Office 365 Automatic Mode Onboarding - Microsoft 365 Footprint
While onboarding, if you choose to activate Office 365 Mail using the Automatic mode of operation, Avanan adds the AVANAN Cloud Security Platform - Emails V2 enterprise application to your Microsoft Azure and makes these changes to your Microsoft 365 environment.
- Mail Flow Rules
- Connectors
- Connection Filters
- Journal Rules
- Groups
- Distribution Lists
- Spoofed Senders Allow List
- Trusted ARC Sealers
- Reported Phishing Emails
- Delegated Token
- PowerShell Script
Mail Flow Rules
To support Protect (Inline) protection mode for policies, Avanan creates Mail Flow rules. These rules allow Avanan to scan and perform remediation before the email is delivered to the recipient’s mailbox.
Avanan creates these Mail Flow rules.
- Avanan - Protect Outgoing Rule
- Avanan - Protect Rule
- Avanan - Whitelist Rule
- Avanan - Junk Filter Low Rule
- Avanan- Junk Filter Rule
Avanan - Protect Outgoing Rule
When is this rule applied? | What does this rule do? | Exceptions |
|
|
Sender IP address belongs to one of the relevant IP addresses for Avanan - Protect Outgoing rule. See IP Addresses for Avanan - Protect Outgoing Rule. |
Note - [portal] refers to the unique identifier of your Avanan Portal tenant.
IP Addresses for Avanan - Protect Outgoing Rule
Avanan tenants residing in the United States:
- 35.174.145.124
- 3.214.204.181
- 44.211.178.96/28
- 3.101.216.128/28
- 3.101.216.144/28
- 44.211.178.112/28
Avanan tenants residing in Europe
- 52.17.62.50
- 52.212.19.177
- 3.252.108.160/28
- 13.39.103.0/28
- 13.39.103.16/28
- 3.252.108.176/28
Avanan tenants residing in Canada
- 15.222.110.90
- 52.60.189.48
- 3.101.216.128/28
- 3.99.253.64/28
- 3.99.253.80/28
- 3.101.216.144/28
Infinity Portal tenants residing in the United Arab Emirates (UAE) *
- 3.29.194.128/28
- 3.29.194.144/28
* These regions are relevant only for tenants created using the Avanan MSP Portal.
Avanan - Protect Rule
When is this rule applied? | What does this rule do? | Exceptions |
|
|
Sender IP address belongs to one of the relevant IP addresses for the Avanan - Protect rule. See IP Addresses for Avanan - Protect Rule. |
Notes - [portal] refers to the unique identifier of your Avanan Portal tenant.
IP Addresses for Avanan - Protect Rule
Avanan tenants residing in the United States
- 35.174.145.124
- 44.211.178.96/28
- 3.101.216.128/28
Avanan tenants residing in Europe
- 52.212.19.177
- 3.252.108.160/28
- 13.39.103.0/28
Avanan tenants residing in Canada
- 15.222.110.90
- 3.101.216.128/28
- 3.99.253.64/28
Infinity Portal tenants residing in the United Arab Emirates (UAE) *
- 3.29.194.128/28
- 3.29.194.144/28
* These regions are relevant only for tenants created using the Avanan MSP Portal.
Avanan - Whitelist Rule
When is this rule applied | What does this rule do? | Exceptions |
Sender IP address belongs to one of the relevant IP addresses for the Avanan - Whitelist rule. See IP Addresses for Avanan - Whitelist Rule. | Sets the Spam Confidence Level (SCL) to -1. |
If the message header X-CLOUD-SEC-AV-SCL matches the following patterns: true. |
IP Addresses for Avanan - Whitelist Rule
Avanan tenants residing in the United States
- 35.174.145.124
- 44.211.178.96/28
- 3.101.216.128/28
Avanan tenants residing in Europe
- 52.212.19.177
- 3.252.108.160/28
- 13.39.103.0/28
Avanan tenants residing in Canada
- 15.222.110.90
- 3.101.216.128/28
- 3.99.253.64/28
Infinity Portal tenants residing in the United Arab Emirates (UAE) *
- 3.29.194.128/28
- 3.29.194.144/28
* These regions are relevant only for tenants created using the Avanan MSP Portal.
