When starting the journey to the cloud, connectivity is the most important point. Azure and Office 365 consist of thousands of endpoints, and the list can change daily. Therefore, Microsoft built a web service that always provides an up-to-date list; many firewall and proxy vendors consume it to give you an easy way to allow connections to all Office 365 services in their products. But I often experience that the network team does not open all URLs as requested. So we need a way to test this before an engagement starts. In this blog post I explain how you can do this with the Modern Workplace Client Center (MWCC) PowerShell module.
The source code can be found on GitHub and the PowerShell Module is available in the PowerShell Gallery.
Basics
You can request all Office 365 endpoints with the following commands (the clientrequestid query parameter is required by the web service and must be a GUID):

```powershell
# -UseBasicParsing avoids the Internet Explorer dependency of Windows PowerShell 5.1
$Endpoints = Invoke-WebRequest -Uri "https://endpoints.office.com/endpoints/worldwide?clientrequestid=$(New-Guid)" -UseBasicParsing
$Endpoints.Content | ConvertFrom-Json
```

The response is a JSON array of endpoint sets; each set carries an id, serviceArea, urls, ips, tcpPorts, udpPorts, category (Optimize, Allow or Default) and a required flag. The list of Office 365 endpoints looks like the following screenshot:
But as you can see from this list, connectivity tests are complicated because:
- Some URLs contain wildcards
- Different protocols are in use
- Many URLs are represented in several service areas
- IPs are always complete subnets, and it is unclear which IPs are really an endpoint at that moment
My solution
Because of the issues mentioned above I created the new PowerShell function Invoke-AnalyzeAzureConnectivity. It solves these issues and allows you to run all necessary connectivity checks in a few minutes.
- Some URLs contain wildcards: for each wildcard URL I searched for a static host behind it, so the needed checks can be run against a concrete name.
- Different protocols are in use: in other methods I already use the HttpConnectivityTester module, which respects the proxy server and performs many checks. I created an additional PowerShell module that tests the other protocols with Test-NetConnection and provides the same deep insight into connectivity issues.
- Many URLs are represented in several service areas: the function checks each host only once to reduce the execution time.
- IPs are always complete subnets, and it is unclear which IPs are really an endpoint at that moment: for this problem I do not have a solution yet.
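The following script is an added example and is not code from the MWCC module; it shows how the endpoint list from the Basics section can be flattened into unique host/port checks (wildcard substitution, de-duplication across service areas, a TCP handshake next to a proxy-aware HTTP check) so that a result carries a hint about where to look. It assumes Windows PowerShell 5.1 or PowerShell 7 on Windows (Test-NetConnection is Windows-only). The embedded endpoint list is a constructed sample in the shape of the web service output, not real data; the WildcardMap and the host contoso.sharepoint.com are placeholders you replace with values from your own tenant.

```powershell
# Added example, not code from the MWCC module: normalise an Office 365 endpoint list into
# unique host/port checks (wildcard substitution, de-duplication across service areas,
# TCP vs HTTP layer) and run them. Requires Windows (Test-NetConnection).
function Get-O365EndpointSample {
    # Constructed sample in the shape of the endpoint web service output; hosts and subnets
    # are illustrative only. For the live list use the call from the Basics section:
    # (Invoke-WebRequest -Uri "https://endpoints.office.com/endpoints/worldwide?clientrequestid=$(New-Guid)" -UseBasicParsing).Content | ConvertFrom-Json
    @'
[
  {"id":1,"serviceArea":"Exchange","urls":["outlook.office365.com","*.outlook.office.com"],
   "ips":["52.96.0.0/14"],"tcpPorts":"80,443","category":"Optimize","required":true},
  {"id":2,"serviceArea":"SharePoint","urls":["*.sharepoint.com"],"ips":["13.107.136.0/22"],
   "tcpPorts":"80,443","category":"Optimize","required":true},
  {"id":3,"serviceArea":"Common","urls":["login.microsoftonline.com","outlook.office365.com"],
   "tcpPorts":"443","category":"Allow","required":true},
  {"id":4,"serviceArea":"Skype","urls":["*.lync.com"],"udpPorts":"3478,3479",
   "tcpPorts":"443","category":"Optimize","required":false}
]
'@ | ConvertFrom-Json
}

function ConvertTo-ConnectivityTarget {
    param(
        [Parameter(Mandatory)] $Endpoints,
        [switch] $OnlyRequired,
        # Wildcards cannot be tested as written. Map each wildcard to one concrete host that
        # exists behind it; this map is an assumption you fill from your own tenant, not a
        # list shipped with the module. Unmapped wildcards are reported, not tested.
        [hashtable] $WildcardMap = @{}
    )
    $seen = @{}
    foreach ($ep in $Endpoints) {
        if ($OnlyRequired -and -not $ep.required) { continue }
        foreach ($url in (@($ep.urls) | Where-Object { $_ })) {
            $hostName = if ($url.Contains('*')) { $WildcardMap[$url] } else { $url }
            if (-not $hostName) {
                Write-Warning "No static host mapped for wildcard $url ($($ep.serviceArea)); skipped"
                continue
            }
            # UDP ports (Teams/Skype media) are ignored: a UDP probe cannot distinguish
            # 'open' from 'filtered', so Test-NetConnection gives no usable answer there.
            foreach ($port in ($ep.tcpPorts -split ',' | Where-Object { $_ })) {
                $key = "${hostName}:$port"
                if ($seen.ContainsKey($key)) { continue }   # same host listed in several service areas
                $seen[$key] = $true
                [pscustomobject]@{
                    Host = $hostName; Port = [int]$port
                    ServiceArea = $ep.serviceArea; Category = $ep.category; Required = [bool]$ep.required
                }
            }
        }
    }
}

function Test-ConnectivityTarget {
    param([Parameter(Mandatory, ValueFromPipeline)] $Target)
    process {
        # Layer 4: direct TCP handshake. This ignores any proxy, so a closed port here
        # plus a working HTTP check below means 'reachable only through the proxy'.
        $tcp = Test-NetConnection -ComputerName $Target.Host -Port $Target.Port `
                                  -InformationLevel Quiet -WarningAction SilentlyContinue
        $http = $null
        if ($Target.Port -in 80, 443) {
            # Layer 7: Invoke-WebRequest honours the system/WinHTTP proxy. Any HTTP status,
            # even 4xx, proves the path; only a transport error counts as a failure.
            $scheme = if ($Target.Port -eq 443) { 'https' } else { 'http' }
            try {
                $r = Invoke-WebRequest -Uri "${scheme}://$($Target.Host)/" -Method Head -UseBasicParsing -TimeoutSec 10
                $http = [int]$r.StatusCode
            } catch {
                $http = if ($_.Exception.Response) { [int]$_.Exception.Response.StatusCode } else { "ERR: $($_.Exception.Message)" }
            }
        }
        $hint = if ($tcp -and ($null -eq $http -or $http -is [int])) { 'OK' }
                elseif ($tcp) { 'TCP open but HTTP failed: check TLS inspection / certificate trust' }
                elseif ($http -is [int]) { 'Reachable only via proxy: no direct route or rule' }
                else { 'Blocked: check firewall/proxy allow-list for this host and port' }
        [pscustomobject]@{ Host = $Target.Host; Port = $Target.Port; ServiceArea = $Target.ServiceArea
                           TcpOpen = $tcp; HttpStatus = $http; Hint = $hint }
    }
}

# Usage: 'contoso.sharepoint.com' is a placeholder tenant host, substitute your own.
$targets = ConvertTo-ConnectivityTarget -Endpoints (Get-O365EndpointSample) -OnlyRequired `
               -WildcardMap @{ '*.sharepoint.com' = 'contoso.sharepoint.com' }
$targets | Test-ConnectivityTarget | Format-Table -AutoSize
```

With the sample above, outlook.office365.com on port 443 is tested once although it appears in both the Exchange and the Common set, *.outlook.office.com is skipped with a warning because no static host is mapped, and the Skype set is dropped by -OnlyRequired. Run the script on a client in the segment you want to validate and with that client's proxy settings; the TcpOpen/HttpStatus pair then tells you whether a host is blocked, only reachable through the proxy, or broken by TLS inspection.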
You can install the module and execute the connectivity test with the following lines of code:

```powershell
Install-Module ModernWorkplaceClientCenter -Force
$r = Invoke-AnalyzeAzureConnectivity -UrlSet Common -OnlyRequired
$r | Out-GridView
```

In the Out-GridView you can see whether any endpoint has an issue, including tips on how to solve it. Out-GridView needs an interactive Windows desktop session; on a headless server or in a remote session, pipe $r to Format-Table or Export-Csv instead. Run the test from the same network segment and with the same proxy settings as the clients you want to validate, otherwise the result says nothing about their path.
I hope this new function will help you. If you have feedback, just send me a message or fill out a feature request.
Thomas Kurth, Principal Security Consultant | MVP at baseVISION AG