Application Guard for Office is now generally available!

As of today, Application Guard for Office is now generally available.


 


Files from the internet and other potentially unsafe locations can contain viruses, worms, or other kinds of malware that can harm your users’ computer and data. To help protect your users, Office opens files from potentially unsafe locations in Application Guard, a secure container that’s isolated from the device through hardware-based virtualization. When Office opens files in Application Guard, users can securely read, edit, print, and save those files without having to re-open files outside the container. This feature will be off by default.


 


Here is the installation guide to get started:
Application Guard for Office 365 for admins – Office 365 | Microsoft Docs


 


Customers will receive a Message center post on Wednesday, 1/27/2021. Microsoft 365 Roadmap Featured ID is 67101. Application Guard for Office is only available to organizations with a Microsoft 365 E5 or Microsoft 365 E5 Security license.

Deploy Microsoft 365 Apps to remote workers

Deploy Microsoft 365 Apps to remote workers

This blog post will address the enterprise IT admin’s challenge on how to deploy Microsoft 365 Apps to remote workers without saturating the company’s VPN connections. It will show you how to implement a tactical approach which allows an IT admin to stay in control and quickly relief the pain of VPN congestion by offloading content distribution to the Microsoft Content Delivery Network (CDN). Maybe you are in the process of moving off legacy versions of Office and want to keep the pace with e.g. the Office 2010 end-of-support approaching fast. There are multiple strategic solutions available (e.g. Intune and Windows Autopilot), but for now we focus on a quick fix.

 

Overview of blog post series

This blog post is part of a series, which is brought to you by the Office Rangers Team at Microsoft, a group of senior deployment experts. The series provides guidance on how to address scenarios around working-from-home across the lifecycle of an Microsoft 365 Apps installation:

 

We hope this will help you to minimize the impact of deploying, servicing and managing Microsoft 365 Apps on your own network and your user’s VPN connections.

 

The Concept

With the approach described below, we want to achieve two things:

  • Keep IT admins in control what happens when by continue using your enterprise management solution like Microsoft Endpoint Configuration Manager (formally known as System Center Configuration Manager (SCCM))
  • Offloading the content distribution to Microsoft’s CDN to allow remote user to leverage their local internet connection instead of pulling large source files from your ConfigMgr Distribution Points over VPN connections

We will walk you through the process on how to adjust an existing Microsoft 365 Apps deployment package for a hybrid approach, update your sources and ensure that the source file download will bypass your VPN.

 

Step 1 – Adjust your deployment package

To allow remote users to leverage their local internet connection for source file access, we have to remove the source files from the Configuration Manager application. Navigate to the folder which is holding your software sources, locate the “office” folder and delete it:

Deploy_O365PP_to_Remote_workers_2.jpg

In the above example, 11 Language Packs were included in the deployment package, bumping the size up to 6+ gigabytes. Keep the setup.exe as well as any configuration files located in the folder. This reduces the size of your deployment package to less than 10 megabyte. That’s a huge saving on your VPN connections.

In case you don’t have an Microsoft 365 Apps installation package yet, you can use the built-in wizard to create one. Maybe you want to adjust the handling of languages, instead of hard-coding those you might want to use MatchOS or MatchPreviousMSI. After that, apply the steps above.

 

Step 2 – Update the content sources

If your application was already synced to Distribution Points, those still have the larger package cached. Navigate to Software Library > Application Management > Applications, select your application, switch to the Deployment Types Tab, right-click the appropriate entry and click Update Content.

Deploy_O365PP_to_Remote_workers_3.jpg

This will re-sync any changes to your Distribution Points, so those will now also have the smaller deployment package ready to sync to devices.

 

Step 3 – Verify VPN configuration and deploy

Once a client has received the smaller deployment package through ConfigMgr and kicks off the installation, it will download the source files directly from the Microsoft CDN. It is important to ensure that your devices can actually reach out to those endpoints directly and don’t backhaul through the VPN tunnel. We published guidance on how to enable so-called VPN split-tunneling, the endpoints relevant for Microsoft 365 Apps source file download are listed at Office 365 URLs and IP address ranges as entry #92.

If you already have an active deployment of the newly-updated package, clients will start receiving it after the Distribution Points have finished syncing the changes. If you want to start with a fresh deployment, just follow the regular guidelines in your organization.

