BRK3081

Implementing a modern
network architecture to get
the most out of Office 365
Paul Collinge
Senior Program Manager
Office 365 Engineering - CXP

Jeff Mealiffe
Principal Program Manager
Office 365 Engineering - CXP
The enterprise connectivity challenge
[Diagram: users in a hotel, coffee shop, home office, head office and branch office reach the Microsoft global network over the network first mile, the ISP and the enterprise last mile. The enterprise last mile is the corporate MPLS WAN / network perimeter (on-premises networks, VPN, proxy server, WAN accelerator, firewall / NGFW) plus Cloud Access Security Broker, Intrusion Prevention System, Data Loss Prevention and Secure Web Gateway.]
Issues with the traditional model for Office 365 traffic
Exchange Online
• Latency to the egress from remote sites is often high
• SSL Break & Inspect adds additional latency to the connections when egressing
• Non-cached operations with high latency will be slow
  • Search
  • Opening other people's calendars
  • Free / Busy Lookup
  • Manage Rules & Alerts
  • Exchange Online Archive
  • Emails departing the outbox
• Outlook requires an average of around 3-5 persistent TCP connections per user
• Different type of connections than a traditional proxy is often designed for (i.e. persistent rather than transient)
• All this combined means a very large increase in load through the proxy/egress
• Without costly upgrades, the above is likely to cause issues
Issues with the traditional model for Office 365 traffic
Skype for Business & Microsoft Teams

• Latency to the egress may be high


• Skype/Teams media traffic prefers to use UDP for optimal call/video/sharing quality
• Traditional proxies often are not designed to handle UDP traffic, forcing TCP to be used
• Proxies often delay frames on the way through, adding jitter and latency
• Client maintains persistent connections for all users, adding to the load Outlook adds
• Calls/meetings then add additional load, sometimes all at once (e.g. an ‘All Hands’ call )
Skype Network test – Direct vs standard TCP Proxy

Direct – Using UDP
90th percentile values per metric:
Packet loss rate: 0%
RTT latency: 18
Jitter: 12.62704
Packet reorder ratio: 0%
If this is a Skype for Business Client machine connecting to the Microsoft network Edge:
Packet loss rate: PASSED
RTT latency: PASSED
Jitter: PASSED
Packet reorder ratio: PASSED
If this is a network Edge connecting to the Microsoft network Edge:
Packet loss rate: PASSED
RTT latency: PASSED
Jitter: PASSED
Packet reorder ratio: PASSED

Proxied – Using TCP (perfect conditions)
90th percentile values per metric:
Packet loss rate: 0%
RTT latency: 35
Jitter: 34.36941
Packet reorder ratio: 0%
If this is a Skype for Business Client machine connecting to the Microsoft network Edge:
Packet loss rate: PASSED
RTT latency: PASSED
Jitter: FAILED - Target of <30ms per 15ms interval
Packet reorder ratio: PASSED
If this is a network Edge connecting to the Microsoft network Edge:
Packet loss rate: PASSED
RTT latency: PASSED
Jitter: FAILED
Issues with traditional model for Office 365 traffic

SharePoint Online & OneDrive for Business

• Latency to the egress may be high


• Client maintains persistent connections for all users, adding to the load Outlook &
Skype/Teams adds
• Often large amounts of data transferred, putting load on the egress
• SharePoint and OneDrive use the same Anycast IP address, meaning NAT scalability is reduced if using port oversubscription
• Slow file transfer is often the result of non-optimal network configuration
Demo

Contoso customer:
• 80,000 enterprise users
• Multiple workloads: EXO, SPO, SfBO/Teams
• ~100 of branch offices WW
• MPLS Backbone with elements of WAN acceleration
• Centralized network egress architecture through 2 datacenters in the US
• State of the art security perimeter: Proxy, AFW, DLP, CASB, DPI, SSL B&I
• User is in Sydney office
[Diagram labels: Branch Office, WAN, Datacenter, Customer Network, ISP, Microsoft Global Network]
Demo: Office 365 – Centralized network egress
Centralized:
• Latency to O365 Front Door: ~215 ms
• Search: 320-450 ms
• EOA and Calendar Experience: Dreadful
• SharePoint Download: ~300 sec
• Skype for Business call quality: PL: 4%, RTT: 198 ms, Jitter: 63 ms
[Diagram labels: Customer Network, WAN, ISP, Microsoft Global Network]
Office 365 Connectivity Guidance
Office 365 connectivity principles
aka.ms/o365ip
• Differentiate traffic: Identify and differentiate Office 365 traffic using Microsoft published endpoints
• Egress connections: Egress Office 365 data connections as close to the user as practical with matching DNS resolution
• Optimize route length: Avoid network hairpins and optimize connectivity directly into the nearest entry point into Microsoft’s network
• Assess network security: Assess bypassing proxies, traffic inspection devices and duplicate security which is available in Office 365
New URL and IP categories and web services API
• Continued efforts to consolidate/reduce Office 365 IP subnets and URLs
• New, priority driven endpoint taxonomy (http://aka.ms/ipurlblog) for easier customer network optimization
  • Categories are based on importance/impact to user experience and network optimization ROI
  • Allowing customers to do incremental network optimizations for Office 365
• Web services API (http://aka.ms/ipurlws) to support automation by customers and partners
• Focus on key Office 365 experiences first
  • EXO: 2 FQDNs / ~20 IP subnets
  • SPO: 2 FQDNs / ~15 IP subnets
  • SfBO/Teams: 2 IP subnets
[Diagram: Legacy O365 Endpoints [~1000 IPs and URLs] are consolidated into Consolidated O365 Endpoints [100s of IPs and URLs], published through a REST API to customers and partners in three categories: Optimize [<10 FQDNs], Allow [~100 FQDNs], Default [the rest]]

Optimize
• Highest impact on end user performance
• Highly network trusted by customers
• High volume
• Most sensitive to network latency/QoS
• Expect low rate of change
• Bypass of SSL break & inspect required
• Proxy bypass strongly recommended
• First priority for local and direct Internet egress

Allow
• Network trusted by customers
• Medium to low volume
• Connectivity must never be blocked
• Proxy or firewall capable
• Bypass of SSL break & inspect recommended
• Suggested for local and direct Internet egress

Default
• Default network treatment (i.e. generic Internet)
• Optional services with description of functionality loss
New optimize category endpoints
Reminder: It is not sufficient to only open connectivity to these endpoints for Office 365 to work

Skype for Business / Microsoft Teams
Endpoints:
• UDP ports 3478, 3479, 3480, and 3481,
• TCP port 443 for IP Address ranges 13.107.64.0/18 & 52.112.0.0/14.
• No proxyable URL based endpoints.
Detailed Info:
• Relay discovery, allocation and real time traffic (3478), Audio (3479), Video (3480), and Video Screen Sharing (3481)
• Real time traffic alternate on TCP port 443
Why?
• Media traffic is particularly latency sensitive
• UDP is required for optimal media quality
• TCP 443 will be used if UDP path is blocked somewhere on network

Exchange Online
Endpoints: For all Exchange IP addresses:
• https://outlook.office365.com:443
• https://outlook.office.com:443
Detailed Info:
• Outlook.office365.com is used by Outlook clients
• Outlook.office.com is used by Outlook Web Access
Why?
• High traffic volume
• Multiple TCP connections per client
• Instant search, Other mailbox calendars, Free / busy lookup, Manage rules & alerts, Exchange online archive, Emails departing outbox

SharePoint Online
Endpoints: For all SharePoint IP addresses:
• https://<tenant>.sharepoint.com:443
• https://<tenant>-my.sharepoint.com:443
Detailed Info:
• Web access to SharePoint and OneDrive
• OneDrive for Business Sync Tool
Why?
• High traffic volume
• Large file upload and download
• All connections to same IP address

<tenant> = * used if customer doesn’t provide tenant name



Office 365 IP addresses and URLs web services
Data from the HTML page is needed by devices, not people
/endpoints – provides the endpoints required for firewall ACLs or proxy servers
/version – can be polled to identify the latest version or for an RSS feed
/changes – returns specific changes made

Benefits with the new web services
• Automation and validation of data during publishing
• System readable data for direct network device integration
• Data available in JSON or CSV format
• Includes new Optimize, Allow, Default categorization of Office 365 endpoints
• Includes ExpressRoute routable flag for each endpoint
• Version change notification published alongside the data
• All provided attributes are supported by owning development teams

Network devices can fetch and identify Office 365 network traffic
Details
• We’re working with network service vendors to integrate this
• Configure them for optimal Office 365 connectivity
• Customers using these configured devices will have recommended configuration and all monthly updates automated
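
Added example, not code from the deck or from Microsoft: one way an egress device could consume the endpoint categories described above and decide, per flow, whether the local direct egress and inspection-bypass treatment applies. The JSON field names, the `<tenant>` substitution and the `example.invalid` hosts are assumptions; the sample data is constructed from the hosts, ranges and ports listed in this deck.

```python
import ipaddress
import json

# Constructed sample. The field names are an assumed JSON shape for the
# /endpoints data; hosts, ranges and ports are the ones listed in this deck.
SAMPLE_ENDPOINTS_JSON = """[
 {"id": 1, "serviceArea": "Exchange", "category": "Optimize",
  "urls": ["outlook.office365.com", "outlook.office.com"], "tcpPorts": "443"},
 {"id": 2, "serviceArea": "Skype", "category": "Optimize",
  "ips": ["13.107.64.0/18", "52.112.0.0/14"],
  "tcpPorts": "443", "udpPorts": "3478,3479,3480,3481"},
 {"id": 3, "serviceArea": "SharePoint", "category": "Optimize",
  "urls": ["<tenant>.sharepoint.com", "<tenant>-my.sharepoint.com"],
  "ips": ["13.107.136.9/32"], "tcpPorts": "443"},
 {"id": 4, "serviceArea": "Common", "category": "Allow",
  "urls": ["allow.example.invalid"], "tcpPorts": "443"},
 {"id": 5, "serviceArea": "Common", "category": "SomethingNew",
  "urls": ["new.example.invalid"], "tcpPorts": "443"}
]"""

# Handling per category, as stated on the category slide.
TREATMENT = {
    "Optimize": {"egress": "local-direct", "proxy": "bypass", "tls_inspect": "bypass"},
    "Allow": {"egress": "local-direct-suggested", "proxy": "permitted",
              "tls_inspect": "bypass-recommended"},
    "Default": {"egress": "standard", "proxy": "standard", "tls_inspect": "standard"},
}
RANK = {"Optimize": 0, "Allow": 1, "Default": 2}

def parse_ports(spec):
    """'443' / '3478,3479' / '50000-59999' -> list of (low, high) ranges."""
    ranges = []
    for part in (spec or "").split(","):
        if part.strip():
            low, _, high = part.strip().partition("-")
            ranges.append((int(low), int(high or low)))
    return ranges

def build_rules(json_text, tenant=None):
    """Build match rules. With no tenant name '<tenant>' becomes '*', which
    extends the inspection bypass to every tenant's SharePoint host."""
    rules = []
    for es in json.loads(json_text):
        category = es.get("category")
        if category not in TREATMENT:
            category = "Default"  # an unknown category never earns a bypass
        rules.append({
            "id": es["id"], "category": category,
            "nets": [ipaddress.ip_network(n) for n in es.get("ips", [])],
            "hosts": [u.replace("<tenant>", tenant or "*").lower()
                      for u in es.get("urls", [])],
            "tcp": parse_ports(es.get("tcpPorts")),
            "udp": parse_ports(es.get("udpPorts")),
        })
    return rules

def host_matches(pattern, host):
    host = host.lower().rstrip(".")
    if pattern.startswith("*"):
        suffix = pattern[1:]
        return host.endswith(suffix) and len(host) > len(suffix)
    return host == pattern

def classify(rules, proto, port, dst_ip=None, host=None):
    """Return (category, rule_id); anything unmatched is ('Default', None)."""
    best = ("Default", None)
    addr = ipaddress.ip_address(dst_ip) if dst_ip else None
    for rule in rules:
        ports = rule["tcp"] if proto == "tcp" else rule["udp"]
        if not any(low <= port <= high for low, high in ports):
            continue
        hit = (addr is not None and any(addr in n for n in rule["nets"])) or (
            host is not None and any(host_matches(p, host) for p in rule["hosts"]))
        if hit and RANK[rule["category"]] < RANK[best[0]]:
            best = (rule["category"], rule["id"])
    return best

def treatment(rules, proto, port, dst_ip=None, host=None):
    return TREATMENT[classify(rules, proto, port, dst_ip, host)[0]]

if __name__ == "__main__":
    demo = build_rules(SAMPLE_ENDPOINTS_JSON, tenant="contoso")
    print(classify(demo, "udp", 3479, dst_ip="52.113.10.20"))
```

Port and protocol are checked before address or host, so a UDP 443 flow to a Teams media range, or a flow to another tenant's SharePoint host when the tenant name is set, stays on the standard inspected path.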
Microsoft Global Network
• Fast, globally available network
• 100K miles of fiber in 130+ locations
• 130+ global edge nodes reaching 63% of the Global GDP within 25ms
• Peering relationships with 2700+ ISPs in 190+ locations
• Connects 35+ Office 365 Datacenter locations
• Fully software defined and managed by Microsoft
[Map legend: Peering & Service front door locations; Office 365 Datacenter; Announced new Office 365 locations]
*Network sites not exhaustive


Office 365 peering locations aka.ms/8075
Brisbane Australia Chennai India Madrid Spain

Melbourne Australia Hyderabad India Stockholm Sweden

Perth Australia Mumbai India Zurich Switzerland

Sydney Australia New Delhi India Taipei Taiwan

Vienna Austria Dublin Ireland London UK

Brussels Belgium Milan Italy Slough UK

Sao Paulo Brazil Turin Italy Manchester UK

Rio de Janeiro Brazil Osaka Japan Ashburn USA

Sofia Bulgaria Tokyo Japan Atlanta USA

Montreal Canada Kuala Lumpur Malaysia Boston USA

Toronto Canada Mexico City Mexico Chicago USA

Vancouver Canada Amsterdam Netherlands Dallas USA

Santiago Chile Auckland New Zealand Denver USA

Zagreb Croatia Wellington New Zealand Houston USA

Prague Czech Republic Manila Philippines Las Vegas USA

Copenhagen Denmark Warsaw Poland Los Angeles


Honolulu USA

Helsinki Finland Lisbon Portugal Miami USA

Marseille France Bucharest Romania New York USA

Paris France Moscow Russia Palo Alto USA

Berlin Germany Singapore Singapore Phoenix USA

Frankfurt Germany Cape Town South Africa San Antonio USA

Athens Greece Johannesburg South Africa San Jose USA

Hong Kong Hong Kong Seoul South Korea Seattle USA

Budapest Hungary Barcelona Spain


Connectivity architecture – bringing Office 365 closer to all users
• Microsoft Global Network (AS8075): Presence | Peering | Backhaul
• Distributed Service Front Door infrastructure
• Intelligent content and business logic placement
• Office 365 cloud becomes closer and closer to end users
45+ datacenters, 100+ locations, 190+ peering locations, 2700+ networks
[Diagram labels: Network POP, Service Front Door, Data, Microsoft Global Network]
Office 365 connectivity architecture and strategy
• Microsoft Global Network (AS8075): Presence | Peering | Backhaul
• Distributed Service Front Door infrastructure
• Intelligent content and business logic placement
• Office 365 cloud becomes closer and closer to end users

Question: What can you do to align with Office 365 strategy and fully take advantage of these investments
Answer: Egress Office 365 data traffic locally with matching DNS name resolution

[Map: estimated user to Service Front Door RTT (EXO example) for customer network sites in Miami, FL; Orlando, FL; Washington DC; San Francisco, CA; San Jose, CA; and Seattle, WA, each reaching the Microsoft Global Network through an ISP. RTT values shown: ~65ms, ~25ms, ~5ms, ~85ms]
* Data at rest remains within tenant specific geo/compliance
Application level Security for Optimize endpoints

Skype for Business / Microsoft Teams
Endpoints:
• UDP ports 3478, 3479, 3480, and 3481,
• TCP port 443 for IP Address ranges 13.107.64.0/18 & 52.112.0.0/14.
• No proxyable URL based endpoints.
Detailed Info:
• Relay discovery, allocation and real time traffic (3478), Audio (3479), Video (3480), and Video Screen Sharing (3481)
• Real time traffic alternate on TCP port 443
Security Elements available in the service:
• Signaling traffic is TLS encrypted
• Media traffic is encrypted
• Multi Factor Authentication

Exchange Online
Endpoints: For all Exchange IP addresses:
• https://outlook.office365.com:443
• https://outlook.office.com:443
Detailed Info:
• Outlook.office365.com is used by Outlook clients
• Outlook.office.com is used by Outlook Web Access
Security Elements available in the service:
• Exchange Online Protection
• Multi Factor Authentication
• Anti Malware protection
• Data Loss Prevention (DLP)
• Office 365 Advanced Threat Protection (ATP)

SharePoint Online
Endpoints: For all SharePoint IP addresses:
• https://<tenant>.sharepoint.com:443
• https://<tenant>-my.sharepoint.com:443
Detailed Info:
• Web access to SharePoint and OneDrive
• OneDrive for Business Sync Tool
Security Elements available in the service:
• Data Loss Prevention (DLP)
• Anti Malware protection
• Office 365 Advanced Threat Protection (ATP)

<tenant> = * used if customer doesn’t provide tenant name


Example Modern Network
Architecture
Branch Office – Traditional Approach
1 Branch Office
• All traffic is sent via the WAN/MPLS to the Head Office location to egress
2 Standard corporate network security stack
• To egress the environment all traffic has to traverse the corporate security stack
[Diagram labels: Branch office (Users PC, Router), (1) MPLS/WAN, Head office (2) (Internet Proxy, DLP, IPS, Firewall), Service Front Door]

Modern Network architecture: Example #1
SDWAN for direct Office 365 – Reduced/Removed MPLS load/costs
1 SDWAN local branch egress
• SDWAN device used for local ISP breakout
• For Office 365, the device can auto consume the ‘Optimize’ category from the web service
• Other desired traffic such as update traffic and trusted & defined cloud services can use this path
2 Standard corporate network security stack
• Other traffic goes direct to standard internet browsing path
• This is the remainder of Office 365 URLs.
• Also any other browsing traffic
[Diagram labels: Branch office (Users PC, SDWAN device), ISP 1, ISP 2, MPLS/WAN, Head office (SDWAN device, Internet Proxy, DLP, IPS, Firewall), Service Front Door, Windows/Office Updates, Other Cloud services]



Modern Network architecture: Example #2
SDWAN for Direct Office 365 through regional Egress
1 MPLS to nearest regional site with local breakout
• SDWAN device used to connect to nearest regional Office location with an internet breakout.
• For Office 365, the internet egress device can auto consume the ‘Optimize’ category from the web service
• Other desired traffic such as update traffic and trusted & defined cloud services can use this path
2 Standard corporate network security stack
• Other traffic goes direct to standard internet browsing path
• This is the remainder of Office 365 URLs.
• Also any other browsing traffic
[Diagram labels: Branch office 1 and Branch office 2 (Users PC, SDWAN device), Regional office 1 (Users PC, SDWAN device), MPLS/WAN, ISP 1, ISP 2, Head office (SDWAN device, Internet Proxy, DLP, IPS, Firewall), Service Front Door, Windows/Office Updates, Other Cloud services]
Modern Network architecture: Example #3
SDWAN for egress through Secure Web Gateway
1 SDWAN used to send all traffic via a Cloud based, Secure Web Gateway
• SDWAN device used for local ISP breakout
• All traffic is sent to the nearest secure web gateway
• Corporate traffic can be sent direct to Head Office via SDWAN or via SWG
2 Standard corporate network security stack
• Legacy egress kept in place for edge cases
[Diagram labels: Branch office 1 and Branch office 2 (Users PC, SDWAN device), Home (Users PC), ISP 1, ISP 2, Cloud based Secure Web Gateway, Internet, Head office (SDWAN device, Legacy Egress, DLP, IPS, Firewall), Service Front Door, Windows/Office Updates, Other Cloud services]
General Benefits of local egress
Technical Benefits

• Data/Applications/Services are increasingly moving to the cloud and no longer live in the corporate network, so it doesn’t make sense to backhaul all traffic to a central egress
• Central security/egress stacks are very expensive to uplift for cloud services, may still not be optimal and may need
continual uplift for future services
• Cloud security elements often replicate security delivered at the egress
• Allows an enterprise to be more agile to an increasingly fast paced world
• Consider the shift in software update distribution, often best delivered by local CDN
• Centralized management for all remote egress devices

Cost Benefits
• MPLS costs are often much higher than local internet connectivity
• Kelly Services, with 10,000 employees spread across 900+ global branches, realized a 60% reduction in overall telecom OPEX costs when moving to a direct-to-internet architecture. In most branches they were able to deliver 10x more bandwidth for 25% of the cost of their legacy connectivity approach, using the Secure Web Gateway model to implement a simple, centralized control.
Demo: Office 365 – Local and Direct network egress
• Latency to O365 Front Door: Centralized 200-215 ms; Local and Direct ~12 ms
• Search: Centralized 300-400 ms; Local and Direct ~130 ms
• EOA and Calendar Experience: Centralized Dreadful; Local and Direct Delightful
• SharePoint Download: Centralized 300 sec; Local and Direct ~7 sec
• Skype for Business call quality: Centralized PL: 4%, RTT: 198 ms, Jitter: 63 ms; Local and Direct PL: 0.2%, RTT: 11 ms, Jitter: 10 ms
[Diagram labels: Customer Network, CPE Device Config, WAN, ISP, Microsoft Global Network, Front Door, Data]
Skype for Business Online
Network Connectivity
Call Connectivity Model
• Signalling traffic (SIP)
  • Connects client to a pool in the location of the tenant
  • Informs the client of the relay to use for media services – TCP Port 443
• For media traffic the client attempts multiple connection methods simultaneously when starting media
  • [Optimal] UDP Direct - Ports 3478, 3479, 3480, & 3481, (Optional) 50,000-59,999
  • [OK] TCP Direct – Port 443
  • [Least Preferred] TCP via Proxy PAC
• Best method that gets a response is used

1-to-1 call media path (direct connectivity)
[Diagram: media path between corporate users (wired / wireless, corporate network, ISP / Internet / Express Route provider), a home user (wired / wireless, home network, home ISP / Internet) and the Azure network / SfB DC]
Legacy behavior: 1-to-1 calls on different networks
[Diagram legend: Internet path, Microsoft Network, Peer Location, Traffic flow; component shown: Media Relay]
Teams 1-to-1 calls on different networks
[Diagram components: Transport Relay, Media Relay]
SharePoint/OneDrive for Business
Network Connectivity
SharePoint Online – Client Connectivity Mechanism
• Now uses Anycast to connect to the same IP globally
• DNS lookup for tenantname.sharepoint.com returns 13.107.136.9
• Multiple edge servers globally configured for that IP
• BGP route advertisement and least cost routing is used
• Finds the nearest SharePoint enabled Edge node to connect
• TCP and SSL connections terminated, optimized and connected to the SharePoint front end server on an existing session
SharePoint Online & OneDrive for Business Connection Process
[Diagram labels: Client, DNS, EMEA SPO Edge Nodes, SPO NAM; steps shown include "TCP 443 Connection to the EMEA SPO Anycast IP address" and "Connected"]
• Connects the client to the secure, highly available, globally distributed edge network
• Terminates SSL connections closer to the client
• Optimizes connections at the edge to rectify sub-optimal settings from the customer side
• Re-uses connections between the edge and SharePoint Online
File Performance
• 2x-5x increase in upload speeds
• 3x-10x increase in download speeds
• 55% faster opening Word documents in Office Online
• 40% faster opening PowerPoint documents in Office Online

Anycast is now rolled out globally and customers following the network principles will instantly see the benefit without any customer side change required
Exchange Online
Network Connectivity
Exchange Online Connection Process - Anycast
For Exchange Online Hosted Mailboxes
[Diagram labels: Outlook, DNS Server, DNS Lookup, outlook.office365.com, Outlook.ms-acdc.office.com, Anycast IP, IP Addresses of FE servers, TCP 443 Connection to 1st IP in list returned, Connected, Connect to Mailbox, Mailflow, DC1 CAFE, DC2 CAFE, DC3 CAFE, DC4 CAFE, Mailbox Server]
Considerations for inbound
connectivity
Inbound connections matter
Hybrid connectivity frequently involves cloud to on-premises flows
[Diagram labels: Office 365 Workload Capacity, ISP 1, Firewall, On-Premises Capacity, Corporate Datacenter]
Optimizing Exchange inbound flows
• Follow general best practices guidance: http://aka.ms/JustALoadBalancer
  • External namespaces published in public DNS
  • Autodiscover points clients (including O365) to appropriate namespace
• Follow principles of connectivity
  • Egress location should be close to target infrastructure to minimize latency
  • Minimize impact of security controls on inbound traffic: enough to mitigate threats
[Diagram labels: Exchange Online Capacity, ISP 1, Firewall, Load Balancer, Exchange On-Premises Capacity, Corporate Datacenter]
High availability for Exchange inbound flows
High availability accomplished via Exchange on-premises preferred architecture & namespace design: http://aka.ms/preferred & http://aka.ms/namespace
[Diagram labels: Exchange Online Capacity, ISP 1, and two Corporate Datacenter sites, each with Firewall, Load Balancer and Exchange On-Premises Capacity]

Additional controls for Exchange inbound flows
• Additional control points can be added into the traffic flow
• Authentication of most inbound flows managed with federation trusts & org relationships
• Can’t use traditional pre-auth at reverse proxy
• Details at http://aka.ms/HybridAuth
[Diagram labels: Exchange Online Capacity, ISP 1, Firewall, Reverse Proxy (No Pre-auth*), Load Balancer, Exchange On-Premises Capacity, Corporate Datacenter]
Exchange Hybrid Agent
• No customer DNS changes
• No certificate changes
• No firewall/network changes
• Protect on-premises systems
Tenant-specific endpoint: https://{guid}.resource.{flow}.his.msappproxy.net
http://aka.ms/HybridAgent
[Diagram labels: Exchange Online, Hybrid Proxy Service, IP Whitelist, Outbound ACL Only, Hybrid Agent, Exchange Servers, On-Premises Environment]
Optimizing SharePoint inbound flows
• Follow general best practices guidance: http://aka.ms/SPOHybridPublish
• Follow principles of connectivity
  • Egress location should be close to target infrastructure to minimize latency
  • Minimize impact of security controls on inbound traffic: enough to mitigate threats (must use reverse proxy w/certificate auth)
[Diagram labels: SharePoint Online Capacity, ISP 1, Firewall, Reverse Proxy (Certificate Auth), SharePoint On-Premises Capacity, Corporate Datacenter]
Office 365 Multi Geo: connectivity and performance impacts
Get enterprise-grade global data location controls with Multi-Geo

Granular data location controls
Easily control the country or region where each user’s Office 365 data is stored at-rest and address your global data residency needs.

Unlock modern productivity for all
Use a single Office 365 tenant across your company and empower all employees with a modern collaboration experience, regardless of their location.

Example tenant: Contoso.onmicrosoft.com, 25,000 Office 365 Users
• Central Geo: NAM (15K users)
• Satellite Geos: EUR (5K users) & AUS (5K users)

Available now in Exchange Online and OneDrive
Coming soon for SharePoint Online and Groups
Asia-Pacific, Australia, Canada, European Union, France, India, Japan, Korea, North America, United Kingdom

Learn more: aka.ms/Multi-Geo
Key networking considerations for Multi Geo
• Multi Geo is not a performance solution – it’s about data residency
• Local/regional egress model is critical for Multi Geo customers to avoid performance degradation
• Performance may increase, but only if connectivity guidance is followed
[Diagram labels: Customer Network with a Datacenter (Miami, FL; Orlando, FL) and Branch Offices (Paris, France; Tokyo, Japan), each with an ISP; Microsoft Global Network with Service Front Door and Data locations, including Paris, France and Tokyo, Japan]
PRE09

Network Bandwidth Estimation for Office 365
How Much Bandwidth do I need for Office 365?
• This is a very difficult question to answer
• The figure is variable per customer profile
• Similar size/sector customers may see very different values
• Using an average may lead to poor planning decisions
The traditional approach
Use calculators for each workload
• Network and Migration Planning for Office 365
• Exchange Client Network Bandwidth calculator
• Skype for Business Bandwidth Calculator
• Teams Bandwidth Planner
• Technical Case Study from Microsoft IT

• Generally workload specific, when planning needs to be holistic for all needs
• Poor data in == Poor data out
• Microsoft generally recommended monitoring pilot users and extrapolating data out
Beta Solution using Azure Service Map & Log Analytics
How it works?
• Pilot batch user is using Office 365 services from home, office or school
• Administrator has set up a Log analytics workspace in Azure subscription
• The user has MMA & Dependency agent installed and connected to the Azure log analytics workspace
• Dependency agent is sending user connection information metadata to log analytics workspace in Azure
• Administrator can connect to the log analytics workspace and query the connection information for multiple users or a specific user
[Diagram labels: Cloud, Office 365, Azure, OMS]
Demo
Network Bandwidth estimation using
Azure Log analytics and Service Map
Microsoft Office 365 Networking Partner Program
• Collaborate with networking industry and identify solutions that meet Office 365 connectivity principles in solution design, configuration, customer guidance and deployment.
• Simplify customer network onboarding to Office 365 using qualified networking solutions that deliver a high performing Office 365 end-user experience in alignment with Microsoft recommendations.
• Qualified networking partner solutions are titled as “Works with Office 365.”
aka.ms/Office365NPP
Microsoft Office 365 Networking Partner Program
The following solutions are working toward the “Works with Office 365” designation as a part of Office 365 Networking Partner Program.
• Cisco SD-WAN: cs.co/onRampO365
• NSX SD-WAN by VeloCloud: bit.ly/VeloCloud-O365
• Citrix SD-WAN: bit.ly/2puHp2a
• SteelConnect SD-WAN: rvbd.ly/2O6AxWH
• Zscaler Internet Access: bit.ly/2Dgk5im
Takeaways
1. SaaS is disrupting network and security. Re-envision how you
connect and protect your enterprise. Expand your existing network
and security boundary with the concept of the SaaS tenant.
2. User experience is paramount for enterprise success with SaaS.
Best user experience can be provided by embracing local and direct
Internet escape. Don’t forget DNS name resolution path.
3. SaaS will evolve and attempt to move closer to user. Make it work
for you by minimizing the (hidden) private network backhaul.
4. Use Office 365 connectivity principles to keep network strategy for
your company SaaS optimal and future proof.
5. Send this presentation to your network and security team. It’s their
decisions that hold the keys to a delightful Office 365 end user
experience!
© Copyright Microsoft Corporation. All rights reserved.