Azure AD header modification policy TLS interception requirements


Article ID: 223496




Web Security Service - WSS


To implement Azure AD header modification (see Article 212259), TLS/SSL interception must be enabled.

However, a TLS inspection bypass list can prevent the Azure AD login URLs from being intercepted, which in turn prevents the Azure AD headers from being added to requests for those login URLs.


The "TLS Interception" G2 rule that applies to "Office 365 destinations" has its verdict set to "Do not intercept".


If you want to keep "Office 365 Destinations" uninterrupted by interception, contact Broadcom Support to have the policy fragment "Intercept TLS traffic to Azure AD login URLS" associated with your WSS tenant.

This fragment forces interception of the three Microsoft login URLs even if "Office 365 Destinations" is set to "Do Not Intercept".
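A quick way to confirm from a client that a login URL really is being intercepted (and that the header modification can therefore apply) is to look at who issued the certificate the client receives. The script below is an added example, not part of this article or of WSS itself; it assumes the WSS interception CA is in the client's trust store (required for intercepted sessions anyway), uses login.microsoftonline.com as one well-known Azure AD login host because the article does not list the three URLs, and takes the interception CA's common name as an argument.

```python
"""Check whether TLS to an Azure AD login host is intercepted (added example).

Assumptions: the WSS interception CA is trusted by this client, traffic from
this client goes through WSS, and the CA's common name is passed on the CLI.
"""
import socket
import ssl
import sys

# Well-known Azure AD login endpoint used as the example target; the article
# does not list the three login URLs, so confirm them with Broadcom Support.
DEFAULT_HOST = "login.microsoftonline.com"


def issuer_common_name(cert: dict) -> str:
    """Return the issuer CN from a cert dict as returned by ssl getpeercert()."""
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return ""


def is_intercepted(cert: dict, interception_ca_cn: str) -> bool:
    """True when the presented leaf certificate was issued by the interception CA.

    A leaf issued by a public CA means the session reached the origin without
    being intercepted, so the Azure AD header-modification policy cannot apply.
    """
    return issuer_common_name(cert) == interception_ca_cn


def fetch_leaf_cert(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Perform a verified TLS handshake with host and return its leaf certificate."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else DEFAULT_HOST
    ca_cn = sys.argv[2] if len(sys.argv) > 2 else "<your WSS interception CA CN>"
    leaf = fetch_leaf_cert(host)
    verdict = "intercepted" if is_intercepted(leaf, ca_cn) else "NOT intercepted"
    print(f"{host}: issuer CN = {issuer_common_name(leaf)!r} -> {verdict}")
```

Run it once before and once after Support attaches the fragment; a verdict of "NOT intercepted" for a login host means the bypass is still winning and the headers will not be added.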