Microsoft-Recommended One Click Office 365 Configuration

Microsoft strongly recommends that any proxy should transparently forward end user Office 365 traffic to their cloud. This means Zscaler identifies all Office 365 application traffic based on IP address and fully qualified domain name (FQDN). To learn more, see New Office 365 Endpoint Categories.

The Microsoft-Recommended Office 365 One Click Configuration option allows Zscaler to map all Microsoft IP ranges and domains for most Office 365 apps listed in Office 365 URLs and IP Address Ranges. Zscaler leverages the REST-based web service published by Microsoft to keep this mapping up to date.

• Enabling the Microsoft-Recommended Office 365 One Click Configuration

  To enable this option, the Office 365 One Click Configuration option should be disabled.

  To enable the Microsoft-Recommended Office 365 One Click Configuration option:

  1. Go to Policies > Access Control > Internet & SaaS > Advanced Settings.
  2. In the Advanced Policy Settings tab, select Enable Microsoft-Recommended One Click Office 365 Configuration.
  3. Click Save, and then activate the changes.

  If you get an error message after trying to enable this option, this relates to your admin rank. We compare your admin rank to that of two existing custom Firewall and DNS rules with top order. If your admin rank is less than those two ranks, you don’t have permission to enable the option.

  Close
• Effects of Enabling the Microsoft-Recommended Office 365 One Click Configuration

  After this option is enabled, the following effects occur:

  • The Enable Office 365 One Click Configuration option is grayed out.
  • A pre-defined Office 365 One Click Rule is enabled in the following policies:
    • SSL Inspection Policy

      The rule isn't configurable and can't be deleted. If this rule is enabled, any Office 365 traffic is exempted from SSL inspection and other web policies, such as URL Filtering and Cloud App Control. For example, if you created a URL policy to block OneDrive, Sharepoint, etc., it's not applied.

      Close
    • Firewall Control Policy

      The rule isn't configurable and can't be deleted. It's automatically created to handle Office 365 traffic through our Firewall module without inspecting the traffic. The rule allows Office 365 traffic whose destination IP matches Office 365 categories.

      • If your admin rank is greater than or equal to that of the Firewall rule with top order, then the rule appears at rule order one with your rank. Going forward, only an admin with an equal or higher rank than yours can edit the rule order.
      • If admin rank is disabled, then the rule appears at rule order one with rank 7.

      Close
    • DNS Control Policy

      The rule allows DNS traffic destined to Office 365. The rule isn't configurable and can't be deleted, but its rule order can be changed, if necessary.

      • If your admin rank is greater than or equal to that of the DNS rule with top order, then the rule appears at rule order one with your rank. Going forward, only an admin with an equal or higher rank than yours can edit the rule order.

      Close
    • Cloud App Control Policy

      A pre-defined rule is created, under each of the following cloud app categories, on the Cloud App Control Policy page:

      • Collaboration & Online Meetings: The predefined rule in this category allows the Cloud App Control traffic destined to the following Office 365 cloud applications.
        • Yammer
        • SharePoint Online
        • Microsoft Teams
        • Microsoft Sway
      • Productivity and CRM Tools: The predefined rule in this category allows the Cloud App Control traffic destined to the following Office 365 cloud applications.
        • Common Office 365 Applications
        • Microsoft Dynamics 365
        • Microsoft Delve
        • Microsoft Power BI
        • Microsoft Planner
      • File Sharing: The predefined rule in this category allows the Cloud App Control traffic destined to the OneDrive cloud application.
      • Hosting Providers: The predefined rule in this category allows the Cloud App Control traffic destined to the Microsoft Azure cloud application.
      • IT Services: The predefined rule in this category allows the Cloud App Control traffic destined to the following Office 365 cloud applications.
        • Microsoft Azure AD
        • Microsoft Intune
      • Webmail: The predefined rule in this category allows the Cloud App Control traffic destined to the Outlook cloud application.

      The rules aren't configurable and can't be deleted, but their rule order can be changed, if necessary.

      If your admin rank is greater than or equal to that of the Cloud App Control rule with top order, then the rules appear at rule order one with your rank. Going forward, only an admin with an equal or higher rank than yours can edit the rule order.

      Close
  • When Office 365 traffic is sent to the Firewall, the service fingerprints the application. All the fingerprinted information is logged and is viewable on the Office 365 dashboard.
  • Zscaler overrides the destination IP of Office 365 traffic with the closest CDN destination for the Office 365 application and leverages DNS servers at each of our data centers to provide a better user experience and improved application performance.
    • DNS optimization is done automatically when the Microsoft-Recommended Office 365 One Click Configuration option is enabled.
    • Microsoft's peering partnership with Zscaler allows for minimal hops into the Microsoft backbone for Office 365 traffic, resulting in a better user experience.
    • Zscaler exempts some IP, FQDN, or URLs from One Click if they are part of the Default category. Default category endpoints can be treated like regular destinations, which allows customers to apply the appropriate security controls. To learn more about Microsoft categories, see New Office 365 endpoint categories.

  Close

To learn about enabling Microsoft Tenant Restrictions, see Adding Tenant Profiles.

Office 365 One Click Configuration

The following configuration was built prior to Microsoft's current connectivity principals and recommendations. Microsoft advises using the Microsoft-Recommended One Click Office 365 Configuration detailed in the previous section.

With the Office 365 One Click Configuration feature, the Zscaler service automatically configures authentication exemption and decryption exemption rules required for the service to seamlessly support and secure your Office 365 traffic. If this option is enabled, the Zscaler service exempts select Office 365 applications from TLS/SSL inspection. These exemptions are continuously evaluated based on Zscaler’s assessment of risk exposure and to ensure that anything exempted is as specific as possible to the delivery of Office 365 for corporate users and no wider.

Zscaler does not publish the complete list of IP address ranges and FQDNs or wildcard domain names exempted from TLS/SSL inspection. If further exemptions are required, you can define TLS/SSL inspection rules.

• Enabling the Office 365 One Click Exception Configuration

  To enable this option, the Microsoft-Recommended Office 365 One Click Configuration should be disabled.

  To enable the Office 365 One Click Exception Configuration:

  1. Go to Policies > Common Configuration > Advanced > Advanced Settings.
  2. Scroll down and select Enable Office 365 One Click Configuration.
  3. Click Save, and then activate the changes.

  Close