Microsoft Entra IdP: Configuring Reverse Proxy for Microsoft 365

Provides the setup instructions for configuring Microsoft 365 for use with Forcepoint ONE SSE when Microsoft 365 uses Microsoft Entra ID as the identity provider.

Attention: Azure Active Directory (Azure AD) has been renamed Microsoft Entra ID.

This feature is helpful for customers who want to provide agentless secure access to Microsoft 365 applications through the Forcepoint ONE SSE reverse proxy while using Microsoft Entra ID as the IdP.

After the reverse proxy application and conditional access policy are configured and active:

  • If a user tries to connect to Microsoft Online (https://login.microsoftonline.com) directly from an unmanaged device, the conditional access policy blocks the sign-in. The policy allows access only through the Forcepoint ONE SSE gateways.

  • If a user connects to Microsoft Apps (https://myapps.microsoft.com) and opens the reverse proxy application, then Forcepoint ONE SSE redirects the user to the correct reverse proxy URL. The user can access their applications after they re-authenticate.
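The conditional access policy described above is created in Microsoft Entra ID, not in Forcepoint ONE SSE. The following Microsoft Graph PowerShell script is an added illustration of what such a policy looks like; it is not Forcepoint's documented procedure. It assumes that the Microsoft.Graph.Identity.SignIns module is installed, that the Forcepoint ONE SSE gateway egress ranges are known (the CIDR values below are placeholders), that managed devices are identified by Intune compliance, and that a break-glass account exists to exclude from the block. The policy is created in report-only mode so its effect can be reviewed in the sign-in logs before enforcement.

```powershell
# Added example: block Office 365 sign-ins unless they arrive through the
# reverse proxy gateways or from a compliant (managed) device.
# Requires: Install-Module Microsoft.Graph.Identity.SignIns
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

# 1. Named location for the gateway egress addresses.
#    PLACEHOLDER ranges: replace with the gateway IP ranges published for your tenant.
$gatewayLocation = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    "@odata.type" = "#microsoft.graph.ipNamedLocation"
    displayName   = "Forcepoint ONE SSE gateways"
    isTrusted     = $false
    ipRanges      = @(
        @{ "@odata.type" = "#microsoft.graph.iPv4CidrRange"; cidrAddress = "203.0.113.0/24" },
        @{ "@odata.type" = "#microsoft.graph.iPv4CidrRange"; cidrAddress = "198.51.100.0/24" }
    )
}

# 2. Object ID of the emergency-access account that must never be locked out.
#    PLACEHOLDER: substitute your own break-glass account.
$breakGlassAccountId = "00000000-0000-0000-0000-000000000000"

# 3. Block policy: applies to every user and to Office 365, everywhere except the
#    gateway location; compliant devices are excluded by device filter (assumed to be
#    how "managed device" is defined in the tenant).
$policy = New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName = "Block Office 365 outside Forcepoint ONE SSE reverse proxy"
    # Report-only first; switch to "enabled" after validating the sign-in logs.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        applications = @{ includeApplications = @("Office365") }
        users        = @{
            includeUsers = @("All")
            excludeUsers = @($breakGlassAccountId)
        }
        locations    = @{
            includeLocations = @("All")
            excludeLocations = @($gatewayLocation.Id)
        }
        devices      = @{
            deviceFilter = @{
                mode = "exclude"
                rule = 'device.isCompliant -eq True'
            }
        }
    }
    grantControls = @{
        operator         = "OR"
        builtInControls  = @("block")
    }
}

Write-Output "Created policy $($policy.Id) in state $($policy.State)"
```

While the policy is in report-only mode, the Entra sign-in logs show which sign-ins would have been blocked, including any traffic that still reaches login.microsoftonline.com from addresses outside the named location; enforce the policy only once those results match the expected reverse proxy path.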

Configuring SSO between Microsoft 365 applications and Forcepoint ONE SSE when Microsoft Entra ID is configured as the IdP causes a login loop: the application directs sign-in requests to Forcepoint ONE SSE, which relays them to Microsoft Entra ID; Microsoft Entra ID in turn checks the Microsoft 365 setup and sends the request back to Forcepoint ONE SSE. To avoid this loop, users connecting from unmanaged devices are prompted to sign in twice: first to access myapps.microsoft.com, and again after clicking the Reverse Proxy application. If both authentications succeed, users can access Microsoft 365 applications through the Forcepoint ONE SSE reverse proxy.