Zscaler provides the following features to support Office 365 traffic:
If your organization uses any of the Office 365 applications, you can send all Office 365 traffic from all your locations, including road warrior traffic, through the Zscaler service to the Microsoft cloud. To learn about forwarding Office 365 traffic to the Zscaler service and the recommended deployment options and guidelines, see About Office 365.
When Office 365 applications are used within a web browser, most of the browser-based Office 365 traffic is handled by the Zscaler service when authentication is enabled, allowing the Zscaler service to enforce corporate compliance policies, such as Security, DLP and Bandwidth Controls policies, on Office 365 traffic. When the Zscaler outbound firewall is also enabled, the Zscaler service can also handle non-web ports and protocols to provide granular access control and visibility for all Office 365 traffic. However, enterprises prefer to deploy native Office 365 applications such as Outlook, Skype for Business, and OneDrive, instead of using these applications within a web browser. While these native applications provide a better user experience, they also present additional challenges from a security solutions viewpoint.
Microsoft recommends avoiding SSL interception for Office 365 domains and IP ranges. In the past, Zscaler has tried doing selective SSL and authentication bypass by adding domains to both and mapping them to the One Click configuration in the admin portal. However, when Microsoft changes its infrastructure or adds new applications, Office 365 applications tend to break because the appropriate IP ranges are missing.
Enabling the Microsoft-Recommended Office 365 One Click Configuration option allows Zscaler to map all Microsoft IP ranges and domains for all Office 365 apps listed here.
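The failure mode described above, a hand-maintained bypass list falling behind the published ranges, can be checked mechanically. The following is an added example, not Zscaler's code: it assumes the published endpoints are available as records with `serviceArea`, `urls` and `ips` fields (the shape of Microsoft's Office 365 endpoint JSON), and every domain and range in it is constructed sample data.

```python
import ipaddress

# Constructed sample records (documentation domains and IP ranges only).
PUBLISHED = [
    {"serviceArea": "Exchange", "urls": ["outlook.example.com", "*.mail.example.com"],
     "ips": ["192.0.2.0/24", "2001:db8:1::/48"]},
    {"serviceArea": "SharePoint", "urls": ["*.files.example.net"],
     "ips": ["198.51.100.0/24"]},
    {"serviceArea": "Skype", "urls": ["*.meet.example.org"],
     "ips": ["203.0.113.0/25"]},
]
# Constructed manual exemption list that is one revision behind.
MANUAL_DOMAINS = ["*.example.com", "*.files.example.net"]
MANUAL_NETS = ["192.0.2.0/24", "198.51.100.0/25", "2001:db8::/32"]

def domain_covered(published, patterns):
    """True if a published host or wildcard is matched by a manual pattern."""
    pub = published.lower()
    wild = pub.startswith("*.")
    probe = pub[1:] if wild else pub  # ".x" for "*.x", the host itself otherwise
    for p in (q.lower() for q in patterns):
        if p.startswith("*."):
            if probe.endswith(p[1:]):  # "*.y" covers hosts and wildcards under y
                return True
        elif not wild and pub == p:    # exact entry covers only the same host
            return True
    return False

def net_covered(cidr, allowed):
    """True if the published range sits entirely inside one manual range."""
    net = ipaddress.ip_network(cidr)
    return any(net.version == a.version and net.subnet_of(a) for a in allowed)

def find_gaps(published, manual_domains, manual_nets):
    """Map each service area to the published entries the manual list misses."""
    allowed = [ipaddress.ip_network(n) for n in manual_nets]
    gaps = {}
    for rec in published:
        missing = [u for u in rec.get("urls", []) if not domain_covered(u, manual_domains)]
        missing += [c for c in rec.get("ips", []) if not net_covered(c, allowed)]
        if missing:
            gaps[rec["serviceArea"]] = missing
    return gaps

if __name__ == "__main__":
    for area, missing in find_gaps(PUBLISHED, MANUAL_DOMAINS, MANUAL_NETS).items():
        print(f"{area}: not exempted -> {', '.join(missing)}")
```

A partially covered range (a published /24 against a manual /25) is reported as missing, because traffic to the uncovered half would still be decrypted or challenged for authentication.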
To enable the Microsoft-Recommended Office 365 One Click Configuration, log in to the admin portal and do the following:
Once you turn on this option, the following will occur:
You're only able to edit the rule’s order.
With the Office 365 One Click Configuration feature, the Zscaler service automatically configures authentication exemption and decryption exemption rules required for the service to seamlessly support and secure your Office 365 traffic. Additionally, because the service fingerprints all Office 365 applications, you won't have to worry about any URL changes in the Office 365 applications.
If Office 365 One Click Configuration is enabled, the service automatically exempts the following URLs from decryption:
The service also automatically exempts the following URLs from cookie-based authentication, in case your organization does not deploy Kerberos:
To enable the Office 365 configuration, log in to the admin portal and do the following:
Zscaler does not automatically include the following URL in the authentication exemption list when the Office 365 One Click feature is enabled. Depending on your business requirements, you can manually add the following URL to the authentication exemption list as described in the next section:
Alternatively, if you do not want to automatically add the Office 365 URLs to both the authentication and decryption exemption lists with the Office 365 One Click feature, you can manually add the Office 365 apps to either the authentication or decryption exemption list. For example, if your organization uses Kerberos, you do not need to exempt any of the Office 365 apps. Therefore, you may want to add Office 365 to the decryption exemption list, but not the authentication list.
To add Office 365 URLs and apps to the authentication exemption list, log in to the admin portal and do the following:
To add the Office 365 apps to the decryption exemption list, log in to the admin portal and do the following: