First things first, we're about to discuss Microsoft Office 365 which is in a constant state of change, so if you have experience that dates back more than a couple of weeks please re-test your experiences before posting.
Secondly, please keep this on topic, I need to get this resolved properly so it's important (to me) that this thread does not get de-railed.
I am rolling out Office365 on a number of sites simultaneously. We use R80.30 on all relevant sites, I have HTTPS inspection enabled (considered essential by per numerous SK articles - and my own opinion). Almost all of O365 works fine and the broken bits (such as Teams file transfer) broken by HTTPS inspection) don't matter to me at this time.
What is a genuine and major problem is this:
Microsoft being who and what they are, conflate 'outlook.com' and 'office.com' entry points to their ecosystem in such a way that if we allow users to access 'Microsoft & Office365 Services' as a Check Point application category users can access all O365 applications as we have configured them corporately but *also* their own personal <name>@outlook.com webmail! This insane situation is discussed all over the Internet and no useful conclusions are every reached. There are suggested GPO solutions but these only affect Outlook the application and not the Web Mail. Some posts suggest blocking all webmail, this is of course nonsense!
The Check Point App wiki seems to present a solution: there are specific categories for Personal MS web mail and corporate or Office365 (proper) webmail. The problem is, that either these never worked or something has changed at the MS side rendering these ineffective...
The Check Point app wiki recognises these:
specifucally the 'Microsoft Outlook--web' app. which is described as the personal/free email. Then it shows the 'Office365-Outlook' which is the corporate/enterprise or small business version.
This is perfect, we can control what we need - allowing the Office365-outlook and the Office365-Outlook-web to the newly cloudified email for the organisation while wisely blocking all personal email accounts in the OUTLOOK.COM ecosystem....
with the one (new) problem that (probably due to something horrific that Microsoft have done) the access to a personal Outllok.com account looks like this in the Check Point logs:
So, what this means is, we cannot block the personal web mail while allowing all the required O365 corporate email and webmail.
Check Point (or others who have been through this) can you tell us how to solve this issue?
Please no-one tell me to disable all webmail or to try to block the 'personal' URLs - these are live.microsoft.com and other FQDNS *totally* shared by both O365 corporate and personal.
Thanks in advance,
John