Summary
Prerequisites
Office 365 Access Control and Existing Office 365 App-IDs
Securing Office 365 with Access Control
Leveraging Custom App-ID to Secure Office 365
Example Use Cases and Policies
Office 365 Access Control and SharePoint Instance
Office 365 App-ID, AV/AS, IPS, WildFire & Decryption Support Matrix
Summary
As enterprises continue adopting Microsoft® Office 365™, there is continued focus on safely enabling it. Typically, enterprises want to achieve the following goals:
- To have visibility into enterprise and consumer use of Office 365 in their networks.
- To allow specific sanctioned instances of Office 365 enterprise accounts while blocking unsanctioned access to Office 365 either from unsanctioned enterprise accounts or consumer accounts.
- To have the ability to block consumer access to Office 365 services.
- To control and limit cross-tenant sharing of “SharePoint-online”.
Palo Alto Networks is announcing the release of two new App-IDs and a new decode context that, used in combination with custom application signatures and URL filtering, achieve all of the objectives listed above.
New App-IDs:
- Office 365-enterprise-access: This App-ID covers the business and enterprise offerings from Microsoft for Office 365. These include Office 365 Business Essentials, Office 365 Business, Office 365 Business Premium, and the Office 365 Enterprise E1, E3, and E5 plans.
- Office 365-consumer-access: This App-ID covers the consumer offerings of Office 365. These include Office 365 Home, Office 365 Personal, and Office 365 Home and Student.
New Decode Context for pattern match:
- http-req-ms-subdomain: This decode context exposes the domain part of the username used to log in to Office 365 enterprise services, so that a custom signature can pattern-match on it.
Release Plan:
- July 7th, 2016: Palo Alto Networks releases the new App-IDs and decode context as placeholders only, without enabling their functionality. This gives customers time to understand the change and make the policy changes needed to migrate to this feature.
- We have an extensive FAQ document to assist our customers with this change on the Live Community at https://live.paloaltonetworks.com/t5/Management-Articles/FAQ-Office-365-Access-Control/ta-p/94949
- Week of August 29th, 2016: Palo Alto Networks functionally enables these two new App-IDs and decode context so that customers can start using this new capability.
1. Prerequisites
This capability only works if traffic to Office 365 is decrypted on the firewall, because the login username is matched inside the HTTP request. Clients whose traffic cannot be decrypted (for example because of SSL pinning, see the support matrix in section 7) are therefore not covered.
2. Office 365 Access Control and Existing Office 365 App-IDs
Office 365 access control works with all existing Office 365 App-IDs (such as those listed in the support matrix in section 7). It does not replace these App-IDs, but augments them: it identifies not only the type of access (enterprise vs. consumer) but also the specific enterprise account instance used to log in.
3. Securing Office 365 with Access Control
Typically, for any SaaS solution, access control involves two notions:
- Where you are coming from: the login name you use to access resources. For example, users in the company can have multiple accounts for Office 365, which could be their consumer accounts or an unsanctioned enterprise account they purchased using a personal email address. Many customers would like to allow access to Office 365 only from the sanctioned enterprise accounts.
- Where you are getting to: the URL or resources you are accessing. For example, someone in Company A can invite a user from Company B to a collaboration folder using Microsoft SharePoint. For Office 365, most customers want to control this activity by limiting which Office 365 instances their users can reach. Microsoft refers to this as cross-tenant sharing using SharePoint.
4. Leveraging Custom App-ID to Secure Office 365
Customers can now create a custom App-ID for Office 365 logins using the new decode context “http-req-ms-subdomain”. This decode context looks for the domain name in the login name used to access any Office 365 enterprise offering.
For example, customers can create a custom Office 365 App-ID that allows logins to Office 365 only from usernames in the format:
- user@mydomain.com
- user@mydomain.org
- user@mydomain.onmicrosoft.com
Once created, this App-ID can be used in policies together with the existing Office 365 App-IDs to limit access to sanctioned Office 365 enterprise accounts only, while blocking access from unsanctioned Office 365 enterprise accounts and from Office 365 consumer accounts.
Below, we have outlined the steps required to create such a custom App-ID, along with sample outputs showing how such a security policy base might look.
4.1 Creating Custom App-ID to secure Office 365
Please follow the steps outlined below to create a custom App-ID for Office 365 enterprise logins.
- Under Objects > Applications, click “Add” and configure as shown below:
- Click the “Signature” tab under Application and configure as shown below. Note that the pattern is case-sensitive: a login such as User@MyDomain.com would not match a pattern written for mydomain.com. You can configure a case-insensitive pattern in PAN-OS 10.0+, as shown below:
[Screenshot: signature pattern configuration, PAN-OS pre-10.0]
[Screenshot: case-insensitive signature pattern configuration, PAN-OS 10.0+]
- Once created, you can use the custom App-ID in security policy, as shown below. The policy set below allows access to Office 365 enterprise offerings only from sanctioned usernames for “mydomain”.
5. Example Use Cases and Policies
Case 1: Allow specific sanctioned instances of Office 365 enterprise accounts while blocking unsanctioned access to Office 365 from either unsanctioned enterprise accounts or consumer accounts.
Note: Rules 3 and 5 can also be combined into a single policy. These are shown here separately for providing clarity.
Case 2: Allow sanctioned and unsanctioned domain logins for Office 365 enterprise offerings while blocking access to Office 365 consumer offerings.
Note: Rules 3 and 5 can also be combined into a single policy. These are shown here separately for providing clarity.
Case 3: Explicitly block access to Office 365 consumer offerings.
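To make the policy logic of sections 4 and 5 concrete, here is an added Python model; it is not PAN-OS code and not part of the original article. It mimics what the http-req-ms-subdomain pattern sees (the login username), how the custom App-ID combined with the enterprise and consumer App-IDs produces the outcome of each of the three cases, and the pre-10.0 case-sensitivity caveat from section 4.1. It also shows why the signature pattern should be anchored, so that a username whose domain merely starts with a sanctioned domain does not match. The consumer-domain list, the App-ID name custom-office365-sanctioned-login, and the sample logins are assumptions constructed for the example; the real consumer App-ID identifies consumer access from the service, not from a domain list.

```python
"""Model of the custom App-ID for sanctioned Office 365 logins (section 4)
and the three example policy cases of section 5.

Added example, not PAN-OS configuration. Domain lists, App-ID names and
sample logins are constructed for illustration.
"""
import re
from enum import Enum

# Sanctioned login domains from the article's example.
SANCTIONED_DOMAINS = ("mydomain.com", "mydomain.org", "mydomain.onmicrosoft.com")

# Stand-in for the consumer App-ID (assumption): the real App-ID recognises
# consumer access from the service itself, not from a domain list.
CONSUMER_LOGIN_DOMAINS = ("outlook.com", "hotmail.com", "live.com")


class AppId(Enum):
    SANCTIONED = "custom-office365-sanctioned-login"  # the custom App-ID (assumed name)
    ENTERPRISE = "office365-enterprise-access"
    CONSUMER = "office365-consumer-access"


def build_signature(domains, case_insensitive):
    """Regex equivalent of the custom App-ID signature pattern.

    Anchored at both ends so that 'user@mydomain.com.attacker.example' does not
    match. Pre-10.0 PAN-OS patterns are case-sensitive; 10.0+ can be
    case-insensitive, which the flag models.
    """
    alternatives = "|".join(re.escape(d) for d in domains)
    flags = re.IGNORECASE if case_insensitive else 0
    return re.compile(rf"^[^@\s]+@(?:{alternatives})$", flags)


def classify(username, signature):
    """Return the App-ID that would identify this login attempt."""
    domain = username.rsplit("@", 1)[-1].lower()
    if domain in CONSUMER_LOGIN_DOMAINS:
        return AppId.CONSUMER
    if signature.match(username):
        return AppId.SANCTIONED
    return AppId.ENTERPRISE


def evaluate(case, app_id):
    """Policy outcome for the article's three use cases.

    'allow' / 'deny' come from that case's rules; 'no-match' means the traffic
    falls through to whatever rules follow in the rule base.
    """
    if case == 1:  # only sanctioned enterprise logins pass
        return "allow" if app_id is AppId.SANCTIONED else "deny"
    if case == 2:  # any enterprise login passes, consumer logins are blocked
        return "deny" if app_id is AppId.CONSUMER else "allow"
    if case == 3:  # explicit consumer block only
        return "deny" if app_id is AppId.CONSUMER else "no-match"
    raise ValueError(f"unknown case {case}")


# Constructed login attempts as the decode context would see them.
SAMPLE_LOGINS = (
    "alice@mydomain.com",
    "Alice@MyDomain.com",                   # same tenant, different letter case
    "bob@mydomain.onmicrosoft.com",
    "carol@personal-tenant.onmicrosoft.com",  # unsanctioned enterprise tenant
    "dave@mydomain.com.attacker.example",   # domain only starts with a sanctioned one
    "erin@outlook.com",                     # consumer account
)


def report(case, case_insensitive):
    """Map each sample login to its verdict under the given case and PAN-OS behaviour."""
    sig = build_signature(SANCTIONED_DOMAINS, case_insensitive)
    return {u: evaluate(case, classify(u, sig)) for u in SAMPLE_LOGINS}


if __name__ == "__main__":
    for ci in (False, True):
        print("PAN-OS 10.0+ (case-insensitive)" if ci else "PAN-OS pre-10.0 (case-sensitive)")
        for user, verdict in report(1, ci).items():
            print(f"  case 1  {user:42} {verdict}")
```

Running the block shows the practical effect of the case-sensitivity caveat: under the pre-10.0 behaviour, Alice@MyDomain.com is classified as an unsanctioned enterprise login and denied by Case 1, while the same login is allowed once the pattern is case-insensitive. The anchored pattern also keeps dave@mydomain.com.attacker.example out of the sanctioned App-ID, which an unanchored substring pattern would not.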
6. Office 365 Access Control and SharePoint Instance
Cross-tenant sharing: Using SharePoint, a user from Company A can create a collaboration folder or share a file with a user from Company B. Suppose Company B does not want its users to share anything outside Company B’s own instance of SharePoint. Customers can follow the steps below to create a custom URL category and URL filtering profile that address this.
- Under Objects > Custom Objects > URL Category, create a new custom URL category for any SharePoint access:
- Under Objects > Security Profiles > URL Filtering, create a new URL filtering profile like below:
- Use this profile in a security policy that allows sanctioned enterprise-level access to Office 365. One example is the security policy where we allowed the custom App-ID (see below):
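The following added Python model (not PAN-OS configuration and not part of the original article) shows the intent of the three steps above: a custom URL category that matches any SharePoint Online host, and a filtering decision that allows only Company B’s own SharePoint instance while blocking every other tenant’s instance. Company B’s tenant host names (the assumed tenant name companyb and its OneDrive for Business host), the wildcard entry, and the sample URLs are all assumptions constructed for the example.

```python
"""Model of the SharePoint cross-tenant control described in section 6.

Added example, not PAN-OS configuration. Tenant host names and sample URLs
are constructed for illustration.
"""
from urllib.parse import urlsplit

# Custom URL category "any SharePoint access". Entries use the "*.domain/"
# wildcard style of PAN-OS custom URL categories (constructed entry).
SHAREPOINT_ANY = ("*.sharepoint.com/",)

# Company B's own instance (assumed tenant name "companyb"; the second host is
# the OneDrive for Business host that belongs to the same tenant).
SANCTIONED_INSTANCE_HOSTS = ("companyb.sharepoint.com", "companyb-my.sharepoint.com")


def host_matches(host, entry):
    """Match a host against one custom-category entry (exact or '*.' wildcard)."""
    entry = entry.rstrip("/").lower()
    host = host.lower()
    if entry.startswith("*."):
        return host.endswith(entry[1:])  # "*.sharepoint.com" -> ".sharepoint.com"
    return host == entry


def in_category(url, entries):
    """True when the URL's host matches any entry of the custom category."""
    host = urlsplit(url).hostname or ""
    return any(host_matches(host, e) for e in entries)


def sharepoint_decision(url):
    """'allow' for Company B's instance, 'block' for any other tenant's
    SharePoint instance, 'not-sharepoint' when the URL is outside the category
    and is left to the rest of the rule base."""
    if not in_category(url, SHAREPOINT_ANY):
        return "not-sharepoint"
    host = (urlsplit(url).hostname or "").lower()
    return "allow" if host in SANCTIONED_INSTANCE_HOSTS else "block"


# Constructed sample requests, as they would appear in a decrypted URL log.
SAMPLE_URLS = (
    "https://companyb.sharepoint.com/sites/engineering/Shared%20Documents",
    "https://companyb-my.sharepoint.com/personal/alice_companyb_com",
    "https://companya.sharepoint.com/:f:/s/partners/invite",  # Company A's tenant
    "https://companyb.sharepoint.com.example.net/",            # look-alike host, not SharePoint
    "https://outlook.office.com/mail/",
)


def audit(urls=SAMPLE_URLS):
    """Map each sample URL to its filtering verdict."""
    return {u: sharepoint_decision(u) for u in urls}


if __name__ == "__main__":
    for url, verdict in audit().items():
        print(f"{verdict:15} {url}")
```

The category is deliberately broad (every sharepoint.com host) and the allow list deliberately narrow (the company’s own instance hosts), so a share link into another tenant is blocked without having to enumerate other tenants. As section 1 notes, the firewall can only evaluate the full URL when the session is decrypted.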
7. Office 365 Access Control and Existing Office 365 Support Matrix
The matrix below applies to Office 365 Access Control just as it applies to the existing Office 365 App-IDs. The five columns under SSL Decryption Capabilities indicate, per client type, whether the firewall can decrypt that client’s traffic; where it cannot, the last column gives the reason.
| App-ID | AV/AS | File Ident | Vuln | Data Ident | File-Forward | SSL Decryption: Web | SSL Decryption: Windows PC or Mac OS Client | SSL Decryption: Windows Tablet Client | SSL Decryption: iOS | SSL Decryption: Android | Reason for No |
|---|---|---|---|---|---|---|---|---|---|---|---|
| ms-office365-base | No | No | Yes | No | No | Yes | No | No | Yes | Yes | SSL Pinning |
| office-on-demand | Yes | Yes | Yes | Yes | Yes | Yes | No | No | N/A | N/A | SSL Pinning |
| ms-lync-online | No | No | Yes | No | No | Yes | No | No | Yes | Yes | SSL Client Auth |
| sharepoint-online | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | |
| outlook-web-online | Yes | Yes | Yes | Yes | Yes | Yes | Yes | No | Yes | Yes | SSL Pinning |
| ms-lync-online-apps-sharing | No | No | Yes | No | No | Yes | No | No | Yes | Yes | SSL Pinning |
| ms-lync-online-file-transfer | Yes | Yes | Yes | No | Yes | Yes | No | No | Yes | Yes | SSL Client Auth |
See also
FAQ - Office 365 Access Control
Send comments to @msandhu or @nasingh or leave a comment or question in the comments section below.