomes for which users use advanced third-party networking and security solutions that perform decryption, inspection, and modification of network traffic are natively available through Office 365 and the Microsoft cloud architecture, the service commitments, customer-facing functionality and documented integration APIs. We strongly recommend that users evaluate the native features provided by Microsoft and remove or bypass duplicate network processing layers for Office 365 traffic.

In addition to these strategies, here are some general recommendations for optimizing connectivity to Office 365:

  • For the best Office 365 user experience and optimal performance, we strongly recommend that users provide direct, non-restrictive distributed connectivity for Office 365 traffic from the user’s or customer’s location to points of presence or peering locations closest to the Microsoft global network. Minimizing the network distance (round-trip time (RTT) latency) between the user and the peering point closest to the Microsoft network allows users to take advantage of the highly distributed Office 365 service gateway infrastructure and ensures that Office 365 user connections are served as quickly and as close to the user as possible (often in the user’s own metro location). Building user network solutions based on the location of the Office 365 user’s tenant instead of the user’s location can reduce the benefits of distributed Office 365 front door optimizations and lead to suboptimal or poor performance.
  • In general, the best way to optimize the user experience and prevent the network from becoming a performance bottleneck is to use the following methods:
    • Use local internet egress (which may be limited to Office 365 traffic)
    • Use an Internet Service Provider (ISP) that has direct peering with the Microsoft Global Network near the user’s location
    • Bypass network traffic inspection and decryption devices for trusted Office 365 destinations
  • To help users plan and implement their connectivity to Office 365, Microsoft has established four principles of connectivity. The Office 365 Endpoint Categorization Guide can help users prioritize which Office 365 application flows and URLs will benefit the most from these recommendations.
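
An added example, not code from Microsoft or Bitglass: one way a proxy team could turn categorized endpoint records into an inspection-bypass decision that cannot be widened by look-alike hostnames. The record field names follow the JSON shape of the Office 365 IP Address and URL web service; the `.example` and `.test` hostnames, the sample records and the function names are constructed for illustration.

```python
import fnmatch

# Constructed sample records. Field names (id, serviceArea, category, urls,
# tcpPorts) follow the endpoint web service JSON; hostnames are placeholders.
SAMPLE_ENDPOINTS = [
    {"id": 1, "serviceArea": "Exchange", "category": "Optimize",
     "urls": ["mail.o365.example"], "tcpPorts": "443"},
    {"id": 2, "serviceArea": "SharePoint", "category": "Optimize",
     "urls": ["*.sharepoint.example"], "tcpPorts": "443"},
    {"id": 3, "serviceArea": "Common", "category": "Allow",
     "urls": ["login.o365.example"], "tcpPorts": "443"},
    {"id": 4, "serviceArea": "Common", "category": "Default",
     "urls": ["*.cdn.o365.example"], "tcpPorts": "443"},
    {"id": 5, "serviceArea": "Common", "category": "Optimize",
     "tcpPorts": "443"},  # IP-only record: carries no "urls" key
]


def build_bypass_patterns(endpoints, categories=("Optimize", "Allow")):
    """Collect URL patterns from the categories chosen for inspection bypass."""
    patterns = set()
    for rec in endpoints:
        if rec.get("category") in categories:
            patterns.update(u.lower() for u in rec.get("urls", []))
    return sorted(patterns)


def decide(host, bypass_patterns):
    """Return 'bypass' only when the whole hostname matches a listed pattern.

    fnmatchcase anchors both ends, so a trusted name embedded in a longer
    hostname (trusted.example.attacker.test) still goes through inspection.
    """
    host = host.lower().rstrip(".")
    for pattern in bypass_patterns:
        if fnmatch.fnmatchcase(host, pattern):
            return "bypass"
    return "inspect"


if __name__ == "__main__":
    patterns = build_bypass_patterns(SAMPLE_ENDPOINTS)
    for h in ("contoso.sharepoint.example", "files.cdn.o365.example",
              "sharepoint.example.attacker.test"):
        print(h, "->", decide(h, patterns))
```

Everything that does not match stays on the inspected path, so the bypass list is an allow-list and the Default category keeps full proxy coverage.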
