SaaS Security - Office 365 Email - Manual Integration

Introduction

The Office 365 onboarding process to Avanan, during which customers bind their Office 365 environment to Avanan, can be executed either automatically or manually.

In automatic mode, you approve the Office 365 App in the SaaS Apps Store on your portal, and Avanan applies all configuration changes. Any subsequent change to the Office 365 policies on your portal is automatically reflected in the Office 365 environment.

In manual mode, Avanan applies no changes to the Office 365 environment; every change must be implemented manually. Likewise, any change to the Office 365 policies on your portal must be implemented manually in the Mail Flow rules.

Note - Automatic mode for onboarding allows for better maintenance, management, and smoother user experience. Avanan recommends only using Manual mode as a last resort. Before using the Manual mode, contact Avanan Support to help resolve any issues raised with the Automatic mode for onboarding.

Note - In some configurations we refer to {portal}, this is an indication of your portal name. For example, if your portal is customer-x.avanan.net, then you will need to replace ‘{portal}’ with ‘customer-x’.

Manual Integration with Office 365 Mail - Required Permissions

You can choose the Manual mode of integration when you do not want Avanan to automatically add and manage Mail Flow rules, connectors, and other Microsoft configurations for your organization.

Because Avanan does not manage these configurations, Manual mode requires fewer permissions than Automatic mode.

Permissions required from Office 365 for manual integration, and the functions Avanan performs with each permission:

Read directory data
Access directory as the signed in user
  Used for:
  • Mapping users to groups to properly assign policies to users.
  • Baselining the active users to detect impersonation attempts.
  • Mapping users to titles, departments and more to determine whether a user is a VIP user.

Read contacts in all mailboxes
  Used for baselining social graphs and communication patterns for accurate phishing detection.

Read user mailbox settings
Read all user mailbox settings
Read and write mail in all mailboxes
  Used for continuously monitoring mailbox settings to detect indications of account compromise, such as changes to MFA settings, forwarding rules and many more.

Read all groups (preview)
Read and write all groups
  Used for mapping users to groups to properly assign policies to users.

Read all directory RBAC settings
  (Reserved for future release) Used to allow administrators to disable users or reset their password.

Read all users' full profiles
  Used for:
  • Mapping users to groups to properly assign policies to users.
  • (Reserved for future release) Allowing administrators to disable users or reset their password.

Read activity data for your organization
  Used for:
  • Getting user login events, Microsoft Defender events and others to present login activities and detect compromised accounts (Anomalies).
  • Getting Microsoft detection information to present for every email.

Read service health information for your organization
  Reserved for future releases.

Send mail on behalf of others
  Used for sending notifications to end users in scenarios where SMTP delivery is technically not available. This includes phishing, malware and DLP notifications.

Read and write user and shared mail
Read and write user mail
Use Exchange Web Services with full access to all mailboxes
  Used for:
  • Enforcing Detect and Remediate policy rules, where emails are quarantined or modified post-delivery.
  • Allowing administrators to quarantine emails that are already in the users' mailboxes.
  • Baselining communication patterns as part of Learning Mode.
  • Retroactive scan of emails already in users' mailboxes immediately after onboarding.

Send mail as a user
Send mail as any user
  Used for sending notifications to end users in scenarios where SMTP delivery is technically not available. This includes phishing, malware and DLP notifications.

Authorize the Manual Integration Application

  1. From the Getting Started Wizard, click Start for Office 365 Mail.
    or
    From the left panel, click Security Settings > SaaS Applications.
  2. Click Start for Office 365 Mail.
  3. Select Manual mode of operation.
  4. In the Office 365 Authorization window that appears, sign in with your Microsoft Global Administrator credentials.
  5. In the authorization screen, click Accept to grant permissions for AVANAN Cloud Security Platform - Emails - Manual Mode application.
    For more information about permissions, see Required Permissions for Manual Mode.

Content

Policy Modes

These are the supported policy modes:

  • Monitor - monitors the emails and creates the relevant event.
  • Detect and Prevent - creates an event, and also performs retroactive enforcement for Inbound emails already delivered to users.
  • Inline - All emails are reviewed before delivery to the user.

Monitor and Detect and Prevent have the same configuration in Office 365.

Inline Mode - Integration Steps

  1. Connectors
  2. Creating connector filter
  3. Journal Rule
  4. Create Inline Outbound Connectors
  5. Create Inline rules
  6. Transport Rules - Inline Mode

Step 1: Connectors

In this step, you define two connectors:

  • Journaling Outbound - For Monitoring mode. Required in all modes.
  • Inbound connector - For all modes.

These connectors send traffic to and receive traffic from the Avanan cloud. The additional connectors used for Inline mode are described in Step 4.

Create new connectors

In the Exchange admin center, go to Mail flow > connectors.

Create the connectors below using the configuration given for each.

1.1 Inbound Connector

To configure the inbound connector

  1. For From, select Partner organization.
  2. For To, select Office 365.
  3. Click Next.
  4. For Name, enter Avanan Inbound.
  5. For Description, enter Avanan Inbound Connector.
  6. For What do you want to do after the connector is saved?, select Turn it on.
  7. Click Next.
  8. For How do you want to identify the partner organization, select Use the sender's IP address.
  9. Click Next.
  10. Under Specify the sender IP address range, click the + icon.
    • If your data residency is in the United States, enter this IP address: 35.174.145.124
    • If your data residency is in Europe, enter this IP address: 52.212.19.177
    • If your data residency is in Canada, enter this IP address: 15.222.110.90
    • If your data residency is in United Arab Emirates, enter this IP address: 3.29.194.128
  11. Click OK and then Next.
  12. Under What security restrictions do you want to apply?, select Reject email messages if they are not sent over TLS.
  13. Click Next.
  14. In the Settings Confirmation window, make sure your settings are correct before you click Save.
    [Screenshot: 1.1 Inbound Connector settings]

1.2 Journaling Outbound Connector 

To configure the outbound connector

  1. For From, select Office 365.
  2. For To, select Your organization mail server.
  3. Click Next.
  4. For Name, enter Avanan Journaling Outbound.
  5. For Description (Optional), enter Avanan Journaling Outbound connector.
  6. For What do you want to do after connector is saved?, select Turn it on.
  7. Click Next.
  8. For When do you want to use this connector?, select Only when email messages are sent to these domains.
  9. Click the + icon to add a new domain: {portal}-mail.avanan.net. Replace {portal} with your portal name.
  10. Click OK and then Next.
  11. Under How do you want to route email messages?, select Route email through these smart hosts.
  12. Click the + icon to add a smart host, and enter the host domain name: {portal}-host.avanan.net. Replace {portal} with your portal name.
  13. Click Save and then Next.
  14. Under How should Office 365 connect to your partner organization's email server?, select Always use Transport Layer Security (TLS) to secure the connection.
  15. For Connect only if the recipient's email server certificate matches this criteria, select Any digital certificate, including self-signed certificates.
  16. Click Next.
  17. Check your settings before validation and click Next.
  18. Click the + icon and enter this email address: {portal}@{portal}-mail.avanan.net. Replace {portal} with your portal name.
  19. Click Validate. Make sure that both connectors were created.
    [Screenshot: 1.2 Journaling Outbound Connector settings]

1.3 DLP inbound connector

To configure the DLP inbound connector

Configure it like the Avanan Inbound connector (section 1.1), with the following changes:

  • For From, select Your organization mail server (step 1).
  • For Name, enter Avanan DLP Inbound (step 4).
  • Under Specify the sender IP address range (step 10), enter the address for your data residency:
    • If your data residency is in the United States, enter this IP address: 3.214.204.1
    • If your data residency is in Australia, enter this IP address: 13.211.69.231
    • If your data residency is in Europe, enter this IP address: 52.212.19.177
    • If your data residency is in United Arab Emirates, enter this IP address: 3.29.194.128
[Screenshot: 1.3 DLP Inbound Connector settings]

Step 2: Creating connector filter

To configure the connector filter:

  1. In the Exchange admin center, go to Protection > Connection filter.
  2. Click the icon to edit the default rule.
  3. Under Connection filtering > IP Allow list, click the + icon.
  4. Under Add allowed IP address, enter the address(es) for your data residency:
    • If your data residency is in the United States, enter these IP addresses: 35.174.145.124, 3.214.204.181
    • If your data residency is in Australia, enter this IP address: 13.211.69.231
    • If your data residency is in Europe, enter this IP address: 52.212.19.177
    • If your data residency is in United Arab Emirates, enter this IP address: 3.29.194.128
[Screenshot: Connection filter IP Allow list]

Step 3: Journal Rule

The journal rule is used for the monitoring mode. The journal rule configures Office 365 to send all emails to Avanan.

Note - Before you create a journal rule, you must specify an account to receive journal reports that cannot be delivered to the journal destination.

Please follow the steps in this guide to configure this mailbox.

The journal rule should be configured as follows:

  1. In the Exchange admin center, go to Compliance management > Journal rules.
  2. Click the + icon to create a new journal rule.
  3. Enter this information in the Journal Rule window:
    • For Send journal reports to, enter {portal}@{portal}-mail.avanan.net. Replace {portal} with your portal name.
    • For Name, enter Avanan - Monitor.
    • For If the message is sent to or received from..., select (Apply to all messages).
      Note - If you plan to use group filters in your setup, select the group you want to include in your policy.
    • For Journal the following messages..., select All messages.
    • Click Save.
      [Screenshot: Journal Rule settings]
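Steps 1 to 3 above are the connector, connection filter and journal rule configuration that Monitoring mode needs. The following Exchange Online PowerShell script is an added example that reproduces those three steps; it is not a script published by Avanan or Microsoft, and the cmdlets and parameters are the standard Exchange Online ones. It assumes the ExchangeOnlineManagement module is installed, that your data residency is in the United States (swap the IP addresses for your region using the lists above), that your portal name is customer-x, and that the journal NDR mailbox address is a placeholder you replace with an existing mailbox in your tenant.

```powershell
# Added example (not Avanan's or Microsoft's documentation): Steps 1-3 of the manual
# integration via Exchange Online PowerShell. Values below are assumptions/placeholders.
$Portal            = "customer-x"            # your portal name, i.e. {portal}
$AvananInboundIP   = "35.174.145.124"        # US (1.1); EU 52.212.19.177, CA 15.222.110.90, UAE 3.29.194.128
$AvananDlpIP       = "3.214.204.1"           # US DLP inbound (1.3); AU 13.211.69.231, EU 52.212.19.177
$ConnFilterIPs     = @("35.174.145.124", "3.214.204.181")   # US allow-list entries from Step 2
$JournalNdrMailbox = "journal-ndr@example.com"              # placeholder: an existing mailbox in your tenant

Connect-ExchangeOnline

# Prerequisite for Step 3: the mailbox that receives undeliverable journal reports
Set-TransportConfig -JournalingReportNdrTo $JournalNdrMailbox

# 1.1 Inbound connector: Partner organization -> Office 365, identified by sender IP,
# rejecting messages that are not sent over TLS
New-InboundConnector -Name "Avanan Inbound" -Comment "Avanan Inbound Connector" `
    -ConnectorType Partner -SenderDomains "*" -SenderIPAddresses $AvananInboundIP `
    -RequireTls $true -Enabled $true

# 1.2 Journaling outbound connector: Office 365 -> your organization mail server, used only
# for the journal domain, routed through the smart host, TLS always, any certificate accepted
New-OutboundConnector -Name "Avanan Journaling Outbound" -Comment "Avanan Journaling Outbound connector" `
    -ConnectorType OnPremises -RecipientDomains "${Portal}-mail.avanan.net" `
    -SmartHosts "${Portal}-host.avanan.net" -UseMXRecord $false `
    -TlsSettings EncryptionOnly -Enabled $true

# 1.3 DLP inbound connector: same as 1.1, but From = your organization mail server
New-InboundConnector -Name "Avanan DLP Inbound" -ConnectorType OnPremises `
    -SenderDomains "*" -SenderIPAddresses $AvananDlpIP -RequireTls $true -Enabled $true

# Step 2: add the Avanan addresses to the default connection filter IP Allow list
Set-HostedConnectionFilterPolicy -Identity Default -IPAllowList @{ Add = $ConnFilterIPs }

# Step 3: journal rule that sends all messages to the Avanan journal address
New-JournalRule -Name "Avanan - Monitor" -JournalEmailAddress "${Portal}@${Portal}-mail.avanan.net" `
    -Scope Global -Enabled $true

# Verify what was created
Get-InboundConnector  | Format-Table Name, ConnectorType, SenderIPAddresses, RequireTls, Enabled
Get-OutboundConnector | Format-Table Name, RecipientDomains, SmartHosts, TlsSettings, Enabled
Get-HostedConnectionFilterPolicy -Identity Default | Format-List IPAllowList
Get-JournalRule       | Format-Table Name, JournalEmailAddress, Scope, Enabled
```

Run the script in a session with Exchange administrator rights. The Validate step of the portal wizard (sending a test message to {portal}@{portal}-mail.avanan.net) has no cmdlet equivalent; after running the script, use Test-MailFlow or send a test message from the portal to confirm the journaling path works. To restrict the journal rule to a group instead of all messages, replace -Scope Global with -Recipient and the group's address, as the note on group filters above describes.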

Step 4: Create Inline Outbound Connectors

Outbound connector

  1. In the Exchange admin center, go to Mail Flow > connectors.
  2. Click the + icon to create a new connector.
  3. Enter this information as the connector details:
    • For From, enter Office 365.
    • For To, enter Partner organization.
    • Click Next.
    • For Name, enter Avanan Outbound.
    • For Description (Optional), enter Avanan Outbound Connector.
    • For What do you want to do after connector is saved?, select Turn it on
    • Click Next.
    • For When do you want to use this connector?, select Only when I have a transport rule to set up that redirects messages to this connector
    • Click Next.
    • For How do you want to route email messages?, select Route email through these smart hosts.
    • Click the + icon to add a smart host: {portal}-host.avanan.net. Replace {portal} with your portal name.
    • Click Save and then Next.
    • For How should Office 365 connect to your partner organization's email server?, select Always use Transport Layer Security (TLS) to secure the connection.
    • For Connect only if the recipient's email server certificate matches this criteria, select Any digital certificate, including self-signed certificates
    • Click Next.
    • Confirm your settings before validation and click Next.
    • Click the + icon and enter this address: {portal}@{portal}-mail.avanan.net. Replace {portal} with your portal name.
    • Click Validate.

DLP Outbound connector

Similar to the Avanan Outbound connector, with the following changes:

  • For To, enter Your organization mail server (step 3.b).
  • For Name, enter Avanan DLP Outbound (step 3.d).
  • Smart host: {portal}-dlp.avanan.net. Replace {portal} with your portal name (step 3.k).

Step 5: Create Inline rules

Create “Avanan - Protect” Inline rule

Use the same configuration as the first mail-flow rule, with these settings:

  1. For Name, enter Avanan - Protect.
  2. For Apply this rule if..., add two conditions:
    • First condition - The sender is located outside the organization.
    • Second condition - The recipient is located inside the organization.
    If necessary, add another condition and specify the groups that should be inline.
  3. For Do the following..., add two actions:
    • First action - Set a message header:
      • For Set the message header, enter this key: X-CLOUD-SEC-AV-Info
      • For to the value, enter this value: {Portal},office365_emails,inline
    • Second action - Use the following connector, select the Avanan Outbound connector.
  4. For Except if..., add the following exception:
    • Sender's IP address is in the range:
      • If your data residency is in the United States, enter this IP address: 35.174.145.124
      • If your data residency is in Europe, enter this IP address: 52.212.19.177
      • If your data residency is in Canada, enter this IP address: 15.222.110.90
      • If your data residency is in United Arab Emirates, enter this IP address: 3.29.194.128
    Note - If you have other inbound connectors using IP addresses, add their IP addresses to this list.
  5. Select the checkbox for Stop processing more rules.
  6. Click Save.
  7. Make sure that the Avanan - Protect rule is configured as shown:
    [Screenshot: Avanan - Protect inline rule]

Protecting Microsoft 365 Group Mailboxes 

To protect group mailboxes, add the mailboxes to the Protect rule as a recipient or as a member of a Distribution List in the scope of the rule.

Create “Avanan - Protect Outgoing” Inline rule

Configure it like the Avanan - Protect rule, with the following changes:

  • For Apply this rule if..., add two conditions (step 2):
    • First condition - The sender is located inside the organization.
    • Second condition - The recipient is located outside the organization.
  • For Do the following..., add two actions (step 3):
    • First action - Set a message header:
      • For Set the message header, enter this key: X-CLOUD-SEC-AV-Info
      • For to the value, enter this value: {Portal},office365_emails,sent,inline
    • Second action - Use the following connector, select the Avanan DLP Outbound connector.
  • For Except if..., add the following exception (step 4):
    • Sender's IP address is in the range:
      • If your data residency is in the United States, enter these IP addresses: 35.174.145.124, 3.214.204.181
      • If your data residency is in Australia, enter this IP address: 13.211.69.231
      • If your data residency is in Europe, enter this IP address: 52.212.19.177
      • If your data residency is in United Arab Emirates, enter this IP address: 3.29.194.128

Step 6: Transport Rules - Inline Mode

The purpose of the transport rule is to implement the inline mode for the users that need to be inline. Every time you change the scope of the inline policy (add or remove users/groups) you need to edit the scope of the transport rule accordingly.

Junk Filter rule

To configure the Avanan Junk filter rule

  1. For Name, enter Avanan - Junk Filter.
  2. For Apply this rule if..., add two conditions:
    • First condition - A message header matches these patterns: for the header enter X-CLOUD-SEC-AV-SPAM-HIGH, and for the text patterns enter true.
    • Second condition - Sender's IP address is in the range:
      • If your data residency is in the United States, enter this IP address: 35.174.145.124
      • If your data residency is in Europe, enter this IP address: 52.212.19.177
      • If your data residency is in Canada, enter this IP address: 15.222.110.90
  3. For Do the following…, select Modify the message properties and then set the spam confidence level (SCL) to 9.

Junk Filter Low rule

To configure the Avanan Junk Filter Low rule

  1. For Name, enter Avanan - Junk Filter Low.
  2. For Apply this rule if..., add two conditions:
    • First condition - A message header matches these patterns: for the header enter X-CLOUD-SEC-AV-SPAM-LOW, and for the text patterns enter true.
    • Second condition - Sender's IP address is in the range:
      • If your data residency is in the United States, enter this IP address: 35.174.145.124
      • If your data residency is in Europe, enter this IP address: 52.212.19.177
      • If your data residency is in Canada, enter this IP address: 15.222.110.90
      • If your data residency is in United Arab Emirates, enter this IP address: 3.29.194.128
  3. For Do the following…, select Modify the message properties and then set the spam confidence level (SCL) to 6.

Whitelist rule

To configure the Avanan whitelist rule

  1. For Name, enter Avanan - Whitelist.
  2. For Apply this rule if..., Sender's IP address is in the range:
    • If your data residency is in the United States, enter this IP address: 35.174.145.124
    • If your data residency is in Europe, enter this IP address: 52.212.19.177
    • If your data residency is in Canada, enter this IP address: 15.222.110.90
    • If your data residency is in United Arab Emirates, enter this IP address: 3.29.194.128
  3. For Do the following..., select Set the spam confidence level (SCL) to... and choose Bypass spam filtering.
  4. For Except if..., select A message header matches these text patterns.
  5. For the header, enter X-CLOUD-SEC-AV-SCL, and for the text patterns enter true.
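Steps 4 to 6 above add the inline outbound connectors and the mail flow rules that route mail through Avanan and act on its verdict headers. The following Exchange Online PowerShell script is an added example that reproduces those steps; it is not a script published by Avanan or Microsoft, and the cmdlets and parameters are the standard Exchange Online ones. It assumes an existing Exchange Online session (Connect-ExchangeOnline), United States data residency (swap the IP addresses for your region using the lists above) and a portal name of customer-x. The sender-IP condition on the junk and whitelist rules matters: it ties the X-CLOUD-SEC-AV-* headers to mail that actually arrived from the Avanan connector, so a header value alone is not trusted.

```powershell
# Added example (not Avanan's or Microsoft's documentation): Steps 4-6 of the manual
# integration via Exchange Online PowerShell. Values below are assumptions/placeholders.
$Portal       = "customer-x"                            # your portal name, i.e. {portal}
$AvananIPs    = @("35.174.145.124")                     # US; EU 52.212.19.177, CA 15.222.110.90, UAE 3.29.194.128
$AvananDlpIPs = @("35.174.145.124", "3.214.204.181")    # US exception list for the outgoing rule (Step 5)

# Step 4: inline outbound connectors, used only when a mail flow rule redirects to them
New-OutboundConnector -Name "Avanan Outbound" -Comment "Avanan Outbound Connector" `
    -ConnectorType Partner -IsTransportRuleScoped $true `
    -SmartHosts "${Portal}-host.avanan.net" -UseMXRecord $false `
    -TlsSettings EncryptionOnly -Enabled $true

New-OutboundConnector -Name "Avanan DLP Outbound" -ConnectorType OnPremises `
    -IsTransportRuleScoped $true -SmartHosts "${Portal}-dlp.avanan.net" -UseMXRecord $false `
    -TlsSettings EncryptionOnly -Enabled $true

# Step 5: inline rules. The sender-IP exception keeps mail that Avanan has already returned
# through the inbound connector from being redirected to Avanan a second time.
New-TransportRule -Name "Avanan - Protect" `
    -FromScope NotInOrganization -SentToScope InOrganization `
    -SetHeaderName "X-CLOUD-SEC-AV-Info" -SetHeaderValue "${Portal},office365_emails,inline" `
    -RouteMessageOutboundConnector "Avanan Outbound" `
    -ExceptIfSenderIpRanges $AvananIPs -StopRuleProcessing $true

New-TransportRule -Name "Avanan - Protect Outgoing" `
    -FromScope InOrganization -SentToScope NotInOrganization `
    -SetHeaderName "X-CLOUD-SEC-AV-Info" -SetHeaderValue "${Portal},office365_emails,sent,inline" `
    -RouteMessageOutboundConnector "Avanan DLP Outbound" `
    -ExceptIfSenderIpRanges $AvananDlpIPs -StopRuleProcessing $true

# Step 6: verdict rules. Both conditions must hold: the Avanan header AND an Avanan sender IP.
New-TransportRule -Name "Avanan - Junk Filter" `
    -HeaderMatchesMessageHeader "X-CLOUD-SEC-AV-SPAM-HIGH" -HeaderMatchesPatterns "true" `
    -SenderIpRanges $AvananIPs -SetSCL 9

New-TransportRule -Name "Avanan - Junk Filter Low" `
    -HeaderMatchesMessageHeader "X-CLOUD-SEC-AV-SPAM-LOW" -HeaderMatchesPatterns "true" `
    -SenderIpRanges $AvananIPs -SetSCL 6

# SCL -1 is "Bypass spam filtering"; skipped when the X-CLOUD-SEC-AV-SCL header is "true"
New-TransportRule -Name "Avanan - Whitelist" `
    -SenderIpRanges $AvananIPs -SetSCL -1 `
    -ExceptIfHeaderMatchesMessageHeader "X-CLOUD-SEC-AV-SCL" -ExceptIfHeaderMatchesPatterns "true"

# Verify rule order and state; Protect rules stop processing, so they must sit above
# any rule that should not run for redirected mail
Get-TransportRule | Sort-Object Priority | Format-Table Priority, Name, State, FromScope, SentToScope
Get-OutboundConnector | Format-Table Name, IsTransportRuleScoped, SmartHosts, TlsSettings, Enabled
```

New-TransportRule appends each rule at the lowest priority; if your tenant already has rules, review the Get-TransportRule output and adjust with Set-TransportRule -Priority so the two Protect rules evaluate before other rules that must not see unscanned mail. When you later change the scope of the inline policy on the portal, edit the Protect rules (for example with Set-TransportRule -SentToMemberOf for a group) rather than creating new ones, matching the scope note in Step 6.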

Monitoring Mode - Integration Steps

Monitoring mode requires only these steps:

  1. Inbound connector
  2. Creating connector filter
  3. Journal Rule