Microsoft 365 network connectivity principles

This article applies to both Microsoft 365 Enterprise and Office 365 Enterprise.

Before you begin planning your network for Microsoft 365 network connectivity, it is important to understand the connectivity principles for securely managing Microsoft 365 traffic and getting the best possible performance. This article will help you understand the most recent guidance for securely optimizing Microsoft 365 network connectivity.

Traditional enterprise networks are designed primarily to provide users access to applications and data hosted in company operated datacenters with strong perimeter security. The traditional model assumes that users will access applications and data from inside the corporate network perimeter, over WAN links from branch offices, or remotely over VPN connections.

Adoption of SaaS applications like Microsoft 365 moves some combination of services and data outside the network perimeter. Without optimization, traffic between users and SaaS applications is subject to latency introduced by packet inspection, network hairpins, inadvertent connections to geographically distant endpoints and other factors. You can ensure the best Microsoft 365 performance and reliability by understanding and implementing key optimization guidelines.

In this article, you will learn about:

  • Microsoft 365 architecture as it applies to customer connectivity to the cloud
  • Updated Microsoft 365 connectivity principles and strategies for optimizing network traffic and the end-user experience
  • The Office 365 Endpoints web service, which allows network administrators to consume a structured list of endpoints for use in network optimization
  • New Office 365 endpoint categories and optimization guidance
  • Comparing network perimeter security with endpoint security
  • Incremental optimization options for Microsoft 365 traffic
  • The Microsoft 365 connectivity test, a new tool for testing basic connectivity to Microsoft 365

Microsoft 365 architecture

Microsoft 365 is a distributed Software-as-a-Service (SaaS) cloud that provides productivity and collaboration scenarios through a diverse set of micro-services and applications, such as Exchange Online, SharePoint Online, Skype for Business Online, Microsoft Teams, Exchange Online Protection, Office in a browser, and many others. While specific Microsoft 365 applications may have their unique features as it applies to customer network and connectivity to the cloud, they all share some key principles, goals, and architecture patterns. These principles and architecture patterns for connectivity are typical for many other SaaS clouds and at the same time differ from the typical deployment models of Platform-as-a-Service and Infrastructure-as-a-Service clouds, such as Microsoft Azure.

One of the most significant architectural features of Microsoft 365 (that is often missed or misinterpreted by network architects) is that it is a truly global distributed service, in the context of how users connect to it. The location of the target Microsoft 365 tenant is important to understand the locality of where customer data is stored within the cloud, but the user experience with Microsoft 365 doesn't involve connecting directly to disks containing the data. The user experience with Microsoft 365 (including performance, reliability, and other important quality characteristics) involves connectivity through highly distributed service front doors that are scaled out across hundreds of Microsoft locations worldwide. In the majority of cases, the best user experience is achieved by allowing the customer network to route user requests to the closest Microsoft 365 service entry point, rather than connecting to Microsoft 365 through an egress point in a central location or region.

For most customers, Microsoft 365 users are distributed across many locations. To achieve the best results, the principles outlined in this document should be looked at from the scale-out (not scale-up) point of view, focusing on optimizing connectivity to the nearest point of presence in the Microsoft Global Network, not to the geographic location of the Microsoft 365 tenant. In essence, this means that even though Microsoft 365 tenant data may be stored in a specific geographic location, the Microsoft 365 experience for that tenant remains distributed, and can be present in very close (network) proximity to every end-user location that the tenant has.

Microsoft 365 connectivity principles

Microsoft recommends the following principles to achieve optimal Microsoft 365 connectivity and performance. Use these Microsoft 365 connectivity principles to manage your traffic and get the best performance when connecting to Microsoft 365.

The primary goal in the network design should be to minimize latency by reducing the round-trip time (RTT) from your network into the Microsoft Global Network, Microsoft's public network backbone that interconnects all of Microsoft's datacenters with low latency and cloud application entry points spread around the world. You can learn more about the Microsoft Global Network at How Microsoft builds its fast and reliable global network.

Identify and differentiate Microsoft 365 traffic

Identifying Microsoft 365 network traffic is the first step in being able to differentiate that traffic from generic Internet-bound network traffic. Microsoft 365 connectivity can be optimized by implementing a combination of approaches like network route optimization, firewall rules, browser proxy settings, and bypass of network inspection devices for certain endpoints.

Previous Microsoft 365 optimization guidance divided Microsoft 365 endpoints into two categories, Required and Optional. As endpoints have been added to support new Microsoft 365 services and features, we have reorganized Microsoft 365 endpoints into three categories: Optimize, Allow, and Default. Guidelines for each category apply to all endpoints in the category, making optimizations easier to understand and implement.

For more information on Microsoft 365 endpoint categories and optimization methods, see the New Office 365 endpoint categories section.

Microsoft now publishes all Microsoft 365 endpoints as a web service and provides guidance on how best to use this data. For more information on how to fetch and work with Microsoft 365 endpoints, see the article Office 365 URLs and IP address ranges.

Egress network connections locally

Local DNS and Internet egress are of critical importance for reducing connection latency and ensuring that user connections are made to the nearest point of entry to Microsoft 365 services. In a complex network topology, it is important to implement both local DNS and local Internet egress together. For more information about how Microsoft 365 routes client connections to the nearest point of entry, see the article Client Connectivity.

Prior to the advent of cloud services such as Microsoft 365, end-user Internet connectivity as a design factor in network architecture was relatively simple. When Internet services and web sites are distributed around the globe, latency between corporate egress points and any given destination endpoint is largely a function of geographical distance.

In a traditional network architecture, all outbound Internet connections traverse the corporate network, and egress from a central location. As Microsoft's cloud offerings have matured, a distributed Internet-facing network architecture has become critical for supporting latency-sensitive cloud services. The Microsoft Global Network was designed to accommodate latency requirements with the Distributed Service Front Door infrastructure, a dynamic fabric of global entry points that routes incoming cloud service connections to the closest entry point. This is intended to reduce the length of the "last mile" for Microsoft cloud customers by effectively shortening the route between the customer and the cloud.

Enterprise WANs are often designed to backhaul network traffic to a central company head office for inspection before egress to the Internet, commonly through one or more proxy servers. The diagram below illustrates such a network topology.

Traditional enterprise network model.

Because Microsoft 365 runs on the Microsoft Global Network, which includes front-end servers around the world, there will often be a front-end server close to the user's location. By providing local Internet egress and by configuring internal DNS servers to provide local name resolution for Microsoft 365 endpoints, network traffic destined for Microsoft 365 can connect to Microsoft 365 front-end servers as close as possible to the user. The diagram below shows an example of a network topology that allows users connecting from main office, branch office, and remote locations to follow the shortest route to the closest Microsoft 365 entry point.

WAN network model with regional egress points.

Shortening the network path to Microsoft 365 entry points in this way can improve connectivity performance and the end-user experience in Microsoft 365, and can also help to reduce the impact of future changes to the network architecture on Microsoft 365 performance and reliability.

Also, DNS requests can introduce latency if the responding DNS server is distant or busy. You can minimize name resolution latency by provisioning local DNS servers in branch locations and making sure they are configured to cache DNS records appropriately.

While regional egress can work well for Microsoft 365, the optimum connectivity model would be to always provide network egress at the user's location, regardless of whether this is on the corporate network or remote locations such as homes, hotels, coffee shops, and airports. This local direct egress model is represented in the diagram below.

Local egress network architecture.

Enterprises who have adopted Microsoft 365 can take advantage of the Microsoft Global Network's Distributed Service Front Door architecture by ensuring that user connections to Microsoft 365 take the shortest possible route to the nearest Microsoft Global Network entry point. The local egress network architecture does this by allowing Microsoft 365 traffic to be routed over the nearest egress, regardless of user location.

The local egress architecture has the following benefits over the traditional model:

  • Provides optimal Microsoft 365 performance by optimizing route length. End-user connections are dynamically routed to the nearest Microsoft 365 entry point by the Distributed Service Front Door infrastructure.
  • Reduces the load on corporate network infrastructure by allowing local egress.
  • Secures connections on both ends by leveraging client endpoint security and cloud security features.

Avoid network hairpins

As a general rule of thumb, the shortest, most direct route between user and closest Microsoft 365 endpoint will offer the best performance. A network hairpin happens when WAN or VPN traffic bound for a particular destination is first directed to another intermediate location (such as security stack, cloud access broker, or cloud-based web gateway), introducing latency and potential redirection to a geographically distant endpoint. Network hairpins can also be caused by routing/peering inefficiencies or suboptimal (remote) DNS lookups.

To ensure that Microsoft 365 connectivity is not subject to network hairpins even in the local egress case, check whether the ISP that is used to provide Internet egress for the user location has a direct peering relationship with the Microsoft Global Network in close proximity to that location. You may also want to configure egress routing to send trusted Microsoft 365 traffic directly, as opposed to proxying or tunneling through a third-party cloud or cloud-based network security vendor that processes your Internet-bound traffic. Local DNS name resolution of Microsoft 365 endpoints helps to ensure that in addition to direct routing, the closest Microsoft 365 entry points are being used for user connections.

If you use cloud-based network or security services for your Microsoft 365 traffic, ensure that the result of the hairpin is evaluated and its impact on Microsoft 365 performance is understood. This can be done by examining the number and locations of service provider locations through which the traffic is forwarded in relationship to the number of your branch offices and Microsoft Global Network peering points, the quality of the network peering relationship of the service provider with your ISP and Microsoft, and the performance impact of backhauling in the service provider infrastructure.

Due to the large number of distributed locations with Microsoft 365 entry points and their proximity to end-users, routing Microsoft 365 traffic to any third-party network or security provider can have an adverse impact on Microsoft 365 connections if the provider network is not configured for optimal Microsoft 365 peering.

Assess bypassing proxies, traffic inspection devices, and duplicate security technologies

Enterprise customers should review their network security and risk reduction methods specifically for Microsoft 365 bound traffic and use Microsoft 365 security features to reduce their reliance on intrusive, performance impacting, and expensive network security technologies for Microsoft 365 network traffic.

Most enterprise networks enforce network security for Internet traffic using technologies like proxies, SSL inspection, packet inspection, and data loss prevention systems. These technologies provide important risk mitigation for generic Internet requests but can dramatically reduce performance, scalability, and the quality of end user experience when applied to Microsoft 365 endpoints.

Office 365 Endpoints web service

Microsoft 365 administrators can use a script or REST call to consume a structured list of endpoints from the Office 365 Endpoints web service and update the configurations of perimeter firewalls and other network devices. This will ensure that traffic bound for Microsoft 365 is identified, treated appropriately and managed differently from network traffic bound for generic and often unknown Internet web sites. For more information on how to use the Office 365 Endpoints web service, see the article Office 365 URLs and IP address ranges.

PAC (Proxy Automatic Configuration) scripts

Microsoft 365 administrators can create PAC (Proxy Automatic Configuration) scripts that can be delivered to user computers via WPAD or GPO. PAC scripts can be used to bypass proxies for Microsoft 365 requests from WAN or VPN users, allowing Microsoft 365 traffic to use direct Internet connections rather than traversing the corporate network.
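The following PAC file is an added example, not from the original article and not Microsoft's generated script. It shows the decision a proxy-bypass PAC makes: Optimize and Allow hosts go DIRECT to local egress, everything else goes to the corporate proxy. The proxy name `proxy.corp.example:8080` and the short `DIRECT_HOSTS` list are assumptions (a constructed, abbreviated sample); in production, generate the host list from the Office 365 Endpoints web service so it stays current. The matching helper is written out in plain JavaScript rather than calling PAC runtime functions such as `shExpMatch`, so the same file can be loaded by a browser PAC engine and also unit-tested under Node.

```javascript
// Added example PAC file (not from the original article or from Microsoft).
// DIRECT_HOSTS is a constructed, abbreviated sample of Optimize/Allow
// endpoints; generate the real list from the Office 365 Endpoints web service.

// Assumed corporate proxy for everything that is not an Office 365 endpoint.
var PROXY_FALLBACK = "PROXY proxy.corp.example:8080";

// Constructed sample: hosts that bypass the proxy. A leading "*." entry
// matches any subdomain but not the bare domain itself.
var DIRECT_HOSTS = [
  "outlook.office.com",
  "outlook.office365.com",
  "*.sharepoint.com",
  "*.protection.outlook.com"
];

// Exact or "*.suffix" match, case-insensitive. Written out here instead of
// calling the PAC runtime helpers (shExpMatch, dnsDomainIs) so the file runs
// unchanged in a browser PAC engine and under Node for testing.
function hostMatches(host, pattern) {
  var h = host.toLowerCase();
  var p = pattern.toLowerCase();
  if (p.indexOf("*.") === 0) {
    var suffix = p.substring(1);              // "*.sharepoint.com" -> ".sharepoint.com"
    return h.length > suffix.length &&
           h.substring(h.length - suffix.length) === suffix;
  }
  return h === p;
}

// Entry point the browser/OS calls for every request.
function FindProxyForURL(url, host) {
  for (var i = 0; i < DIRECT_HOSTS.length; i++) {
    if (hostMatches(host, DIRECT_HOSTS[i])) {
      return "DIRECT";                        // Optimize/Allow: straight to local egress
    }
  }
  return PROXY_FALLBACK;                      // Default and generic Internet: via proxy
}
```

A host the PAC sends DIRECT still has to be permitted by the edge firewall on the published IP ranges and ports; the PAC only removes the proxy from the path. Keep the wildcard semantics in mind when reviewing: `*.sharepoint.com` deliberately does not match `sharepoint.com` itself.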

Microsoft 365 security features

Microsoft is transparent about datacenter security, operational security, and risk reduction around Microsoft 365 servers and the network endpoints that they represent. Microsoft 365 built-in security features are available for reducing network security risk, such as Data Loss Prevention, Anti-Virus, Multi-Factor Authentication, Customer Lock Box, Defender for Office 365, Microsoft 365 Threat Intelligence, Microsoft 365 Secure Score, Exchange Online Protection, and Network DDOS Security.

For more information on Microsoft datacenter and Global Network security, see the Microsoft Trust Center.

New Office 365 endpoint categories

Office 365 endpoints represent a varied set of network addresses and subnets. Endpoints may be URLs, IP addresses or IP ranges, and some endpoints are listed with specific TCP/UDP ports. URLs can either be an FQDN like account.office.net, or a wildcard URL like *.office365.com.

Note

The locations of Office 365 endpoints within the network are not directly related to the location of the Microsoft 365 tenant data. For this reason, customers should look at Microsoft 365 as a distributed and global service and should not attempt to block network connections to Office 365 endpoints based on geographical criteria.

In our previous guidance for managing Microsoft 365 traffic, endpoints were organized into two categories, Required and Optional. Endpoints within each category required different optimizations depending on the criticality of the service, and many customers faced challenges in justifying the application of the same network optimizations to the full list of Office 365 URLs and IP addresses.

In the new model, endpoints are segregated into three categories, Optimize, Allow, and Default, providing a priority-based pivot on where to focus network optimization efforts to realize the best performance improvements and return on investment. The endpoints are consolidated in the above categories based on the sensitivity of the effective user experience to network quality, volume, and performance envelope of scenarios and ease of implementation. Recommended optimizations can be applied the same way to all endpoints in a given category.

  • Optimize endpoints are required for connectivity to every Office 365 service and represent over 75% of Office 365 bandwidth, connections, and volume of data. These endpoints represent Office 365 scenarios that are the most sensitive to network performance, latency, and availability. All endpoints are hosted in Microsoft datacenters. The rate of change to the endpoints in this category is expected to be much lower than for the endpoints in the other two categories. This category includes a small (on the order of ~10) set of key URLs and a defined set of IP subnets dedicated to core Office 365 workloads such as Exchange Online, SharePoint Online, Skype for Business Online, and Microsoft Teams.

    A condensed list of well-defined critical endpoints should help you to plan and implement high value network optimizations for these destinations faster and easier.

    Examples of Optimize endpoints include https://outlook.office365.com, https://<tenant>.sharepoint.com, and https://<tenant>-my.sharepoint.com.

    Optimization methods include:

    • Bypass Optimize endpoints on network devices and services that perform traffic interception, SSL decryption, deep packet inspection, and content filtering.
    • Bypass on-premises proxy devices and cloud-based proxy services commonly used for generic Internet browsing.
    • Prioritize the evaluation of these endpoints as fully trusted by your network infrastructure and perimeter systems.
    • Prioritize reduction or elimination of WAN backhauling, and facilitate direct distributed Internet-based egress for these endpoints as close to users/branch locations as possible.
    • Facilitate direct connectivity to these cloud endpoints for VPN users by implementing split tunneling.
    • Ensure that IP addresses returned by DNS name resolution match the routing egress path for these endpoints.
    • Prioritize these endpoints for SD-WAN integration for direct, minimal latency routing into the nearest Internet peering point of the Microsoft global network.
  • Allow endpoints are required for connectivity to specific Office 365 services and features, but are not as sensitive to network performance and latency as those in the Optimize category. The overall network footprint of these endpoints from the standpoint of bandwidth and connection count is also smaller. These endpoints are dedicated to Office 365 and are hosted in Microsoft datacenters. They represent a broad set of Office 365 micro-services and their dependencies (on the order of ~100 URLs) and are expected to change at a higher rate than those in the Optimize category. Not all endpoints in this category are associated with defined dedicated IP subnets.

    Network optimizations for Allow endpoints can improve the Office 365 user experience, but some customers may choose to scope those optimizations more narrowly to minimize changes to their network.

    Examples of Allow endpoints include https://*.protection.outlook.com and https://accounts.accesscontrol.windows.net.

    Optimization methods include:

    • Bypass Allow endpoints on network devices and services that perform traffic interception, SSL decryption, deep packet inspection, and content filtering.
    • Prioritize the evaluation of these endpoints as fully trusted by your network infrastructure and perimeter systems.
    • Prioritize reduction or elimination of WAN backhauling, and facilitate direct distributed Internet-based egress for these endpoints as close to users/branch locations as possible.
    • Ensure that IP addresses returned by DNS name resolution match the routing egress path for these endpoints.
    • Prioritize these endpoints for SD-WAN integration for direct, minimal latency routing into the nearest Internet peering point of the Microsoft global network.
  • Default endpoints represent Office 365 services and dependencies that do not require any optimization, and can be treated by customer networks as normal Internet bound traffic. Some endpoints in this category may not be hosted in Microsoft datacenters. Examples include https://odc.officeapps.live.com and https://appexsin.stb.s-msn.com.

For more information about Office 365 network optimization techniques, see the article Managing Office 365 endpoints.
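The Office 365 Endpoints web service section says administrators can consume the endpoint list by script and push it into firewall and proxy configuration, and the category guidance above asks for per-category treatment plus a check that DNS answers land in the published subnets. The block below is an added example of that whole pipeline, written for this page rather than taken from it or from Microsoft's own scripts. `SAMPLE_RESPONSE` is a constructed sample in the web service's documented record shape (`id`, `serviceArea`, `category`, `required`, `urls`, `ips`, `tcpPorts`, `udpPorts`); its addresses are RFC 5737/3849 documentation ranges, not real Microsoft subnets. The live list is fetched from `https://endpoints.office.com/endpoints/worldwide?clientrequestid=<GUID>` as described in the linked article. Everything else (function names, the `"unlisted"` result) is this example's own design.

```javascript
// Added example (not from the original article or from Microsoft's scripts):
// consume an Office 365 Endpoints web service response and derive per-category
// network rules. SAMPLE_RESPONSE is a CONSTRUCTED sample in the service's
// documented record shape; the subnets are documentation ranges, not real ones.
// Live data: https://endpoints.office.com/endpoints/worldwide?clientrequestid=<GUID>
const SAMPLE_RESPONSE = JSON.stringify([
  { id: 1, serviceArea: "Exchange", category: "Optimize", required: true,
    urls: ["outlook.office.com", "outlook.office365.com"],
    ips: ["192.0.2.0/24", "2001:db8::/32"], tcpPorts: "80,443" },
  { id: 31, serviceArea: "SharePoint", category: "Optimize", required: true,
    urls: ["*.sharepoint.com"], ips: ["198.51.100.0/25"], tcpPorts: "80,443" },
  { id: 5, serviceArea: "Exchange", category: "Allow", required: true,
    urls: ["*.protection.outlook.com"], ips: ["203.0.113.0/24"], tcpPorts: "443" },
  { id: 46, serviceArea: "Common", category: "Default", required: true,
    urls: ["*.office.net"], tcpPorts: "80,443" }
]);

// "80,443" -> [80, 443]; a missing field -> []
function splitPorts(s) {
  return s ? s.split(",").map(p => Number(p.trim())).filter(n => n > 0) : [];
}

// Normalise records: urls/ips default to [], port strings become number arrays.
function parseEndpoints(text) {
  return JSON.parse(text).map(e => ({
    id: e.id, serviceArea: e.serviceArea, category: e.category,
    required: Boolean(e.required),
    urls: e.urls || [], ips: e.ips || [],
    tcpPorts: splitPorts(e.tcpPorts), udpPorts: splitPorts(e.udpPorts)
  }));
}

// Dotted-quad IPv4 -> unsigned 32-bit integer, or null if malformed.
function ipv4ToInt(ip) {
  const parts = ip.split(".").map(Number);
  if (parts.length !== 4 || parts.some(p => !Number.isInteger(p) || p < 0 || p > 255)) return null;
  return ((parts[0] << 24) | (parts[1] << 16) | (parts[2] << 8) | parts[3]) >>> 0;
}

// True when an IPv4 address lies inside an IPv4 CIDR block.
function ipv4InCidr(ip, cidr) {
  const [net, bitsStr] = cidr.split("/");
  const bits = Number(bitsStr);
  const a = ipv4ToInt(ip), n = ipv4ToInt(net);
  if (a === null || n === null || !(bits >= 0 && bits <= 32)) return false;
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  return ((a & mask) >>> 0) === ((n & mask) >>> 0);
}

// Firewall allow-list for one category: one (subnet, protocol, port) triple per
// published combination. The Optimize set is what you exempt from inspection;
// Default records usually carry no ips and keep generic Internet treatment.
function firewallRules(endpoints, category) {
  const rules = [];
  for (const e of endpoints) {
    if (e.category !== category) continue;
    for (const dst of e.ips) {
      for (const port of e.tcpPorts) rules.push({ id: e.id, dst, proto: "tcp", port });
      for (const port of e.udpPorts) rules.push({ id: e.id, dst, proto: "udp", port });
    }
  }
  return rules;
}

// Host patterns a PAC file should return DIRECT for (Optimize and Allow only).
function pacDirectHosts(endpoints) {
  const hosts = new Set();
  for (const e of endpoints) {
    if (e.category === "Optimize" || e.category === "Allow") e.urls.forEach(u => hosts.add(u));
  }
  return [...hosts];
}

// "DNS answer matches the egress path" check: for an IPv4 address the resolver
// returned, report the category of the published subnet it falls in, or
// "unlisted" if none (treat as ordinary Internet traffic). IPv6 prefixes are
// skipped here; extend the CIDR matcher if your resolvers return AAAA records.
function categoryForAddress(endpoints, ip) {
  for (const category of ["Optimize", "Allow", "Default"]) {
    for (const e of endpoints) {
      if (e.category !== category) continue;
      if (e.ips.some(c => !c.includes(":") && ipv4InCidr(ip, c))) return category;
    }
  }
  return "unlisted";
}

const endpoints = parseEndpoints(SAMPLE_RESPONSE);
console.log(firewallRules(endpoints, "Optimize"));          // 6 rules in the sample
console.log(pacDirectHosts(endpoints));                     // 4 host patterns
console.log(categoryForAddress(endpoints, "192.0.2.10"));   // "Optimize"
```

In practice the list is re-fetched on a schedule and the generated rules diffed against what the firewall currently holds; an address that resolves to `"unlisted"` for a host you expected to be Optimize is the signal that local DNS is answering from a different vantage point than your egress, which is exactly the mismatch the category guidance warns about.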

Comparing network perimeter security with endpoint security

The goal of traditional network security is to harden the corporate network perimeter against intrusion and malicious exploits. As organizations adopt Microsoft 365, some network services and data are partly or completely migrated to the cloud. As for any fundamental change to network architecture, this process requires a reevaluation of network security that takes emerging factors into account:

  • As cloud services are adopted, network services and data are distributed between on-premises datacenters and the cloud, and perimeter security is no longer adequate on its own.
  • Remote users connect to corporate resources both in on-premises datacenters and in the cloud from uncontrolled locations such as homes, hotels, and coffee shops.
  • Purpose-built security features are increasingly built into cloud services and can potentially supplement or supplant existing security systems.

Microsoft offers a broad range of Microsoft 365 security features and provides prescriptive guidance for employing security best practices that can help you to ensure data and network security for Microsoft 365. Recommended best practices include the following:

  • Use multi-factor authentication (MFA) MFA adds an additional layer of protection to a strong password strategy by requiring users to acknowledge a phone call, text message, or an app notification on their smart phone after correctly entering their password.

  • Use Microsoft Defender for Cloud Apps Configure policies to track anomalous activity and act on it. Set up alerts with Microsoft Defender for Cloud Apps so that admins can review unusual or risky user activity, such as downloading large amounts of data, multiple failed sign-in attempts, or connections from unknown or dangerous IP addresses.

  • Configure Data Loss Prevention (DLP) DLP allows you to identify sensitive data and create policies that help prevent your users from accidentally or intentionally sharing the data. DLP works across Microsoft 365 including Exchange Online, SharePoint Online, and OneDrive so that your users can stay compliant without interrupting their workflow.

  • Use Customer Lockbox As a Microsoft 365 admin, you can use Customer Lockbox to control how a Microsoft support engineer accesses your data during a help session. In cases where the engineer requires access to your data to troubleshoot and fix an issue, Customer Lockbox allows you to approve or reject the access request.

  • Use Office 365 Secure Score A security analytics tool that recommends what you can do to further reduce risk. Secure Score looks at your Microsoft 365 settings and activities and compares them to a baseline established by Microsoft. You'll get a score based on how aligned you are with best security practices.

A holistic approach to enhanced security should include consideration of the following:

  • Shift emphasis from perimeter security towards endpoint security by applying cloud-based and Office client security features.
    • Shrink the security perimeter to the datacenter
    • Enable equivalent trust for user devices inside the office or at remote locations
    • Focus on securing the data location and the user location
    • Managed user machines have higher trust with endpoint security
  • Manage all information security holistically, not focusing solely on the perimeter
    • Redefine WAN and building perimeter network security by allowing trusted traffic to bypass security devices and separating unmanaged devices to guest Wi-Fi networks
    • Reduce network security requirements of the corporate WAN edge
    • Some network perimeter security devices such as firewalls are still required, but load is decreased
    • Ensure local egress for Microsoft 365 traffic
  • Improvements can be addressed incrementally as described in the Incremental optimization section. Some optimization techniques may offer better cost/benefit ratios depending on your network architecture, and you should choose optimizations that make the most sense for your organization.

For more information on Microsoft 365 security and compliance, see the articles Microsoft 365 security and Microsoft 365 compliance.

Incremental optimization

We have represented the ideal network connectivity model for SaaS earlier in this article, but for many large organizations with historically complex network architectures, it will not be practical to immediately make all of these changes. In this section, we discuss a number of incremental changes that can help to improve Microsoft 365 performance and reliability.

The methods you will use to optimize Microsoft 365 traffic will vary depending on your network topology and the network devices you have implemented. Large enterprises with many locations and complex network security practices will need to develop a strategy that includes most or all of the principles listed in the Microsoft 365 connectivity principles section, while smaller organizations might only need to consider one or two.

You can approach optimization as an incremental process, applying each method successively. The following table lists key optimization methods in order of their impact on latency and reliability for the largest number of users.

Optimization method: Local DNS resolution and Internet egress
Description: Provision local DNS servers in each location and ensure that Microsoft 365 connections egress to the Internet as close as possible to the user's location.
Impact: Minimize latency; improve reliable connectivity to the closest Microsoft 365 entry point

Optimization method: Add regional egress points
Description: If your corporate network has multiple locations but only one egress point, add regional egress points to enable users to connect to the closest Microsoft 365 entry point.
Impact: Minimize latency; improve reliable connectivity to the closest Microsoft 365 entry point

Optimization method: Bypass proxies and inspection devices
Description: Configure browsers with PAC files that send Microsoft 365 requests directly to egress points. Configure edge routers and firewalls to permit Microsoft 365 traffic without inspection.
Impact: Minimize latency; reduce load on network devices

Optimization method: Enable direct connectivity for VPN users
Description: For VPN users, enable Microsoft 365 connections to connect directly from the user's network rather than over the VPN tunnel by implementing split tunneling.
Impact: Minimize latency; improve reliable connectivity to the closest Microsoft 365 entry point

Optimization method: Migrate from traditional WAN to SD-WAN
Description: SD-WANs (Software Defined Wide Area Networks) simplify WAN management and improve performance by replacing traditional WAN routers with virtual appliances, similar to the virtualization of compute resources using virtual machines (VMs).
Impact: Improve performance and manageability of WAN traffic; reduce load on network devices

Microsoft 365 Network Connectivity Overview

Managing Office 365 endpoints

Office 365 URLs and IP address ranges

Office 365 IP Address and URL Web service

Assessing Microsoft 365 network connectivity

Network planning and performance tuning for Microsoft 365

Office 365 performance tuning using baselines and performance history

Performance troubleshooting plan for Office 365

Content Delivery Networks

Microsoft 365 connectivity test

How Microsoft builds its fast and reliable global network

Office 365 Networking blog