Avanan - Junk Filter Low Rule
This rule is used to mark Microsoft that the email was detected as spam by Avanan and should be delivered to the Junk folder.
When is this rule applied? | What does this rule do? |
|
Sets the Spam Confidence Level (SCL) to 6. |
IP Addresses for Avanan - Junk Filter Low Rule
Avanan tenants residing in the United States
- 35.174.145.124
- 44.211.178.96/28
- 3.101.216.128/28
Avanan tenants residing in Europe
- 52.212.19.177
- 3.252.108.160/28
- 13.39.103.0/28
Avanan tenants residing in Canada
- 15.222.110.90
- 3.101.216.128/28
- 3.99.253.64/28
Infinity Portal tenants residing in United Arab Emirates (UAE) *
- 3.29.194.128/28
- 3.29.194.144/28
Avanan- Junk Filter Rule
This rule is used to mark Microsoft that the email was detected as spam by Avanan and should be delivered to the Junk folder.
When is this rule applied? | What does this rule do? |
|
Sets the Spam Confidence Level (SCL) to 9. |
IP Addresses for Avanan - Junk Filter Rule
Avanan Portal tenants residing in the United States
- 35.174.145.124
- 44.211.178.96/28
- 3.101.216.128/28
Avanan Portal tenants residing in Europe
- 52.212.19.177
- 3.252.108.160/28
- 13.39.103.0/28
Avanan Portal tenants residing in Canada
- 15.222.110.90
- 3.101.216.128/28
- 3.99.253.64/28
Avanan portal tenants residing in India *
- 43.205.150.240/29
- 18.143.136.64/28
- 43.205.150.240/29
Avanan portal tenants residing in the United Kingdom
- 13.42.61.32
- 13.42.61.32/28
Avanan Portal tenants residing in the United Arab Emirates (UAE) *
- 3.29.194.128/28
- 3.29.194.144/28
* These regions are relevant only for tenants created using the Avanan MSP Portal.
Connectors
To support Protect (Inline) protection mode for policies, Avanan creates connectors. These connectors allow Avanan to scan and perform remediation before the email is delivered to the recipient’s mailbox.
Avanan creates these connectors.
- Avanan Inbound Connector
- Avanan DLP Inbound Connector
- Avanan Outbound Connector
- Avanan DLP Outbound Connector
- Avanan Journaling Outbound Connector
Avanan Inbound Connector
Mail flow scenario:
- From: Partner organization
- To: Office 365
Identify your partner organization by:
Identify the partner organization by verifying that the messages are coming from one of the relevant IP addresses for Avanan Inbound Connector. See IP Addresses for Avanan Inbound Connector.
Security restrictions:
- Reject messages if they aren't encrypted using Transport Layer Security (TLS).
IP Addresses for Avanan Inbound Connector
- Avanan Portal tenants residing in the United States:
- 35.174.145.124
- 44.211.178.96/28
- 3.101.216.128/28
- Avanan Portal tenants residing in Europe
- 52.212.19.177
- 3.252.108.160/28
- 13.39.103.0/28
- Avanan Portal tenants residing in Canada
- 15.222.110.90
- 3.101.216.128/28
- 3.99.253.64/28
- Avanan Portal tenants residing in India *
- 43.205.150.240/29
- 18.143.136.64/28
- 43.205.150.240/29
- Avanan Portal tenants residing in the United Arab Emirates (UAE) *
- 3.29.194.128/28
- 3.29.194.144/28
- Avanan Portal tenants residing in the United Kingdom:
- 13.42.61.32
- 13.42.61.32/28
- 13.39.103.0/28
* These regions are relevant only for tenants created using the Avanan MSP Portal.
Avanan DLP Inbound Connector
Mail flow scenario:
- From: Your organization's email server
- To: Office 365
Identify incoming emails are sent from your email by:
- Identify the incoming messages from your email server by verifying that the sender's IP address is one of the relevant IP addresses for Avanan DLP Inbound Connector. See IP Addresses for Avanan DLP Inbound Connector.
- Sender's email address is an accepted domain for your organization.
