Configuring Reverse Proxy for Microsoft 365 with Microsoft Entra ID Authentication - General workflow

Describes the general workflow for configuring Microsoft 365 for use with Forcepoint ONE SSE when Microsoft 365 uses Microsoft Entra ID as the identity provider. Each step links to the detailed procedure.

To successfully create and configure the reverse proxy application, you must complete the following procedures:

  1. Configure Microsoft 365 Application Instance in Forcepoint ONE SSE with Azure AD Reverse Proxy as the cutoff method. Refer to Creating Microsoft 365 application in Forcepoint ONE SSE.
    1. Set up a CNAME record for your Azure AD RP domain at your DNS provider, pointing at the target specified on the Azure AD Reverse Proxy Setup page of your Microsoft 365 instance in Forcepoint ONE SSE.
    2. Obtain an SSL certificate that covers your Azure AD RP domain and upload it to Forcepoint ONE SSE. Refer to Configuring AzureAD reverse proxy certificate.
  2. Create a SAML reverse proxy application in Azure and configure Forcepoint ONE SSE as the SAML service provider (SP). Test the application and verify that sign-in traffic is redirected through the reverse proxy. Refer to Microsoft Entra ID: Configuring Forcepoint ONE SSE as a SAML SP.
  3. Configure a conditional access policy. Define the criteria to control which devices access your Office 365 services. Refer to Configuring conditional access policy in Microsoft Entra ID.
  4. Validate the conditional access policy. Verify that traffic from unmanaged devices cannot reach your Office 365 services, and that managed devices still can. Refer to Validating the conditional access policy.
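The following PowerShell script is an added pre-flight check for the workflow above; it is not Forcepoint's or Microsoft's own code. It verifies the three artifacts the procedure depends on before you run the sub-procedures: the CNAME for the RP domain (step 1.1), the certificate served on that hostname (step 1.2), and the presence and state of the conditional access policy (steps 3 and 4). The hostname, CNAME target, policy display name and the assumed device-based grant control are placeholders to replace with your own values; the script assumes the DnsClient module (Windows) and the Microsoft.Graph.Identity.SignIns module are installed.

```powershell
# Added pre-flight check for the Forcepoint ONE SSE reverse proxy workflow (example, not vendor code).
# All three values below are assumptions; take the real ones from the Azure AD Reverse Proxy Setup
# page and from the conditional access policy you created in Microsoft Entra ID.
param(
    [string]$RpHost       = 'm365-rp.example.com',                 # assumption: your Azure AD RP domain
    [string]$CnameTarget  = 'rp.forcepoint-example.net',           # assumption: target shown in Forcepoint ONE SSE
    [string]$CaPolicyName = 'Block unmanaged devices - M365 RP'    # assumption: your policy's display name
)

$allOk = $true

# Step 1.1: the RP hostname must CNAME to the target given on the Reverse Proxy Setup page.
$cname = Resolve-DnsName -Name $RpHost -Type CNAME -ErrorAction SilentlyContinue |
         Where-Object { $_.QueryType -eq 'CNAME' } | Select-Object -First 1
if ($cname -and ($cname.NameHost.TrimEnd('.') -ieq $CnameTarget.TrimEnd('.'))) {
    Write-Host "[OK]   $RpHost CNAME -> $($cname.NameHost)"
} else {
    Write-Host "[FAIL] $RpHost does not CNAME to $CnameTarget (resolved: '$($cname.NameHost)')"
    $allOk = $false
}

# Step 1.2: the certificate presented on TCP/443 must chain correctly, cover the RP hostname
# (exact SAN or wildcard for the parent domain) and not be close to expiry.
$chainErrors = 'None'
try {
    $tcp = [System.Net.Sockets.TcpClient]::new($RpHost, 443)
    # Record chain errors instead of throwing, so the other checks can still report.
    $ssl = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false,
        { param($sender, $cert, $chain, $errors) $script:chainErrors = $errors; $true })
    $ssl.AuthenticateAsClient($RpHost)
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
    $ssl.Dispose(); $tcp.Dispose()

    $parent = $RpHost.Substring($RpHost.IndexOf('.') + 1)
    # DnsNameList is the extended property PowerShell adds to X509Certificate2 (subject CN + SANs).
    $names  = @($cert.DnsNameList | ForEach-Object { $_.Unicode })
    $covers = ($names -contains $RpHost) -or ($names -contains "*.$parent")
    $daysLeft = [int]($cert.NotAfter - (Get-Date)).TotalDays

    if ($covers) { Write-Host "[OK]   Certificate covers $RpHost ($($names -join ', '))" }
    else         { Write-Host "[FAIL] Certificate names [$($names -join ', ')] do not cover $RpHost"; $allOk = $false }

    if ("$chainErrors" -eq 'None') { Write-Host "[OK]   Certificate chain validates" }
    else                           { Write-Host "[FAIL] Certificate chain errors: $chainErrors"; $allOk = $false }

    if ($daysLeft -gt 30) { Write-Host "[OK]   Certificate valid for $daysLeft more days" }
    else                  { Write-Host "[WARN] Certificate expires in $daysLeft days" }
} catch {
    Write-Host "[FAIL] TLS connection to ${RpHost}:443 failed: $($_.Exception.Message)"
    $allOk = $false
}

# Steps 3 and 4: the conditional access policy exists, is enabled (not report-only) and carries a
# device-based grant control. The control names checked here are an assumption about how the
# policy was built; adjust them to match the criteria you configured.
Connect-MgGraph -Scopes 'Policy.Read.All' -NoWelcome
$policy = Get-MgIdentityConditionalAccessPolicy -Filter "displayName eq '$CaPolicyName'" | Select-Object -First 1
if (-not $policy) {
    Write-Host "[FAIL] No conditional access policy named '$CaPolicyName'"
    $allOk = $false
} else {
    if ($policy.State -eq 'enabled') { Write-Host "[OK]   Policy '$CaPolicyName' is enabled" }
    else { Write-Host "[FAIL] Policy '$CaPolicyName' state is '$($policy.State)' (expected 'enabled')"; $allOk = $false }

    $deviceControls = @('compliantDevice', 'domainJoinedDevice')   # assumption
    $controls = @($policy.GrantControls.BuiltInControls)
    if ($controls | Where-Object { $deviceControls -contains $_ }) {
        Write-Host "[OK]   Policy grants access only with: $($controls -join ', ')"
    } else {
        Write-Host "[WARN] Policy grant controls [$($controls -join ', ')] contain no device-based control"
    }
}

if ($allOk) { Write-Host 'All pre-flight checks passed.' } else { Write-Host 'One or more checks failed.'; exit 1 }
```

Run the script from a managed admin workstation after completing step 1 and again after step 3. A failing CNAME or certificate check explains most "traffic is not redirected" results in step 2, and a policy that is still in `enabledForReportingButNotEnforced` state is the usual reason step 4 finds unmanaged devices still reaching Office 365.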