During this current COVID-19 crisis, many organizations have had to rapidly implement a work-from-home model for the majority of their users. For many, this means an enormous increase in load to the VPN infrastructure as all traffic is traditionally sent via this path that was invariably not designed for the volume or type of traffic now reliant on it.
To improve performance, and also reduce load on the VPN infrastructure, many customers have achieved significant results by following the Microsoft guidance to implement split tunneling (or forced tunnel exceptions to use the correct technical term) on the Optimize-marked Office 365 endpoints. This traffic is high-volume and latency-sensitive traffic, and thus sending it directly to the service solves the problems outlined above and is also the designed best practice for these endpoints.
Microsoft 365 Live Events (Teams-produced live events and those produced with an external encoder via Teams, Stream, and Yammer) and on-demand Stream traffic are not currently listed in the Optimize category; their endpoints are listed in the ‘Default’ category in the Office 365 URL/IP service. The endpoints are placed in this category because they are hosted on CDNs that may also be used by other services, and as such customers generally prefer to proxy this type of traffic and apply any security elements normally applied to diverse endpoints such as these.
In most organizations the traffic is internally routed via a network path that is designed to cope with the load and provide latency at a level that doesn’t impact service quality. With the switch to large scale remote working, many customers have asked for the information required to connect their users to Stream/Live Events directly from their local internet connection, rather than route the high-volume and latency-sensitive traffic via an overloaded VPN infrastructure. Typically, this is not possible without both dedicated namespaces and accurate IP information for the endpoints, which is not provided for the Default marked Office 365 endpoints.
Microsoft is working to provide more-defined and service-specific URL/IP data to help simplify connectivity to the service for the VPN connection model, but as you can imagine, for a global SaaS service like Office 365 this is not something which can be achieved overnight. Therefore, we’ve been working on interim methods to meet customer demand for this information. As a result of some changes we were able to perform relatively quickly, we are able to provide the following steps to allow direct connectivity to the service from a client using a forced tunnel VPN.
This is slightly more complex than normal to implement (requiring an extra function in the PAC file) but should provide a comprehensive solution to this challenge until such time as we can rearchitect the endpoints so as to simplify connectivity requirements.
To implement the Forced tunnel exception for Teams Live Events and Stream, the following steps should be applied:
1. External DNS resolution.
The client needs external, recursive DNS resolution to be available for the following FQDNs so they can resolve host names to IPs.
It is important to note that it is not advised to use just these URLs to configure VPN offload, even if this is technically possible in your VPN solution (e.g. if it works at the FQDN level rather than the IP level). This is because some of these endpoints are shared with other elements outside of Stream/Live Events, and as such the IPs provided below are not comprehensive for those FQDNs, but are comprehensive for Teams Live Events/Stream.
2. PAC file changes (Where required)
In most organizations, a PAC file will be used in a VPN scenario to configure the client to send traffic either direct, or via the internal proxy server. Normally this is achieved using FQDNs. However, with Stream/Live Events, the namespace provided currently includes wildcards such as *.azureedge.net, which also encompasses other elements for which it is not possible to provide full IP listings. Thus, if the wildcard is sent direct, traffic to these endpoints will be blocked as there is no route via the direct path for it in step 3.
To solve this, we’re able to provide the following IPs and use them in combination with the FQDNs in section 1 for Stream/Live Events in an example PAC file. The PAC file checks if the URL matches those used for Stream/Live Events and then if it does, it then also checks to see if the IP returned from a DNS lookup matches those provided for the service. If both match, then the traffic is routed direct. If either element (FQDN/IP) doesn’t match then the traffic is sent to the proxy. This way we ensure anything which resolves to an IP outside of the scope of Stream/Live Events will traverse the proxy via the VPN as normal.
Table 1: IP addresses for Live Events & Stream
To implement this in a PAC file you can use the following example which sends the Office 365 Optimize traffic direct (which is recommended best practice) via FQDN, and the critical Stream/Live Events traffic direct via a combination of the FQDN and also the returned IP address. Contoso would need to be edited to your specific tenant name where contoso is from contoso.onmicrosoft.com
Example PAC file
function FindProxyForURL(url, host) {
    var direct = "DIRECT";
    var proxyServer = "PROXY 10.1.2.3:8081";

    // Office 365 Optimize endpoints direct (matched on FQDN only)
    if (shExpMatch(host, "outlook.office365.com")
        || shExpMatch(host, "contoso.sharepoint.com")
        || shExpMatch(host, "contoso-my.sharepoint.com")) {
        return direct;
    }

    /* Don't proxy Stream/Live Events traffic: the FQDN must match AND the
       resolved IP must be one of the published Stream/Live Events addresses */
    if (shExpMatch(host, "*.azureedge.net")
        || shExpMatch(host, "*.media.azure.net")) {
        var resolved_ip = dnsResolve(host);
        if (isInNet(resolved_ip, '220.127.116.11', '255.255.255.255') ||
            isInNet(resolved_ip, '18.104.22.168', '255.255.255.255') ||
            isInNet(resolved_ip, '22.214.171.124', '255.255.255.255') ||
            isInNet(resolved_ip, '126.96.36.199', '255.255.255.255') ||
            isInNet(resolved_ip, '188.8.131.52', '255.255.255.255') ||
            isInNet(resolved_ip, '184.108.40.206', '255.255.255.255') ||
            isInNet(resolved_ip, '220.127.116.11', '255.255.255.255')) {
            return direct;
        }
    }

    // Default Traffic Forwarding: everything else goes to the proxy over the VPN
    return proxyServer;
}
It’s worth stressing again that it is not advised to attempt the VPN offload using just the FQDNs; using both the FQDNs and the IPs in the function scopes the offload to just Stream/Live Events. The way the function is structured means that a DNS lookup is only performed if the FQDN matches those listed, i.e. DNS resolution does not have to be performed for every namespace used by the client.
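To show how the two-part check behaves, here is an added example (not code from the original post) written for Node.js: it emulates the PAC built-ins shExpMatch, dnsResolve and isInNet over a constructed DNS table, runs the post’s routing logic over a few hosts, and counts DNS lookups to confirm that resolution only happens for the Stream/Live Events namespaces. The hostnames and resolved addresses in the DNS table are constructed; the Stream/Live Events IP list and the proxy address are the post’s own.

```javascript
// Added example (not code from the original post): a Node.js harness that emulates
// the PAC helper functions so the FQDN-then-IP offload logic can be exercised offline.

// IPs the post publishes for Stream/Live Events (Table 1).
const STREAM_IPS = [
  "220.127.116.11", "18.104.22.168", "22.214.171.124",
  "126.96.36.199", "188.8.131.52", "184.108.40.206",
];

// Constructed DNS answers standing in for the recursive resolver (sample data only).
const DNS_TABLE = {
  "video.media.azure.net": "22.214.171.124",   // CDN host resolving to a listed IP
  "cdn-other.azureedge.net": "203.0.113.10",   // same wildcard, IP not in the list
  "outlook.office365.com": "198.51.100.25",    // Optimize endpoint (IP never consulted)
  "intranet.contoso.com": "192.0.2.5",         // unrelated host
};
let dnsLookups = 0;

// --- Emulated PAC built-ins (the browser/OS PAC engine provides the real ones) ---
function shExpMatch(str, shexp) {
  // Shell-style glob: '*' matches any run, '?' one character; anchored, case-insensitive.
  const re = "^" + shexp.replace(/[.+^${}()|[\]\\]/g, "\\$&")
                        .replace(/\*/g, ".*").replace(/\?/g, ".") + "$";
  return new RegExp(re, "i").test(str);
}
function ip4ToInt(ip) {
  return ip.split(".").reduce((acc, octet) => acc * 256 + Number(octet), 0);
}
function isInNet(ip, pattern, mask) {
  if (typeof ip !== "string") return false;    // dnsResolve returned null
  const m = ip4ToInt(mask);
  return ((ip4ToInt(ip) & m) >>> 0) === ((ip4ToInt(pattern) & m) >>> 0);
}
function dnsResolve(host) {
  dnsLookups += 1;                             // counted to show lookups are scoped
  return DNS_TABLE[host] || null;
}

// --- The offload logic from the post: FQDN match first, then the resolved IP ---
function FindProxyForURL(url, host) {
  const direct = "DIRECT";
  const proxyServer = "PROXY 10.1.2.3:8081";

  // Office 365 Optimize endpoints: the FQDN alone decides.
  if (shExpMatch(host, "outlook.office365.com")
      || shExpMatch(host, "contoso.sharepoint.com")
      || shExpMatch(host, "contoso-my.sharepoint.com")) {
    return direct;
  }
  // Stream/Live Events: resolve only when the FQDN matches, then require a listed IP.
  if (shExpMatch(host, "*.azureedge.net") || shExpMatch(host, "*.media.azure.net")) {
    const resolvedIp = dnsResolve(host);
    if (STREAM_IPS.some((ip) => isInNet(resolvedIp, ip, "255.255.255.255"))) {
      return direct;
    }
  }
  return proxyServer; // default: everything else traverses the proxy over the VPN
}

// Run every host through the PAC function and report how many DNS lookups it cost.
function evaluate(hosts) {
  dnsLookups = 0;
  const decisions = {};
  for (const host of hosts) {
    decisions[host] = FindProxyForURL("https://" + host + "/", host);
  }
  return { decisions, dnsLookups };
}

console.log(JSON.stringify(evaluate(Object.keys(DNS_TABLE)), null, 2));
```

An unlisted CDN host in the same wildcard namespace is sent to the proxy, and only the two CDN hostnames trigger a DNS lookup.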
3. Configure routing on the VPN to enable direct egress
The final element is to add a direct route for the Live Event IPs in Table 1 into the VPN configuration to ensure the traffic is not sent via the forced tunnel into the VPN. Detailed information on how to do this for the Office 365 Optimize endpoints can be found in this article, and the process is exactly the same for the Stream/Live Events IPs listed in this document.
Question: Will this send all my traffic for the service direct?
Answer: No. This will send the latency-sensitive streaming traffic for a Live Event or Stream video direct; any other traffic will continue to use the VPN tunnel if it does not resolve to the published IPs.
Question: Do I need to use the IPv6 Addresses?
Answer: No, the connectivity can be IPv4 only if required.
Question: Why are these IPs not published in the Office 365 URL/IP service?
Answer: Microsoft has strict controls around the format and type of information that is in the service to ensure customers can reliably use the information to implement secure and optimal routing based on endpoint category.
The Default endpoint category has no IP information provided for numerous reasons, such as the endpoints being outside of the control of Microsoft, being too large, changing too frequently, or being in blocks shared with other elements. For this reason Default marked endpoints are designed to be sent via FQDN to an inspecting proxy, like normal web traffic.
In this case, the above endpoints are CDNs that may be used by other elements other than Live Events or Stream, and thus sending the traffic direct will also mean anything else which resolves to these IPs will also be sent direct from the client. Due to the unique nature of the current global crisis and to meet the short-term needs of our customers, Microsoft has provided the information above for customers to use as they see fit.
Microsoft is working to reconfigure the Live Events endpoints to allow them to be included in the Allow/Optimize endpoint categories at a later date.
Question: Do I only need to allow access to these IPs?
Answer: No. Access to all of the ‘Required’ marked endpoints in the URL/IP service is essential for the service to operate. In addition, any Optional endpoints marked for Stream (IDs 41-45) are also required.
Question: What scenarios will this advice cover?
1. Live events produced within the Teams App
2. Viewing Stream hosted content
3. External device (encoder) produced events
When working on a new confidential project, you need to make sure that collaboration (inside and outside your organization) is secured.
In this short 12-minute video we walk you through the process of creating a new sensitive information type, creating a new sensitivity label, configuring a SPO and Teams site, as well as configuring an Insider Risk policy.
Attached to this post is the video.
This is the first in a series of videos that we are releasing in order to help our customers understand how they can protect their sensitive information using Microsoft 365 tools.
I thought to use rule like following to be able to impact only audio/video streams:
var host_ip = dnsResolve(host);
/* Check if Stream services are targets */
if (isInNet(host_ip, '18.104.22.168', '255.255.255.255') ||
    isInNet(host_ip, '22.214.171.124', '255.255.255.255') ||
    isInNet(host_ip, '126.96.36.199', '255.255.255.255') ||
    isInNet(host_ip, '188.8.131.52', '255.255.255.255') ||
    isInNet(host_ip, '184.108.40.206', '255.255.255.255') ||
    isInNet(host_ip, '220.127.116.11', '255.255.255.255') ||
    isInNet(host_ip, '18.104.22.168', '255.255.255.255')) {
    return "DIRECT";
}
Then I could minimize the DNS queries. And the above code is just a snap, not a full .PAC file 🙂
The Advanced eDiscovery solution in Microsoft 365 builds on the existing eDiscovery and analytics capabilities in Office 365. This new solution, called Advanced eDiscovery, provides an end-to-end workflow to preserve, collect, review, analyze, and export content that’s responsive to your organization’s internal and external investigations. It also lets legal teams manage the entire legal hold notification workflow to communicate with custodians involved in a case.
This webinar was presented on Tue May 14th, 2020, and the recording can be found here.
Attached to this post are:
- The FAQ document that summarizes the questions and answers that came up over the course of both Webinars; and
- A PDF copy of the presentation.
Thanks to those of you who participated during the two sessions and if you haven’t already, don’t forget to check out our resources available on the Tech Community.
@Adam Bell on behalf of the MIP and Compliance CXE team
Am a keen follower of Microsoft's SharePoint Blog and proud to provide this direct from the Microsoft Tech Community:
Around the world in 80 days… come on, Jules Verne. We’ll do it in 5! Let us leave Phileas out in the Fogg as the virtual train (with world-class trainers) is set to whistle away from the station in ~ two weeks’ time.
GlobalCon2 – full steam ahead (soon).
Jeff “Globe Trotter” Teper (CVP, Microsoft) will be giving a keynote that’ll be multi-geographical for sure, plus Microsoft speakers delivering breakout sessions among thought leaders and members of the community from around the world. Review all sessions and start your own globetrotting today.
What: GlobalCon2 to learn more | Get your ticket today
When: June 15-19, 2020 – unique content throughout the week; full agenda
Speaker ambassadors: 37 sessions – all top-notch speakers (MVPs, RDs, Microsoft and community members)
Cost: Free during the week; Paid to get all on-demand + 10 free eBooks + content from the recent Microsoft teams event.
Primary Twitter hashtag: #GlobalCon2 (join in) & follow @Collab365
GlobalCon2 – June 15-19, 2020 (online training)
Each session will be a collectible stamp in your virtual passport. GlobalCon2 has something for everyone in all reaches of the Microsoft 365 world. The world, online, is indeed flat! You’ll find no corner of the map uncharted: Microsoft 365, Microsoft Teams, SharePoint, OneDrive, Yammer, Stream, Power Platform, Azure & much more. Passports please.
Below is a list of the Microsoft sessions – including Jeff’s keynote:
- The latest innovations in SharePoint, OneDrive, and Office for content collaboration [Microsoft keynote] | by Jeff Teper
- Microsoft 365 Live Events and remote work | by Lorena Huang Liu & Christina Torok
- Knowledge and Project Cortex – the Microsoft 365 Vision | by Naomi Moneypenny and Chris McNulty
- Share and track your information with lists across Microsoft 365 | by Lincoln DeMaris
- Design productivity apps with SharePoint lists and libraries, Power Apps, and Power Automate | by Chaks Chandran
- Connect the workplace with engaging, dynamic experiences across your intranet | by Debjani Mitra and Brad McCabe
- Content collaboration with SharePoint, Planner, and Microsoft Teams | by Mark Kashman
- The New Yammer | by Jason Mayans
- Architecting Your Intranet | by Melissa Torres
- OneDrive powers intelligent file experiences across Microsoft 365 | by Randy Wong
- Collaboration and external file sharing across Microsoft 365 | by Ankita Kirti
- Migration to SharePoint, OneDrive, and Microsoft Teams in Microsoft 365, free and easy | by Hani Loza & Eric Warnke
- Security and compliance in SharePoint and OneDrive | by Sesha Mani
- SharePoint developer overview | by Luca Bandinelli
- Jump start your projects with community projects from Patterns and Practices (PnP) | by Vesa Juvonen
Shout out to community “train conductor” members Helen Jones, Mark Jones, and the #GlobalCon2 crew who are navigating this conference by the light of the web-stars and moon, supporting and promoting the knowledge and expertise that reaffirms this: Microsoft 365 has the best tech community in the world – one that spans and chugga-chugga-choo-choos across geographies.
Ready to global trot, Mark
The above is kindly provided by the Microsoft Tech Community!
I just tested this, and it works exactly as you’ve outlined. On my clients Updates Enabled is set to True, so really, I think the only difference in the configuration you provided was the Accept EULA. I didn’t have that in mine, so I guess that’s why it wasn’t working? (I am using the latest ODT client) If the accept EULA is required, can we add that to the channel change example templates? As far as I can tell, that’s what was throwing me off. I appreciate you taking the time to provide detailed responses here. It’s been super helpful.
Have a great day!
Collaborated with @Ricky Simpson.
Almost everyone has had their work-life routines interrupted by the COVID-19 pandemic. Many people are working from home for the first time, leaving vast numbers of workplaces sitting empty. It’s vital that organizations continue to protect the resources that reside on-premises. As we’ve seen already, attackers are using COVID-19 to extract information from people by preying on their fears.
Two notable trends have emerged:
First, the necessity of remote work has led organizations to quickly reevaluate how staff access information. They cannot guarantee the efficacy of their users’ home network security, and a big part of how risk was identified before – as a user trying to access resources remotely – is now part of the norm post-pandemic. Organizations must balance the demands of a remote workforce as well as the appropriate security considerations.
Second, IT teams are under enormous amounts of pressure to maintain business continuity and spin up new technologies to enable remote work. A sudden shift in priorities could increase the risk of attacks on on-premises resources going unnoticed, especially if the attacks are more subtle in nature, like network reconnaissance.
How can we continue to monitor risk based on user activity, and how can we continue to protect on-premises resources when we’re nearly all using cloud technologies to work through this period of uncertainty?
Protection with Azure Advanced Threat Protection
As organizations shift to remote work, remote users could be connecting directly to on-premises resources, leaving open connections to corporate assets. Routers without proper and secure configuration are vulnerable. Attackers can take advantage of these and use reconnaissance techniques to map all the users in the organization, move laterally in search of users and assets to exfiltrate, and ultimately gain persistence in the environment.
Organizations need to strengthen their cloud defense strategy during COVID-19; however, it is important to protect on-premises environments as well. Azure Advanced Threat Protection (Azure ATP) is a cloud-based security solution that leverages on-premises Active Directory (AD) signals to protect on-premises identities, detect and investigate lateral movement of on-premises attacks, and identify compromised identities and malicious insiders.
Azure ATP can identify account enumeration reconnaissance and provide details about the resource being accessed, providing the necessary evidence and data enrichment. The attack can be quickly remediated by changing the user’s password and enforcing multi-factor authentication (MFA) before further damage can be done.
In addition, Azure ATP’s identity security posture assessments recognize common misconfigurations, legacy components, and dormant entities that can expose the organization. For example, Azure ATP identifies dormant accounts that have been disabled or expired in Active Directory. Organizations that fail to secure dormant user accounts are leaving the door unlocked for their sensitive users.
Azure ATP also provides remediation and action plans to improve the organization’s security posture. Now more than ever, when administrators have limited visibility into on-premises apps and services that could introduce new vulnerabilities, it should be top of mind to reduce the attack surface.
For example, a common vector attackers can use to compromise identities is the use of legacy protocols such as NTLMv1. Azure ATP uncovers internal entities and applications that leverage these protocols and helps admins review the impacted entities and take the proper actions, including disabling the protocols.
Attacks play out in phases: discovery, credential access, lateral movement, and persistence. Azure ATP leverages network traffic, trace data, and events to find anomalies quickly, using a combination of behavioral analysis, known attack techniques, and security signals. This provides visibility at each stage of an attack and clearly outlines the investigation and remediation steps throughout.
During this pandemic we’ve seen organizations deploy Azure ATP on-premises and begin protecting their identities. It’s easy to deploy even in large environments with numerous domain controllers, and it can be done within hours, providing immediate value and helping organizations identify the attacker’s steps.
To protect your on-premises identities, identify attackers, and reduce your attack surface, deploy Azure ATP on all your domain controllers. Throughout these unprecedented times, protect hybrid and on-premises environments and ensure users are protected and can work remotely uninterrupted.
For more information on Azure ATP, please find all documentations here. To begin a trial of Azure ATP, click here. To find out how to set up your Azure ATP instance, click here.
Azure ATP also feeds into Microsoft Threat Protection, Microsoft’s end-to-end experience that integrates and correlates signals from Microsoft 365 security products, including Office 365 ATP, Microsoft Defender ATP, and Microsoft Cloud App Security, responding to attacks and healing affected assets across user identities, endpoints, cloud applications, and email and collaboration tools. Click here to see how SecOps teams can use signals from across Microsoft’s security portfolio to advance their threat protection capabilities.
Announcing the private preview of improved sensitive information types (aka classification depth preview) in M365 Services. This preview will include multiple features over the course of the program while we introduce improvements to the sensitive information types and how they can be used. The initial feature for preview is the introduction of 65 new/improved sensitive types for EU GDPR (57 SITs) and APAC (8 SITs).
The easiest way to test these types will be:
We are currently reviewing release cycles to plan when these will be available to additional clients (such as Microsoft 365 Apps – formerly Office 365 Pro Plus).
An important aspect of this preview is sharing the results of your testing with our preview team.
The private preview will begin rolling out this week. You can sign up to express your interest in joining this preview program by completing the following form.
Am a keen follower of Microsoft's SharePoint Blog and proud to provide this direct from the Microsoft Tech Community:
Every month, tens of millions of people turn to SharePoint lists to track and manage critical business and team data. Lists enable organizations and teams to store and visualize rows of data to share and collaborate on scenarios like inventory management, status reporting, deal milestones and more. They are easy to use and secure, with capacity for up to 30 million items in a single list.
Today, we’re pleased to announce lists from Excel is now rolled out worldwide to customers in Microsoft 365. This is a new way to create a list, saving you time while putting the data in a location that opens new scenarios.
Let’s dive into the details…
Lists from Excel
To create a list from Excel, you can select a table from the Excel files in the SharePoint site, or from your device. You can change the field type of the column if needed, and all your table data will be copied to the new list.
When you create a list from Microsoft Excel, you map table data to a new list – adjusting column types before you click Create.
A quick step-by-step ‘how to’
- From within your SharePoint site, click the upper-right gear icon and select Site contents*
- At the top of the Site contents page, Click New > List
- Click the From Excel tab
- Enter a name for your new list
- Click Upload file to select from your local device or pick from files already in Microsoft 365
- Update the column type headers; for example, change “Number” to Date and time; choice fields work, too, automatically aggregating unique values.
- Click Create to import the Excel table data and create a new SharePoint list
Adjust the SharePoint column types before you import the Excel table data into Microsoft 365.
Your Excel data is now intact in the list, and your SharePoint list is ready to extend in numerous ways:
- Further assign and adjust data types to columns in your list
- Enhance visuals by designing list row and column formatting
- Use conditional formatting rules to make the list data intuitive and helpful
- Set reminders on list items
- Build productivity apps with Power Automate (custom flows) and Power Apps (custom forms); your list becomes the foundational data source.
Further refine your list with conditional formatting on rows and columns.
Note: You can analyze SharePoint list items from a view of the list in Excel – to work with the data in a spreadsheet, simply click Export to Excel. Excel creates an Excel table with a one-way data connection based on a web query file. To bring a fresh copy of the SharePoint list into Excel, select Refresh All on the Data tab from within Excel. Changes made to the Excel table will not be sent to the SharePoint list. Learn more about how to export to Excel from SharePoint.
It is easier than ever to get started with SharePoint lists – using Excel as shown above or based on existing lists. No matter how you start, it’s then easy to further configure lists by using views, filters, rules and reminders to increase the usefulness of your data – especially as data changes or is missing.
You can further customize lists, too. It is possible to extend them further with native integrations leveraging Power Apps and Power Automate. And when your forms and workflows get more complex or pull from multiple sources, lean on the Power Platform tools directly available from your list.
Note | We recently announced Microsoft Lists and how it is an evolution of SharePoint lists. For the list from Excel announcement above, we want to emphasize that you will be able to create a list from Microsoft Excel today and in the future when Microsoft Lists begins to roll out and broaden the lists story.
Learn more about how to create a list from Microsoft Excel.
Want to see it in action? Click into the SharePoint list: “Create list from Excel” click-thru demo.
Thanks, Mark Kashman, senior product manager – Microsoft
*Frequently Asked Question
Q: When will I see the new list creation user interface from a team site home page (New > List) drop-down menu?
A: We are planning to include the New > List entry point from a site home page early Summer 2020. Until then, you can accomplish the above actions from the site’s Site Contents page, accessed from the upper-right gear icon menu.
The above is kindly provided by the Microsoft Tech Community!
Microsoft runs on trust. With digital data growing exponentially, online threats becoming very sophisticated, and remote work necessary, it is more important than ever to safeguard your corporate data.
At Microsoft, our goal is to provide a built-in, intelligent, unified, and extensible solution to protect sensitive data across your enterprise – in Microsoft 365 cloud services, on-premises, third-party SaaS applications, and more. With Microsoft Information Protection, we are building a unified set of capabilities for classification, labeling, and protection across Microsoft 365 apps (Word, PowerPoint, Excel, Outlook) and productivity services like OneDrive, SharePoint, Teams, and Exchange.
Sensitivity labels are central to how your business-critical data can be protected using Microsoft Information Protection. You can create a sensitivity label and associate it with protection like encryption and visual marking. Label-applied protection will persist with the file wherever it goes.
You can start by empowering your users to manually label documents and emails in Office apps across a wide range of platforms (e.g. Windows, Mac, iOS, Android and online). Learn more here on how to enable this manual classification. However, users may forget to label manually or label sensitive data inaccurately. Relying on users alone to manually classify corporate data using labels is not sufficient. The scalable approach is to automatically discover, label, and protect sensitive data. To help you achieve that, we are excited to announce the general availability of automatic classification with sensitivity labels in SharePoint, OneDrive, and Exchange.
You can create an auto-labeling policy with rules tailored for your organization’s sensitive data, targeting specific locations in your enterprise. A policy can either be in simulation or active mode. You can run the policy first in simulation mode and if the results satisfy your organization’s needs then you can proceed and publish the policy.
Figure 1. Auto label policy across two modes: simulation and active modes
With our 100+ out-of-the-box sensitive information types and ability to create custom ones, you have the flexibility to tailor the auto-labelling policy to specific sensitive information types. You can also scope the policy to a specific SharePoint site or OneDrive account or Exchange mailbox.
Policy Simulator provides insight into policy effectiveness and enables you to simulate in your production environment with real data with no impact on end users until the policy is published.
Figure 2. Auto labelling policy simulation mode results
Auto classification with sensitivity labels, along with Policy Simulator, is a powerful capability that enables organizations to automatically designate eligible Excel, PowerPoint and Word files, and emails, as sensitive in a scalable way.
Your users can search for content within these protected documents, coauthor using Office web apps, and be assured that the protection will persist even after the documents are downloaded. This way your security needs are in harmony with your users’ productivity needs.
Figure 3. Document library experience in SharePoint showing files automatically labelled
As a Microsoft 365 customer, you can turn on this feature in Microsoft 365 compliance center. To learn more about this feature, please read our online documentation. This advanced capability is included with Microsoft 365 SKUs (E5, E5 Compliance and E5 Information Protection & Governance) and Office 365 E5 SKU. You can learn more about our licensing here.
If you are new to Microsoft 365, learn how to try or buy a Microsoft 365 subscription.
As you navigate this challenging time, we have additional resources to help. For more information about securing your organization in this time of crisis, visit our Remote Work site. We’re here to help in any way we can.
Sesha Mani, Principal Group Product Manager, Microsoft
Tony Themelis, Principal PM Manager, Microsoft