Visibility of One Click rules

It would be useful to have access to the list of hosts, URLs or other criteria that are included in the Microsoft 365 one click rule. Whether this is publicly available, listed in the admin portal or accessible via the API or whatever, I don’t mind, but being completely blind is painful as I have no idea what the one click rule is doing from day to day. The same could be said for cloud applications in ZIA.

This has been a pain point for me over the last 6 months while our team works on deploying Azure, Intune and Office365 and has had all kinds of problems. Identifying if something is missing from the one click rule (by accident or intentionally) is a nightmare and takes so much manpower as tickets bounce back and forth.

The standard “This is our Intellectual property” is an infuriating answer as Zscaler simply use the information published by Microsoft which is publicly available anyway!

Hi @postalspin, we actually worked really closely with Microsoft on pulling the list together, and it’s based on what you can find on MS website --> https://docs.microsoft.com/en-us/office365/enterprise/urls-and-ip-address-ranges. Working this closely with MS is what makes us, at this moment, the only security oriented MS certified networking partner.

We essentially subscribe to this and put some QA checks in place (e.g. when Facebook.com was added to the list we didn’t blindly add it to O365 One Click).

Other URL categories we do treat as our IP as it’s a valuable part of what we do. Similarly, being able to put all policies in place for MS is also a valuable feature, but it is based on existing publicly available info.

Hi @skottieb,

Yes, I think the key there is “based on”. On previous calls with our TAM we were advised that not everything from the MS list is included in the one click rule. An example he gave at the time was sharepoint.com. Something to do with they have seen instances of infected files there so it isn’t included in the one click rule.

As soon as the team that manages O365 heard about this it threw immediate questions as to what is included in the one click rule and I am constantly having to defend it or prove that I see it included in the logs as part of the one click.

If there was somewhere I could quickly check this it would be really useful. It’s the same concept when it comes to cloud applications.

I would agree this has been a pain point for our organization, as well. I have to keep going back to my TAM with questions about specific URLs because not everything on the MS site is part of the one-click config.

@postalspin

We added all “optimize”, “Allow” URLs and IP addresses under one-click. From the “Default” category we only added domains belonging to MSFT. All 3rd party URLs or domains belonging to “Default” are excluded. [MSFT categories]

Some domains which belong to MSFT and are shared between consumer and enterprise apps are excluded due to the security threats associated. Example: *.azureedge.net; we have customers reporting phishing and C2C attacks hosted on personal tenants of azure.

Summary: We definitely understand the transparency needed to make better security decisions. There is a major release targeted for end of 2020 and in that release, we are working on a feature to let customers make that decision of include/exclude rather than making it a black box with one-click. I would be happy to review that in detail if needed.

If there is a list of URLs you want to validate, please share with your TAM, we can help with the response.
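
An added example, not part of the thread and not Zscaler's code: a local approximation of the inclusion rules described in the reply above, for building a list of entries to check against logs or to raise with a TAM. The sample data is constructed in the shape of Microsoft's published endpoint JSON; `MSFT_SUFFIXES`, the handling of "Default" IP ranges, and applying the shared-domain exclusion to every category are assumptions, since the thread gives only `*.azureedge.net` as an example.

```python
import json
from fnmatch import fnmatch

# Constructed sample (not real data); fields assumed: id, category, urls, ips.
SAMPLE = json.loads("""[
 {"id": 1, "category": "Optimize", "urls": ["outlook.office365.com"], "ips": ["192.0.2.0/24"]},
 {"id": 2, "category": "Allow", "urls": ["*.protection.outlook.com"]},
 {"id": 3, "category": "Default", "urls": ["*.office.net", "*.azureedge.net", "cdn.thirdparty.example"]},
 {"id": 4, "category": "Default", "ips": ["198.51.100.0/24"]}
]""")

# Assumption: suffixes treated as "belonging to MSFT"; the thread gives no list.
MSFT_SUFFIXES = ("office.net", "office365.com", "outlook.com", "azureedge.net")
# Shared consumer/enterprise domains; only the example named in the thread.
SHARED_EXCLUDED = ("*.azureedge.net",)

def owned_by_msft(host):
    bare = host.lstrip("*.").lower()
    return any(bare == s or bare.endswith("." + s) for s in MSFT_SUFFIXES)

def is_shared(host):
    return any(fnmatch(host.lower(), pat) for pat in SHARED_EXCLUDED)

def expected_one_click(endpoint_sets):
    """Return {entry: (included, reason)} for every URL and IP range."""
    verdicts = {}
    for es in endpoint_sets:
        cat = es.get("category", "").lower()
        trusted = cat in ("optimize", "allow")
        for host in es.get("urls", []):
            if verdicts.get(host, (False,))[0]:
                continue  # already included via another endpoint set
            if is_shared(host):
                verdicts[host] = (False, "shared consumer/enterprise domain")
            elif trusted:
                verdicts[host] = (True, cat)
            elif cat == "default" and owned_by_msft(host):
                verdicts[host] = (True, "default, MSFT-owned")
            else:
                verdicts[host] = (False, f"{cat or 'unknown'}, not MSFT-owned")
        for net in es.get("ips", []):
            if not verdicts.get(net, (False,))[0]:
                # Assumption: the thread only mentions IPs for Optimize/Allow.
                verdicts[net] = (trusted, cat if trusted else "default IP range")
    return verdicts

if __name__ == "__main__":
    for entry, (included, reason) in expected_one_click(SAMPLE).items():
        print(f"{'IN ' if included else 'OUT'} {entry:28} {reason}")
```

The output is an expectation to verify, not the actual one-click contents; sharepoint.com, which an earlier post reports as excluded, would show as included here if its endpoint set is Optimize or Allow.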