IP Addresses for Avanan DLP Inbound Connector
Avanan portal tenants residing in the United States
- 3.101.216.144/28
- 44.211.178.112/28
- 3.214.204.181
Avanan Portal tenants residing in Europe
- 52.17.62.50
- 3.252.108.176/28
- 13.39.103.16/28
Avanan Portal tenants residing in Canada
- 52.60.189.48
- 3.99.253.80/28
- 3.101.216.144/28
Avanan Portal tenants residing in the United Arab Emirates (UAE) *
- 3.29.194.128/28
- 3.29.194.144/28
Avanan Portal tenants residing in the United Kingdom *
- 13.42.61.47
- 13.42.61.47/28
- 13.39.103.23/28
Avanan Outbound Connector
Mail flow scenario:
- From: Office 365
- To: Partner organization
Use of connector:
Use only when I have a transport rule set up that redirects messages to this connector.
Routing:
Route email messages through these smart hosts: [portal]-host.avanan.net
Security restrictions:
- Always use Transport Layer Security (TLS) and connect only if the recipient’s email server has a digital certificate.
Avanan DLP Outbound Connector
Mail flow scenario:
- From: Office 365
- To: Your organization's email server
Use of connector:
- Use only when I have a transport rule set up that redirects messages to this connector.
Routing:
Route email messages through these smart hosts: [portal]-dlp.avanan.net
Security restrictions:
- Always use Transport Layer Security (TLS) and connect only if the recipient’s email server has a digital certificate.
Avanan Journaling Outbound Connector
Mail flow scenario:
- From: Office 365
- To: Your organization's email server
Use of connector:
Use only for email sent to these domains: [portal]-mail.avanan.net
Routing:
Route email messages through these smart hosts: [portal]-host.avanan.net
Security restrictions:
- Always use Transport Layer Security (TLS) and connect only if the recipient’s email server has a digital certificate.
Connection Filters
Avanan creates Connection Filters to prevent the blocking of emails sent to users.
Connection filter name: Connection filter policy (Default)
Avanan Portal tenants residing in the United States
- 35.174.145.124
- 3.214.204.181
- 44.211.178.96/28
- 3.101.216.128/28
- 3.101.216.144/28
- 44.211.178.112/28
Avanan Portal tenants residing in Europe
- 52.17.62.50
- 52.212.19.177
- 3.252.108.160/28
- 13.39.103.0/28
- 13.39.103.16/28
- 3.252.108.176/28
Avanan Portal tenants residing in Canada
- 15.222.110.90
- 52.60.189.48
- 3.101.216.128/28
- 3.99.253.64/28
- 3.99.253.80/28
- 3.101.216.144/28
Infinity Portal tenants residing in the United Arab Emirates (UAE) *
- 3.29.194.128/28
- 3.29.194.144/28
* These regions are relevant only for tenants created using the Avanan MSP Portal.
Journal Rules
Avanan creates a Journal rule that configures Microsoft 365 to send a copy of all scoped emails to the journaling mailbox used by Avanan for inspection.
Avanan uses this Journal rule only for policies in Detect and Detect and Remediate protection modes.
Journal rule name: Avanan - Monitor
Journal Reports
Avanan configures the Journal rule to send the Journal reports to [portal]@[portal]-mail.avanan.net
It also configures a mailbox for undeliverable journal reports, if the mailbox was not configured yet for the Avanan Portal tenant.
Avanan sends the undeliverable journal reports to these mailboxes when they are not deliverable to the email address specified in the journal rule:
- Avanan Portal tenants residing in United States: [portal name]@mt-prod-3-journal-error.avanan.net
- Avanan Portal tenants residing in Europe: [portal name]@mt-prod-av-1-journal-error.avanan.net
- Avanan Portal tenants residing in Canada: [portal name]@mt-prod-av-ca-2-journal-error.avanan.net
Groups
Avanan creates groups to protect the specific users and groups selected in the policies for Protect (Inline) protection mode.
When administrators configure Scope for a policy in Protect (Inline) protection mode, it gets updated to the relevant group so that only those specific users are protected inline.
Avanan creates these groups:
- avanan_inline_incoming
-
avanan_inline_outgoing
Avanan Inline Incoming Group
This group allows Avanan to protect only the incoming emails sent to users protected by an incoming policy in Protect (Inline) protection mode.
