FQDN Tags.

Jessie 85

Due to a change in Policy, we recently disabled internet access from our environment and are now not able to connect to SharePoint, and authentication to Micrsosoftonline also fails.

We are in favor of setting up Azure firewall Application rules that points to specific Sharepoint endpoints using FQDN tags, given the complexities with maintaining specific FQDNs.

However, we are unsure of which FQDN tags in the list available in Azure allows us to achieve both connecting to SharePoint and authenticating to Microsoftonline services.

Which FQDN tags should we enable?

KapilAnanth-MSFT 45,111 Reputation points Microsoft Employee

2023-12-12T06:21:43.1633333+00:00

@Jessie

Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.

Different Microsoft O365 Services would require different URLs, FQDNs , IPs and Ports to be whitelisted.

For a complete list of the configurations, refer : Office 365 URLs and IP address ranges.

Some of the above can be achieved using Service tags in Azure Firewall.

As described in Use Azure Firewall to protect Office 365.

If a specific combination of product, category and required/not required has only FQDNs required, but uses TCP ports that aren't 80/443, an FQDN tag isn't be created for this combination. Application Rules can only cover HTTP, HTTPS or MSSQL

For SharePoint, please use the tags with Office365.SharePoint in Application Rules and Network Rules.

Hope this helps.

Cheers,

Kapil
Jessie 85 Reputation points

2023-12-12T06:37:22.9333333+00:00

@KapilAnanth-MSFT

Thank you for responding to my question.

There are different options for FQDN tags to "Office365.SharePoint" endpoint

when creating an application rule. Other than the "NotRequired" tags,

which FQDN tag(s) from the screenshot helps us achieve access to SharePoint?

Also, there is a problem with authentication.

My understanding is that the below FQDNs resolves the authentication problem.

*.msauth.net, *.msauthimages.net, *.msecnd.net, *.msftauth.net, *.msftauthimages.net,

However, we would like to achieve this also with an FQDN tag, not the above specific FQDNs.

Again, which FQDN tag helps us achieve access to the 2 services above?screenshot03.png
KapilAnanth-MSFT 45,111 Reputation points Microsoft Employee

2023-12-12T11:59:40.2333333+00:00

@Jessie

I would suggest you to use all the tags beginning with "Office365.SharePoint" as of now.

Please note that these tags are new and the Service Tags document is yet to be updated.

See : https://github.com/MicrosoftDocs/azure-docs/issues/117488

With respect to AAD authentication, you can use "AzureActiveDirectory" and "AzureActiveDirectoryDomainServices".

Or you can use the FQDN : login.microsoftonline.com

Refer : Microsoft Entra authentication endpoints

Cheers,

Kapil.
KapilAnanth-MSFT 45,111 Reputation points Microsoft Employee

2023-12-13T10:21:12.65+00:00

@Jessie

Reaching out to check if there are any questions on this.

Please let us know if we can be of any further assistance here.

Thanks,

Kapil
Jessie 85 Reputation points

2023-12-14T00:00:53+00:00

@KapilAnanth-MSFT ,

Thanks you for the above response.

There are no questions yet.

We will be trying it out in our Dev environment first before implementing it in the Prod environment.

I will probably have questions when we test it.
KapilAnanth-MSFT 45,111 Reputation points Microsoft Employee

2023-12-14T04:53:47.68+00:00

@Jessie

You are most welcome.

Sure, please go ahead with a Dev/Test Environment before moving to Prod.

I have summarized my comments and posted it as a new answer.

I would highly appreciate if you could Accept the answer and close this thread

Original posters help the community find answers faster by identifying the correct answer.

Thanks,

Kapil
KapilAnanth-MSFT 45,111 Reputation points Microsoft Employee

2023-12-18T04:49:10.4066667+00:00

@Jessie

Just checking in to see if there are further queries from your end.

Please don’t forget to click "Accept the answer" and Up-Vote for the same, which might be beneficial to other community members reading this thread. And, if you have any further query do let us know.

Thanks,

Kapil

Accepted answer

KapilAnanth-MSFT 45,111 Reputation points Microsoft Employee

2023-12-14T04:52:50.44+00:00
@Jessie

Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.

Different Microsoft O365 Services would require different URLs, FQDNs , IPs and Ports to be whitelisted.

For a complete list of the configurations, refer : Office 365 URLs and IP address ranges.

Some of the above can be achieved using Service tags in Azure Firewall.

As described in Use Azure Firewall to protect Office 365.

If a specific combination of product, category and required/not required has only FQDNs required, but uses TCP ports that aren't 80/443, an FQDN tag isn't be created for this combination. Application Rules can only cover HTTP, HTTPS or MSSQL

Wrt SharePoint,

For SharePoint, please use the tags with Office365.SharePoint in Application Rules and Network Rules.

Please note that these tags are new and the Service Tags document is yet to be updated.

See : https://github.com/MicrosoftDocs/azure-docs/issues/117488

With respect to AAD authentication,

You can use "AzureActiveDirectory" and "AzureActiveDirectoryDomainServices".

Or you can use the FQDN : login.microsoftonline.com

Refer : Microsoft Entra authentication endpoints

Cheers,

Kapil

Please Accept an answer if correct.

Original posters help the community find answers faster by identifying the correct answer.
Please sign in to rate this answer.
Xyza Xue_MSFT 24,716 Reputation points Microsoft Vendor

2023-12-15T08:48:04.42+00:00

Hi @Jessie,

Just checking in to see if the below answer helped. If this answers your query, please don’t forget to click "Accept the answer" and Up-Vote for the same, which might be beneficial to other community members reading this thread.

Jessie 85 Reputation points

2023-12-28T00:26:55.4666667+00:00

Hello @Xyza Xue_MSFT , @KapilAnanth-MSFT

Thank you for your comments above.

I have a follow up question from the tests conducted in our Dev environment.

In addition to the SharePoint FQDNs suggested above, I also included the following.

Office365.Common.Allow.Required

Office365.Common.Default.Required

I have noticed that it allowed access to more Microsoft services than needed, e.g outlook.com.

Question:

How do I disallow connection to a subset of the FQDN tags (in this case outlook.com), without unselecting the entire FQDN tag?

KapilAnanth-MSFT 45,111 Reputation points Microsoft Employee

2023-12-29T05:05:22.47+00:00

@Jessie

I am afraid we cannot define rules for a subset of the FQDN tags.

However, what you can do is suggest for more such granular FQDN tags in Azure Feedback Hub.

All the feedback shared in these forums are monitored and reviewed by the Microsoft engineering teams responsible for building Azure.

Cheers,

Kapil
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.

Share via

FQDN Tags.

0 additional answers

Your answer