Infrastructure
Applying zero trust principles to your infrastructure means that, as an administrator, you need to take a holistic view of everything that interacts with your organization’s data, including servers, cloud infrastructure and platforms, and development environments.
You can use a tool such as Microsoft Defender for Cloud, which is both a Cloud Security Posture Management (CSPM) and a Cloud Workload Protection Platform (CWPP) product, to evaluate your cloud workloads and platforms and to look for anomalous patterns that may indicate unknown risks, so that your organization is protected from both known and unknown security risks.
Further Reading
For more information on Microsoft Defender for Cloud, see https://learn.microsoft.com/en-us/azure/defender-for-cloud/defender-for-cloud-introduction.
The next section will describe the security and compliance concepts for networking.
Network
Microsoft 365 services are generally accessed over the public internet. This section reviews the ways in which users access the Microsoft 365 service, and how data flows to and is stored in the service.
From a zero trust perspective, it is important to identify all the points on your network that you can secure, as well as the tools that help protect identity, devices, and data as it moves from point to point.
When considering Microsoft 365 in terms of networking, administrators need to grasp the following concepts:
- Connectivity
- Encryption
- Performance
Connectivity
As a cloud service, Microsoft 365 components are not available on the internal network. From the perspective of a network administrator, you must allow internal users to access the internet endpoints for the Microsoft 365 service, which may mean configuring existing appliances such as firewalls and proxy devices.
Endpoints, such as Internet Protocol (IP) addresses or Uniform Resource Locators (URLs), are classified into three categories:
- Optimize: This category is required for connectivity to services and represents over 75% of the consumed bandwidth.
- Allow: This category is required for connectivity, but not as sensitive to latency as Optimize endpoints.
- Default: These are endpoints that are treated as normal internet traffic.
Organizations should build network best practices into their Microsoft 365 deployment planning.
Some of the recommended practices are as follows:
- Differentiating Microsoft 365 traffic from normal internet traffic
- Egressing network connections locally so that users will be routed as quickly as possible to the Microsoft network
- Bypassing proxies to reduce the amount of time needed for data to arrive at Office 365 services
Microsoft 365 administrators and network administrators should work together to plan a network connectivity strategy. To help plan effectively, Microsoft provides a web service for obtaining the IP addresses and URLs that are used in the service.
Note
You can find more information about the Office 365 IP address and URL web service at https://learn.microsoft.com/en-us/microsoft-365/enterprise/microsoft-365-ip-web-service.
Microsoft typically recommends bypassing proxy devices for network traffic destined for Microsoft 365.
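The following Python script is an added example, not code from the book or from Microsoft, that ties the endpoint categories (Optimize, Allow, Default) to the proxy-bypass recommendation above: it loads a list of endpoint records, groups them by category, derives firewall allow rules for required Optimize and Allow prefixes only (Default endpoints are left to the normal internet path), and emits the Optimize hostnames as direct (proxy-bypassed) entries in a PAC function. The record field names (`category`, `urls`, `ips`, `tcpPorts`, `udpPorts`, `required`) are an assumption based on the JSON shape the Office 365 IP address and URL web service returns; the records embedded below are constructed samples using documentation address ranges and `.invalid` hostnames, not live data, and the proxy address in the PAC output is a placeholder.

```python
"""Classify Microsoft 365 endpoint records and derive firewall and proxy-bypass entries.

Added example (not from the book or Microsoft). Field names are an assumption about the
endpoint web service's JSON; the records below are CONSTRUCTED samples for offline use.
"""
import ipaddress
import json
from collections import defaultdict

VALID_CATEGORIES = ("Optimize", "Allow", "Default")

# Constructed sample records. In practice you would fetch the live list from the
# endpoint web service (assumed URL: https://endpoints.office.com/endpoints/worldwide).
SAMPLE_ENDPOINTS_JSON = """
[
  {"id": 1, "serviceArea": "Exchange", "category": "Optimize", "required": true,
   "urls": ["outlook.example.invalid"],
   "ips": ["192.0.2.0/24", "2001:db8:10::/48"], "tcpPorts": "80,443"},
  {"id": 2, "serviceArea": "SharePoint", "category": "Optimize", "required": true,
   "urls": ["*.sharepoint.example.invalid"],
   "ips": ["198.51.100.0/24"], "tcpPorts": "80,443"},
  {"id": 3, "serviceArea": "Skype", "category": "Optimize", "required": true,
   "urls": ["*.teams.example.invalid"],
   "ips": ["192.0.2.0/24", "not-an-ip"], "tcpPorts": "443", "udpPorts": "3478-3481"},
  {"id": 4, "serviceArea": "Common", "category": "Allow", "required": true,
   "urls": ["login.example.invalid"], "ips": ["203.0.113.0/24"], "tcpPorts": "443"},
  {"id": 5, "serviceArea": "Common", "category": "Default", "required": false,
   "urls": ["*.cdn.example.invalid"], "ips": [], "tcpPorts": "443"}
]
"""


def parse_ports(spec):
    """Expand a port string such as "80,443" or "3478-3481" into a sorted list of ints."""
    ports = set()
    for part in (spec or "").split(","):
        part = part.strip()
        if not part:
            continue
        if "-" in part:
            lo, hi = (int(p) for p in part.split("-", 1))
            ports.update(range(lo, hi + 1))
        else:
            ports.add(int(part))
    return sorted(ports)


def load_endpoints(text):
    """Parse the JSON list and reject any record whose category is not one of the three."""
    records = []
    for rec in json.loads(text):
        if rec.get("category") not in VALID_CATEGORIES:
            raise ValueError(f"record {rec.get('id')} has unknown category {rec.get('category')!r}")
        records.append(rec)
    return records


def group_by_category(records):
    """Map each category to the ids of the records in it."""
    groups = defaultdict(list)
    for rec in records:
        groups[rec["category"]].append(rec["id"])
    return dict(groups)


def firewall_allow_rules(records):
    """Return sorted (network, protocol, port) tuples for required Optimize/Allow endpoints.

    Default endpoints are ordinary internet traffic, so no rule is produced for them.
    Prefixes that fail to parse are skipped rather than turned into a malformed rule.
    """
    rules = set()
    for rec in records:
        if rec["category"] == "Default" or not rec.get("required", False):
            continue
        for prefix in rec.get("ips", []):
            try:
                net = ipaddress.ip_network(prefix, strict=False)
            except ValueError:
                continue  # e.g. "not-an-ip" in the constructed sample
            for port in parse_ports(rec.get("tcpPorts")):
                rules.add((str(net), "tcp", port))
            for port in parse_ports(rec.get("udpPorts")):
                rules.add((str(net), "udp", port))
    return sorted(rules)


def proxy_bypass_hosts(records):
    """Hostnames in the Optimize category: the latency-sensitive ones to send past the proxy."""
    hosts = set()
    for rec in records:
        if rec["category"] == "Optimize":
            hosts.update(rec.get("urls", []))
    return sorted(hosts)


def pac_bypass_snippet(hosts):
    """Render a PAC FindProxyForURL that returns DIRECT for the given hosts.

    The proxy address is a placeholder; replace it with your organization's proxy.
    """
    lines = ["function FindProxyForURL(url, host) {"]
    for h in hosts:
        lines.append(f'  if (shExpMatch(host, "{h}")) return "DIRECT";')
    lines.append('  return "PROXY proxy.example.invalid:8080";')  # placeholder proxy
    lines.append("}")
    return "\n".join(lines)


if __name__ == "__main__":
    recs = load_endpoints(SAMPLE_ENDPOINTS_JSON)
    print(group_by_category(recs))
    for rule in firewall_allow_rules(recs):
        print(rule)
    print(pac_bypass_snippet(proxy_bypass_hosts(recs)))
```

Running the script against the constructed sample shows why the categories matter operationally: the Optimize records drive both the firewall allow list and the proxy bypass, the Allow record appears only in the firewall rules, and the Default record produces nothing, since it should follow whatever path ordinary web traffic takes. The port-range expansion and the skipped malformed prefix are the two details that most often go wrong when this list is converted by hand.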