SSL Inspection and Microsoft 365


There are a number of features in Microsoft 365 that do not work if SSL Inspection (also known as TLS Interception) is enabled on your device or network provider. You need to disable the listed URLs that Microsoft provides in its documentation. The problem is there is a lot of disconnected documentation!

This blog post was written with the help of AI (Copilot in Edge). I hoped it would be more helpful than it was, but it wasn’t really! The hope was that if I asked “what urls must I never ssl inspect for microsoft 365” it would work out that “microsoft 365” included Defender, Intune and more and provide a lot of links. It didn’t and I still needed to ask about Defender and Intune myself. ChatGPT provided a similar answer, but did not pull together different products included in Microsoft 365, and indeed returned me results from this very website!

So as there is not one list, I thought I would compile one here. This was last updated November 2023 and could be out of date. Please check the sources for more, and let me know in the comments if you find other URLs that should bypass SSL Inspection.

To ensure optimal performance and avoid connectivity issues, Microsoft recommends bypassing SSL decryption for the Optimize and Allow endpoint categories of Microsoft 365

Microsoft have a list of URLs for the endpoints to their service, where they are categorised as Default, Allow or Optimize. The URLs that are Allow or Optimize are incompatible with SSL inspection.

The endpoint list is found at https://support.office.com/en-us/article/managing-office-365-endpoints-99cab9d4-ef59-4207-9f2b-3728eb46bf9a#webservice and the JSON for this can be downloaded, as well as a PowerShell script to return the IPs and URLs.

  1. Office 365 URLs (and IPs for Teams):
    • outlook.office.com
    • outlook.office365.com
    • *.sharepoint.com
    • “13.107.64.0/18”, “52.112.0.0/14”, “52.122.0.0/15”, “2603:1063::/38”
    • smtp.office365.com
    • *.protection.outlook.com
    • *.lync.com
    • *.teams.microsoft.com
    • teams.microsoft.com
    • *.officeapps.live.com
    • *.online.office.com
    • office.live.com
    • *.auth.microsoft.com
    • *.msftidentity.com
    • *.msidentity.com
    • account.activedirectory.windowsazure.com
    • accounts.accesscontrol.windows.net
    • adminwebservice.microsoftonline.com
    • api.passwordreset.microsoftonline.com
    • autologon.microsoftazuread-sso.com
    • becws.microsoftonline.com
    • ccs.login.microsoftonline.com
    • clientconfig.microsoftonline-p.net
    • companymanager.microsoftonline.com
    • device.login.microsoftonline.com
    • graph.microsoft.com
    • graph.windows.net
    • login.microsoft.com
    • login.microsoftonline.com
    • login.microsoftonline-p.com
    • login.windows.net
    • logincert.microsoftonline.com
    • loginex.microsoftonline.com
    • login-us.microsoftonline.com
    • nexus.microsoftonline-p.com
    • passwordreset.microsoftonline.com
    • provisioningapi.microsoftonline.com
    • *.compliance.microsoft.com
    • *.protection.office.com
    • *.security.microsoft.com
    • compliance.microsoft.com
    • defender.microsoft.com
    • protection.office.com
    • security.microsoft.com
    • Your organization’s Security Token Service (STS) (For federated domains)
  2. Intune:
    • manage.microsoft.com
    • a.manage.microsoft.com
    • *.dm.microsoft.com
  3.  Defender and Defender for Endpoint
  4. Microsoft Entra Private Access

Microsoft have a test tool for SSL Break and Inspect meeting the recommendations published at https://connectivity.office.com. It will test all Optimize and Allow category endpoints and list any which have SSL Break and Inspect.

Use the Test Device Registration Connectivity script to validate if your devices can access the required Microsoft resources under the system account.

Photo by Markus Spiske: https://www.pexels.com/photo/light-road-landscape-sign-226460/

Comments

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.