Global Settings for Access Rules

Global Settings affect all rules of the applicable type (internet access rules and/or private access rules.)

Some global settings are intended only for troubleshooting purposes.

Change these settings only if you have good reason to do so.

To change these settings, see Edit Rule Defaults and Global Settings.

Global Settings for Access Rules

Microsoft 365 Compatibility

This setting applies only to web security features, not to IPS.

The Microsoft 365 Compatibility feature exempts Microsoft 365-related domains, marked as Optimize and Allow in Microsoft's endpoint categories, to bypass inspection and policy enforcement by web security features, allowing traffic to those domains to pass through unaltered. The domains are excluded from HTTPS decryption and content filtering. The Microsoft 365 traffic appears in the Secure Access reports, however, since HTTPS inspection is disabled, traffic is logged only at the host/domain level and does not show the full URL.

Tenant Controls

If you use tenant controls for Microsoft 365, see additional information at Use Tenant Controls in Access Rules.


  • Microsoft 365 traffic is still sent to Secure Access's web proxy service in all deployment methods (Tunnel, AnyConnect, PAC). To stop this traffic from hitting Secure Access entirely, add manual 'External Domain' entries or route the traffic direct to the internet from your connecting devices.
  • File Inspection will no longer apply to this traffic.
  • This will not prevent the Microsoft 365 traffic egressing from a Secure Access IP address
  • This does not apply to all Microsoft/Microsoft 365 domains. Only those categorized as important for performance by Microsoft.
  • This setting allows a number of important Microsoft 365 domains so web security and filtering do not apply to them, and prevents these domains from triggering Secure Access SAML authentication.

Note: MS Intune sync requires "" to be added to the Do Not Decrypt List(s) used in the relevant rules even when Microsoft365 Compatibility is enabled.
For more information, see the official Microsoft documentation.

Decryption for IPS

Intrusion prevention requires decryption in order to be effective. Generally, you will disable decryption for IPS only for troubleshooting purposes. This setting applies to both private access rules and internet access rules.

For information about other decryption settings, see Manage Traffic Decryption.

Decryption Logging

You can enable or disable decryption logging globally in Global Settings, for traffic to private resources or internet destinations or both.

Certificate Pinning

Certificate pinning is an Internet security mechanism which allows applications to resist impersonation against HTTPS servers using mis-issued or otherwise fraudulent digital certificates. However, if this security feature causes problems when users attempt to access destinations that are both essential and trusted, you may bypass this security feature for destinations that use certificate pinning.

Rule Defaults: Default Settings for Access Rules < Manage Global Settings > Edit Rule Defaults and Global Settings