 

Step 4 – Leverage peer caching to reduce on-prem traffic (optional)

The following step is not required, but highly recommended. In order to use the same deployment package for your remote and on-premises workers, we recommend to configure and enable Delivery Optimization for Office in combination with Connected Cache. This will enable your on-prem devices to share content which is no longer included in the deployment and greatly reduce the load on your corporate internet connection.

 

FAQ

Q: We usually controlled which build is installed by embedding the matching source files. How can I control this now?
A: By default, setup will fetch the latest build available for the specified update channel. You can use the version attribute in the configuration file to specify a build. This might be important if your organization is wants to deploy the older SAC feature release.

 

The Authors

This blog post is brought to you by  from the Microsoft 365 Apps Ranger Team at Microsoft. Feel free to share your questions and feedback in the comments below.

Network optimization tips for on-premises Office installs and updates

Network optimization tips for on-premises Office installs and updates

There are a variety of scenarios including but not limited to, installations of Office using Content Delivery Network (CDN), lean 2nd installs (removing the Office source files from the install packages), right-sized first install (only include most used language packs), and default behavior where Office stays up to date using CDN. Microsoft recommends optimizing these network operations because a device can get portions of the content from other devices on its local network instead of having to download the update completely from Microsoft CDN. The goal of this article is to provide solutions for challenges collected from customers in the field.  

 

Typical challenges we’ve heard from our customers

  • Office updates are too large.
  • Too many egress points within on-premises network when obtaining content.
  • In a remote work world, we need a solution to address on-premises and remote users.
  • Are there additional costs for this optimization?  (Spoiler…NO!)
  • Fear of increased complexity for office installs and updates. 
  • Can my compliance deadlines still be met?

Solution: Use Windows Delivery Optimization (DO) or if  available,  Microsoft Endpoint Configuration Manager Connected Cache

All of these above concerns can be addressed with this proposed solution.  You can use Delivery Optimization (DO) to reduce bandwidth consumption by sharing the work of downloading Office content among multiple Windows 10 devices in your deployment. DO can accomplish this because it is a self-organizing distributed cache that allows clients to download content from alternate sources (such as other peers on the network). Delivery Optimization is a cloud-managed solution. Access to the Delivery Optimization cloud services is a requirement. This means that to use the peer-to-peer functionality of DO, devices must have access to the DO cloud service end points.

Optionally, customers who use Microsoft Endpoint Configuration Manager can take advantage of a feature called Configuration Manager Connected Cache which delivers a powerful combination of DO plus Connected Cache leading to high hit rates for content searches. If the cache doesn’t contain necessary files, Configuration Manager Site Server will download content to Distribution Point to populate cache, based on the client needs. In this way, customers have far more flexibility in terms of supporting different architectures and languages as manual downloads are no longer required as they’ve been replaced by a dynamic workflow as well as making use of existing capital investments.

Prerequisites for solution

  • At least Office Version 1808 for background updates
  • At least Office Version 1908 for installing or user-initiated updates
  • Windows 10 Delivery Optimization
    • For communication between clients and the Delivery Optimization cloud service:
      *.do.dsp.mp.microsoft.com.
      *.dl.delivery.mp.microsoft.com
      *.emdl.ws.microsoft.com

      Delivery Optimization listens on port 7680 for requests from other peers by using TCP/IP. The service will register and open this port on the device, but you might need to set this port to accept inbound traffic through your firewall yourself. If you don’t allow inbound traffic over port 7680, you can’t use the peer-to-peer functionality of Delivery Optimization. However, devices can still successfully download by using HTTP or HTTPS traffic over port 80 (such as for default Windows Update data).

    • If you set up Delivery Optimization to create peer groups that include devices across NATs (or any form of internal subnet that uses gateways or firewalls between subnets), it will use Teredo. For this to work, you must allow inbound TCP/IP traffic over port 3544. Look for a “NAT traversal” setting in your firewall to set this up.

      Delivery Optimization also communicates with its cloud service by using HTTP/HTTPS over port 80.

    • Recommended (if existing Configuration Manager customer, use Microsoft Connected Cache combined with Delivery Optimization) 

Implementation steps.

