Feedback on Office 365 IP/URL Web Services Preview

Microsoft

Please share your feedback or questions on the new Office 365 IP/URL Web Services preview as announced here: https://aka.ms/ipurlblog 

24 Replies
Please keep the RSS feed alive. Makes things easier when humans are involved in the process. I understand how great the Web service is for automation, but there is no way we are going to relinquish human control over this, and the RSS feed is key in allowing at a glance what is going to happen.
*allowing us to see at a glance what is going to happen*

Hi Xavier, we're planning a couple of simple scripts that format the /changes web method output for human review. How, and with what tools, do you do that today with the RSS?

Hi Paul,

this is a great initiative! Is there a programmatic way to understand if the IPs/URLs of a record belong to Microsoft or to a 3rd party app (Facebook, ...)?

This information seems to be included in the optionalImpact field, but it is only human readable.

 

Hi Luigi, this isn't possible in the preview. Can you tell me what you want to do with information that would indicate that an endpoint is hosted by Microsoft or a third party? Note that there are some third party hosted endpoints which are required such as a public content delivery network.

Waiting for the *SOON* to be released PAC generator :D. Any beta link or program for it?
+ any swagger contract around for your REST API?

@Sebastien Person we don't have swagger docs. Our docs are here. Also, thanks for the interest in PAC files. They're not yet available

This looks great. Will it cater for Next Generation Layer 7 firewalls (like those from Palo Alto)? They tend to use App IDs rather than just listing URLs.

Also, how safe is it to use this service, considering it is in preview? Is there any intended date yet for when it will "go live"?

@Thom McKiernan we're talking with most of the top firewall vendors about this. In preview, the data is accurate, but we don't recommend using it in production. GA is a little bit away and we'll release as soon as we can.

Some security administrators would like to enable only URLs/IPs that are strictly necessary to access the O365 services and have a good O365 experience. They don't want to enable 3rd party integrations. It would be nice if there was a programmatic way to identify these integrations and filter them.

Thank you for the feedback Luigi

In the Changes Web Method we need an EffectiveDate for the "remove" structure.

We need to see what will be removed in the future. The "add" structure includes this.

@Ian Williams wrote:

In the Changes Web Method we need an EffectiveDate for the "remove" structure.

We need to see what will be removed in the future. The "add" structure includes this.

Hi Ian, we don't publish items to remove in the future because of the risk of customers removing firewall entries while the servers are still live. Instead we only publish endpoints to remove after the endpoint no longer has live service on it. Hence no future date is required.

Regards, Paul
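
An added example, not part of the original thread or Microsoft's scripts: a Python sketch of the "format /changes output for human review" idea, built on the rule Paul describes above (additions carry an effective date, removals are published only once the endpoint is no longer live). The field names (endpointSetId, disposition, add, remove, effectiveDate, ips, urls), the YYYYMMDD date format and the sample records are assumptions.

```python
from datetime import date, datetime

# Constructed sample shaped like the /changes output discussed in this thread.
# Field names and the YYYYMMDD effectiveDate format are assumptions.
SAMPLE_CHANGES = [
    {"endpointSetId": 10, "disposition": "change",
     "add": {"effectiveDate": "20180901", "ips": ["192.0.2.0/24"]},
     "remove": {"urls": ["old.example.com"]}},
    {"endpointSetId": 11, "disposition": "change",
     "add": {"effectiveDate": "20180701", "urls": ["new.example.com"]}},
]

def plan_changes(changes, today):
    """Split change records into a reviewable plan.

    add_by     : not live yet, must be allowed before the effective date
    add_now    : effective date reached or missing, allow immediately
    remove_now : only published once the endpoint is dead, so safe to drop
    """
    plan = {"add_by": [], "add_now": [], "remove_now": []}
    for rec in changes:
        set_id = rec["endpointSetId"]
        add = rec.get("add") or {}
        items = add.get("ips", []) + add.get("urls", [])
        raw = add.get("effectiveDate")
        eff = datetime.strptime(raw, "%Y%m%d").date() if raw else None
        if eff and eff > today:
            plan["add_by"] += [(eff.isoformat(), set_id, i) for i in items]
        else:
            plan["add_now"] += [(set_id, i) for i in items]
        rem = rec.get("remove") or {}
        plan["remove_now"] += [(set_id, i)
                               for i in rem.get("ips", []) + rem.get("urls", [])]
    plan["add_by"].sort()  # nearest deadline first
    return plan

def render(plan):
    """One line per firewall action, suitable for an e-mail or ticket."""
    lines = [f"ALLOW BEFORE {d}  set {s}  {i}" for d, s, i in plan["add_by"]]
    lines += [f"ALLOW NOW  set {s}  {i}" for s, i in plan["add_now"]]
    lines += [f"REMOVE NOW  set {s}  {i}" for s, i in plan["remove_now"]]
    return "\n".join(lines)

if __name__ == "__main__":
    print(render(plan_changes(SAMPLE_CHANGES, date(2018, 8, 1))))
```

Applying the removals promptly keeps the allow list from accumulating ranges that no longer belong to the service.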

We use a set of Python scripts to compare data between sources (XML page, web page, our own .pac files), and also rely on the RSS feed for a quick overview of what was changed. The thing is, the RSS gets delivered directly to my Outlook inbox, and as such acts as a reminder to everyone.

I had a look at the scripts provided, especially the Python one, and while it is rather clear, I still have not figured out why we do not get the ports in the output... Need to spend more time on this.


@Xavier Barros wrote:

We use a set of Python scripts to compare data between sources (XML page, web page, our own .pac files), and also rely on the RSS feed for a quick overview of what was changed. The thing is, the RSS gets delivered directly to my Outlook inbox, and as such acts as a reminder to everyone.

I had a look at the scripts provided, especially the Python one, and while it is rather clear, I still have not figured out why we do not get the ports in the output... Need to spend more time on this.


Hi Xavier, thank you for the feedback. We're looking at how we can continue to provide RSS.

-- Paul

We previously asked the Microsoft Premier Support team in Japan to confirm the new Web service; however, we couldn’t receive support because the new Web service is in preview now.
They informed us that questions or feedback can be posted on this page.
Therefore, we are posting some questions here.

First of all, will you stop publishing the current HTML, XML, and RSS format of data as scheduled on October 2nd?
If the current HTML, XML, and RSS format of data will be stopped as scheduled on October 2nd, it is difficult to respond to the new Web service currently because the published information is so insufficient.

Could you please answer the questions below?

--------------------------------------------------
1. About service area
--------------------------------------------------
a. XML file (Current method)
<Available over Internet & ExpressRoute circuits>:
shared services | authentication | Office Online | Exchange Online | Exchange Online Protection | Skype for Business Online | Microsoft Teams | SharePoint Online and OneDrive | OneNote | Dynamics CRM IP | Dynamics CRM URI | Power BI
<Available over Internet circuits only>:
Office 365 Video and Microsoft Stream | Yammer | Sway | Planner | Office Clients | Microsoft Intune | Microsoft PowerApps | Microsoft Flow

b. Web service (New method)
The service area that this is part of: Common, Exchange, SharePoint, Skype.

*Question
There is something we would like to confirm.
For example:
- The new Web service “Exchange” contains “Exchange Online, Exchange Online Protection” of the current items.
- The new Web service “Skype” contains “Skype for Business Online” of the current items.
- The new Web service “SharePoint” contains “SharePoint Online and OneDrive” of the current items.
- The new Web service “Common” contains the other items.
Please inform us in more detail how each service area of the current item will be applied in the service area of the new item.

--------------------------------------------------
2. About the effect of three categories (Optimize, Allow, and Default)
--------------------------------------------------

We are aware that the current XML file and the tables with Office 365 URLs and IP address ranges in the HTML page will be replaced with the new Web service.
a. XML file
https://support.content.office.net/en-us/static/O365IPAddresses.xml
b. Web service
https://endpoints.office.com/endpoints/worldwide?clientrequestid=b10c5ed1-bad1-445f-b386-b919946339a...

This URL of new Web service is posted in [Web service] - [For the data on the Office 365 URLs and IP address ranges page for firewalls and proxy servers] section.
https://support.office.com/en-us/article/99cab9d4-ef59-4207-9f2b-3728eb46bf9a

There are three categories (Optimize, Allow, and Default) in a file downloaded from the above new Web service URL.
However, we can’t find the three categories (Optimize, Allow, and Default) in the current XML file.

*Question
At present, we have allowed all the Office 365 URLs and IP address ranges provided by the current XML file on the firewalls/proxy servers.

When the current XML file is replaced with the new Web service in the future, do we need to change anything in the allow settings of the firewalls/proxy servers with regard to the three categories (Optimize, Allow, and Default)?

Otherwise, in the same way as now, would it be OK for the firewalls/proxy servers to allow all Office 365 URLs and IP address ranges in the new Web service without regard for the three categories (Optimize, Allow, and Default)?

@Kyounghwan Lee here are answers to your questions:

>> First of all, will you stop publishing the current HTML, XML, and RSS format of data as scheduled on October 2nd?

Yes.

>> Please inform us in more detail how each service area of the current item will be applied in the service area of the new item.

This reduction in the service areas is intended to simplify network connectivity work required for Office 365. It also avoids support issues related to unpublished dependencies between services.

Old XML Product     New JSON ServiceArea
WAC                 Common
Sway                Common
Planner             Common
ProPlus             Common
Ex-Fed              Deprecated
Yammer              Common
Teams               Skype
OfficeiPad          Common
OfficeMobile        Common
RCA                 Deprecated
OneNote             Common
EXO                 Exchange
SPO                 SharePoint
Office365Video      Common
LYO                 Skype
Identity            Common
CRLs                Common
o365                Common
EOP                 Exchange

>> When the current XML file is replaced with the new Web service in the future, do we need to change anything in the allow settings of the firewalls/proxy servers with regard to the three categories (Optimize, Allow, and Default)?

The only change that you are required to do is to start taking changes from the web services instead of from the XML/RSS published data. All future changes to Office 365 network endpoints will be advertised through the web services.

>> Otherwise, in the same way as now, would it be OK for the firewalls/proxy servers to allow all Office 365 URLs and IP address ranges in the new Web service without regard for the three categories (Optimize, Allow, and Default)?

The new categories make firewall, proxy server, and other network perimeter device configuration simpler. In particular, the default category can be directed to the default Internet egress location with any other employee web browser traffic. However, you can simply permit connectivity and bypass for all Office 365 network traffic and disregard the categories. Please review details of the new categories at http://aka.ms/pnc

Regards,

Paul
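
An added example, not part of the original thread: a Python sketch of the two options Paul describes, either keeping Default-category endpoints on the normal browser egress path or permitting and bypassing everything regardless of category. The field names (serviceArea, category, ips, urls), the treatment of Optimize and Allow as the direct/bypass set, and the sample records are assumptions.

```python
import ipaddress

# Constructed records shaped like the endpoints web service output. Field
# names (serviceArea, category, ips, urls) are assumptions for illustration.
SAMPLE_ENDPOINTS = [
    {"serviceArea": "Exchange", "category": "Optimize",
     "ips": ["192.0.2.0/25", "192.0.2.128/25"], "urls": ["mail.example.com"]},
    {"serviceArea": "Common", "category": "Allow",
     "ips": ["198.51.100.0/24", "2001:db8::/32"], "urls": ["login.example.com"]},
    {"serviceArea": "Common", "category": "Default",
     "urls": ["*.cdn.example.net"]},
]

KNOWN = {"Optimize", "Allow", "Default"}

def egress_plan(endpoints, ignore_categories=False):
    """Build firewall/proxy lists from endpoint records.

    Default-category endpoints stay on the normal browser egress path unless
    ignore_categories=True, which permits and bypasses everything.
    """
    nets, direct_urls, default_urls = [], set(), set()
    for ep in endpoints:
        cat = ep.get("category")
        if cat not in KNOWN:
            # Fail closed: never silently open the firewall for unknown data.
            raise ValueError(f"unexpected category: {cat!r}")
        if ignore_categories or cat != "Default":
            # ip_network() rejects malformed ranges before they reach a rule.
            nets += [ipaddress.ip_network(n) for n in ep.get("ips", [])]
            direct_urls.update(ep.get("urls", []))
        else:
            default_urls.update(ep.get("urls", []))
    merged = []
    for version in (4, 6):  # collapse_addresses() cannot mix IP versions
        merged += ipaddress.collapse_addresses(
            n for n in nets if n.version == version)
    return {
        "direct_nets": [str(n) for n in merged],
        "direct_urls": sorted(direct_urls),
        "default_egress_urls": sorted(default_urls),
    }

if __name__ == "__main__":
    for key, values in egress_plan(SAMPLE_ENDPOINTS).items():
        print(key, values)
```

Collapsing adjacent ranges keeps the generated rule set short enough for a person to review against the published data.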

I really appreciate all the advice you gave me on how to update new Web service.

>> The only change that you are required to do is to start taking changes from the web services instead of from the XML/RSS published data.

Simply, I understand that the XML/ RSS data that has been published so far will be switched to new Web service.

I understand that I can permit connectivity and bypass for all Office 365 network traffic and disregard the categories (Optimize, Allow, and Default).

As for the factors you pointed out, we will certainly correspond them when we update the next new Web service.

Regards,

Kyounghwan Lee