Merge pull request #232385 from vhorne/fw-protect-o365

v-dirichards · web-flow · commit 48d3d4a66ec5 · 2023-04-24T10:14:54.000-05:00
add protect office 365 article
diff --git a/articles/firewall/fqdn-tags.md b/articles/firewall/fqdn-tags.md
@@ -33,7 +33,7 @@ The following table shows the current FQDN tags you can use. Microsoft maintains
 |AzureHDInsight|Allows outbound access for HDInsight platform traffic. This tag doesn’t cover customer-specific Storage or SQL traffic from HDInsight. Enable these using [Service Endpoints](../virtual-network/tutorial-restrict-network-access-to-resources.md) or add them manually.|
 |WindowsVirtualDesktop|Allows outbound Azure Virtual Desktop (formerly Windows Virtual Desktop) platform traffic. This tag doesn’t cover deployment-specific Storage and Service Bus endpoints created by Azure Virtual Desktop. Additionally, DNS and KMS network rules are required. For more information about integrating Azure Firewall with Azure Virtual Desktop, see [Use Azure Firewall to protect Azure Virtual Desktop deployments](protect-azure-virtual-desktop.md).|
 |AzureKubernetesService (AKS)|Allows outbound access to AKS. For more information, see [Use Azure Firewall to protect Azure Kubernetes Service (AKS) Deployments](protect-azure-kubernetes-service.md).|
-|Office365<br><br>For example: Office365.Skype.Optimize|Several Office 365 tags are available to allow outbound access by Office 365 product and category. For more information, see [Office 365 URLs and IP address ranges](/microsoft-365/enterprise/urls-and-ip-address-ranges).|
+|Office365<br><br>For example: Office365.Skype.Optimize|Several Office 365 tags are available to allow outbound access by Office 365 product and category. For more information, see [Use Azure Firewall to protect Office 365](protect-office-365.md).|
 |Windows365|Allows outbound communication to Windows 365, excluding network endpoints for Microsoft Intune. To allow outbound communication to port 5671, create a separated network rule. For more information, see Windows 365 [Network requirements](/windows-365/enterprise/requirements-network).|
 
 > [!NOTE]
diff --git a/articles/firewall/media/protect-office-365/application-rule-collection.png b/articles/firewall/media/protect-office-365/application-rule-collection.png
diff --git a/articles/firewall/media/protect-office-365/network-rule-collection.png b/articles/firewall/media/protect-office-365/network-rule-collection.png
diff --git a/articles/firewall/protect-office-365.md b/articles/firewall/protect-office-365.md
@@ -0,0 +1,54 @@
+---
+title: Use Azure Firewall to protect Office 365
+description: Learn how to use Azure Firewall to protect Office 365
+author: vhorne
+ms.service: firewall
+services: firewall
+ms.topic: how-to
+ms.date: 03/28/2023
+ms.author: yuvalpery
+---
+
+# Use Azure Firewall to protect Office 365
+
+You can use the Azure Firewall built-in Service Tags and FQDN tags to allow outbound communication to [Office 365 endpoints and IP addresses](/microsoft-365/enterprise/urls-and-ip-address-ranges).
+
+## Tags creation
+
+For each Office 365 product and category, Azure Firewall automatically retrieves the required endpoints and IP addresses, and creates tags accordingly:
+
+- Tag name: all names begin with **Office365** and are followed by:
+   - Product: Exchange / Skype / SharePoint / Common
+   - Category: Optimize / Allow / Default
+   - Required / Not required (optional)
+- Tag type:
+   - **FQDN tag** represents only the required FQDNs for the specific product and category that communicate over HTTP/HTTPS (ports 80/443) and can be used in Application Rules to secure traffic to these FQDNs and protocols.
+   - **Service tag** represents only the required IPv4 addresses and ranges for the specific product and category and can be used in Network Rules to secure traffic to these IP addresses and to any required port.
+
+You should accept a tag being available for a specific combination of product, category and required / not required in the following cases:
+- For a Service Tag – this specific combination exists and has required IPv4 addresses listed.
+- For an FQDN Rule – this specific combination exists and has required FQDNs listed which communicate to ports 80/443.
+
+Tags are updated automatically with any modifications to the required IPv4 addresses and FQDNs. New tags might be created automatically in the future as well if new combinations of product and category are added.
+
+Network rule collection:
+:::image type="content" source="media/protect-office-365/network-rule-collection.png" alt-text="Screenshot showing Office 365 network rule collection.":::
+
+Application rule collection:
+:::image type="content" source="media/protect-office-365/application-rule-collection.png" alt-text="Screenshot showing Office 365 application rule collection.":::
+
+## Rules configuration
+
+These built-in tags provide granularity to allow and protect the outbound traffic to Office 365 based on your preferences and usage. You can allow outbound traffic only to specific products and categories for a specific source. You can also use [Azure Firewall Premium’s TLS Inspection and IDPS](premium-features.md) to monitor some of the traffic. For example, traffic to endpoints in the Default category that can be treated as normal Internet outbound traffic. For more information about Office 365 endpoint categories, see [New Office 365 endpoint categories](/microsoft-365/enterprise/microsoft-365-network-connectivity-principles#new-office-365-endpoint-categories).
+
+When you create the rules, ensure you define the required TCP ports (for network rules) and protocols (for application rules) as required by Office 365. If a specific combination of product, category and required/not required have both a Service Tag and an FQDN tag, you should create representative rules for both tags to fully cover the required communication.
+
+## Limitations
+
+If a specific combination of product, category and required/not required has only FQDNs required, but uses TCP ports that aren't 80/443, an FQDN tag isn't be created for this combination. Application Rules can only cover HTTP, HTTPS or MSSQL. To allow communication to these FQDNs, create your own network rules with these FQDNs and ports. 
+For more information, see [Use FQDN filtering in network rules](fqdn-filtering-network-rules.md).
+
+## Next steps
+
+- Learn more about Office 365 network connectivity: [Microsoft 365 network connectivity overview](/microsoft-365/enterprise/microsoft-365-networking-overview)
+
diff --git a/articles/firewall/service-tags.md b/articles/firewall/service-tags.md
@@ -21,7 +21,7 @@ Azure Firewall service tags can be used in the network rules destination field.
 Azure Firewall supports the following Service Tags to use in Azure Firewall Network rules:
 
 - Tags for various Microsoft and Azure services listed in [Virtual network service tags](../virtual-network/service-tags-overview.md#available-service-tags).
-- Tags for the required IP addresses of Office365 services, split by Office365 product and category. You must define the TCP/UDP ports specified in the [Office 365 documentation](/microsoft-365/enterprise/urls-and-ip-address-ranges) inside your rules. 
+- Tags for the required IP addresses of Office365 services, split by Office365 product and category. You must define the TCP/UDP ports in your rules. For more information, see [Use Azure Firewall to protect Office 365](protect-office-365.md).
 
 ## Configuration
 
diff --git a/articles/firewall/toc.yml b/articles/firewall/toc.yml
@@ -143,6 +143,8 @@ items:
       href: protect-azure-virtual-desktop.md
     - name: Protect Azure Kubernetes Service (AKS)
       href: protect-azure-kubernetes-service.md
+    - name: Protect Office 365
+      href: protect-office-365.md
     - name: DNS settings
       href: dns-settings.md
     - name: Monitor diagnostic logs