1. Operationally, stop any future software updates for Microsoft 365 Apps for enterprise using Configuration Manager

Group Policy or Configuration Manager Client Settings require setting “Management of Microsoft 365 Apps for enterprise” (formerly known as Office 365 Client Management) to Disabled in order to restore default functionality where software update workflow for Office updates uses CDN not Configuration Manager. When available, Connected Cache feature will be enabled but software updates workflow for Office using Configuration Manager will no longer be used.

 

2. Configure Group Policy for Microsoft Office 2016 (Machine)/Updates

Enable Automatic Updates Enabled
Hide option to enable or disable updates Enabled
Management of Microsoft 365 Apps for enterprise Disabled
Update Deadline 3 (Deadline count starts once content download has completed on client)

 

3. Configure Group Policy for Microsoft Office 2016 (Machine)/Updates

Allow uploads while the device is on battery while under set Battery level (Percentage) Enabled (60)
Delay background download from http (in secs) Enabled *Higher time will increase likelihood of finding peer but slow background update. Example (240)
Delay foreground download from http (in secs) Enabled (60)
Download Mode Enabled (Group 2)
Enable Peer Caching while the device connects via VPN Disabled
Minimum Peer Caching Content File Size (in MB) Enabled (1)
Select a method to restrict Peer Selection Enabled (subnet)
Set Business Hours to Limit Background Download Bandwidth Enabled

 

4. (optionally) Configure Connected Cache for Microsoft Endpoint Configuration Manager

Navigate using Configuration Manger Console to AdministrationOverviewDistribution Points and select properties of Distribution Point. Enable Connected Cache by checking box and designate LUN to host cached content.

LUN.png

Navigate using Configuration Manger Console to panel AdministrationOverviewHierarchy ConfigurationBoundary Groups. Select each on-premises boundary group and enable selection highlighted below. (toggle on other selections based on your environment preferences)

allowpeers.png

Finally, using Configuration Manger Console Navigate to AdministrationOverviewClient Settings, enable options below.

ClientSettings.png

 

How to verify DO and Connected Cache are working?

1. Deploy Office to validation machine where per Update history for Microsoft 365 Apps (listed by date) build is N-2.
For example, at the time of this writing, today is “Patch Tuesday” so August 2020 Monthly Enterprise Channel is Version 2006 (Build 13001.20520). The reference machine should have June 2020 Version 2004 (Build 12730.20430) installed. This should result in Office moving to N-1 or N (depending on CDN throttle).

 

2. Allow up for 24 hours for scheduled task Office Automatic Updates 2.0 to detect and perform Office update.
For accelerated lab testing consider moving system clock forward by one day prior to running scheduled task.

 

3. [Client] Use PowerShell on Windows client to verify Office content used DO and Conncted Cache.

  1. PS C:Windowssystem32> Get-DeliveryOptimizationStatus
  2. Search for field FileID from the list which contains string STREAM_X64_X_NONE or STREAM_X86_X_NONE for details which contains the build. (this is largest file containing Office).  For the test, your looking for FileId is 95D2EE60-C9D3-45E4-876D-BAE16D758A87_16_0_13001_20520_STREAM_X64_X_NONE. 
  3. Search for fields under FileID such as FileSize, TotalBytesDownloaded, BytesFromPeers, BytesFromHttp and BytesFromCacheServer.  In my lab, the FileSize was 1863339050 bytes or 1.86 GB. Referencing TotalBytesDownloaded, the Office client using DO only downloaded 516967466 bytes or 517 MB because only the necessary pieces were downloaded not the entire Office build. Further, using BytesFromCacheServer I can confirm the 517 MB was downloaded from Configuration Manager connected cache, not egress to internet.
    *In the example the client was N-2 plus Office was a new version which contributed to larger download.

4. [Server] Check the Configuration Manager Connected Cache disk for build.

  1. Browse the Connect Cache disk and explore content under officecdn.microsoft.com.edgesuite.net to find dynamically populated content for latest Monthly Enterprise Channel 16.0.13001.20520

DOINC.png

Conclusion:

Delivery Optimization and Microsoft Connected Cache provide a powerful and low cost of ownership method for Office installations and updates using peer to peer sharing technologies.

 

FAQ

Are there some additional references for Delivery Optimization and its capabilities?

