Commit efb1d61

Learn Editor: Update network-intermediation.md
1 parent af4fa01 commit efb1d61

1 file changed

Lines changed: 1 addition & 1 deletion

microsoft-365/enterprise/network-intermediation.md

@@ -50,7 +50,7 @@ Manipulating Microsoft 365 traffic typically means using a proxy or firewall to
5050

5151
1. __Don’t Undermine Performance & Innovation:__ __Microsoft engineers continually improve Microsoft 365’s protocols__ (e.g. moving from HTTP/2 to HTTP/3 (QUIC), enabling modern TLS features, using WebSockets for live services). If you intercept traffic, you often force the system to fall back to older, slower protocols. For instance, QUIC (HTTP/3) normally speeds up data transfer; an inspecting proxy that doesn’t understand QUIC will prevent its use, degrading performance to legacy HTTP/1.1 or 2. Similarly, WebSocket connections used by apps like Copilot may be blocked or broken by deep inspection, disabling key functionality. In short, inspecting Microsoft 365 traffic can negate years of performance innovation, leaving users with a slower, legacy experience.
5252

53-
1. __New Unified Domains = Known Good Traffic__: Microsoft 365 is consolidating services under dedicated domains like *.cloud.microsoft (for core services), *.static.microsoft (for static content), and *.usercontent.microsoft. Everything on these domains is controlled by Microsoft and requires authentication. This means your network can reliably trust traffic to these domains – it’s not "unknown" internet traffic, but Microsoft’s own cloud. The unified domain effort (drastically reducing the number of endpoints) is specifically to help customers stop treating Microsoft 365 traffic like a risk. If the traffic is headed to *.cloud.microsoft, you can be confident it’s legitimate Microsoft 365 data and not a risky third-party site. Decrypting and inspecting such traffic provides virtually no security gain – it’s already Microsoft-managed, encrypted, and authenticated – but does add latency and potential breakage.
53+
1. __New Unified Domains = Known Good Traffic__: Microsoft 365 is consolidating services under dedicated domains like *.cloud.microsoft (for core services), *.static.microsoft (for static content), and *.usercontent.microsoft. The unified domain effort (drastically reducing the number of endpoints) is specifically to help customers stop treating Microsoft 365 traffic like a risk. If the traffic is headed to *.cloud.microsoft, you can be confident it’s legitimate Microsoft 365 data and not a risky third-party site. Decrypting and inspecting such traffic provides virtually no security gain – it’s already Microsoft-managed, encrypted, and authenticated – but does add latency and potential breakage.
5454

5555
1. __No Lasting Value – Use Built-in Security:__ Microsoft 365 includes extensive, native security features (encryptions, threat detection, data loss prevention, etc.) engineered for its traffic. Inserting your own inspection layer usually duplicates these controls or, worse, interferes with them. There's little long-term benefit to these inspections. In fact, maintaining complex proxy rulesets for Microsoft 365’s ever-updating endpoints is a heavy burden (endpoints can change weekly). It’s far more effective to leverage trust in Microsoft’s cloud security and focus your inspection devices on truly unknown external traffic. As Microsoft bluntly states: there’s no durable value in decrypting Microsoft 365 traffic – it only adds cost and complexity for customers, without appreciable security improvement.
5656

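Review bot: the retained closing sentence of line 53 still asserts the traffic is "already Microsoft-managed, encrypted, and authenticated", which restates the "requires authentication" claim this change deletes from the same line; either drop "and authenticated" there too ("it's already Microsoft-managed and encrypted") or keep the removed sentence, but not one without the other. Related: the list on line 53 includes *.usercontent.microsoft, and the heading "Known Good Traffic" plus "you can be confident it's legitimate Microsoft 365 data and not a risky third-party site" reads as a statement about the content, not just the destination; a short qualifier that "known good" means the endpoint is Microsoft-operated (not that user-supplied content on it is safe) would keep the paragraph consistent with the text being removed.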