Hi Paul and all, yesterday I had a session with TAC cause we've issues with Microsoft Power BI, conditional access policies and users behind remote access VPN. I know it isn't the main scope of this topic but I think I can add some perspective.
Apparently, Microsoft changes its endpoint IPs on a monthly basis (or maybe even in a shorter period), and also when they do update their endpoints, they don't refresh its documentation at the same time (see date published data here https://www.microsoft.com/en-us/download/details.aspx?id=53602 vs. last update from here https://docs.microsoft.com/en-us/microsoft-365/enterprise/urls-and-ip-address-ranges).
As the updatable objects apparently didn't get natted and Microsoft changes its public IPs (so the manual NAT rules I created also didn't match and you can't also add an updatable in a group to get it to the RA encryption domain), my problem was the end user traffic wasn't routed through our gateway, so the conditional access policy denied the access as from Microsoft its detected from "outside" our organization. As per versions, the gateway is on R80.30 and the management in R81.
Long-story short, apparently the answer from the Check Point engineer was: "you will have to get update the IPs all the time Microsoft changes them". I know I can do it in an scripted fashion (download the JSON or CSV, work it through the MGMT API), but nevertheless I think is an unacceptable answer from Check Point, as I believe this isn't a uncommon scenario, specially in these Covid days.
(note aside: I said apparently, because I got this feedback from my local partner, so maybe it could be some lost in translation).
Right now I'm working in the script but I think Check Point R&D should take this issue more seriously, as I believe that an script is only workaround that probably get broken in upcoming upgrades of the platform. I asked my local partner to talk to the Check Point counterpart to maybe ask a RFE or something like this, maybe he could, maybe he couldn't... So, to sum up that's why I'm writing this long post.
But not all are bad news, when I have the script ready, tested and working I will share here as I think another customer will find it handy.