When starting the journey to the cloud, connectivity is the first thing to get right. Azure consists of thousands of endpoints, and the list can change daily. Microsoft therefore provides a web service that always returns an up-to-date list; many firewall and proxy vendors consume it so that you can allow connections to all Office 365 services from within their products. In practice, however, I often find that the network team has not opened all the URLs that were requested, so we need a way to test this before an engagement starts. In this blog post I explain how to do that with the Modern Workplace Client Center (MWCC) PowerShell module.
The source code can be found on GitHub and the PowerShell Module is available in the PowerShell Gallery.
You can request all Office 365 endpoints with the following commands:
# Every request needs a fresh client request ID (a GUID); the response body is a JSON array of endpoint sets
$Endpoints = Invoke-WebRequest -Uri "https://endpoints.office.com/endpoints/worldwide?clientrequestid=$(New-Guid)"
$Endpoints.Content | ConvertFrom-Json
The list of Office 365 endpoints looks like the following screenshot:
As you can see from this list, connectivity tests are complicated because:
- Some URLs contain wildcards
- Different protocols are in use
- Many URLs appear in several service areas
- IPs are always given as whole subnets, and it is unclear which IPs are really an endpoint at that moment
Because of these issues I created the new PowerShell function Invoke-AnalyzeAzureConnectivity. It solves them and lets you run all necessary connectivity checks in a few minutes.
Some URLs contain wildcards
For each wildcard URL I looked up a concrete static host that matches the pattern, and the checks are run against that host instead.
Different protocols in use
For other methods I already use the HttpConnectivityTester module, which honours the configured proxy server and performs a lot of checks. For the other protocols I created an additional PowerShell module based on Test-NetConnection that gives the same deep insight into connectivity issues.
Many URLs appear in several service areas
The function checks each host only once, which reduces the execution time.
IPs are always whole subnets, and it is unclear which IPs are really an endpoint at that moment
I have no solution for this problem yet. A probe against one arbitrary address inside a range says nothing about the rest of the subnet, so the IP ranges still have to be verified against the firewall rule base rather than by probing.
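To show how the first three points above fit together, here is an added example written for this post; it is not code from the MWCC module or the HttpConnectivityTester module. It assumes the JSON shape returned by the endpoints web service (id, serviceArea, urls, tcpPorts, category, required), uses a constructed four-entry sample instead of a live download, and the wildcard-to-host mapping is a hypothetical substitution table. The test plan is built once per host and port pair so that a host listed in several service areas is probed only once; the probe itself is a scriptblock so the plan can be dry-run offline or wired to a proxy-aware HTTP check.

```powershell
# Constructed sample in the schema of https://endpoints.office.com (not real service data)
$SampleJson = @'
[
  { "id": 1, "serviceArea": "Exchange", "urls": ["outlook.office365.com", "*.protection.outlook.com"],
    "ips": ["40.92.0.0/15"], "tcpPorts": "80,443", "category": "Optimize", "required": true },
  { "id": 2, "serviceArea": "Exchange", "urls": ["smtp.office365.com"],
    "tcpPorts": "587", "category": "Allow", "required": true },
  { "id": 3, "serviceArea": "Common", "urls": ["outlook.office365.com", "login.microsoftonline.com"],
    "tcpPorts": "443", "category": "Allow", "required": true },
  { "id": 4, "serviceArea": "Common", "urls": ["*.cdn.office.net"],
    "tcpPorts": "443", "category": "Default", "required": false }
]
'@

# Hypothetical substitution table: one static host assumed to exist behind each wildcard pattern
$WildcardHosts = @{
    '*.protection.outlook.com' = 'mail.protection.outlook.com'
    '*.cdn.office.net'         = 'res.cdn.office.net'
}

function Get-EndpointTestPlan {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Json,
        [hashtable] $WildcardHosts = @{},
        [switch] $OnlyRequired
    )
    $plan = @{}   # key "host:port" -> entry, so each host/port pair is tested only once
    foreach ($ep in ($Json | ConvertFrom-Json)) {
        if ($OnlyRequired -and -not $ep.required) { continue }
        if (-not $ep.urls -or -not $ep.tcpPorts) { continue }   # IP-only or UDP-only sets are out of scope here
        $ports = $ep.tcpPorts -split ',' | ForEach-Object { [int]$_.Trim() }
        foreach ($url in $ep.urls) {
            $targetHost = $url
            if ($url.Contains('*')) {
                # wildcard: substitute a known static host, or skip with a warning if none is known
                $targetHost = $WildcardHosts[$url]
                if (-not $targetHost) { Write-Warning "No static host known for '$url' (id $($ep.id)); skipped"; continue }
            }
            foreach ($port in $ports) {
                $key = "${targetHost}:$port"
                if ($plan.ContainsKey($key)) {
                    # same host/port already planned from another service area: merge, do not duplicate
                    if ($plan[$key].ServiceAreas -notcontains $ep.serviceArea) { $plan[$key].ServiceAreas += $ep.serviceArea }
                } else {
                    $plan[$key] = [pscustomobject]@{
                        HostName     = $targetHost
                        Port         = $port
                        Pattern      = $url
                        ServiceAreas = @($ep.serviceArea)
                        Category     = $ep.category
                    }
                }
            }
        }
    }
    $plan.Values | Sort-Object HostName, Port
}

function Test-EndpointPlan {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [object[]] $Plan,
        # Default probe is a plain TCP connect (Windows, NetTCPIP module); pass your own scriptblock
        # for a dry run or for an HTTP check that goes through the configured proxy
        [scriptblock] $Tester = {
            param($TargetHost, $Port)
            Test-NetConnection -ComputerName $TargetHost -Port $Port -InformationLevel Quiet -WarningAction SilentlyContinue
        }
    )
    foreach ($entry in $Plan) {
        $ok = [bool](& $Tester $entry.HostName $entry.Port)
        [pscustomobject]@{
            HostName     = $entry.HostName
            Port         = $entry.Port
            ServiceAreas = ($entry.ServiceAreas -join ', ')
            Succeeded    = $ok
            Hint         = if ($ok) { '' } else { "Allow TCP $($entry.Port) to $($entry.HostName) (listed as $($entry.Pattern)) on the firewall/proxy" }
        }
    }
}

# Build the plan: 6 host/port pairs from 3 required sets; outlook.office365.com:443 is merged from Exchange and Common
$plan = Get-EndpointTestPlan -Json $SampleJson -WildcardHosts $WildcardHosts -OnlyRequired
$plan | Format-Table HostName, Port, Category, @{ n = 'ServiceAreas'; e = { $_.ServiceAreas -join ', ' } }

# Offline dry run with a stub probe that "fails" port 587; drop -Tester to use Test-NetConnection for real
Test-EndpointPlan -Plan $plan -Tester { param($h, $p) $p -ne 587 } | Format-Table
```

With the sample, the plan contains outlook.office365.com (80, 443), mail.protection.outlook.com (80, 443), login.microsoftonline.com (443) and smtp.office365.com (587); entry 4 is dropped by -OnlyRequired, and the duplicate outlook.office365.com:443 from the Common set only adds a second service area to the existing row. The dry run then reports one failing row with a hint for TCP 587, which is the shape of output you want to hand to the network team.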
You can install the module and run the connectivity test with the following lines:
Install-Module ModernWorkplaceClientCenter -Force
# -UrlSet Common selects the Common service area; -OnlyRequired skips endpoints the service does not mark as required
$r = Invoke-AnalyzeAzureConnectivity -UrlSet Common -OnlyRequired
$r | Out-GridView
In the Out-GridView you can see whether any endpoint has an issue, along with tips on how to solve it.
I hope this new function helps you. If you have feedback, just send me a message or file a feature request.
By Thomas Kurth