Sase For Securing Microsoft 365 Solution Guide

This document is a solution guide for securing Microsoft 365 using Palo Alto Networks' SASE framework and Prisma Access. It outlines design and deployment strategies, addressing security challenges and providing detailed instructions for implementing visibility, control, and data protection for SaaS applications. The guide is intended for technical readers familiar with SaaS applications and security concepts.

SASE

SOLUTION GUIDE

SASE for Securing Microsoft 365


Part of the “SASE for Securing Internet” reference architecture

SEPTEMBER 2023
Table of Contents

Preface .......... 1
Purpose of This Guide .......... 3
    Objectives .......... 3
    Audience .......... 3
    Related Documentation .......... 4
Introduction .......... 5
    Security Challenges .......... 5
    Security Foundation .......... 6
Design Details .......... 8
    Securing the Internet with Prisma Access .......... 8
    Visibility and Control .......... 9
    Security Posture Management .......... 24
    Data Security .......... 29
    SaaS Security API .......... 38
Deployment Details .......... 46
    Assumptions and Prerequisites .......... 46
    Configuring Visibility and Control for Microsoft 365 .......... 47
    Using Web Security to Configure Decryption .......... 56
    Configuring SaaS Security for Microsoft 365 Applications .......... 60
Summary .......... 66

Palo Alto Networks


Preface
GUIDE TYPES

Overview guide | Design guide | Deployment guide | Solution guide

Overview guides provide high-level introductions to technologies or concepts.

Design guides provide an architectural overview for using Palo Alto Networks® technologies to provide
visibility, control, and protection to applications built in a specific environment. These guides are required
reading prior to using their companion deployment guides.

Deployment guides provide decision criteria for deployment scenarios, as well as procedures for combining
Palo Alto Networks technologies with third-party technologies in an integrated design.

Solution guides provide add-on solutions for post-deployment use cases.

DOCUMENT CONVENTIONS

Notes provide additional information.

Cautions warn about possible data loss, hardware damage, or compromise of security.

Blue text indicates a configuration variable for which you need to substitute the correct value for your
environment.

In the IP box, enter 10.5.0.4/24, and then click OK.

Bold text denotes:

• Command-line commands.

# show device-group branch-offices

• User-interface elements.

In the Interface Type list, choose Layer 3.

• Navigational paths.

Navigate to Network > Virtual Routers.

• A value to be entered.

Enter the password admin.


Italic text denotes the introduction of important terminology.

An external dynamic list is a file hosted on an external web server so that the firewall can import objects.

Highlighted text denotes emphasis.

Total valid entries: 755

ABOUT PROCEDURES
These guides sometimes describe other companies’ products. Although steps and screenshots were
up-to-date at the time of publication, those companies might have since changed their user interface,
processes, or requirements.

GETTING THE LATEST VERSION OF GUIDES


We continually update reference architecture guides. You can access the latest version of this and all
guides at this location:

https://www.paloaltonetworks.com/referencearchitectures

WHAT’S NEW IN THIS RELEASE


• This is a new guide.


Purpose of This Guide


This solution guide builds on the reference architecture described in the SASE for Securing Internet: Design
Guide and SASE for Securing Internet: Deployment Guide. This guide provides design and deployment
guidance for the Palo Alto Networks Next-Generation Cloud Access Security Broker (NG-CASB) to secure
Microsoft 365.

This solution guide:

• Provides architectural guidance and deployment details for using Prisma® Access to provide
visibility and control, security posture management, data security, and data protection to your
Microsoft 365 environment.

• Requires that you first read the Securing SaaS with the Next-Generation CASB: Solution Guide. That
solution guide provides architectural insight and guidance necessary for your organization to
secure software-as-a-service (SaaS) applications.

OBJECTIVES
By completing the procedures in this guide, you can deploy policy in Prisma Access to secure
Microsoft 365 applications and data in a SaaS environment. You also enable the following functionality:

• Visibility and control

• SaaS Security Posture Management (SSPM)

• Data security

• SaaS Security API

AUDIENCE
This guide is written for technical readers, including solution architects and design engineers, who want
to deploy the Palo Alto Networks NG-CASB solution to secure SaaS applications. It assumes the reader is
familiar with the basic concepts of SaaS applications, data security, networking, and web security.


RELATED DOCUMENTATION
The following documents support this guide:

• SASE Overview—Describes components and benefits of a SASE solution and how Palo Alto Networks
delivers a full-featured SASE solution with the combination and integration of Prisma Access,
Prisma SD-WAN, and cloud-delivered security services.

• SASE for Securing Internet: Design Guide—Presents a detailed discussion of the available design
considerations and options for Prisma Access and Prisma SD-WAN when used for securing access to
the internet.

• SASE for Securing Internet: Deployment Guide—Details deployment scenarios and step-by-step
guidance for the Securing Internet design. This design includes securing internet access for mobile
users and for remote sites.

• SASE Secure Internet Policy Design: Solution Guide—Describes best-practice policy design and
deployment detail for securing internet services by using Cloud Managed Prisma Access.

• Securing SaaS with the Next-Generation CASB—Presents a detailed discussion of the available design
considerations and options for securing SaaS applications.

• Identity-Based and Posture-Based Security for SASE—Provides an overview of how the Palo Alto
Networks SASE platform obtains and uses identity and device-posture information. This guide also
provides design and deployment guidance for applying identity-based and posture-based policies
in a SASE environment.


Introduction
With the emergence of the hybrid workforce, the number of SaaS applications used in enterprises has
increased dramatically. Instead of purchasing applications and running them in their data centers,
organizations are increasingly subscribing to applications that external vendors host and maintain.
These SaaS applications, originally used for niche purposes, are now used for mission-critical business
functions, such as documentation, data storage, collaboration, payroll, human resources, customer
resource management, service tracking, and more.

Microsoft 365 is one of the most popular SaaS applications. It has wide adoption in enterprise, consumer,
and education spaces. It provides several tools and applications to its users for collaboration, productivity,
and security. The users of Microsoft 365 collaborate with each other in real-time by sharing documents,
conducting virtual meetings, and using messaging services. In addition, it is highly secure and meets
several compliance standards. Some of the popular applications are OneDrive, SharePoint, Teams, and
productivity applications such as Word, Excel, and Outlook.

SECURITY CHALLENGES
To secure Microsoft 365, you need to address certain areas, such as access control, data security, and
configuration management. You must manage the risk of not having control of the infrastructure or the
application itself. Users can access the applications from unmanaged devices, bypassing endpoint security
controls. Users can also access the applications from outside the corporate network, bypassing standard
inline protections and controls.

Some of the most common security challenges associated with Microsoft 365 include the following:

• Malware propagation—When Microsoft 365 SaaS users download an infected file to their
computers, the malware can infect other files shared by these users. Because of the automated file-
syncing capabilities between SaaS and endpoints, malware can easily propagate over your entire
organization.

• Advanced threat protection—Infected endpoints that use Microsoft 365 applications put the data in
your Microsoft 365 tenants at risk, and from there they can become backdoor entrances into your
corporate tenants.

• Use of unsanctioned tenants—Your users might have access to other Microsoft 365 accounts, and
when they can upload documents from their other accounts, it creates a data-security risk.

• Security posture management—Microsoft 365 SaaS application configuration parameters change
over time, and administrators can inadvertently misconfigure the applications or fail to implement
security best practices. These incorrect settings can impact data security.

• Securing unstructured data—Microsoft collaboration tools such as Microsoft Teams promote new
communication styles. To quickly convey ideas and information, employees are using shorter, more
frequent messages and sharing screenshots instead of traditional documents. As a result, sensitive
data can be unstructured and increasingly difficult to protect with legacy tools.


SECURITY FOUNDATION
CASB is the most recognized security solution for SaaS applications. It delivers visibility and security
controls across SaaS applications. Legacy CASBs are proxy-based standalone products, disjointed from
the security infrastructure. When deployed with other security controls, they can require complex traffic
redirection and introduce network complexity.

Legacy CASB solutions suffer from the following three limitations:

• Limited application visibility—Because they rely on signature-based recognition developed in
retrospect, legacy CASB solutions cannot provide visibility of new applications.

• Inadequate data protection—They provide inaccurate and limited coverage for data protection.
They discover sensitive data-at-rest via regular expressions (regex) and other traditional methods
that are prone to errors. They don’t offer a real-time mechanism to detect data in the context of
user conversations on collaboration applications.

• Poor security—Originally designed to be used as compliance tools, legacy CASB solutions offer
limited security controls compared to network security solutions. They deliver basic detection of
known malware and miss prevention of unknown and zero-day threats.

Prisma Access is a complete next-generation security platform delivered as a cloud-native service.
It provides secure access to the internet, SaaS, and private applications for both mobile users and
remote sites. Prisma Access supports Zero Trust Network Access (ZTNA) 2.0, delivering least-privilege
application access, continuous trust verification, and continuous security inspection. To protect all data
and secure all applications, Prisma Access supports threat prevention, malware prevention, URL filtering,
DNS security, SSL decryption, and application-based policy capabilities, providing the same level of
security no matter where users are or what resources they are accessing. To support centralized analysis,
reporting, and forensics across users, applications, and locations, Prisma Access stores logs in Cortex®
Data Lake (CDL).

Prisma Access delivers protection at scale with global coverage. You do not have to worry about sizing and
deploying hardware firewalls at branches or building out and managing appliances in colocation facilities.
Prisma Access provides the network infrastructure to connect remote branches, headquarters sites, data
centers, and mobile users without requiring you to build new global security infrastructure and expand
operational capacity. Prisma Access is built in the cloud, leveraging the combined infrastructures of
Amazon Web Services (AWS) and Google Cloud, delivering the first security fabric that provides resilience
by using a multi-cloud architecture.


NG-CASB is a Prisma Access add-on that elevates the state of cloud-delivered SaaS security. With
complete visibility, real-time data protection, and best-in-class security, NG-CASB is the industry’s only
solution that automatically keeps pace with the explosive SaaS growth. In addition to the continuous trust
verification and security inspection provided by Prisma Access, the NG-CASB solution helps secure SaaS
application use in the following four ways:

• Visibility and control—Identify all SaaS applications in use, assess risk, and control access and
features.

• Security posture management—Protect sanctioned SaaS applications from misconfigurations that
put users and data at risk.

• Advanced threat protection—Stop evasive malware inside SaaS applications and detect suspicious
user activities associated with compromised accounts and malicious insiders.

• Data security—Prevent exposure of sensitive data-in-motion to all SaaS applications and data-at-
rest inside sanctioned SaaS applications.

Figure 1 Palo Alto Networks NG-CASB


Design Details
This solution describes how NG-CASB allows you to gain visibility and control of Microsoft 365
applications, ensure data governance and compliance of stored data, and mitigate the risk of data leaks
and threat propagation.

SECURING THE INTERNET WITH PRISMA ACCESS


When your users access the internet (and SaaS applications such as Microsoft 365), your organization can
connect them to a Prisma Access instance in multiple ways:

• Explicit proxy—The mobile user’s web browser is configured to connect to the organization’s
Prisma Access explicit-proxy instance for HTTP or HTTPS access to internet-based SaaS
applications.

• GlobalProtect app—The mobile user has the GlobalProtect® app on their endpoint and connects
to the GlobalProtect portal in order to access the Prisma Access instance for internal, SaaS, and
internet applications.

• Remote-network connection—There is an IPSec tunnel between the Prisma Access compute
location and an IPSec-compliant remote-site device, such as a Prisma SD-WAN ION device.

Figure 2 Prisma Access securing access to the Internet

This guide describes using all connection methods shown above for managed users and providing access
to internet-based applications. For more information about securing internet access with Prisma Access,
see the SASE for Securing Internet: Design Guide.


VISIBILITY AND CONTROL


Prisma Access provides both visibility into the use of Microsoft 365 applications and the ability to control
users’ access to those applications. Key to both visibility and control is App-ID™ functionality. By
inspecting the session and payload information of the traffic traversing Prisma Access, App-ID identifies
applications and granular application functionality. App-ID is always enabled in Prisma Access, ensuring
advanced visibility of all applications.

Prisma Access achieves visibility and control of Microsoft 365 traffic through the following:

• Enabling the default rules provided by Prisma Access to control Microsoft 365 applications

• Enabling decryption for Microsoft 365 application traffic

Note

As described later in this guide, design considerations for decryption differ for
Prisma Access security policy and web security policy.

• Configuring the tenant restriction for Microsoft 365
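The third item, the tenant restriction, addresses the "use of unsanctioned tenants" challenge from the Introduction. The following is an added example and not code from the guide or from Palo Alto Networks: it models how a Microsoft 365 tenant restriction is expressed on the wire. Tenant restrictions (v1) rely on the outbound proxy inserting two HTTP headers, Restrict-Access-To-Tenants and Restrict-Access-Context, into requests bound for the Microsoft login endpoints; Microsoft's identity service then refuses sign-ins to tenants that are not listed. Because the headers go into HTTPS requests, the proxy has to decrypt that traffic, which is why the guide pairs the tenant restriction with decryption. The tenant names and the directory ID below are constructed placeholders, and Prisma Access inserts these headers for you once the feature is configured; the script only makes the mechanism inspectable offline.

```python
"""Added example: model of Microsoft 365 tenant restriction header insertion
and of the resulting sign-in decision. Not the guide's or Prisma Access's code."""

from urllib.parse import urlsplit

# Login endpoints that honour the tenant restriction headers.
LOGIN_HOSTS = {"login.microsoftonline.com", "login.microsoft.com", "login.windows.net"}

# Constructed sample values for the sanctioned tenant list and its directory ID.
SANCTIONED_TENANTS = ["example-corp.onmicrosoft.com", "example-corp.com"]
DIRECTORY_ID = "00000000-0000-0000-0000-000000000000"  # placeholder GUID


def is_login_request(url: str) -> bool:
    """True when the request goes to an endpoint that enforces tenant restrictions."""
    host = (urlsplit(url).hostname or "").lower()
    return host in LOGIN_HOSTS


def add_tenant_restriction_headers(url, headers, tenants=SANCTIONED_TENANTS,
                                   directory_id=DIRECTORY_ID):
    """Return a copy of the request headers with the restriction headers added
    for login traffic only; other destinations must not receive them."""
    out = dict(headers)
    if not is_login_request(url):
        return out
    out["Restrict-Access-To-Tenants"] = ",".join(tenants)
    out["Restrict-Access-Context"] = directory_id
    return out


def sign_in_decision(requested_tenant: str, headers) -> str:
    """Model of the identity service's decision once the headers are present:
    'allowed' for a listed tenant, 'blocked' otherwise, and 'unrestricted' when
    no header was inserted (for example because the session was not decrypted)."""
    allowed = headers.get("Restrict-Access-To-Tenants")
    if allowed is None:
        return "unrestricted"
    listed = {t.strip().lower() for t in allowed.split(",")}
    return "allowed" if requested_tenant.lower() in listed else "blocked"


if __name__ == "__main__":
    login = "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
    hdrs = add_tenant_restriction_headers(login, {"Host": "login.microsoftonline.com"})
    print(hdrs)
    print(sign_in_decision("other.onmicrosoft.com", hdrs))
```

The "unrestricted" outcome is the case to watch for in verification: if login traffic reaches Microsoft without the headers (because it matched a decryption exclusion, for instance), the restriction silently does not apply.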

Security Policy Rules


You obtain visibility and control of Microsoft 365 by using Prisma Access security policy. Defining security
policy rules requires several constructs that help you specify the traffic that you want Prisma Access to
inspect, as well as the security services to apply:

• Using multiple policy objects in a security rule allows you to make the rule base more concise.
Policy objects represent a group of discrete identities that match specific traffic criteria like source,
destination, applications, services, and URL categories.

• Each security rule has an action that allows or denies the traffic that matches the list of policy
objects.

• For allowed traffic, security policy provides additional inspection and enforcement.

This guide discusses both traditional security policy (the interface is similar to PAN-OS® and may appeal
to network security administrators) and web-access security policy (the interface is more suitable to web-
security administrators).

For more information about traditional security policy, see the SASE Secure Internet Policy Design: Solution
Guide.


Web Security

Web Security is a consolidated policy-management interface that’s optimized for web-security
administrators, who use it to secure access to the internet and SaaS applications. Web Security provides a
clear separation of web-access security policy from traditional security policy. Web Security achieves the
same objectives as using traditional security policy but with a separate implementation.

Some key features of Web Security are:

• Consolidated policy management—From a single location, you can define URL and application
access policies for users and security protections. You apply threat-protection settings globally to
all web traffic, which eliminates the need to configure them on a per-policy basis. You can easily
manage SSL decryption from a central location.

• Built-in best practices—The ready-to-use default policy configurations adhere to Palo Alto
Networks best-practice recommendations. To secure web traffic right away, you simply enable Web
Security and push the configuration. You can use the default policies as-is or customize your own.

• Separation of roles and responsibilities—A web-security administrator can manage web-bound
traffic from the Web Security page, while other traffic is enforced according to the policies set in
the Prisma Access security policy. Web-access security policies have built-in security rules that use
best-practices security profiles to protect all users’ web traffic. After you enable Web Security, the
following are automatically enforced:

◦ Decryption for all web traffic—Decrypts all web traffic except that for which you define
exclusions

◦ Threat inspection—Protects against vulnerabilities, detects and controls command-and-
control communication, uses WildFire® to detect unknown malware, and provides DNS security

◦ Global web access—With all threat inspections enabled, allows all web traffic and blocks high-
risk applications and URL categories

You can review web-access security policies in the cloud-managed Prisma Access portion of Strata Cloud
Manager by selecting Manage > Web Security > Web Access Policy. The default tab contains the web-
access policies, and you use a second tab in order to review and deploy SaaS policy recommendations.

Figure 3 Web security


The following figure shows the default web-access policies in web security.

Figure 4 Default web-access policies

Web-access security policies are evaluated before any other security rule. As shown below, web-access
security policies are applied first, and then the other rules are evaluated.

Figure 5 Security policies evaluation sequence


Decryption
Prisma Access uses the SSL forward proxy default configuration to decrypt all outbound internet traffic
from all users. To secure the connection, SSL uses certificates to establish trust between the client and
server. Most commonly, to establish this trust, an organization uses its own public key infrastructure
to generate a trusted signing certificate for Prisma Access. The endpoints must install the Prisma
Access Root CA certificate into their certificate store so that the client session to Prisma Access can be
established. You can use GlobalProtect to install the Trusted Root CA certificate on Windows and macOS
clients. Alternatively, Prisma Access includes built-in signing certificates that you can use for testing.

Figure 6 SSL forward proxy

Security Policy Design


This section presents two design options for defining visibility and control for Microsoft 365:

• Using traditional Prisma Access security policy

• Using Prisma Access Web Security

Both options deliver the same objective, which is to secure Microsoft 365 traffic, but implementation
details for each of them differ. If you are a network security administrator who is familiar with network
security policy, then you should consider using traditional security policy. If you are a web administrator
who is familiar with configuring Web Security policies, then you should consider using Web Security.

Note that if you enable Web Security, then the rules defined via traditional security policy for web-based
traffic are not matched.

Using Traditional Security Policy for Visibility and Control of Microsoft 365

This design describes how you can use Prisma Access to achieve visibility and control for Microsoft 365
applications by using Prisma Access security rules.

Visibility of Microsoft 365 Applications

Microsoft 365 traffic consists of many applications. Prisma Access has App-IDs to match this traffic, and it
also has built-in application groups that group these App-IDs. This section presents the Microsoft application
groups and their corresponding App-IDs. For instance, Table 2 shows the application group Microsoft
365 Access and its corresponding App-IDs: office365-consumer-access and office365-enterprise-access.


Table 1 App-ID for the Microsoft Product Activation application group

App-IDs Description

ms-product-activation This App-ID matches traffic related to license validation procedure used by
Microsoft in all of its Windows operating systems.

Table 2 App-IDs for the Microsoft 365 Access application group

App-IDs Description

office365-consumer-access This App-ID matches consumer offerings from Microsoft 365.

office365-enterprise-access This App-ID matches enterprise offerings from Microsoft 365.

Table 3 App-IDs for the Microsoft 365 Mail Clients application group

App-IDs Description

mapi-over-http This App-ID matches the transport protocol used to connect Outlook and Exchange.

ms-exchange This App-ID matches traffic that transfers and synchronizes email and calendar
information between the server and the user’s client.

rpc-over-http This App-ID matches the Microsoft protocol that Exchange clients use to reach
Microsoft Exchange servers over HTTP.

activesync This App-ID matches the protocol that lets users synchronize their Exchange
mailbox with their mobile device.

Table 4 App-IDs for the Microsoft 365 Services application group

App-IDs Description

ms-office365 This App-ID matches online office and software services related to Microsoft Office
365 suite.

ms-onedrive This App-ID matches traffic going from the client to Microsoft OneDrive. Sub-
applications that are part of ms-onedrive are also matched, such as
ms-onedrive-sharing, ms-onedrive-uploading, ms-onedrive-base, and
ms-onedrive-downloading.

ms-onenote This App-ID matches application traffic related to Microsoft OneNote and
its sub-categories, such as ms-onenote-base, ms-onenote-uploading, and
ms-onenote-downloading.

ms-lync-base This App-ID matches instant messaging client’s traffic for Microsoft Lync and
Microsoft Communicator for Mac.

skype This App-ID matches the real-time interactive traffic of Skype.


Table 5 App-IDs for the Microsoft 365-Dependent Apps application group

App-IDs Description

http-audio This App-ID matches streaming audio used by many media players (e.g., QuickTime,
Windows Media Player, Winamp, Real Media), radio stations, and other audio
applications.

http-video This App-ID matches streaming video used by many media players (e.g., QuickTime,
Windows Media Player, Winamp, Real Media) and other video applications.

ocsp This App-ID matches Online Certificate Status Protocol (OCSP). This protocol is used
for obtaining the revocation status of an X.509 digital certificate.

soap This App-ID matches SOAP protocol which is used for exchanging XML-based
messages.

ssl This App-ID matches Transport Layer Security (TLS) and its predecessor, SSL.

web-browsing This App-ID matches the HTTP protocol.

websocket This App-ID matches WebSocket which provides bi-directional communication over
a single TCP connection.

windows-azure-base This App-ID matches the traffic related to the Microsoft Azure service.

Table 6 App-IDs for the Microsoft Real Time Protocols application group

App-IDs Description

rtcp Monitoring protocol for Real-Time Protocol (RTP)

stun Resolves public IP of a device behind NAT

rtp Network protocol for delivering audio and video over IP networks

Security Policy Rules

By default, Prisma Access comes with the following rules:

• Microsoft Product Activation—This rule matches Microsoft license activation traffic, and it uses
default settings provided by Prisma Access.

• Microsoft 365—The following describes this rule:

◦ This rule matches the office365-consumer-access and office365-enterprise-access applications.

◦ The destination addresses are the Worldwide Any IPv4 and Worldwide Any IPv6 objects, which are
derived from EDLs.

◦ The profile group used in this rule is best-practice-DLP, a custom profile group that has data
protection enabled. We have added data loss prevention (DLP) protection to this rule because the
rule matches files uploaded to or downloaded from Microsoft 365 that may contain sensitive data.

• Microsoft 365 Real Time—This rule matches real-time protocols like rtp and uses default settings.

• Microsoft 365 Catch All—This rule matches dependent applications like ssl and uses default settings.


In these security rules, Prisma Access uses external dynamic lists (EDLs) that are published by the EDL
Hosting Service maintained by Palo Alto Networks. The EDL Hosting Service maintains a list of feed
URLs that contain software-as-a-service (SaaS) application endpoints. Each feed URL contains an EDL
that is checked daily against the publicly available endpoint lists published by the SaaS vendor, in this
case Microsoft for Microsoft 365, so that newly added endpoints are picked up.

These rules are applied in a security policy as shown in the following table:

Table 7 Security rules used to match Microsoft 365 traffic

| Name                         | Destination address | Application group                                                        | Destination URL | Tenant restriction | Action | Profile group     |
| Microsoft Product Activation | any                 | ms-product-activation                                                    | Any             | No                 | Allow  | best-practice     |
| Microsoft 365                | EDL                 | Microsoft 365 Access, Microsoft 365 Mail Clients, Microsoft 365 Services | Any             | Yes                | Allow  | best-practice-DLP |
| Microsoft 365 Real Time      | EDL                 | Microsoft Real Time Protocols                                            | Any             | No                 | Allow  | best-practice     |
| Microsoft 365 Catch All      | any                 | Microsoft 365 - Dependent Apps                                           | EDL             | No                 | Allow  | best-practice     |
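The EDL paragraph and Table 7 together describe a first-match rule base whose destination objects are fed by a daily-refreshed list. The following is an added example, not code from the guide or from Palo Alto Networks, that models both pieces: parsing an IP-type EDL into a matcher (skipping comments and malformed entries so that a bad line in a refreshed feed does not abort the whole update), and first-match evaluation of the four ordered rules of Table 7 against an App-ID and a destination address. The feed contents are constructed sample prefixes, not the real Microsoft 365 feed, and the application groups are taken from Tables 1 through 6. The Catch All rule's destination URL condition (a URL-type EDL) is not modelled; it is treated as matching any destination.

```python
"""Added example: EDL parsing plus first-match evaluation of the Table 7 rule
base. Not the guide's or Prisma Access's code; feed contents are constructed."""

import ipaddress
from dataclasses import dataclass

# Constructed stand-in for an EDL feed: one entry per line, '#' starts a comment.
SAMPLE_M365_EDL = """\
# Constructed sample feed (not real Microsoft 365 prefixes)
203.0.113.0/24
198.51.100.0/25

# a single host entry and a malformed line that must be skipped
192.0.2.10
not-an-address
"""


def parse_ip_edl(text: str):
    """Parse an IP-type EDL into a list of networks; skip blanks, comments and
    malformed lines rather than failing the whole refresh."""
    networks = []
    for line in text.splitlines():
        entry = line.split("#", 1)[0].strip()
        if not entry:
            continue
        try:
            networks.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            continue  # unparseable entry: ignore it
    return networks


def in_edl(address: str, networks) -> bool:
    """True when the address falls inside any prefix of the list."""
    ip = ipaddress.ip_address(address)
    return any(ip in net for net in networks)


# Application groups and member App-IDs as listed in Tables 1 through 6.
APP_GROUPS = {
    "Microsoft Product Activation": {"ms-product-activation"},
    "Microsoft 365 Access": {"office365-consumer-access", "office365-enterprise-access"},
    "Microsoft 365 Mail Clients": {"mapi-over-http", "ms-exchange", "rpc-over-http", "activesync"},
    "Microsoft 365 Services": {"ms-office365", "ms-onedrive", "ms-onenote", "ms-lync-base", "skype"},
    "Microsoft 365 - Dependent Apps": {"http-audio", "http-video", "ocsp", "soap", "ssl",
                                       "web-browsing", "websocket", "windows-azure-base"},
    "Microsoft Real Time Protocols": {"rtcp", "stun", "rtp"},
}


@dataclass
class Rule:
    name: str
    dest: str                  # "any" or "EDL" (destination address object)
    app_groups: list
    action: str = "allow"
    profile_group: str = "best-practice"
    tenant_restriction: bool = False


# The ordered rule base of Table 7 (URL-EDL condition of the Catch All rule omitted).
RULES = [
    Rule("Microsoft Product Activation", "any", ["Microsoft Product Activation"]),
    Rule("Microsoft 365", "EDL",
         ["Microsoft 365 Access", "Microsoft 365 Mail Clients", "Microsoft 365 Services"],
         profile_group="best-practice-DLP", tenant_restriction=True),
    Rule("Microsoft 365 Real Time", "EDL", ["Microsoft Real Time Protocols"]),
    Rule("Microsoft 365 Catch All", "any", ["Microsoft 365 - Dependent Apps"]),
]


def evaluate(app_id: str, dest_ip: str, rules=RULES, edl_networks=None):
    """First-match evaluation: return the first rule whose application group
    contains the App-ID and whose destination condition holds, or None when no
    rule matches (traffic then continues to the rest of the rule base)."""
    edl_networks = edl_networks if edl_networks is not None else []
    for rule in rules:
        members = set().union(*(APP_GROUPS[g] for g in rule.app_groups))
        if app_id not in members:
            continue
        if rule.dest == "EDL" and not in_edl(dest_ip, edl_networks):
            continue
        return rule
    return None


if __name__ == "__main__":
    nets = parse_ip_edl(SAMPLE_M365_EDL)
    for app, ip in [("ms-onedrive", "198.51.100.5"), ("ms-onedrive", "203.0.114.7"), ("ssl", "203.0.114.7")]:
        hit = evaluate(app, ip, RULES, nets)
        print(app, ip, "->", hit.name if hit else "no match")
```

The second sample case is the one worth noticing: OneDrive traffic to an address outside the EDL matches no Microsoft 365 rule at all, which is the behaviour that separates sanctioned Microsoft endpoints from everything else and is why the feed must be refreshed reliably.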

Decryption Settings in Prisma Access Security Policy

To ensure compatibility across all websites, Prisma Access includes both RSA-signed and ECDSA-signed
certificates. It uses two sets of certificates: a trusted certificate for trusted domains and an untrusted
certificate for untrusted domains. The untrusted certificate ensures that the end user gets a browser error
when the target website presents a certificate signed by a certificate authority that Prisma Access does not
trust.

Figure 7 Certificate settings


Note

SAML authentication for explicit proxy requires decryption. When using
explicit proxy, it is a best practice to decrypt all traffic. For a detailed
description, see the Securing Internet Access by Using Explicit Proxy: Solution
Guide.

If decryption breaks an important website or application, you can add the hostname or use a wildcard
domain as a custom decryption exclusion. If for compliance reasons you want to prevent decryption for
a specific type of application (examples: financial services, government, health, and medicine), you can
configure a bypass based on URL categories. Prisma Access does not decrypt, inspect, or enforce security
policy on traffic that the SSL decryption exclusion list allows or that belongs to a bypassed URL category.

Note

If you add a site to the exclusion list, confirm that the site hosts applications or
provides services that your business requires and document the justification.

The main reasons that websites and applications break when decryption is applied include pinned
certificates, client authentication, incomplete certificate chains, and unsupported ciphers. Pinned
certificates are commonly associated with mobile apps. To eliminate the need to maintain exclusions for
the most common websites and applications that cannot be decrypted, Prisma Access contains a list of
predefined exclusions. An example of exclusions is shown in the following figure.

Figure 8 Decryption exclusions

When using Prisma Access decryption, you use a best-practice decryption profile to enforce the
recommended TLS versions, cipher suites, and certificate validations. The best-practice decryption
profiles enforce the following:

• Block sessions based on certificate status, including blocking sessions with expired certificates,
untrusted issuers, or unknown certificate status, and restricting certificate extensions.

• Block sessions that use unsupported versions or cipher suites, or that require client
authentication.

• Define the minimum protocol version and the key exchange, encryption, and authentication algorithms
allowed.


Caution

If you must support an application with weaker protocols or algorithms,
you should create a separate profile that is associated with only the required
applications.

The following figure shows how Prisma Access applies a best-practice decryption profile in order to
enforce the above-mentioned settings.

Figure 9 Decryption settings used in Prisma Access

Note

SAML authentication for explicit proxy requires decryption. When using
explicit proxy, it is a best practice to decrypt all traffic. For a detailed
description, see Securing Internet Access by Using Explicit Proxy.


Decryption for Microsoft 365 Traffic

By default, Prisma Access does not decrypt Microsoft 365 traffic. To support decryption, we recommend
that you create a rule that decrypts Microsoft 365 traffic. In this design, we have created a rule called
Decrypt Catch All that decrypts all traffic other than what rule one matches, which includes Microsoft 365
traffic.

Figure 10 Decryption policy


Decryption for Android Devices

As explained in the “Decryption” section, you should install Prisma Access certificates on endpoints.
However, Android devices don’t allow importing external certificates into their store. As a result, you
can’t decrypt traffic from Android devices. Because of this constraint, we recommend that you disable
decryption only for Android devices. Prisma Access supports this by identifying Android devices by using
Host Information Profile (HIP) objects.

A HIP object might have a single attribute, such as host device operating system, or a combination of
attributes, such as hostname, host id, serial number, and many others. By default, Prisma Access supports
many HIP objects, as shown in the following figure.

Figure 11 HIP objects in Prisma Access


You can group multiple HIP objects together in a HIP profile. For instance, you can create a HIP profile
that matches a specific Windows version, verify that an antivirus application is running, and verify disk
encryption.

Figure 12 HIP profiles in Prisma Access

The GlobalProtect app collects information about the device hosting it, and then the app submits this
information to the GlobalProtect gateway. The gateway matches the raw information submitted by
GlobalProtect against your HIP objects and HIP profiles. If it finds a match, it generates an entry in the
HIP Match log. If it finds a HIP profile match in a policy rule, it enforces the corresponding security
policy.


In this design, you create a HIP profile that consists of HIP objects that match for Android devices, and
you use that match in the decryption policy. When the decryption policy matches Android devices, it does
not decrypt the traffic.

Figure 13 Android no-decrypt policy

Using Web-Access Security Policy for Visibility and Control of Microsoft 365

Web Security provides a simplified and consolidated management experience for administrators who are
focused on securing access to the internet and Microsoft 365 applications.

Visibility of Microsoft 365 Applications

To match Microsoft 365 traffic by using Web Security, you need to create a custom web-access security
policy for matching this traffic. This custom web-access security policy must match the applications
belonging to Microsoft 365. When deploying Web Security, web administrators need not work with
App-IDs directly. Instead, they select applications in their rules. Prisma Access Web Security has a default
application group called Ms Office 365. This application group matches several applications belonging to
Microsoft 365.


Table 8 Applications pertaining to Microsoft 365 traffic

| Applications | Traffic matched |
|---|---|
| Ms Lync Online | Lync, which provides functions (such as messaging, voice, video, and meeting) to users of Skype |
| Ms Outlook | Outlook, an email application |
| Ms Powerbi | Power BI, a set of business-analytics tools |
| Ms Powerpoint | Microsoft PowerPoint, a presentation program |
| Ms Teams | Microsoft Teams, a platform that combines workplace chat, meetings, notes, and attachments |
| Office On Demand | Office on Demand, which allows users to use Microsoft 365 programs on machines where Microsoft 365 is not installed |
| Outlook Web Online | Outlook Web Online, which allows users to access their email without using a local mail application like Outlook |
| SharePoint | SharePoint, a cloud-based service that allows you to create and manage websites |
| Visual Studio | Visual Studio, a development environment |

Note

For each of these applications, you can control which functions within that
application to allow. For instance, for SharePoint, you can enable sub-functions
such as uploading to it or downloading from it.

Security Policy Rules

To define security policies in Web Security, you define the applications that you want to be matched
(as opposed to App-IDs). Configuring applications makes it easier for web administrators to define
security policies. When you define a security rule, such as the one shown below, and push it, the
applications you defined are converted to App-IDs.

Table 9 Prisma Access web-access security policy

| Policy name | State | Source location | User | Web applications | Advanced settings | DLP protection |
|---|---|---|---|---|---|---|
| Microsoft 365 | Enabled | Any | Any | Ms Office 365 | Antispyware, vulnerability protection, WildFire and malware protection | Yes |

In the above rule, you need to enable DLP protection, which is not part of the default protection. This rule
matches traffic coming from any location and applies advanced settings as shown above.


Tenant Restriction

Tenant restriction ensures that your users can connect only to your tenant rather than to their personal
Microsoft 365 tenants. You can configure tenant restriction in Web Security.

Decryption Settings in Prisma Access Web Security

Web Security has centralized decryption settings that apply to all Web Security policies. The following
figure shows the Web Security default settings.

Figure 14 Web Security decryption policy

The key features of Web Security decryption policy are the following:

• To decrypt sessions, it uses the same certificates used by Prisma Access security policy.

• In the Bypass URL Categories pane, you define the websites that need to be excluded.

• In the Action Options pane, you can choose what action to take when Web Security can’t decrypt
traffic. We recommend that you leave the default option, which is to block the session.


SECURITY POSTURE MANAGEMENT


Human misconfiguration is the most common cause of cloud breaches. The more SaaS applications used
by an organization, the more difficult it is to maintain the security posture across all applications. With
over 75 applications supported and growing, SSPM helps prevent data loss and reduces the risk of security
breaches, using the following capabilities:

• Detection of misconfigurations—Finds misconfigurations by using built-in best practices and
categorizes misconfigurations by severity in order to help you prioritize risks.

• Comprehensive and effortless remediation—Provides misconfiguration alerts and the ability
to remediate issues quickly across applications with one click of a button or manually using
straightforward instructions. Enables you to lock a configuration so that the setting does not
become a misconfiguration in the future.

The SSPM dashboard provides a summary view that allows you to quickly identify the most critical risks.
The dashboard provides information about the total number of failed policies by risk, applications with
the riskiest policy violations, high-risk policy violations, and applications with high-risk accounts.

Figure 15 SSPM dashboard


The policy rules are already built-in. To reduce the alert noise and enable easy prioritization of settings
that require remediation, the results of the policies are grouped by security areas and applications.

Figure 16 Policy status

Each policy provides details into how it maps to application-specific settings. Details for each application
include:

• Configuration setting for each SaaS application instance

• Status of the configuration setting for each SaaS application instance

• Compliance requirement mapping to security standards

• Remediation type (manual or system)

• Links to the application site for additional reference


Figure 17 Detailed policy information

For each of the SaaS application-specific settings, detailed information, references, and remediation
instructions help you to quickly remediate the failed policies. To prevent configuration drift, SSPM
performs continuous monitoring for all settings across all apps. If the best-practice settings do not align
with your policies, you have the option of disabling monitoring for individual settings with application-
instance granularity.


As previously mentioned, Prisma Access Security Posture Management has built-in rules that it uses to
verify the configuration of Microsoft 365. From the dashboard, you can verify the settings related to
Microsoft 365, as shown in the following figure.

Figure 18 Detailed setting information


By selecting Microsoft 365, you can view all the recommendations listed by SSPM, which are shown below.

Figure 19 Microsoft 365 application posture


DATA SECURITY

With the industry’s first cloud-delivered DLP service, this solution provides data protection and
compliance controls consistently across SaaS applications. This solution delivers the following data-
security capabilities:

• Single cloud engine—This solution delivers unified policies for sensitive data everywhere, both at
rest and in transit.

• Highest levels of detection accuracy—This solution automatically detects sensitive content via ML
data classification and an extensive number of described data identifiers using regex or keywords
(examples: credit card or ID numbers, financial records, General Data Protection Regulation
(GDPR), or other data privacy and compliance-related information) and applies customizable data
profiles and Boolean logic to scan for collective types of data.

• Scanning, classification, and protection—This solution analyzes all data stored within SaaS
applications in order to make sure policy violations, exposures, and regulatory compliance are
properly addressed.

• Exposure analysis—To reduce incidents and inaccurate detection, this solution analyzes public,
external, and internal sharing of files, as well as precise context criteria (example: number of
occurrences and pattern logic).

• Exact data matching—An advanced data-fingerprinting method detects specific sensitive data and
prevents exfiltration.

• Secure collaboration applications—Ensuring high accuracy and fewer false positives, this solution
automatically identifies sensitive information even within the context of unstructured users’
conversations by using deep learning, natural language processing, artificial intelligence models,
and advanced optical character recognition (OCR).

• Detection of flexible document properties—Third-party data tagging augments the identification
of sensitive data. This solution also includes file blocking profiles that you can use to prevent file
types from being downloaded, which is an important part of a cloud data protection strategy.

• Automated incident workflows—Policy-based response actions include user alerts and
auto-remediation.

To evaluate the content of data being sent to (data-in-motion) or stored (data-at-rest) in Microsoft 365,
the next-generation CASB solution uses Enterprise DLP. Enterprise DLP is a cloud-based service that is
natively integrated into existing security control points, including SaaS Security Inline (Prisma Access and
NGFW), SaaS Security API, and Prisma Cloud. It provides instantaneous protection for data by applying
consistent data-security policies at scale.

To avoid data loss and data theft, Enterprise DLP discovers, monitors, and protects your sensitive data.
The service detects sensitive data by using a combination of techniques that include regex, keywords, and
ML. The service applies customizable data profiles by using Boolean logic, which provides much more
granular data-matching options and accuracy than just using search patterns. The service contains 1000+
data patterns and 20+ data profiles, including profiles for GDPR, California Consumer Privacy Act (CCPA),
and personally identifiable information (PII), and you can also create your own.

Data security is an important aspect of SaaS security, and one of its key outcomes is to protect
sensitive data from being exposed. The design goals for SaaS data security are the following:

• Prevent disclosure of PII

• Prevent theft of intellectual property information

• Meet compliance with external standards such as GDPR, CCPA, Payment Card Industry Data Security
Standard (PCI DSS), Health Insurance Portability and Accountability Act (HIPAA), and Sarbanes-Oxley (SOX)

• Protect sensitive data from malicious or well-meaning insiders

The process for securing SaaS data is as follows:

1. Identify business-critical data and PII

2. Identify business-required regulatory compliance standards

3. Identify file types and storage locations

4. Choose data profiles based on data patterns and matching logic that meet your requirements

5. Using the data profiles identified, create data-asset policies in order to secure data stored in
Microsoft 365

6. Apply data profiles identified in web-access policies in order to secure data uploads to Microsoft
365

7. Monitor and remediate incidents

Figure 20 Data security process


Data Types
NG-CASB supports a wide variety of applications and the most used file types, such as .csv, .json, .txt,
.doc, .docx, .xls, and more. You should also evaluate the maximum supported file size. For SaaS Security
API support, see Support on SaaS Security API to understand the different file types that SaaS Security API
supports for scanning. For SaaS Security Inline support, see What’s Supported with Enterprise DLP to
identify the different file types supported.

Detection Methods
Sensitive data is often stored or transferred in assets such as files, images, databases, and other forms
where data is typically stored. To determine the presence of sensitive data, NG-CASB performs deep-
scanning techniques on these assets. To that end, NG-CASB uses detection methods such as data patterns,
exact data matching, and optical character recognition.

Data patterns can match API credentials, addresses from different countries, credit card numbers,
Tax IDs, and many other forms of information. To identify content, the data patterns use regex, ML
techniques, and proximity analysis. For instance, they use regex to identify addresses from different
countries and ML techniques to identify legal documents. NG-CASB has more than 1000 pre-defined
data patterns that you can use individually or combined with other data patterns in order to create a
data profile that is then applied to a DLP policy. When the pre-defined data patterns do not provide the
required granularity, you can define custom data patterns that scan content based on regex and proximity
keywords.

The second detection method is exact data matching (EDM). This capability allows NG-CASB to match
exact data values. With extremely high accuracy, EDM detects sensitive information (such as passwords)
and PII (such as social security numbers, medical record numbers, bank account numbers, and credit card
numbers) stored in a structured data source such as databases, directory servers, or structured data files
(.csv and .tsv). The key difference between EDM and data patterns is that data patterns look for
information of a sensitive type, whereas EDM looks for specific known values. To use EDM, you must
create an encrypted hash of the sensitive data and upload it to the DLP engine. After the data is uploaded,
the DLP engine indexes the encrypted hash of the uploaded EDM data sets. EDM supports certain file
types, and there are restrictions on file size. For supported data set formats, see Supported EDM Data Set
Formats.

OCR is the last detection method. After you enable OCR, the DLP engine scans images (such as .jpg, .jpeg,
.png, .tif, and .tiff) that are embedded in container files (such as .pdf, .pptx or .docx). The DLP engine then
extracts text with sensitive information and applies data profiles.

Data Profiles
NG-CASB has built-in data profiles that include match criteria based on data patterns (such as credit
card or ID numbers, financial records, GDPR, or other data privacy-related and compliance-related
information), Boolean logic and match count. Both SaaS Security Inline and SaaS Security API use the data
profiles to protect data. You can use the profiles as-is, or you can create your own.

Palo Alto Networks 31


Design Details

Figure 21 Data profiles in NG-CASB
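A data pattern with strict checking and proximity keywords, combined into a data profile by Boolean logic and match count, as an added example rather than the product's own implementation; the pattern names, thresholds, profile name and sample texts are constructed, and the profile class goes beyond the credit-card case by accepting any grouping of patterns:

```python
"""A credit-card data pattern with strict (Luhn) checking and proximity
keywords, combined into a data profile with match counts and Boolean logic,
in the style described above.  Added illustration, not Palo Alto Networks'
DLP engine; pattern definitions, thresholds and sample texts are constructed."""
import re
from dataclasses import dataclass


@dataclass
class DataPattern:
    name: str
    regex: re.Pattern
    proximity_keywords: tuple = ()  # at least one must appear near a candidate
    window: int = 60                # characters searched on each side
    strict: bool = False            # reject candidates that fail the Luhn check


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: the 'strict checking' that discards random 16-digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def count_matches(pattern: DataPattern, text: str) -> int:
    """Candidates that pass the regex, the Luhn check (if strict) and the
    proximity-keyword test."""
    n = 0
    lowered = text.lower()
    for m in pattern.regex.finditer(text):
        if pattern.strict and not luhn_ok(re.sub(r"\D", "", m.group())):
            continue
        if pattern.proximity_keywords:
            lo, hi = max(0, m.start() - pattern.window), m.end() + pattern.window
            if not any(k in lowered[lo:hi] for k in pattern.proximity_keywords):
                continue
        n += 1
    return n


@dataclass
class DataProfile:
    """Match criteria as groups of (pattern, minimum occurrences): clauses
    inside a group are ANDed, the groups are ORed."""
    name: str
    any_of: list

    def evaluate(self, text: str):
        counts = {}
        for group in self.any_of:
            for p, _ in group:
                if p.name not in counts:
                    counts[p.name] = count_matches(p, text)
        matched = any(all(counts[p.name] >= k for p, k in group) for group in self.any_of)
        return matched, counts


# Constructed patterns; names and thresholds are illustrative, not the product's.
CREDIT_CARD = DataPattern(
    name="Credit Card Number",
    regex=re.compile(r"\b(?:\d[ -]?){15}\d\b"),
    proximity_keywords=("card", "visa", "mastercard", "credit"),
    strict=True,
)
CVV = DataPattern(
    name="CVV",
    regex=re.compile(r"\b\d{3}\b"),
    proximity_keywords=("cvv", "cvc", "security code"),
    window=20,
)

# A card number together with its CVV, or three or more card numbers, matches.
MATCH_CREDIT_CARDS = DataProfile(
    name="Match Credit Cards (constructed)",
    any_of=[[(CREDIT_CARD, 1), (CVV, 1)], [(CREDIT_CARD, 3)]],
)

# Constructed sample texts.  4111 1111 1111 1111, 5500 0000 0000 0004 and
# 4012 8888 8888 1881 are published test numbers that pass Luhn;
# 1234 5678 9012 3456 does not, so strict checking drops it.
SAMPLE_WITH_CVV = (
    "Customer card: 4111 1111 1111 1111, exp 12/26, CVV 123. "
    "Order ref 1234 5678 9012 3456 shipped."
)
SAMPLE_SINGLE_CARD = "Card ending 4111 1111 1111 1111 was charged."
SAMPLE_THREE_CARDS = (
    "Cards on file: 4111 1111 1111 1111, 5500 0000 0000 0004, 4012 8888 8888 1881."
)
```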

Securing Data-in-Motion
This section describes how you can secure Microsoft 365 applications by using traditional security policy
or Web Security. Both methods achieve the same objective, which is to secure Microsoft 365 traffic, but
they differ in implementation details. Traditional web administrators might prefer to use Web Security,
but network security professionals might prefer to use the Prisma Access Security Policy.

Using Traditional Security Policy

If you are using traditional Prisma Access security policy for applying data security, then you need to
apply a data profile to a security rule defined in Prisma Access. As discussed in the “Visibility and
Control” section, Prisma Access supports four rules for matching Microsoft 365 traffic. Among the four
rules, the rule named Microsoft 365 matches assets uploaded or downloaded to Microsoft 365 applications.
Hence, we recommend that you add the data profile to a custom profile group and attach the profile group
to that security rule.


For instance, in this guide, the default profile group is best-practice. In this design, you therefore create
a new custom profile group called best-practice-DLP, which includes the data profile Match Credit Cards
Inline. You apply this profile group to the security rule Microsoft 365.

Figure 22 Sample custom profile group for traditional security policy

Using Web Security

SaaS Security Inline secures data-in-motion, enabling content inspection for assets that are uploaded
to Microsoft 365 applications. The data profiles can be applied either to web-access security policy or to
Prisma Access rules. This section describes how you can apply a data profile to web-access policies. When
a user uploads an asset to any SaaS application, Prisma Access inspects the asset in-line by using the DLP
data profile assigned to a web-access security policy.

To enable DLP, you need to apply a data profile to the web-access security policy. In the example shown
below, the data profile Match Credit Cards Inline is applied to inspect files uploaded to Microsoft 365.
By applying this DLP policy, you scan your assets to see whether any credit card information is present
in them.

Figure 23 Sample custom web-access policy


Securing Data-at-Rest
When using Microsoft 365 applications, users can upload files from their unmanaged devices, bypassing
inline protections. To protect data assets in Microsoft 365, NG-CASB continuously scans assets by
using pre-defined or custom data-asset policies. Data-asset policies detect and remediate any sensitive
information present in SaaS-stored assets. The data-asset policies can generate alerts and can also
take auto-remediation actions. The following sequence describes how NG-CASB can quarantine a sensitive
file uploaded from an unmanaged device:

1. A user mistakenly uploads sensitive information to Microsoft 365.

2. SaaS Security API discovers the file during asset scanning.

3. SaaS Security API sends the file to Enterprise DLP for content scanning and matching configured
data profiles.

4. SaaS Security API quarantines the file according to the configured data-asset policy.

5. Mobile or branch office users are prevented from accessing the quarantined file.

Figure 24 Securing data-at-rest


Data-Asset Policy Definition

For scanning content and assessing risk, NG-CASB includes default data-asset policies. The
data-asset policies match existing data profiles and define actions for notifications and incident creation.
Some of the built-in asset policies include the following:

• Intellectual Property—Scans files for RSA and AWS secret keys and confidential documents that are
at risk of being stored or shared in a way that could result in a loss of intellectual property.

• Financial Information—Scans for financial data including credit card numbers, credit card
magnetic stripe data, international bank account numbers, financial accounting, bank statements,
personal finance, invoices, and other financial documents. By default, SaaS Security API performs
strict checking on credit card numbers in order to reduce false positives.

• PII Compliance—Scans for PII data, such as U.S., Canadian, and international social security
numbers. It also scans for Tax IDs from the U.S., Australia, Canada, Germany, and the UK for both
the Unique Taxpayer Reference and National Insurance Number formats. For each type of personally
identifiable information for which SaaS Security API scans, you can specify the minimum number of
occurrences required to trigger a match. As the number of violations for a specific asset exceeds the
specified threshold, the severity of the risk increases.

• Healthcare Information—Scans healthcare documents for exposure to sensitive or confidential
information, related to Clinical Laboratory Improvement Amendments number, Drug Enforcement
Administration number, and other healthcare documents. SaaS Security API uses ML to classify
information and to detect sensitive information.

• Legal Information—Scans legal documents for exposure to sensitive or confidential information
related to bankruptcy filings, lawsuits, business agreements, mergers and acquisition information,
patents, and other legal documents. SaaS Security API uses ML to classify information and to detect
sensitive information.

• Sensitive Credentials—Scans for key words, phrases, or regex strings that match a specific pattern
or character combination. For example: imported-openssh-key or -----BEGIN RSA

Figure 25 Built-in data-asset policies


You can also create custom data-asset policies by using built-in or custom data patterns and profiles. The
data-asset policies are DLP rules that can match cloud application, exposure, asset type, and data profile.
After you create a policy, when the data matches the policy, the action could be to create an incident or
take any of the following auto-remediation actions:

• Quarantine

• Change sharing

• Notify file owner

Figure 26 Custom data-asset policy

Data Security-Control Policy Definition

To monitor rules in email applications, SaaS administrators can create security-control policies. When
enabled, certain rules can cause data leakage to the outside world. For instance, if there are public email
folders in an application, then users in the same organization (or sometimes belonging to different
organizations) can access it. Having visibility into the existence of such folders reduces the risk of
exposure.


By default, SaaS Security API provides the following policies:

• Public Folders in Email—This policy checks whether there are public folders present in email.

• High Risk Email Forwarding Rules—This policy checks whether there are any rules that forward
emails to high-risk email groups.

• Administrative Access of End Users Inbox—This policy checks whether an email administrator has
access to end-user email boxes.

Figure 27 Built-in security-control policies

Advanced Threat Protection

Microsoft 365 applications introduce new risks that you need to understand and control. To help mitigate
the risks from advanced threats, NG-CASB provides the following capabilities:

• Protection from malware—Microsoft 365 applications automatically synchronize files with users
and third parties, so malware can also spread across the organization. This solution prevents
infected files from residing in Microsoft 365 applications, whether the malware is known or
unknown and regardless of the source of the file. This solution stops the threat at the source before
the threat propagates to other locations.

• Monitoring and detection of suspicious user activity—This solution provides detection of
suspicious activities that could indicate a compromised account or malicious insider.

• Behavioral analytics—This solution identifies high-risk activities such as shared credentials, bulk
data access, suspicious logins, impossible traveler, and more.

• User activity auditing—This solution enables quick and simple investigation and remediation
workflows.


SAAS SECURITY API


This design recommends API-based security to complement inline security for managing the security
posture of the applications and securing the data stored inside them.

The process for securing Microsoft 365 is as follows:

1. Configure internal domains, which are used by SaaS Security API, to identify the exposure level
of shared assets.

2. Review data security policy rules, adding additional rules if needed.

3. Using an administrator account, onboard applications for SaaS Security API and SSPM.

4. Initiate a retroactive scan of the stored assets.

5. Explore discovered and quarantined assets, exposure levels, file types, and user and application
ownership.

6. Review and manage incidents triggered by policies.

7. Review and manage SaaS configuration recommendations.

SaaS Security API is a cloud service that connects directly to Microsoft 365 by using its API. This
connection provides visibility and control over the data and activities within the application. Deploying
SaaS Security API does not require deploying hardware or software on the network or endpoints. Traffic
doesn’t need to be steered to SaaS Security API through agents or proxy PAC file deployments. In fact, all
endpoints are supported, including mobile devices and personal and partner endpoints. Because there is
no added latency in using the Microsoft 365 application, the user experience of using it is unchanged.

SaaS Security API is available globally and can manage multiple SaaS applications, providing consistent
visibility and control across each. Within the managed SaaS application, SaaS Security API visibility and
control even extend to data and activities that originate on personal devices and collaborators who aren’t
part of your organization.


Figure 28 SaaS Security API integration with Microsoft 365

SaaS Security API connects and maintains a connection to Microsoft 365 without storing the
administrator password. However, to configure SaaS Security API to connect, you need an administrator
account in the Microsoft 365 application. When you add the Microsoft 365 application to SaaS Security
API, you are asked to log in to Microsoft 365 as an administrator. SaaS Security API does not store the
login information. Instead, the administrator account is used to grant an OAuth token to SaaS Security
API, which stores the token and uses it to access the application.

Asset Discovery and Visibility

Assets are the content stored in each cloud application. To help you uncover accidental or malicious data
exposure, SaaS Security API provides visibility into the asset inventory. SaaS Security API discovers
the assets stored in the cloud application, assesses the shared or exposed data within and outside your
organization, and identifies the impact or risk to intellectual property and regulatory non-compliance.
In addition to creating an incident and alerting the administrator, the service provides auto-remediation
capabilities, including the option to quarantine, change sharing, or notify the owner.

After connecting to Microsoft 365, to discover all assets inside the SaaS application, you must initiate
a retroactive scan. After the initial scan, SaaS Security API continuously monitors the application and
applies policy against new or modified assets (changes in permissions, location, owners, collaborators,
etc.). If you modify your policies, the new policies apply only to new assets and activities in the
application. To apply new policies to historical data, you must re-authenticate the application.


Giving priority to new assets and activities, the SaaS Security API policy engine evaluates the files and
metadata against the rules and displays the results on the dashboard. Depending on the amount of data
stored in the SaaS application, the scan of historical data and activities might take a while. All discovered
assets are shown in the SaaS Security API data assets screen.

Figure 29 SaaS Security API data assets screen

To find specific assets, you can use the search bar to search by asset name or owner. To identify assets
with common attributes, you can use filters to narrow down the scope of the results. The following filter
criteria are available for searching assets:

• Creators

• Application instance

• Exposure

• Policy

• Data profile

The detailed view of the asset summarizes file name, type, exposure, owner, and last updated. Additional
detailed information on exposure, incidents, and user activity can help you monitor and investigate user
activity.

Figure 30 Asset detailed view

Identifying Internal and External Users

SaaS Security API defines a collaborator as any person who can access, view, preview, download, comment,
or edit a managed asset. SaaS Security API uses the defined internal domains to determine whether the
collaborators on an asset are internal to your organization or if the owner has shared the asset with
external users. SaaS Security API determines this by matching the domain name in each collaborator’s
email address against a defined list of internal domains. You also can configure external users and
domains as trusted, which helps distinguish business partners, contractors, and other third parties who
should be treated differently from generic external users.

Note

Because SaaS Security API uses the internal domains list in order to determine
the exposure level of an asset during the scan process, you must define the
internal domains list before scanning cloud applications.

Exposure Risk Assessment

Gaining visibility into how data is shared allows you to identify data that has been shared publicly, with
the wrong person, or with someone who should no longer have access. Additionally, when you do identify
an issue with sharing, SaaS Security API allows you to look back and see who accessed the data and when.

The exposure level describes how an asset is shared. SaaS Security API uses the following exposure levels
to classify scanned assets:

• Public—SaaS Security API considers an asset public if the repository is public or if the owner created
a public link, vanity URL, or password-protected link for direct access to the asset.

• External—The owner invited one or more users outside the organization to collaborate on the asset.
These are domains that are not configured as internal domains.

• Company—The owner created an organization-wide URL that gives anyone in the organization
direct access to the asset.

• Internal—This exposure level includes assets the owner has not shared. Also, it includes assets
that the owner has shared but only with specific users within the organization. These users have an
email address in the enterprise domain name.

Advanced Threat Protection


Advanced threat prevention capabilities for SaaS Security API help you protect against evasive malware
inside Microsoft 365 applications and detect suspicious user activities associated with compromised
accounts and malicious insiders.

Malware Detection

SaaS Security API uses WildFire to detect both known and unknown malware stored in Microsoft 365. SaaS
Security API scans assets and submits files to WildFire for analysis.

Note

SaaS Security API does not submit any files for processing by default, and you
control which file type categories apply to the WildFire service.

Figure 31 WildFire settings

Suspicious User Activity

SaaS Security API uses a combination of tools, including ML, predefined and user-defined data patterns,
security configuration controls, and event logs that audit user access and activity on each cloud
application. With these tools, it builds context on sensitive data within your environment, identifies
thresholds for expected and unexpected behavior, and uses this intelligence to log a violation or alert you
to risky user behavior and possible data leaks from accidental or malicious user activity.

SaaS Security API offers built-in user-activity policies like the following:

• Risky IP—Detects user activities from IP addresses that are deemed to be malicious. These IP
addresses are determined by threat intelligence from Palo Alto Networks and reputable third-party
feeds. They include Tor exit nodes and IP addresses from bulletproof hosting providers, which can
host and distribute malicious, illegal, and unethical material.

• Bulk Upload—Detects users who are uploading large numbers of files or folders within a short
timeframe, likely indicating malicious intent to compromise your organization’s sensitive data.

• Impossible Traveler—Detects a user accessing an application from two different physical locations
within a timeframe that would be impossible for the user to physically travel.
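To make the three built-in policies above concrete, the following Python runs each detection over a constructed activity log. It is an added example, not SaaS Security API's detection logic: the log lines, the risky-IP feed, and the thresholds are all made up for the demonstration (the bulk-upload limit of 50 per day mirrors the custom policy built in procedure 3.4 of this guide), and the Impossible Traveler check uses a great-circle distance between the coordinates carried in each event.

```python
"""Detect the Risky IP, Bulk Upload and Impossible Traveler patterns in an
activity log.

Constructed example, not SaaS Security API's detection logic. The log lines,
the risky-IP feed and the thresholds are all made up for the demonstration;
the thresholds are assumptions (the bulk-upload limit mirrors the 50-per-day
policy built in procedure 3.4 of this guide).
"""
import math
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed threat-intel feed; 203.0.113.0/24 is a documentation range.
RISKY_IPS = {"203.0.113.7"}

BULK_UPLOAD_LIMIT = 50                  # alert when a user exceeds this many uploads...
BULK_UPLOAD_WINDOW = timedelta(days=1)  # ...within this sliding window
MAX_PLAUSIBLE_KMH = 1000.0              # faster apparent travel than this is impossible

# Constructed sample log: timestamp user action source-ip latitude longitude
SAMPLE_LOG = """
2023-09-01T08:00:00Z alice login  198.51.100.10 37.39 -121.98
2023-09-01T08:05:00Z alice upload 198.51.100.10 37.39 -121.98
2023-09-01T08:06:00Z alice upload 198.51.100.10 37.39 -121.98
2023-09-01T09:30:00Z dave  login  203.0.113.7   51.50   -0.12
2023-09-01T10:00:00Z carol login  198.51.100.11 37.39 -121.98
2023-09-01T10:45:00Z carol login  198.51.100.12 48.85    2.35
"""


def parse_log(text):
    """Parse whitespace-separated log lines into event dicts, oldest first."""
    events = []
    for line in text.strip().splitlines():
        ts, user, action, ip, lat, lon = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user, "action": action, "ip": ip,
            "lat": float(lat), "lon": float(lon),
        })
    return sorted(events, key=lambda e: e["ts"])


def constructed_events():
    """Sample log plus 60 synthetic uploads by bob inside one hour."""
    events = parse_log(SAMPLE_LOG)
    start = datetime(2023, 9, 1, 11, 0, 0)
    for i in range(60):
        events.append({"ts": start + timedelta(minutes=i), "user": "bob",
                       "action": "upload", "ip": "198.51.100.20",
                       "lat": 37.39, "lon": -121.98})
    return sorted(events, key=lambda e: e["ts"])


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points on a 6371 km sphere."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlmb = p2 - p1, math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))


def detect_risky_ip(events):
    """Risky IP: any activity whose source address is on the feed."""
    return [(e["user"], e["ip"]) for e in events if e["ip"] in RISKY_IPS]


def detect_bulk_upload(events):
    """Bulk Upload: users whose uploads in any sliding window exceed the limit.

    Returns {user: peak count seen inside the window}."""
    per_user = defaultdict(list)
    for e in events:
        if e["action"] == "upload":
            per_user[e["user"]].append(e["ts"])   # events are already sorted
    flagged = {}
    for user, times in per_user.items():
        start = 0
        for end, t in enumerate(times):
            while t - times[start] >= BULK_UPLOAD_WINDOW:
                start += 1
            count = end - start + 1
            if count > BULK_UPLOAD_LIMIT:
                flagged[user] = max(flagged.get(user, 0), count)
    return flagged


def detect_impossible_travel(events):
    """Impossible Traveler: consecutive logins too far apart for the elapsed time.

    Returns [(user, km, km_per_hour)]; two distant logins in the same second
    yield an infinite speed and are flagged as well."""
    last_login, hits = {}, []
    for e in events:
        if e["action"] != "login":
            continue
        prev = last_login.get(e["user"])
        if prev is not None:
            km = haversine_km(prev["lat"], prev["lon"], e["lat"], e["lon"])
            hours = (e["ts"] - prev["ts"]).total_seconds() / 3600.0
            speed = km / hours if hours > 0 else math.inf
            if km > 0 and speed > MAX_PLAUSIBLE_KMH:
                hits.append((e["user"], round(km), speed))
        last_login[e["user"]] = e
    return hits
```

In the sample, dave trips Risky IP, bob trips Bulk Upload with 60 uploads in an hour, and carol trips Impossible Traveler by signing in from the San Francisco Bay Area and then from Paris 45 minutes later; alice, with one login and two uploads, matches nothing.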

The following figure shows the pre-defined user-activity policies in SaaS Security API.

Figure 32 Pre-defined user-activity policies

The following figure shows details of Risky IP security policy.

Figure 33 Risky IP security policy

To show the top events for user-activity policies, the SaaS Security API dashboard presents data analytics
of suspicious user activities.

Figure 34 Risky events reported by SaaS Security API

Using the above information, you can drill down on any of these events to find out which users have
triggered the policies.

Figure 35 User-activity details matching the “Risky IP” policy

Figure 36 Geographic locations with suspicious user activities

Deployment Details
This section covers the deployment details for securing Microsoft 365 applications. Many procedures are
examples, and you should adapt them to meet your specific requirements. As previously described, you
have two choices for implementing security policy:

• Prisma Access traditional security rules

• Prisma Access Web Security

If you are a network-security professional, then you might choose to follow Prisma Access security rules.
In contrast, if you are a web-security professional or if you are deploying Microsoft 365 security for the
first time, then you might deploy web security.

Prisma Access supports default profiles that ensure a straightforward deployment of security for
Microsoft 365. For conciseness, this guide does not repeat the default profiles that are built into Prisma
Access. Instead, this guide describes procedures that you need to deploy in order to support the above-
mentioned use cases. We encourage you to read the “Security Profiles” section in the SASE Secure Internet
Policy Design: Solution Guide.

ASSUMPTIONS AND PREREQUISITES


Prisma Access:

• Cloud-managed Prisma Access 4.0.0-Preferred or higher

As part of creating the example policies and recommendations, we tested the following SaaS application
clients:

• Web client on Windows and macOS

• “Thick” standalone clients on Windows and macOS, including:

◦ Outlook for Microsoft 365 on Windows 10 and macOS

◦ OneDrive on Windows 10 and macOS

◦ Teams

• Mobile applications for iOS and Android

◦ Outlook on iOS and Android

◦ OneDrive on iOS and Android

◦ Teams on iOS and Android

Procedures

Configuring Visibility and Control for Microsoft 365

1.1 Access Cloud Manager

1.2 Enable Microsoft 365 Rules

1.3 Create HIP Profile for Android

1.4 Disable Decryption for Android Devices

1.5 Install Certificates for iOS Devices

1.6 Create Data Loss Prevention Profile

1.7 Create a Custom Security Profile Group

1.8 Apply the Custom Security Group to the Security Policy Rules

1.9 Identify Tenant ID

1.10 Configure Tenant Restrictions

1.11 Push Configuration Updates to Prisma Access

Prisma Access provides predefined best-practice security profile rules. These best-practice rules are
already built into the security policy rules and use the strictest security settings recommended by Palo
Alto Networks. For some profile types, you might see rules in addition to the best-practice rules. You can
optionally use these basic settings to, for example, scan applications that are not business-critical or that
you allow for personal use, while continuing to use the strict best-practice rules to enforce your most
sensitive enterprise applications.

Caution

The policies shown in this guide are examples. Each client and operating
system have unique behavior, and the examples shown in this guide might
not support all client implementations. We highly recommend that before
implementing the policies in a production environment, you test these policies
with the clients you plan to support.

1.1 Access Cloud Manager

Strata Cloud Manager provides a single management pane that combines both Prisma Access and Prisma
SD-WAN tasks. In Cloud Manager, you use the left panel to navigate to specific Prisma Access and Prisma
SD-WAN functions. If the left panel is collapsed, to see the text labels that describe each function, you can
expand it by clicking the chevron at the bottom of the left panel.

For effective navigation within Cloud Manager, familiarize yourself with the icons. You access initial setup
tasks using Workflows functions. After the initial setup is complete, you access most operational tasks by
using Manage functions.

Step 1: Log in to Cloud Manager.

Step 2: Familiarize yourself with Cloud Manager, and then click Workflows. The left panel collapses.

When you use Manage functions for Prisma Access, Cloud Manager uses inheritance to maintain certain
configuration parameters. Settings you make at a higher-level configuration scope (Prisma Access) are
also available as read-only within lower-level scopes (for example, GlobalProtect and Service Connections).
Each time you start a session with Cloud Manager, your configuration scope is set to the scope selected in
the previous session. If you choose a different configuration scope, Cloud Manager maintains this choice
across all configuration screens that rely on a configuration scope. To simplify access to the configuration
scope pane, you can pin it and make it persistent. All following procedures in this guide assume that you
have pinned the configuration scope pane.

By default, Cloud Manager uses the Folders tab, which allows you to select configuration scopes for
Prisma Access. For all procedures, this guide assumes you choose scopes from the Folders tab. You do not
use the Snippets tab in this guide.

Step 3: Continuing in Cloud Manager, click Manage > Configuration > NGFW and Prisma Access. The
Overview pane appears.

Step 4: To pin the Configuration Scope pane to the left, click in the Configuration Scope box, and then
click the thumbtack. The Configuration Scope now remains visible in this position for all configuration
screens.

1.2 Enable Microsoft 365 Rules

When you log in to Prisma Access for the first time, the Microsoft 365 rules are disabled. This
procedure shows how to enable the default settings in each of the rules.

Table 10 Default Microsoft 365 rules included in Prisma Access

Name                          Src Zone  Dst Zone  Application group               Service              Action  Profile Group
Microsoft Product Activation  trust     any       ms-product-activation           Application-default  Allow   best-practice
Microsoft 365                 trust     any       Microsoft 365 Access            Application-default  Allow   best-practice-DLP
                                                  Microsoft 365 Mail Clients
                                                  Microsoft 365 Services
Microsoft 365 Real Time       trust     any       Microsoft Real Time Protocols   Application-default  Allow   best-practice
Microsoft 365 Catch All       trust     any       Microsoft 365 - Dependent Apps  Application-default  Allow   best-practice

Step 1: Log in to Cloud Manager, and then navigate to Manage > Configuration > NGFW and Prisma
Access > Security Services > Security Policy.

Step 2: In the Configuration Scope pane, choose Prisma Access.

Step 3: In the Security Policy Rules pane, under Prisma Access - Pre Rules, enable the four rules
pertaining to Microsoft 365.

Step 4: Click the Microsoft Product Activation rule.

Step 5: Select Enabled, and then click Save.

Step 6: Repeat this process for all rules in Table 10.

1.3 Create HIP Profile for Android

Step 1: Navigate to Manage > Configuration > NGFW and Prisma Access > Objects > HIP > HIP Profiles.

Step 2: In the Configuration Scope pane, choose Prisma Access.

Step 3: On the HIP Profiles page, click Add HIP Profile.

Step 4: In the Name box, enter Android.

Step 5: In the Match box, select is-android.

Step 6: Click Save.

1.4 Disable Decryption for Android Devices

Step 1: Navigate to Manage > Configuration > NGFW and Prisma Access > Security Services > Decryption.

Step 2: In the Configuration Scope pane, choose Prisma Access.

Step 3: In the Decryption Policies pane, click Add Rule.

Step 4: In the Name box, enter android-no-decrypt.

Step 5: In the Source pane, under Devices, click Add HIP Profiles.

Step 6: In the HIP Profiles list, select Android.

Step 7: Click Save.

1.5 Install Certificates for iOS Devices

To successfully decrypt traffic from iOS devices, you should install the following certificates on the iOS
devices:

• Forward-Trust-CA

• Forward-Trust-CA-ECDSA

Step 1: Navigate to Manage > Configuration > NGFW and Prisma Access > Security Services > Decryption.

Step 2: In the Decryption Settings pane, click the edit cog.

Step 3: In the Certificate Settings pane, under RSA, click Export.

Step 4: In the Certificate Settings pane, under ECDSA, click Export.

Step 5: Install the above certificates on the iOS devices you want to connect to your sanctioned Microsoft
365 application.

1.6 Create Data Loss Prevention Profile

Now you create a DLP profile that matches credit card data. A DLP profile contains data patterns that
match sensitive information such as credit card numbers, social security numbers, driver's license
numbers, and other forms of personally identifiable information.
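A credit card data pattern is a useful place to see why a DLP profile is more than a regular expression: a bare digit pattern fires on order numbers and phone numbers, so the candidate is validated with the Luhn checksum before it counts as a match. The following Python is an added example, not Prisma Access's own Credit Card Number pattern; the sample text is constructed, the card numbers are well-known test numbers that pass Luhn but belong to no account, and the occurrence threshold is an assumption made to mirror how a profile such as Match Credit Cards Inline would be applied to an upload.

```python
"""Credit-card data pattern: regex candidate plus Luhn checksum, applied the way
an inline DLP profile would evaluate a file or upload body.

Constructed example, not Prisma Access's own data pattern. The sample text is
made up; the card numbers in it are public test numbers that satisfy Luhn.
"""
import re

# 13 to 19 digits, optionally separated by single spaces or hyphens, and not
# embedded in a longer run of digits.
CARD_CANDIDATE = re.compile(r"(?<![0-9])(?:[0-9][ -]?){12,18}[0-9](?![0-9])")

# Constructed sample body: one spaced card, one hyphenated card, a 16-digit
# order reference that fails Luhn, and a phone number that is too short.
SAMPLE_TEXT = (
    "Invoice 2023-09-01: card 4111 1111 1111 1111 exp 12/25, "
    "alt card 5555-5555-5555-4444, order ref 1234567812345678, "
    "phone 408-753-4000"
)


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: double every second digit from the right, sum, mod 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> list:
    """Return the digit strings of every Luhn-valid card candidate in text."""
    hits = []
    for m in CARD_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits


def mask(digits: str) -> str:
    """Keep only the last four digits, as an incident record should."""
    return "*" * (len(digits) - 4) + digits[-4:]


def evaluate(text: str, threshold: int = 1) -> dict:
    """Apply the pattern with an occurrence threshold (assumption: the profile
    matches once at least `threshold` valid numbers are present)."""
    hits = find_card_numbers(text)
    return {
        "match": len(hits) >= threshold,
        "count": len(hits),
        "masked": [mask(h) for h in hits],
    }
```

On the sample text the two test cards match and the order reference and phone number do not; the incident record carries only masked values, so the DLP log itself does not become a second copy of the sensitive data.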

Step 1: Navigate to Manage > Configuration > Data Loss Prevention.

Step 2: In the Data Profiles pane, click Add Data Profile.

Step 3: On the Add a Data Profile dialog box, click With Data Patterns only.

Step 4: In the Primary Rule pane, click Add Data Pattern group.

Step 5: In the Data Profile Name box, enter Match Credit Cards Inline.

Step 6: In the Data Pattern Conditions pane, in the Data Pattern list, choose Credit Card Number, and
then click Save.

1.7 Create a Custom Security Profile Group

Now you create a security profile group called best-practice-DLP. A security profile group combines all
security profiles that you have created or that are available by default. The security profile group allows
you to add all security profiles to a security rule by referencing a single object.

Step 1: Navigate to Manage > Configuration > NGFW and Prisma Access > Security Services > Profile
Groups.

Step 2: In the Configuration Scope pane, choose Prisma Access.

Step 3: In the Profile Groups pane, click Add Profile Group.

Step 4: In the Name box, enter best-practice-DLP.

Step 5: In the Anti-Spyware Profile list, choose best-practice.

Step 6: In the Vulnerability Protection Profile list, choose best-practice.

Step 7: In the URL Access Management Profile list, choose best-practice.

Step 8: In the File Blocking Profile list, choose best-practice.

Step 9: In the WildFire and AntiVirus Profile list, choose best-practice.

Step 10: In the DNS Security Profile list, choose best-practice.

Step 11: In the Data Loss Prevention Profile list, choose Match Credit Cards Inline, and then click Save.

1.8 Apply the Custom Security Group to the Security Policy Rules

Now you deploy the custom security group best-practice-DLP to the security rule Microsoft 365.

Step 1: Navigate to Manage > Configuration > NGFW and Prisma Access > Security Services > Security
Policy.

Step 2: In the Configuration Scope pane, choose Prisma Access.

Step 3: In the Security Policy Rules pane, click Microsoft 365.

Step 4: In the Actions and Advanced Inspection pane, in the Profile Group list, choose best-practice-DLP,
and click Save.

1.9 Identify Tenant ID

This procedure demonstrates how to identify the tenant ID of your organization.

Step 1: Log in to admin.microsoft.com, and then enter your administrator credentials.

Step 2: In the navigation pane on the left, click Show all.

Step 3: In Admin centers, click Azure Active Directory.

Step 4: On the Example page, in the Basic Information pane, note your tenant ID.

1.10 Configure Tenant Restrictions

Next, you configure tenant restrictions for your users. Tenant restrictions limit login access to a specific
Microsoft 365 enterprise instance and block access to all other Microsoft 365 enterprise and consumer
accounts.
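The mechanism behind this procedure is worth understanding, because it explains why the Microsoft 365 rules need decryption and why the Domains list is pre-populated with the sign-in endpoints. Microsoft's tenant restrictions (v1) work by having a TLS-inspecting proxy add two headers to requests for the Azure AD sign-in endpoints: Restrict-Access-To-Tenants, a comma-separated list of permitted tenant names or directory IDs, and Restrict-Access-Context, the directory ID of the tenant that owns the policy; the identity platform then refuses sign-ins to any tenant not on the list. The following Python is an added illustration of that header insertion, not Prisma Access's implementation; the tenant name example.com and the all-zero directory ID are placeholders.

```python
"""Header-based tenant restrictions, the mechanism that procedure 1.10 configures.

Constructed illustration, not Prisma Access's implementation. A TLS-inspecting
proxy adds Restrict-Access-To-Tenants and Restrict-Access-Context to every
request bound for the Azure AD sign-in endpoints; sign-ins to tenants not on
the permitted list are refused by the identity platform. Tenant name and
directory ID values used in tests are placeholders.
"""
import re

# Sign-in endpoints that must be decrypted for header insertion to work; these
# are the domains pre-populated in the Tenant Restrictions tab.
LOGIN_HOSTS = {"login.microsoftonline.com", "login.microsoft.com", "login.windows.net"}

TENANT_ID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$")
DOMAIN_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9-]{1,63}\.)+[a-z]{2,63}$")


def validate_tenant_id(tenant_id: str) -> bool:
    """True for a well-formed directory (tenant) ID, which is a GUID."""
    return bool(TENANT_ID_RE.match(tenant_id.strip().lower()))


def validate_permitted_entry(entry: str) -> bool:
    """Permitted-list entries are tenant domain names or directory IDs."""
    value = entry.strip().lower()
    return bool(TENANT_ID_RE.match(value) or DOMAIN_RE.match(value))


def tenant_restriction_headers(permitted_tenants, context_tenant_id: str) -> dict:
    """Build the two headers; fail loudly on malformed configuration rather
    than emit a policy the identity platform would ignore."""
    if not validate_tenant_id(context_tenant_id):
        raise ValueError(f"context tenant ID is not a GUID: {context_tenant_id!r}")
    bad = [t for t in permitted_tenants if not validate_permitted_entry(t)]
    if bad or not permitted_tenants:
        raise ValueError(f"invalid or empty permitted tenant list: {bad}")
    return {
        "Restrict-Access-To-Tenants": ",".join(t.strip() for t in permitted_tenants),
        "Restrict-Access-Context": context_tenant_id.strip(),
    }


def apply_tenant_restrictions(host: str, headers: dict, permitted_tenants,
                              context_tenant_id: str) -> dict:
    """Return a copy of the request headers, with the restriction headers added
    only when the request is bound for one of the sign-in endpoints."""
    out = dict(headers)
    if host.strip().lower() in LOGIN_HOSTS:
        out.update(tenant_restriction_headers(permitted_tenants, context_tenant_id))
    return out
```

Requests to other Microsoft 365 hosts pass through unchanged; only the sign-in exchange is affected, which is why the Android no-decrypt rule from procedure 1.4 also means tenant restrictions cannot be enforced for those devices.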

Step 1: Navigate to Manage > Configuration > NGFW and Prisma Access > Objects > SaaS App
Management.

Step 2: In the Configuration Scope pane, choose Prisma Access.

Step 3: In the Microsoft 365 pane, click the edit cog.

Step 4: On the Tenant Restrictions tab, next to Domains, verify that the following list of domains for
accessing Microsoft 365 is pre-populated.

Step 5: In the Permitted Tenant List pane, click the + button.

Step 6: Enter your tenant’s name. (Example: example.com)

Step 7: In the Tenant Directory ID box, enter your tenant ID, and then click Save.

Note

The previous procedure shows you how to find your tenant ID.

Step 8: On the top right of the Tenant Restrictions page, click Assign to Security Rules.

Step 9: Under Security Rules, select Microsoft 365 and Microsoft 365 Real Time, and then click Update.

Step 10: Navigate to Manage > Configuration > NGFW and Prisma Access > Security Services, and then
click rule Microsoft 365.

In the URL Category/Tenant Restrictions pane, you should see that tenant restriction is enabled.

1.11 Push Configuration Updates to Prisma Access

Next, you push all of the objects you have configured to Prisma Access.

Step 1: On the SaaS Application Management page, click Push Config, and then click Push.

Step 2: On the Push Config dialog box, in the Description box, enter a description.

Step 3: Select GlobalProtect and Remote Networks, and then click Push.

Note

For this and subsequent procedures, if you are deploying only mobile users or
remote networks, you push the configuration for the connection types in use.

Step 4: On the Jobs dialog box, when the push job result changes to OK, click Done.

Step 5: Navigate to Manage > Configuration > NGFW and Prisma Access > Overview.

Step 6: In the Configuration Scope pane, select Prisma Access, and then in the Config Status pane, watch
for the configuration status to change back to In Sync. This indicates that the configuration push has
completed.

Procedures

Using Web Security to Configure Decryption

2.1 Enable Web Security Management

2.2 Create Microsoft 365 Rule

2.3 Add DLP to Microsoft 365 Rule

2.4 Identify Tenant ID

2.5 Tenant Restrictions for Microsoft 365 using Web Security

2.6 Push Configuration Updates to Prisma Access

Decryption policies determine which traffic is decrypted and which is not. By default, Prisma Access
decrypts any traffic whose URL category is part of groups such as financial-services, government,
health-medicine, and shopping. Similarly, best practices recommend that you decrypt when the URL
categories are part of groups such as parked, questionable, unknown, web-based-email, and webhosting.

In these procedures, you use Web Security to enable decryption for Microsoft traffic originating from
Windows, macOS, and iOS devices. You disable decryption for Android devices.

2.1 Enable Web Security Management

Web Security management integrates with SaaS Security Inline in order to deploy policy
recommendations.

Step 1: In Cloud Manager, navigate to Manage > Configuration > NGFW and Prisma Access > Overview. In
the Configuration Scope pane, select GlobalProtect.

Step 2: In the Web Security pane, click Enable.

Step 3: On the Enable Web Security message, click Enable.

Step 4: Click Push Config, and then click Push.

Step 5: In the Push Config dialog box, in the Description box, enter a description, select Prisma Access,
and then click Push.

Step 6: If you want to enable Web Security for Explicit Proxy, navigate to Manage > Configuration >
NGFW and Prisma Access > Overview, and then in the Configuration Scope pane, select Explicit Proxy and
repeat Step 2 to Step 5.

Step 7: If you want to enable Web Security for Remote Networks, navigate to Manage > Configuration >
NGFW and Prisma Access > Overview, and then in the Configuration Scope pane, select Remote Networks
and repeat Step 2 to Step 5.

2.2 Create Microsoft 365 Rule

In this procedure, you use Web Security in order to configure a security rule for Microsoft 365
applications.

Step 1: Navigate to Manage > Configuration > NGFW and Prisma Access > Security Services > Web
Security.

Step 2: In the Custom Web Access Policies pane, click Add Policy.

Step 3: In the Name box, enter Microsoft 365.

Step 4: In the Allowed Web Application pane, click Add > Add Application.

Step 5: In the Name list, choose Ms Office365.

Many applications are part of the default rule Ms Office365. If you want to select only a
particular application, for instance SharePoint uploading, then complete the next step.

Step 6: In the Allowed Web Application pane, in the App Functions list, unselect Allow All App Functions,
and select option SharePoint Online Uploading, and then click Save.

2.3 Add DLP to Microsoft 365 Rule

Next, you add DLP policy to the Microsoft 365 rule.

Step 1: Navigate to Manage > Configuration > NGFW and Prisma Access > Security Services > Web
Security.

Step 2: In the Custom Web Access Policies pane, click Microsoft 365.

Step 3: In the Allowed Web Applications pane, on the Ms Office365 rule, in the DLP list, choose Match
Credit Cards Inline, and then click Save.

2.4 Identify Tenant ID

This procedure demonstrates how to identify the tenant ID of your organization.

Step 1: Log in to admin.microsoft.com and enter your administrator credentials.

Step 2: In the navigation pane on the left, click Show all.

Step 3: In Admin centers, click Azure Active Directory.

Step 4: On the Example page, in the Basic Information pane, note your tenant ID.

2.5 Tenant Restrictions for Microsoft 365 using Web Security

In this example procedure, you configure tenant restrictions using Web Security.

Step 1: Navigate to Manage > Configuration > NGFW and Prisma Access > Objects > SaaS App
Management.

Step 2: In the Configuration Scope pane, choose Prisma Access.

Step 3: In the Microsoft 365 pane, click the edit cog.

Step 4: On the Tenant Restrictions tab, in the Domains pane, verify that the following list of domains for
accessing Microsoft 365 is already pre-populated.

Step 5: On the Tenant Restrictions tab, in the Permitted Tenant List pane, click the + button.

Step 6: Enter your tenant’s name. (Example: example.com)

Step 7: On the Tenant Restrictions tab, in the Tenant Directory ID dialog box, enter your tenant ID.

Note

The previous procedure shows you how to find your tenant ID.

2.6 Push Configuration Updates to Prisma Access

Next, you push all of the objects you have configured to Prisma Access.

Step 1: Click Push Config, and then click Push.

Step 2: On the Push Config dialog box, select Prisma Access, and then click Push.

Step 3: In the Jobs dialog box, when the push job result changes to OK, click Done.

Step 4: Navigate to Manage > Configuration > NGFW and Prisma Access > Overview.

Step 5: In the Configuration Scope pane, select Prisma Access, and then in the Config Status pane, watch
for the config status to change back to In Sync. This indicates that the configuration push has completed.

Procedures

Configuring SaaS Security for Microsoft 365 Applications

3.1 Onboard Microsoft 365 Applications to Prisma Access

3.2 Configure the Internal Domain

3.3 Create Data-Asset Policy Rule

3.4 Create User-Activity Policy

SaaS Security API is a cloud service that connects directly to Microsoft 365 by using its API. This
connection provides visibility and control over the data and activities within the application. When
you enable SaaS Security API, it discovers assets stored in Microsoft 365, scans them, and analyzes the
risks associated with them based on default or custom data-asset policies. In addition, SaaS Security API
detects any user-activity anomalies. This procedure group shows how to configure SaaS Security API to
secure Microsoft 365.

3.1 Onboard Microsoft 365 Applications to Prisma Access

Now you onboard Microsoft 365 applications to Prisma SaaS.

By onboarding Microsoft 365 applications, Prisma SaaS can perform inspection on the assets uploaded to
Microsoft 365 applications.

Step 1: Navigate to Manage > Configuration > SaaS Security.

Step 2: On the Settings tab, in the Configure pane, select Apps Onboarding.

Step 3: Click Office 365.

Step 4: In the Data Security Instances pane, click Add Instance.

Step 5: Add Microsoft administrator credentials and complete the onboarding process.

Step 6: In the Posture Security Instances pane, click Add Instance.

Step 7: Add the Microsoft credentials to complete the onboarding process.

Step 8: After you have completed onboarding Office 365, verify that both instances of Office 365 are
running: navigate to Manage > Configuration > SaaS Security > Settings, in the Configure pane select
Apps Onboarding, click Office 365, and confirm that both instances show as running.

3.2 Configure the Internal Domain

Now you configure the internal domain to be example.com. Configuring internal domains allows you to
identify data assets that are internal and external to your organization. You configure internal domains in
SaaS Security API.

Step 1: Continuing in the Cloud Manager, navigate to Manage > Configuration > SaaS Security > Settings,
and in the Configure pane, select Manage Domains.

Step 2: In the Internal Domains pane, click Edit.

Step 3: In the Edit Internal Domains dialog box, enter example.com, and then click Save.

3.3 Create Data-Asset Policy Rule

You configure a data-asset policy named Alert on HIPAA Violations. Data-asset policies detect whether
sensitive data is present in SaaS applications. To detect sensitive data, SaaS Security API provides default
policies. In addition to the default policies, SaaS Security API allows you to create custom policies.

In this procedure, you create a custom data-asset policy. This policy is a medium-severity policy, and
it alerts an administrator and logs an incident when a HIPAA violation occurs in the Microsoft 365 SaaS
application.

Note

This procedure assumes that Microsoft 365 is already onboarded to Prisma
Access.

Step 1: Navigate to Manage > Configuration > SaaS Security > Data Security > Policies.

Step 2: On the Data Asset Policies tab, click Add Policy.

Step 3: In the General pane, in the Policy Name box, enter Alert on HIPAA Violations.

Step 4: In the Description box, enter Alert on HIPAA Violations Data Asset Policy.

Step 5: In the Severity list, choose Medium.

Step 6: Set Status to Enabled.

Step 7: In the Match Criteria pane, select Cloud Apps.

Step 8: In the Any Cloud App list, select Choose.

Step 9: In the Select Cloud App list, select Office 365 Example.

Step 10: Select Data Pattern/Data Profile.

Step 11: In the Type list, choose Data Profile.

Step 12: In the Select a Data Profile list, choose PII.

Step 13: In the Action pane, select Log as an incident only, and then click Create.

3.4 Create User-Activity Policy

In this procedure, you create a custom user-activity policy named Uploads to Microsoft 365. This policy
matches uploads to the Microsoft 365 application, and it raises an alert when a user uploads more than 50
times a day. User-activity policies highlight suspicious activities in SaaS applications, such as activity from
risky IP addresses, bulk uploads, and bulk downloads. SaaS Security API has built-in policies to detect
such activities and has options for you to create custom policies. The custom policies allow you to match
granular conditions to define specific user behaviors.

Step 1: Navigate to Manage > Configuration > SaaS Security > Data Security > Policies.

Step 2: On the User Activity Policies tab, click Add Policy.

Step 3: In the General pane, in the Policy Name box, enter Uploads to Microsoft 365.

Step 4: In the Description box, enter Uploads to Microsoft 365 Activity Policy.

Step 5: In the Severity list, select 3 (Medium).

Step 6: Set Status to Enabled.

Step 7: In the Items to Detect pane, select Users.

Step 8: In the Match Criteria pane, in the Sanctioned Applications list, select Office 365 Example.

Step 9: In the User Activity list, select Upload, and then click Create.

Summary
The Palo Alto Networks next-generation CASB solution elevates the state of cloud-delivered SaaS security.
With complete visibility, real-time data protection, and best-in-class security, it’s the industry’s only
solution that automatically keeps pace with the explosive SaaS growth. In addition to the continuous
trust verification and security inspection provided by Prisma Access, the NG-CASB add-on helps secure
Microsoft 365 application in the following four ways:

• Visibility and control—Control Microsoft 365 application traffic.

• Security posture management—Protect Microsoft 365 applications from misconfigurations that
put users and data at risk.

• Data security—Prevent exposure of sensitive data-in-motion and data-at-rest inside Microsoft
365 applications.

• Advanced threat protection—Stop evasive malware inside Microsoft 365 applications and detect
suspicious user activities associated with compromised accounts and malicious insiders.

The NG-CASB design uses cloud-managed Prisma Access in order to provide the following set of
capabilities, which are all integrated into a single management console:

• SaaS Security Inline—SaaS Security Inline uses ACE to retrieve Microsoft 365 application
information and enforce access controls. ACE contains over 55,000 SaaS application IDs and is
adding to the list constantly. To identify new SaaS applications as they become available, ACE uses
ML and crowdsourcing.

• SaaS Security API—Cloud-based service that connects directly to Microsoft 365 applications by
using the cloud application’s API. The service provides asset discovery, data classification, sharing/
permission visibility, user-activity monitoring, and threat detection.

• SSPM—Cloud-based service that connects directly to Microsoft 365 applications by using the
cloud application’s API. Through continuous monitoring, the service helps detect and remediate
misconfigured security settings and best practices in SaaS applications.

• Enterprise DLP—Enterprise DLP is a cloud-delivered solution that comprehensively protects
sensitive data across all networks, clouds, and users. It easily enables data protection and
compliance in minutes, eliminating appliance deployment and ongoing management cycles and
ensuring the most cost-effective enterprise DLP on the market.

HEADQUARTERS
Palo Alto Networks Phone: +1 (408) 753-4000
3000 Tannery Way Sales: +1 (866) 320-4788
Santa Clara, CA 95054, USA Fax: +1 (408) 753-4001
https://www.paloaltonetworks.com [email protected]

© 2023 Palo Alto Networks, Inc. Palo Alto Networks is a registered trademark of Palo Alto Networks. A list of
our trademarks can be found at https://www.paloaltonetworks.com/company/trademarks.html. All other marks
mentioned herein may be trademarks of their respective companies. Palo Alto Networks reserves the right to change,
modify, transfer, or otherwise revise this publication without notice.

You can use the feedback form to send comments about this guide.

B-002173P-1-23b