Group name: avanan_inline_incoming
Group email address: avanan_inline_incoming@[portal domain]
Avanan Inline Outgoing Group
This group allows Avanan to protect only the outgoing emails sent by users protected by an outgoing policy in Protect (Inline) protection mode.
Group name: avanan_inline_outgoing
Group email address: avanan_inline_outgoing@[portal domain]
Distribution Lists
Avanan creates a distribution list to support the protection of group mailboxes for policies in Protect (Inline) protection mode.
Distribution list name: avanan_inline_groups
Spoofed Senders Allow List
To route emails from protected users and send emails on behalf of the protected domain, Avanan adds spoofed sender exceptions to Tenant Allow/Block List in Microsoft 365.
For example, Avanan adds these infrastructure values for Avanan tenants residing in the United States region.
User | Sending Infrastrucure | Spoof Type | Action |
* | us.cloud-sec-av.com | Internal | Allow |
* | us.cloud-sec-av.com | External | Allow |
Sending infrastructure for Avanan portal tenants residing in different regions:
Region | Country | Sending Infrastrucure |
Americas | USA | us.cloud-sec-av.com |
Canada | ca.cloud-sec-av.com | |
EMEA (Europe, Middle East and Africa) |
Ireland | eu.cloud-sec-av.com |
United Arab Emirates | mec.cloud-sec-av.com/ | |
APAC (Asia Pacific) | Australia | au.cloud-sec-av.com |
India | ||
United Kingdom | - |
Trusted ARC Sealers
To ensure email authentication remains valid even after routing emails, Avanan adds a domain to the list of Authentication Received Chain (ARC) trusted sealers.
Avanan adds this to the list of trusted ARC sealers: avanan.net
Reported Phishing Emails
To present all phishing reported emails from end users using the Microsoft Report Message Add-in, reports will be configured to be sent to Microsoft and to an internal phishing reporting mailbox.
If your Microsoft 365 account is not configured to send emails to an internal mailbox, the system creates a shared mailbox with report-phishing-checkpoint@<your domain> email address and configures it to receive these reports.
Note - The system creates only a shared mailbox and it does not consume a Microsoft license from your account.
Delegated Token
To complete the required actions during automatic onboarding, such as creating groups and assigning a Global Admin role to the Avanan application, Avanan uses a delegated token from the authorizing user who approved the permissions.
If you choose to disconnect Avanan from Microsoft 365, Avanan executes the reverse actions, including deleting groups and disassociating roles. To do that, the Avanan Azure application must periodically refresh and maintain a valid delegated token.
The system initiates the refresh action on behalf of the authorizing user, and you can observe these activities in your Microsoft 365 audit log:
- Periodic logins by the Avanan application on behalf of the user to refresh the token.
- Failed login attempts in case the user no longer exists or the password has changed.
Note - These failed logins do not affect security or email delivery. However, when disconnecting Avanan from Microsoft 365, manual actions are necessary to eliminate its footprint.
To resolve this issue, re-authorize the Microsoft 365 application with the same or another Microsoft administrator credentials.- Go to Security Settings > SaaS Applications.
- Click Configure for Office 365 Mail.
- Click Re-Authorize Avanan Office 365 Emails App.
- Follow the onscreen instructions and authorize the Microsoft 365 application.
PowerShell Scripts
Avanan uses PowerShell scripts to perform various tasks in the Microsoft 365 environment, such as:
- Create / edit / delete Mail Flow rules, Connectors, Journal rules, Connection Filter, and Distribution List.
- Configuring a mailbox for undeliverable Journal Reports (if the mailbox was not configured yet for the tenant).
This mailbox will be used to receive Journal Reports when they are not deliverable to the email address specified in the Journal rule. - Reading the Hosted Content Filter Policy to get the tenant’s policy actions.
- Allowing Avanan domain, so emails will not be blocked when going through Avanan’s security engines.
- In case a policy that triggers Microsoft Encryption is created, a script will read the IRM Encryption to configure an Encryption rule.
- Creating a new shared mailbox and configuring the system to forward reported phishing emails to the mailbox using the Microsoft Report Message Add-in.
Note - If the Microsoft account is already configured to forward reported phishing emails to an internal mailbox, this configuration will not be performed.