FAQ - Office 365 Access Control
In the week of August 29th, 2016 Palo Alto Networks released changes to App-ID for Microsoft® Office 365™. To allow our customers to prepare for this change and avoid any problems, Palo Alto Networks is releasing the following placeholder App-IDs and decode contexts as part of Application and Threat Update version 597. To ensure that existing Office 365 policies continue to work after the week of August 29th, 2016 we strongly encourage customers to read and fully understand this document.
New Applications (only placeholders for now):
New Decode Context for “Pattern Match” for Custom Application Signatures (only placeholder for now)
Frequently Asked Questions:
Q. Why is Palo Alto Networks making this change?
A. Currently, to safely enable Office 365, our customers use the “ms-office365” and “ms-onedrive” App-IDs. However, we have found that customers would also like to accomplish the following goals:
- To gain visibility into enterprise and consumer use of Office 365 in their networks.
- Allow specific sanctioned instances of Office 365 enterprise accounts while blocking unsanctioned access to Office 365, either from unsanctioned enterprise accounts or consumer accounts.
- To have the ability to block consumer access to Office 365 services.
- To have the ability to control and limit cross-tenant sharing of “sharepoint-online”.
Q. What new capabilities do I get because of this change?
A. Customers will get the following new capabilities because of this change:
- Visibility into enterprise and consumer use of Office365 in their networks.
- Create a “Custom Application” for their specific Office 365 enterprise logins. This App-ID is based on the domain name used to log in to Office 365 enterprise accounts. For example, if users log in to Office 365 with login names such as firstname.lastname@mydomain.com or email@mydomain.com, then a “Custom Application” can be created to look for the domain name “mydomain”. Once created, this App-ID can be configured in policies along with the existing Office 365 App-IDs so that access to Office 365 is limited to sanctioned enterprise-wide accounts only.
- Block access to the consumer edition of Office 365 services.
- Customers can selectively control cross-tenant sharing of “sharepoint-online” using URL filtering and custom App-IDs.
Q. Do I need to enable SSL-decryption to use this capability?
A. Yes, SSL decryption is required to have this capability.
Q. Am I affected by this change if I am not using SSL decryption for Office 365 traffic?
A. No, this change will not affect you if you are not using SSL decryption for Office 365 traffic.
Q. Am I affected by this change if a device upstream is performing SSL decryption and the firewall only receives decrypted traffic?
A. In this case, yes, you will be affected by this change and you should make the changes suggested below.
Q. How can I create “Custom Application” for my specific instance of the Office365 account?
A. Step 1. Under Objects > Applications – click “Add” and configure the values as shown below.
Step 2. Click the “Signatures” tab and configure the values as shown below.
Step 3. Save. Commit config.
Q. How am I affected by this change? How do I guarantee operational continuity for safely enabling Office 365 Apps?
A. As of July 6th, 2016 with Content version 597, Palo Alto Networks is adding “office365-enterprise-access” and “office365-consumer-access” as placeholder App-IDs to our application catalog. These App-IDs are delivered as placeholders, thereby allowing our customers to make necessary policy changes to their firewalls ahead of time. These two placeholder App-IDs will not affect firewall policy processing, or any existing App-ID driven rules until the week of August 29th, 2016 when they are functionally enabled.
Palo Alto Networks will replace the placeholder App-ID with the formal App-IDs “office365-enterprise-access” and “office365-consumer-access” in the week of August 29th, 2016.
To facilitate this transition, Palo Alto Networks intends to follow the timeline outlined below:
- July 5th, 2016: Palo Alto Networks delivers placeholder App-IDs “office365-enterprise-access” and “office365-consumer-access” with weekly Content Apps and Threat Update 596. With this content version, Palo Alto Networks also releases a custom decode context of “http-req-ms-subdomain”. As illustrated above, this can be used to create the required custom App-IDs for identifying specific sanctioned enterprise access to Office 365. These two App-IDs, in addition to the custom App-IDs, can be used to safely update firewall policies and prepare for the announced changes.
- Example transitional policy to enable all Office 365 access.
- Example policy with Custom App-ID to “only” enable Office 365 access to sanctioned enterprise accounts.
- Example policy to “only” enable Office 365 access to any enterprise account.
- August 30th, 2016: Palo Alto Networks functionally enables the “office365-enterprise-access” and “office365-consumer-access” App-IDs. These App-IDs will be fully operational and the configured policy will be enforced on any traffic destined to Office 365 services. If the Security Policies have been updated as per the guidance above, customers will now have access control for Office 365 services.
Q. What happens if I do not add “office365-enterprise-access” or a custom App-ID created for enterprise logins to Office 365?
A. If “office365-enterprise-access” or an enterprise-specific custom App-ID is not allowed, Office 365 services will not work. We strongly recommend that customers incorporate the changes described above to prepare for the update we intend to deliver during the week of August 29th, 2016.
Q. What happens if I do not add “office365-consumer-access” App-IDs to my policies?
A. Without “office365-consumer-access” explicitly allowed, users will not be able to access the consumer edition of Office 365 services. We strongly recommend that customers incorporate the changes described above to prepare for the update we intend to deliver during the week of August 29th, 2016.
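The FAQ describes the access-control model in words: the login portion of an Office 365 session is tagged “office365-enterprise-access” or “office365-consumer-access”, a custom App-ID built on the “http-req-ms-subdomain” decode context can pattern-match the login domain, and a policy that omits the App-ID a login is tagged with breaks Office 365. The following Python model, added here as an illustration and not Palo Alto Networks code, walks the three example policies and the “un-updated policy” failure mode through a first-match rule evaluator. The custom App-ID name “o365-mydomain-login”, the consumer-domain list, the precedence of a matching custom App-ID over the generic enterprise tag, and the rule names are all assumptions made for the example.

```python
import re
from dataclasses import dataclass

# App-IDs named in the FAQ.
MS_OFFICE365 = "ms-office365"
ENTERPRISE = "office365-enterprise-access"
CONSUMER = "office365-consumer-access"

# Assumption (not from the FAQ): personal Microsoft accounts use these domains.
CONSUMER_DOMAINS = {"outlook.com", "hotmail.com", "live.com"}

# Hypothetical custom App-ID: its name and the login-domain pattern it looks for.
# This stands in for a "http-req-ms-subdomain" pattern-match signature on "mydomain".
CUSTOM_APPS = [("o365-mydomain-login", re.compile(r"(^|\.)mydomain\."))]


def identify_login_app(login_name, custom_apps=CUSTOM_APPS, decrypted=True):
    """Return the App-ID the login session would be tagged with.

    Without SSL decryption the firewall cannot read the login name, so the
    session stays 'ms-office365' (the FAQ: undecrypted traffic is unaffected).
    Modelling assumption: a matching custom App-ID takes precedence over the
    generic office365-enterprise-access tag.
    """
    if not decrypted:
        return MS_OFFICE365
    domain = login_name.rsplit("@", 1)[-1].lower()
    if domain in CONSUMER_DOMAINS:
        return CONSUMER
    for name, pattern in custom_apps:
        if pattern.search(domain):
            return name
    return ENTERPRISE


@dataclass(frozen=True)
class Rule:
    name: str
    action: str       # "allow" or "deny"
    apps: frozenset   # App-IDs this rule matches


def evaluate(policy, app):
    """First-match rule lookup; anything unmatched falls to the implicit deny."""
    for rule in policy:
        if app in rule.apps:
            return rule.action
    return "deny"


def office365_outcome(policy, login_name, decrypted=True):
    """Office 365 works only if both the login session and the rest of the
    service traffic (still tagged 'ms-office365') are allowed.
    Returns (verdict, app) where app is the App-ID that decided the verdict."""
    login_app = identify_login_app(login_name, decrypted=decrypted)
    if evaluate(policy, login_app) != "allow":
        return ("deny", login_app)
    if evaluate(policy, MS_OFFICE365) != "allow":
        return ("deny", MS_OFFICE365)
    return ("allow", login_app)


def allow(name, *apps):
    return Rule(name, "allow", frozenset(apps))


SANCTIONED = CUSTOM_APPS[0][0]
# The FAQ's three example policies, plus a policy that was never updated.
TRANSITIONAL = [allow("o365-all", MS_OFFICE365, ENTERPRISE, CONSUMER, SANCTIONED)]
SANCTIONED_ONLY = [allow("o365-sanctioned", MS_OFFICE365, SANCTIONED)]
ANY_ENTERPRISE = [allow("o365-enterprise", MS_OFFICE365, ENTERPRISE, SANCTIONED)]
LEGACY = [allow("o365-pre-change", MS_OFFICE365)]

if __name__ == "__main__":
    # Constructed sample logins: sanctioned tenant, other tenant, consumer account.
    logins = ("alice@mydomain.com", "bob@otherco.com", "carol@outlook.com")
    policies = (("transitional", TRANSITIONAL), ("sanctioned-only", SANCTIONED_ONLY),
                ("any-enterprise", ANY_ENTERPRISE), ("legacy", LEGACY))
    for label, policy in policies:
        for login in logins:
            print(f"{label:16} {login:22} -> {office365_outcome(policy, login)}")
    print("legacy, no decryption ->", office365_outcome(LEGACY, logins[0], decrypted=False))
```

Two details worth checking against your own rulebase: the “legacy” policy only allows Office 365 while the login session is undecrypted, which is exactly the situation the FAQ says is unaffected, and the “any-enterprise” policy must still list the custom App-ID if a matching custom signature is identified in preference to “office365-enterprise-access”, otherwise sanctioned users are the ones who get blocked.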
Q. How will this change affect the existing “ms-office365” and “ms-onedrive” App-IDs?
A. The existing App-IDs will continue to work until August 28th, 2016. With the content update of the week of August 29th, 2016, however, part of the traffic related to user login will be identified as “office365-enterprise-access” or “office365-consumer-access” for all ms-office365 App-IDs. This means that these App-IDs should be present in the security policies, as per the recommendations made above.
Q. What versions of PAN-OS will be affected by this change?
A. All currently supported versions of PAN-OS software that are updated to a version of Content and Threat Update delivered on or beyond the week of August 29th, 2016 may be affected by this change.
Q. I have made the changes suggested above but I do not see the new App-IDs or the custom App-ID being triggered.
A. These will only work after the Content Update of 29 August 2016, when these placeholder App-IDs and decode context will be functionally enabled. Until then, the purpose of these placeholder App-IDs and decode context is to help our customers be ready for the change of 29 August 2016.