Are there some additional references for Configuration Manager and Connected Cache?

Where can I obtain more information about VPN and remote configuration options?

Can we use a third-party Configuration Manager alternate content provider with this solution?

No, alternate content providers typically depend on Configuration Manager software update workflow which won’t be used in scenario above.

 

For the UpdateDeadline GPO, how does that impact the end user experience?

Please see section “User Experience when updating from CDN” from blog posting Understanding Office 365 ProPlus Updates for IT Pros (CDN vs SCCM)

 

The Authors

This blog post is brought to you by  and , two Office Rangers at Microsoft. We’re looking forward to your questions and feedback in the comments below.

Boost security of your remote workers with confidence using Security Policy Advisor

Boost security of your remote workers with confidence using Security Policy Advisor

When it comes to securing the Microsoft 365 Apps using policies, IT Pros often face a challenge: You want to tighten security as much as possible to keep the bad guys out, but at the same time you do not want to impact your user’s productivity. And you would like to be able to evaluate the potential impact of a security config change before fully enforcing it. Sounds familiar? Then this blog post is for you!

This post will show you how to leverage the Security Policy Advisor (SPA) to identify slack in your security configuration, make changes to your policy settings and validate the new config first before enforcing them, reducing the risk to impact user productivity. The data-driven service allows you to make decisions based on facts like actual feature usage or if your users are already under attack by e.g. malicious Office documents being sent to them, rather than just guessing what the impact of a change might be.

 

Overview

With more people working from home, traditional security layers like working on a trusted network or trusted device are going away. It becomes more important to meet the user where they are and providing a secure setup without affecting their productivity. The Security Policy Advisor (SPA) is a service hosted in your tenant, so you can put it to work within minutes. No need for any on-prem infrastructure.

 

SPA uses the Office cloud policy service (OCPS) to enforce security policies in the Office applications. Such policies are bound to the AzureAD user identity, independent from the actual device used or how this device is managed (if at all). When a user signs into an Office application using their work credentials, SPA and OCPS will ensure that the policies are applied, at home or at work, on corporate and personal devices.

SPA currently supports several security policies, but in the following article we will focus on one policy which can drastically reduce your exposure to attacks targeting Office: VBA Macro Notification Settings. If you are an Office Desktop Admin, it is likely that you have had to deal with this dilemma: Restrict macro execution to protect your users and enterprise from malware attacks like this one or leave it enabled so you don’t risk impacting users productivity? Sounds familiar? OK, let’s look at an example on how you could tackle this challenge.

 

Step 1 – Review requirements and create policy configurations

There are only two requirements for using Security Policy Advisor:

  • Devices must run at least version 1908 of Microsoft 365 Apps for enterprise.
  • Apps must be allowed to send required service data for Office.

Use the Office cloud policy service (OCPS) to create a policy configuration. You are not required to configure any policies in this configuration to receive recommendations. Have a look at our OCPS walkthrough guide for further guidance on using OCPS.

 

Step 2 – Enable Security Policy Advisor

Next step is to enable SPA. Navigate to config.office.com, sign in with Global Administrator, Security Administrator, or Office Apps Admin permissions and click on Security. Toggle the switch to On.

Tighten_Security_w_SPA1a.png

That’s it. If you have policy configurations created in OCPS, SPA will now start generating recommendations for those. This happens quickly, typically within minutes. You can also create a policy configuration from Security Policy Advisor using the Create a policy configuration button.

 

Step 3 – Review recommendations and tighten up security

Once Security Policy Advisor has finished analyzing data, it will inform you of new recommendations. You can click through the policies and see a full list of settings to consider:
Tighten_Security_w_SPA5.PNG
For each policy you can review more details by clicking on it. It will give you more information on how many users have actually used the feature and for specific settings (macros) also data on any attacks through this vector targeted at users in the group. Here’s an example of how the data might look like for the VBA Macro Notification Settings policy recommendation.

Tighten_Security_w_SPA6.PNG

So in this case, you can see that no user has actually opened Excel documents with macros (Total users), but all users have been targeted by malicious macros. So there is a big opportunity to boost security without impacting the user’s productivity. SPA provides you the information you need to justify this change and take it through a change management process.

