Creating Microsoft 365 application on Forcepoint ONE SSE

Setting up the Microsoft Entra ID reverse proxy for Microsoft 365 starts with enabling the AzureAD RP cutoff method and selecting an AzureAD RP domain for the Microsoft 365 application in Forcepoint ONE SSE.

Steps

  1. Navigate to the Protect > Policies page and select Microsoft 365 from your applications, or click the green plus icon to add the application if you have not already.
  2. On the Office 365 settings page, select your App Instance or create a new Office 365 Instance to open the Office 365 Instance dialog.


  3. On the Office 365 Instance settings page:
    1. Enter the name of the instance if you are creating a new Office 365 instance.
    2. Click the green plus icon present in the Domains section and select the required domain from the drop-down.
      You can add multiple domains as needed.

      You can manage Domains under IAM > Users and Groups > Username Domain and Authentication section.

    3. Select the AzureAD RP Domain option button adjacent to the domain name to assign that domain as the base of the Azure AD reverse proxy.
    4. Select the AzureAD RP option button as the Cutoff Method to restrict users from directly accessing Office 365 and to enforce that users access the Office 365 applications only through the Azure AD reverse proxy.
      By default, the Cutoff Method is set to None.
      Note: Configurations are not saved if you save the Microsoft 365 Instance with the Cutoff Method set to None while a domain is set as the AzureAD RP Domain.
    5. Click OK to save the Office 365 instance changes.


      The application setup page displays the Setup Azure AD RP link when Azure AD RP is selected as the Cutoff Method.

  4. Click Save to save the Office 365 application settings.
  5. Click the Setup Azure AD RP link to open the Reverse Proxy Setup page.


    The Reverse Proxy Setup page provides instructions to setup the following items:

    • DNS CNAME - On your registrar's DNS manager, add or update the CNAME record for the Microsoft domain displayed. Once you have updated the CNAME record, you may need to wait a couple of hours for the DNS change to take effect across the internet. On successful DNS propagation, the success indicator appears next to DNS CNAME, but only once the CNAME setup has been validated by a DNS check.
    • SSL Certificate - Upload a certificate and private key for the login-microsoftonline-com subdomain. Traffic from unmanaged devices is redirected through this reverse proxy URL. Refer to AzureAD Reverse Proxy Certificate to create the SSL certificate. The success indicator appears next to SSL Certificate once a valid certificate and key have been uploaded for the domain specified on the page with the AzureAD Reverse Proxy checkbox selected.
    • Azure AD Forcepoint ONE SAML Enterprise App and Conditional Access policy - Provides a link to the Admin Guide where you can find instructions to:
      • Configure Forcepoint ONE SSE application in Microsoft Entra ID
      • Configure Conditional Access Policy for configured Forcepoint ONE SSE application in Microsoft Entra ID.


      The Office 365 settings page also shows the success indicator next to the Setup Azure AD RP link once the setup is complete in Forcepoint ONE SSE.
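An added pre-flight check for the DNS CNAME and SSL Certificate items above; this is example tooling written for this page, not part of Forcepoint ONE SSE or its guide. It confirms that the CNAME for the login-microsoftonline-com subdomain has propagated to the target shown on the Reverse Proxy Setup page, that the certificate's Subject Alternative Name covers that hostname, and that the private key matches the certificate. The domain, expected CNAME target and file paths are placeholders; dig and OpenSSL 1.1.1 or later are assumed to be installed.

```shell
#!/usr/bin/env bash
# Pre-flight checks before uploading the reverse proxy certificate.
# Example code, not Forcepoint's tooling; needs dig and openssl >= 1.1.1.
set -u

# Hostname the Azure AD reverse proxy uses for a customer domain.
rp_host() {
  printf 'login-microsoftonline-com.%s\n' "$1"
}

# cname_matches DIG_OUTPUT EXPECTED_TARGET
# DIG_OUTPUT is the text from `dig +short CNAME <host>`; the first line is
# compared case-insensitively, ignoring a trailing dot. Empty output means
# the record has not propagated (or is not a CNAME) yet.
cname_matches() {
  local got expected
  got=$(printf '%s' "$1" | head -n 1 | tr 'A-Z' 'a-z' | sed 's/\.$//')
  expected=$(printf '%s' "$2" | tr 'A-Z' 'a-z' | sed 's/\.$//')
  [ -n "$got" ] && [ "$got" = "$expected" ]
}

# san_covers_host SAN_TEXT HOST
# SAN_TEXT is the output of `openssl x509 -noout -ext subjectAltName`.
# An exact DNS entry or a single-label wildcard for the parent domain counts.
san_covers_host() {
  local san host parent
  san=$(printf '%s' "$1" | tr -d '[:blank:]' | tr ',' '\n' \
        | sed -n 's/^DNS://p' | tr 'A-Z' 'a-z')
  host=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
  parent=${host#*.}
  printf '%s\n' "$san" | grep -qxF -e "$host" -e "*.$parent"
}

# cert_key_match CERT_PEM KEY_PEM: the public key embedded in the certificate
# must equal the public key derived from the private key (RSA or EC).
cert_key_match() {
  local cpub kpub
  cpub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
  kpub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
  [ -n "$cpub" ] && [ "$cpub" = "$kpub" ]
}

# preflight DOMAIN EXPECTED_CNAME_TARGET CERT_PEM KEY_PEM (all placeholders)
preflight() {
  local host; host=$(rp_host "$1")
  cname_matches "$(dig +short CNAME "$host")" "$2" || { echo "FAIL: CNAME for $host"; return 1; }
  san_covers_host "$(openssl x509 -in "$3" -noout -ext subjectAltName)" "$host" \
    || { echo "FAIL: certificate does not cover $host"; return 1; }
  cert_key_match "$3" "$4" || { echo "FAIL: private key does not match certificate"; return 1; }
  echo "ok: $host is ready for the Reverse Proxy Setup page"
}
```

Run as `preflight example.com <target from the Setup page> cert.pem key.pem`; a CNAME that resolves but points elsewhere, or a certificate issued only for the bare domain, fails the corresponding check.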