Manage Global Settings

Global settings for the Web policy affect all rules and rulesets for the policy.

To access a global setting, navigate to Policies > Web Policy and click Global Settings.

Microsoft 365 Compatibility

The Microsoft 365 Compatibility feature exempts Microsoft 365-related domains that are marked as Optimize and Allow in Microsoft's endpoint categories from inspection and policy enforcement, allowing those domains to pass through the Umbrella infrastructure unaltered. The domains are excluded from HTTPS decryption and content filtering. Microsoft 365 traffic still appears in Umbrella reporting; however, because HTTPS inspection is disabled, traffic is logged only at the host/domain level and will not show the full URL.


  • Microsoft 365 traffic is still sent to Umbrella's web proxy service in all deployment methods (Tunnel, AnyConnect, PAC). To stop this traffic from hitting Umbrella entirely, add manual 'External Domain' entries or route the traffic directly to the internet from your connecting devices.
  • File Inspection will no longer apply to this traffic.
  • This will not change geo-location behavior for Microsoft 365.
  • This will not prevent the Microsoft 365 traffic from egressing from an Umbrella IP address.
  • This does not apply to all Microsoft/Microsoft 365 domains, only to those categorized as important for performance by Microsoft.
  • The feature allows a number of important Microsoft 365 domains so that web policies and filtering do not apply to them, and prevents these domains from triggering Umbrella SAML authentication.

Tenant Controls

This feature is compatible with Tenant Controls. However, when Tenant Controls are configured for Microsoft 365, we do decrypt three Microsoft login domains (,, and for the purpose of tenant enforcement.

The domain is detected by analyzing the SNI (Server Name Indication) TLS extension. Some applications may not send SNI information, in which case the exclusion does not apply.

Note: MS Intune sync requires "" to be added to the Selective Decryption List even when the Microsoft 365 Compatibility feature is enabled.

For more information, see the official Microsoft documentation.

Protected Files Bypass

Umbrella’s security protection is unable to scan protected files because these files are encrypted. The default web policy blocks protected files because they cannot be scanned for potential threats and are therefore high risk. The Protected File Bypass overrides the default policy by allowing protected files to be downloaded.
Note: Use with caution as Umbrella does not scan protected files. Cisco recommends downloading and opening files from trusted sources only.