 

That’s one of two features which give you confidence when using SPA: You will get historical data based on the actual usage of the Office apps as well as any attacks detected by Office 365 Advanced Threat Protection (ATP). No more guessing if a certain user group is actually using a feature and is at risk by not restricting it. You get actionable data and should act on it.

 

Perhaps you still have reservation acting on these recommendations and data. This is where the second feature comes in handy: You can set a policy, but allow the user to override it. The above example strongly suggests to disable VBA notifications as users are not using this feature and are under attack. But we might want to flight this new setting to users first and monitor impact.

 

So in this example you would review the data for each of the VBA Notifications settings (there is one per application), accept the recommendation to disable VBA macros, but set Override to Enabled.

Tighten_Security_w_SPA7.PNG

After clicking Apply, the new policy is set and will disable VBA macros for all targeted users. In case a user opens a document with macros embedded, a notification is shown that the VBA macro was disabled. In addition, the user is given an option to override this policy and still enable macros. When they do, this information is captured and surfaced back to you in the admin portal.

Tighten_Security_w_SPA11.PNG

This approach combines the power of having insights into historical data, but also safely try out a more restrictive security configuration.

 

Step 4 – Monitor productivity impact and adjust configuration

After a given time, e.g. two weeks, you can review how often users have actually used the option to override the setting. Log into the SPA UI, select the policy and switch to the Applied policies tab. Clicking on the individual setting will bring up the policy details and you can review how many users have overridden the setting.

Tighten_Security_w_SPA12a.png
In the above example, you could go forward with confidence and disable the override to boost overall app security. You first must roll back the policy, select the policy from the recommendations tab again and re-deploy with user override disabled.

 

In case users opted to override the setting, you might want to move these users to another Azure AD security group and targeted them with a less strict security configuration using OCPS.

 

Step 5 – Iterate

A common statement in IT security is “Security is not a one-time activity, it is a process” and this is also true when it comes to securing Office applications. After deploying the VBA notification setting, you should start looking at the other available policies like:

  • Block macros in Office files from the internet
  • Disable All ActiveX
  • Check ActiveX objects
  • Blocking legacy file formats

We recommend that you first check if there are any recorded attack attempts for the Block macros in Office files from the internet settings. If yes, you might want to focus on these first to quickly reduce your attack surface. Then work your way through the list over time. This will boost your security stance step-by-step by removing any slack. Revisit the dashboard on a regular base to monitor impact and adjust policies where needed.

 

By default, we will show recommendations with a low productivity impact first. You can switch the Show all recommendations toggle to get a full view:

Tighten_Security_w_SPA13.png

It is key to find the right balance between being restrictive and still allowing people to do their job. If security is too restrictive, users often start to work around these limitations and this might be a greater impact to your security posture then having a configuration which is not cranked up to the maximum.

 

About the Authors

For this blog post the Microsoft 365 Apps Ranger Team at Microsoft partnered with the engineering team behind Security Policy Advisor. Feel free to share your questions in the comment section. For feedback on SPA, please use the feedback functionality in the config.office.com portal, it will get routed directly to the SPA team.

 

FAQ

Q: SPA is not generating any recommendations, what could be wrong?
A: Double check if required diagnostic data is enabled in your environment and devices can upload the data to the required endpoints.

 

Q: Required diagnostic data is enabled, still nothing. What else could be the cause be?
A: SPA needs a certain share of users to report data back to generate recommendations per group. Double-check if most users in a targeted group are active Microsoft 365 Apps users and have diagnostic data enabled.

Changes to the Office 365 Groups Tech Community

As we announced last month, to reflect the fact that Office 365 Groups power collaboration across Microsoft 365, Office 365 Groups will become Microsoft 365 Groups. These changes will happen over time and will be reflected in all the connected endpoints over the next couple of quarters. 

 

To align the Tech Community with the name change, we are also creating a new Community Hub called Microsoft 365 Groups. This new Hub will replace the existing Office 365 Groups community. Folks who are existing members of the Office 365 Groups Community Hub will be automatically joined as members of the new Hub. In addition, content from the conversation spaces in the Office 365 Groups Community Hub will be migrated to the Microsoft 365 Groups Hub, and the Office 365 Groups Hub will be redirected to the new Microsoft 365 Groups Hub. By migrating membership and content to the new Community Hub, we are making this move seamless and transparent for you, although you will need to update your bookmarks/favorites, as the URL will be changing. 

