Is a VPN client still recommended for Office 365 access over public WiFi connections?


To mitigate the risk of data exposure, is it recommended to still use a VPN connection, even if you are using Office 365's native desktop client apps on Windows 10?

4 Replies

Was it ever recommended? :) To mitigate data slippage scenarios, use DLP or AIP.

Here is Microsoft's guidance:

For VPN users, enable Office 365 connections to connect directly from the user's network rather than over the VPN tunnel by implementing split tunneling.

This has the benefit of minimising latency, improving reliable connectivity to the closest Office 365 entry point.

https://docs.microsoft.com/en-us/office365/enterprise/office-365-network-connectivity-principles#inc...

In other words, connecting directly via the local network is preferred rather than the overhead of using a VPN, which Microsoft say should be bypassed if using a VPN. Don't think public WiFi would change any of this guidance.
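The split-tunnel guidance above rests on knowing which prefixes belong to the "Optimize" category of the Office 365 endpoint web service. The script below is an added example, not part of this thread or of Microsoft's own scripts: it parses the service's JSON (the `SAMPLE_ENDPOINTS` list is constructed to mirror the service's schema and uses RFC 5737/RFC 3849 documentation prefixes, not real Office 365 addresses; only the `endpoints.office.com` URL is real), collapses the Optimize-category prefixes into a bypass list, and separately reports which entries also list TCP port 80, since those are the ones to look at when asking whether anything can leave the client in cleartext.

```python
"""Derive VPN bypass prefixes from the Office 365 endpoint web service (added example)."""
import ipaddress
import json
import urllib.request
import uuid

# Real service. Microsoft asks each client to send a stable GUID so repeated
# queries can be correlated; generate one once and reuse it.
ENDPOINTS_URL = "https://endpoints.office.com/endpoints/worldwide?clientrequestid={guid}"

# Constructed sample in the shape of the service's JSON (documentation prefixes,
# not real Office 365 addresses). Fields: id, serviceArea, category, required,
# urls, ips, tcpPorts.
SAMPLE_ENDPOINTS = [
    {"id": 1, "serviceArea": "Exchange", "category": "Optimize", "required": True,
     "urls": ["outlook.office365.com"],
     "ips": ["203.0.113.0/25", "203.0.113.128/25", "2001:db8:1::/48"],
     "tcpPorts": "443"},
    {"id": 2, "serviceArea": "SharePoint", "category": "Optimize", "required": True,
     "urls": ["*.sharepoint.com"], "ips": ["198.51.100.0/24"], "tcpPorts": "80,443"},
    {"id": 3, "serviceArea": "Common", "category": "Allow", "required": True,
     "urls": ["*.auth.microsoft.com"], "ips": ["192.0.2.0/24"], "tcpPorts": "443"},
    {"id": 4, "serviceArea": "Common", "category": "Default", "required": False,
     "urls": ["*.cdn.office.net"], "tcpPorts": "80,443"},
]


def fetch_endpoints(client_request_id=None, timeout=10):
    """Download the live endpoint list (needs network access)."""
    guid = client_request_id or str(uuid.uuid4())
    with urllib.request.urlopen(ENDPOINTS_URL.format(guid=guid), timeout=timeout) as resp:
        return json.load(resp)


def split_tunnel_prefixes(entries, categories=("Optimize",), required_only=True):
    """Return (ipv4, ipv6) lists of collapsed prefixes that should bypass the VPN.

    Microsoft's guidance targets the Optimize category; pass
    categories=("Optimize", "Allow") to widen the list.
    """
    nets = set()
    for entry in entries:
        if entry.get("category") not in categories:
            continue
        if required_only and not entry.get("required", False):
            continue
        for cidr in entry.get("ips", []):
            nets.add(ipaddress.ip_network(cidr, strict=False))
    # collapse_addresses merges adjacent/overlapping prefixes, one IP version at a time
    v4 = ipaddress.collapse_addresses(n for n in nets if n.version == 4)
    v6 = ipaddress.collapse_addresses(n for n in nets if n.version == 6)
    return sorted(v4), sorted(v6)


def plaintext_capable(entries):
    """IDs of entries that list TCP port 80, i.e. where cleartext HTTP is possible.

    Whether a client actually uses port 80 is up to the application; these are
    the entries to examine when asking "is everything encrypted in transit?".
    """
    def ports(spec):
        return {p.strip() for p in spec.split(",") if p.strip()}
    return [e["id"] for e in entries if "80" in ports(e.get("tcpPorts", ""))]


if __name__ == "__main__":
    entries = SAMPLE_ENDPOINTS  # swap for fetch_endpoints() to use live data
    v4, v6 = split_tunnel_prefixes(entries)
    print("Bypass the VPN for (IPv4):", [str(n) for n in v4])
    print("Bypass the VPN for (IPv6):", [str(n) for n in v6])
    print("Entries that allow TCP port 80:", plaintext_capable(entries))
```

With a forced-tunnel client the returned prefixes go into the client's exclusion list; with the Windows built-in VPN profile you instead enable split tunneling (`Set-VpnConnection -SplitTunneling $true`) and add only the corporate prefixes with `Add-VpnConnectionRoute`, so Office 365 traffic leaves directly by default. The endpoint list changes monthly, so regenerate it rather than hard-coding prefixes.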

My bigger concern is how do I have absolute certainty that all traffic being passed from my clients (Azure AD Joined Windows 10 Pro clients, with BitLocker on, or iOS and Android devices) to the Office 365 cloud is done completely encrypted, from at rest to in transit, even when connected to a public WiFi hotspot (i.e. captive portals at coffee shops/airports) or an untrusted network (i.e. Verizon or Comcast's public WiFi, etc.)?


@OneTechBeyond I get where you are coming from, I just don't see a VPN being the answer. Typically you'd use things like Conditional Access to manage the risk accordingly when accessing resources from untrusted networks or devices. Then there is Microsoft Information Protection to apply protection if needed, like with Windows Information Protection or Azure Information Protection.

Without having to do anything, traffic is encrypted and other steps taken to protect Office 365, as mentioned here: https://docs.microsoft.com/en-us/microsoft-365/compliance/office-365-encryption-risks-and-protection...
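The reply above says traffic is encrypted without any client-side work, and the earlier question asks how to be certain of that on a captive-portal or untrusted Wi-Fi. The script below is an added example, not from this thread or from Microsoft: run from the client on the suspect network, it opens a verified TLS session to real Office 365 / Azure AD hostnames (`login.microsoftonline.com`, `outlook.office365.com`, `graph.microsoft.com`) and reports the negotiated protocol, cipher and certificate. Because the default context validates the chain against the OS trust store and checks the hostname, a captive portal or an intercepting proxy that substitutes its own certificate is reported as a verification failure instead of being silently accepted. `assess()` is a pure policy check so it can be tested offline; `probe_all()` needs network access.

```python
"""Check what an Office 365 client actually negotiates on an untrusted network (added example)."""
import socket
import ssl
import time

# Real Office 365 / Azure AD service hostnames.
OFFICE_HOSTS = ["login.microsoftonline.com", "outlook.office365.com", "graph.microsoft.com"]

# Rank for comparing negotiated versions, named as ssl.SSLSocket.version() reports them.
VERSION_RANK = {"SSLv3": 0, "TLSv1": 1, "TLSv1.1": 2, "TLSv1.2": 3, "TLSv1.3": 4}


def probe_tls(host, port=443, timeout=5.0):
    """Open a verified TLS session to host and return what was negotiated.

    create_default_context() verifies the chain against the OS trust store and
    checks the hostname, so an interception proxy or captive portal presenting
    its own certificate comes back as an error entry rather than a result.
    """
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # refuse any downgrade below TLS 1.2 outright
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()
                return {
                    "host": host,
                    "version": tls.version(),
                    "cipher": tls.cipher()[0],
                    "issuer": dict(attr[0] for attr in cert["issuer"]),
                    "not_after": cert["notAfter"],
                    "sans": [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"],
                }
    except ssl.SSLCertVerificationError as exc:
        return {"host": host, "error": f"certificate verification failed: {exc.verify_message}"}
    except (ssl.SSLError, OSError) as exc:
        return {"host": host, "error": f"{type(exc).__name__}: {exc}"}


def san_matches(host, san):
    """Minimal RFC 6125-style match: exact name, or a wildcard covering one label."""
    host, san = host.lower(), san.lower()
    if san.startswith("*."):
        suffix = san[1:]
        return host.endswith(suffix) and "." not in host[: -len(suffix)]
    return host == san


def assess(result, min_version="TLSv1.2", now=None):
    """Pure policy check over one probe result; returns a list of findings (empty = passes)."""
    if "error" in result:
        return [result["error"]]
    findings = []
    if VERSION_RANK.get(result["version"], -1) < VERSION_RANK[min_version]:
        findings.append(f"negotiated {result['version']}, below required {min_version}")
    now = time.time() if now is None else now
    if ssl.cert_time_to_seconds(result["not_after"]) <= now:
        findings.append(f"certificate expired on {result['not_after']}")
    if not any(san_matches(result["host"], san) for san in result["sans"]):
        findings.append(f"certificate does not name {result['host']} (SANs: {result['sans']})")
    return findings


def probe_all(hosts=OFFICE_HOSTS):
    """Probe each host and map it to its findings; all empty means every session met policy."""
    return {host: assess(probe_tls(host)) for host in hosts}


if __name__ == "__main__":
    for host, findings in probe_all().items():
        print(host, "OK" if not findings else "; ".join(findings))
```

A verification failure on a coffee-shop network before the captive portal has been accepted is the expected, safe outcome: the client refused to talk to whatever answered in place of Microsoft. What this check cannot show is which other applications on the device might still send something in cleartext, which is why the reply above points at Conditional Access and information-protection controls rather than at the transport.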