Azure AD header modification policy TLS interception requirements

Article ID: 223496

Products

Web Security Service - WSS

Issue/Introduction

In order to implement Azure AD header modification (see Article 212259), TLS/SSL interception needs to be enabled for the Azure AD login URLs.

However, some entries in the TLS inspection bypass list can prevent the Azure AD login URLs from being intercepted. Because the headers can only be inserted into traffic that WSS decrypts, this stops the Azure AD headers from being added to requests to those URLs.

Cause

The "TLS Interception" G2 rule that applies to the "Office 365 destinations" list has its verdict set to "Do not intercept". The Azure AD login URLs fall under that list, so the rule exempts them from interception before header modification can take effect.

Resolution

If you want to keep "Office 365 Destinations" set to "Do Not Intercept", contact Broadcom Support to have the policy fragment "Intercept TLS traffic to Azure AD login URLS" associated with your WSS tenant.

This fragment forces interception of the three Microsoft login URLs even if "Office 365 Destinations" remains set to "Do Not Intercept". To confirm the fragment is in effect, connect to one of the login URLs from a client behind WSS and check which CA issued the server certificate the client receives: if it is your WSS interception CA, the connection is being intercepted and the headers can be added; if it is Microsoft's public CA, the traffic is still bypassing interception.
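The following script is an added example, not part of this article or of the WSS product. It performs the check described above: it fetches the issuer of the certificate a client actually receives for a host and classifies the connection as intercepted (the issuer matches your WSS interception CA) or bypassed (the origin's public CA certificate reached the client, so no header modification could have been applied). The hostnames passed on the command line, the default `WSS_CA_MATCH` substring, and the `cert_issuer`/`classify_issuer`/`check_host` function names are assumptions for illustration; the article does not list the three login URLs, so supply them yourself.

```shell
#!/bin/sh
# Added example (not from the Broadcom article): verify whether TLS traffic to a
# login host is being intercepted by WSS, by looking at who issued the leaf cert.
# Assumption: WSS_CA_MATCH is a substring that appears in the issuer DN of your
# tenant's WSS interception CA. The default below is a placeholder; override it.
WSS_CA_MATCH="${WSS_CA_MATCH:-Web Security Service}"

# Fetch the issuer line of the leaf certificate presented for HOST on port 443.
# Requires openssl and network access from a client that egresses through WSS.
cert_issuer() {
    host="$1"
    printf '' | openssl s_client -connect "$host:443" -servername "$host" 2>/dev/null \
        | openssl x509 -noout -issuer 2>/dev/null
}

# Classify an "issuer=..." line:
#   intercepted - the WSS interception CA signed the leaf, headers can be added
#   bypassed    - a public CA (e.g. the origin's own) signed it, WSS did not decrypt
#   error       - no certificate could be retrieved
classify_issuer() {
    case "$1" in
        "")                echo error ;;
        *"$WSS_CA_MATCH"*) echo intercepted ;;
        *)                 echo bypassed ;;
    esac
}

# Report one host: "<host>: intercepted|bypassed|error".
check_host() {
    echo "$1: $(classify_issuer "$(cert_issuer "$1")")"
}

# Usage: ./check_intercept.sh <login-host> [<login-host> ...]
# (hostnames are placeholders you supply; the article does not enumerate them)
for h in "$@"; do
    check_host "$h"
done
```

Run it once before and once after Support attaches the fragment: every login host should move from `bypassed` to `intercepted`. Any host still reporting `bypassed` is being matched by another "Do not intercept" rule or bypass-list entry that the fragment does not override.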