 

We are making the transition on June 30, 2020and we wanted to give everyone notice before doing so. The new Microsoft 365 Groups community will be your place to discuss best practices, news, and the latest topics related to Microsoft 365 Groups. It is intended as a place for sharing information and discussions. 

 

Thanks for your help keeping the Office 365 Groups community a vibrant and useful place, and we look forward to seeing you in the new Microsoft 365 Groups community in the future! 

–The Microsoft 365 Groups team 

How to Optimize Stream & Live Events traffic in a VPN scenario

During this current COVID-19 crisis, many organizations have had to rapidly implement a work-from-home model for the majority of their users. For many, this means an enormous increase in load to the VPN infrastructure as all traffic is traditionally sent via this path that was invariably not designed for the volume or type of traffic now reliant on it.

 

To improve performance, and also reduce load on the VPN infrastructure, many customers have achieved significant results by following the Microsoft guidance to implement split tunneling (or forced tunnel exceptions to use the correct technical term) on the Optimize-marked Office 365 endpoints. This traffic is high-volume and latency-sensitive traffic, and thus sending it directly to the service solves the problems outlined above and is also the designed best practice for these endpoints.

 

Microsoft 365 Live Events (Teams-produced live events and those produced with an external encoder via Teams, Stream, and Yammer) and on-demand Stream traffic are not currently listed within the Optimize category with the endpoints listed in the ‘Default’ category in the Office 365 URL/IP service. The endpoints are located in this category as they are hosted on CDNs that may also be used by other services, and as such customers generally prefer to proxy this type of traffic and apply any security elements normally done on diverse endpoints such as these.

 

In most organizations the traffic is internally routed via a network path that is designed to cope with the load and provide latency at a level that doesn’t impact service quality. With the switch to large scale remote working, many customers have asked for the information required to connect their users to Stream/Live Events directly from their local internet connection, rather than route the high-volume and latency-sensitive traffic via an overloaded VPN infrastructure. Typically, this is not possible without both dedicated namespaces and accurate IP information for the endpoints, which is not provided for the Default marked Office 365 endpoints.

 

Microsoft is working to provide more-defined and service-specific URL/IP data to help simplify connectivity to the service for the VPN connection model but as you can imagine for a global SaaS service like Office 365, this is not something which can be achieved overnight. Therefore, in the interim we’ve been working on interim methods to meet customer demand for this information. As a result of some changes we were able to perform relatively quickly, we are able to provide the following steps to allow for direct connectivity for the service from a client using a forced tunnel VPN.

This is slightly more complex than normal to implement (requiring an extra function in the PAC file) but should provide a comprehensive solution to this challenge until such time as we can rearchitect the endpoints so as to simplify connectivity requirements. 

 

To implement the Forced tunnel exception for Teams Live Events and Stream, the following steps should be applied:

 

1. External DNS resolution.

 

The client needs external, recursive DNS resolution to be available for the following FQDNs so they can resolve host names to IPs.

 

  • *.streaming.mediaservices.windows.net
  • *.azureedge.net
  • *.media.azure.net

It is important to note, it is not advised to just use these URLs to configure VPN offload even if technically possible in your VPN solution (eg if it works at the FQDN rather than IP). This is due to the fact some of these endpoints are shared with other elements outside of Stream/Live Events and as such the IPs provided below are not comprehensive for that FQDN, but are for Teams Live Events/Stream. 

 

2. PAC file changes (Where required)

 

In most organizations, a PAC file will be used in a VPN scenario to configure the client to send traffic either direct, or via the internal proxy server. Normally this is achieved using FQDNs. However, with Stream/Live Events, the namespace provided currently includes wildcards such as *.azureedge.net, which also encompasses other elements for which it is not possible to provide full IP listings. Thus, if the wildcard is sent direct, traffic to these endpoints will be blocked as there is no route via the direct path for it in step 3.

 

To solve this, we’re able to provide the following IPs and use them in combination with the FQDNs in section 1 for Stream/Live Events in an example PAC file. The PAC file checks if the URL matches those used for Stream/Live Events and then if it does, it then also checks to see if the IP returned from a DNS lookup matches those provided for the service. If both match, then the traffic is routed direct. If either element (FQDN/IP) doesn’t match then the traffic is sent to the proxy. This way we ensure anything which resolves to an IP outside of the scope of Stream/Live Events will traverse the proxy via the VPN as normal.

 

Table 1: IP addresses for Live Events & Stream

 

IPv4

IPv6

72.21.81.200

2606:2800:011F:17A5:191A:18D5:0537:22F9

152.199.19.161

2606:2800:133:206E:1315:22A5:2006:24FD

117.18.232.200

2606:2800:0147:120F:030C:1BA0:0FC6:265A

192.16.48.200

2606:2800:0157:1508:1539:0174:1A75:1191

93.184.215.201

2606:2800:11F:7DE:D31:7DB:168F:1225

68.232.34.200

2606:2800:133:F17:19E8:2356:251B:02A9

192.229.232.200

2606:2800:0147:0FF8:129B:22EB:020B:1347

 

To implement this in a PAC file you can use the following example which sends the Office 365 Optimize traffic direct (which is recommended best practice) via FQDN, and the critical Stream/Live Events traffic direct via a combination of the FQDN and also the returned IP address. Contoso would need to be edited to your specific tenant name where contoso is from contoso.onmicrosoft.com

 

Example PAC file

 

function FindProxyForURL(url, host)

 

{

    var direct = “DIRECT”;

     var proxyServer = “PROXY 10.1.2.3:8081”;

   

   //Office 365 Optimize endpoints direct

   if(shExpMatch(host, “outlook.office.com”)

   || shExpMatch(host, “outlook.office365.com”)

   || shExpMatch(host, “contoso.sharepoint.com”)

   || shExpMatch(host, “contoso-my.sharepoint.com”))

 

{

   return direct;

}

 

 /* Don’t proxy Stream/Live Events traffic*/

   

 

 if(shExpMatch(host, “*.streaming.mediaservices.windows.net”)

 || shExpMatch(host, “*.azureedge.net”)

 || shExpMatch(host, “*.media.azure.net”))

 

 

{

 var resolved_ip = dnsResolve(host);

 

if (isInNet(resolved_ip, ‘72.21.81.200’, ‘255.255.255.255’) ||

isInNet(resolved_ip, ‘152.199.19.161’, ‘255.255.255.255’) ||

isInNet(resolved_ip, ‘117.18.232.200’, ‘255.255.255.255’) ||

isInNet(resolved_ip, ‘192.16.48.200’, ‘255.255.255.255’) ||

isInNet(resolved_ip, ‘93.184.215.201’, ‘255.255.255.255’) ||

isInNet(resolved_ip, ‘68.232.34.200’, ‘255.255.255.255’) ||

isInNet(resolved_ip, ‘192.229.232.200’, ‘255.255.255.255’))

 

 

{

 return direct;

}

}

 

 

// Default Traffic Forwarding.

return proxyServer;

        

}

 

 

It’s worth stressing again, it is not advised to attempt to perform the VPN offload using just the FQDNs, utilizing both the FQDNs and the IPs in the function helps scope the use of this offload to just Stream/Live Events. The way the function is structured means that only if the FQDN matches those listed, do we perform a DNS lookup for it i.e DNS does not have to be performed for all namespaces used by the client.

 

3. Configure routing on the VPN to enable direct egress

 

The final element is to add a direct route for the Live Event IPs in Table 1 into the VPN configuration to ensure the traffic is not sent via the forced tunnel into the VPN. Detailed information on how to do this for the Office 365 Optimize endpoints can be found in this article, and the process is exactly the same for the Stream/Live Events IPs listed in this document.

 

 

FAQ:

 

Question:  Will this send all my traffic for the service direct?

Answer:    No, this will send the latency-sensitive streaming traffic for a Live Event or Stream video direct, any other traffic will continue to use the VPN tunnel if they do not resolve to the IPs published.

 

Question:  Do I need to use the IPv6 Addresses?

Answer:     No, the connectivity can be IPv4 only if required.

 

Question:  Why are these IPs not published in the Office 365 URL/IP service?

Answer:    Microsoft has strict controls around the format and type of information that is in the service to ensure customers can reliably use the information to implement secure and optimal routing based on endpoint category.

 

The default endpoint category has no IP information provided for numerous reasons, such as it being outside of the control of Microsoft, is too large, or changes too frequently, or is in blocks shared with other elements. For this reason Default marked endpoints are designed to be sent via FQDN to an inspecting proxy, like normal web traffic.

 

In this case, the above endpoints are CDNs that may be used by other elements other than Live Events or Stream, and thus sending the traffic direct will also mean anything else which resolves to these IPs will also be sent direct from the client. Due to the unique nature of the current global crisis and to meet the short-term needs of our customers, Microsoft has provided the information above for customers to use as they see fit.

 

Microsoft is working to reconfigure the Live Events endpoints to allow them to be included in the Allow/Optimize endpoint categories at a later date.

 

 

Question:   Do I only need to allow access to these IPs? 

Answer:     No, access to all of the ‘Required’ marked endpoints in the URL/IP service is essential for the service to operate. In addition, any Optional endpoint marked for Stream (ID 41-45) are required. 

 

Question:   What scenarios will this advice cover?

Answer: 

 

1. Live events produced within the Teams App

2. Viewing Stream hosted content

3. External device (encoder) produced events

 

 

 

 

 

 

Re: How to quickly optimize Office 365 traffic for remote staff & reduce the load on your infras

 

I thought to use rule like following to be able to impact only audio/video streams:

if(shExpMatch(host, "*.streaming.mediaservices.windows.net"))
{
	var host_ip = dnsResolve(host);
 
	/* Check if Stream services are targets */
	if (isInNet(host_ip, '72.21.81.200', '255.255.255.255') ||
	isInNet(host_ip, '152.199.19.161', '255.255.255.255') ||
	isInNet(host_ip, '117.18.232.200', '255.255.255.255') ||
	isInNet(host_ip, '192.16.48.200', '255.255.255.255') ||
	isInNet(host_ip, '93.184.215.201', '255.255.255.255') ||
	isInNet(host_ip, '68.232.34.200', '255.255.255.255') ||
	isInNet(host_ip, '192.229.232.200', '255.255.255.255'))
	{
		returndirect;
	}

    return proxyServer;                
}

 

Then I could minimize the DNS queries. And above code is just a snap, not full .PAC file 🙂

 

 

 

Re: How to manage Office 365 ProPlus Channels for IT Pros

Hi  

 

   I just tested this, and it works exactly as you’ve outlined. On my clients Updates Enabled is set to True, so really, I think the only difference in the configuration you provided was the Accept EULA. I didn’t have that in mine, so I guess that’s why it wasn’t working? (I am using the latest ODT client) If the accept EULA is required, can we add that to the channel change example templates? As far as I can tell, that’s what was throwing me off. I appreciate you taking the time to provide detailed responses here. It’s been super helpful.

 

Have a great day!

Re: Understanding Office 365 ProPlus Updates for IT Pros (CDN vs SCCM)

 , I’m taking the lazy approach. Let the C2R do its job, Microsoft improved a lot here and it is working smoothly. Via collections I’m identifying the amount of clients under each major version and if I see higher amount of clients stuck in older version I’ll dig into it. 

 

We had SCCM management in place where the source was DFS share, not happy with it, always to keep the sources up-to-date. We thought about SCCM/CDN but we asked ourselves why to administrate SCCM to tell C2R what to do as C2R is already grown up and can handle it on its own.

We’re installing all O365 applications, language packs and proofing tools through CDN/DO, why not doping it with the updates, too.

 

SCCM has of course the monitoring and reporting capabilities, I’m missing those in the cloud but rumors say they are coming at some point.

So far relying on the hardware inventory is ok with me.

 

I’m interested to hear from your experience with SCCM/DO

 

 

Re: Whiteboard in Teams meetings integration, ink grab and ink beautification are here!

I am evaluating Whiteboard, its position in the Office 365 functionality landscape and how viable it is.

The desktop app has some great features (some in preview) while the web version seems a bit basic still.

 

How active is the development?

Do you know if the roadmap is up-to-date?

I’d e.g. love to see

  • a clearer integration to Teams allowing whiteboards to created for a channel and/or be displayed as a tab
  • embedding/integrating whiteboard to SharePoint or other webs
  • organising whiteboards in some way

I’m ready to be amazed.