Implement Microsoft 365 Network Connectivity Assessments and Insights

Microsoft has existing network measurements from several Office desktop and web clients, which support the operation of Microsoft 365. These measurements include aggregated network connectivity metrics collected from your Microsoft 365 tenant. They provide network architecture design insights and a network assessment, which are displayed in the Microsoft 365 admin center under Health > Network connectivity.

Network connectivity insights, their related performance recommendations, and network assessments are intended to help in designing network perimeters for your office locations. Each insight provides details about the performance characteristics for a specific common networking issue for each geographic location where users are accessing your tenant. Performance recommendations for each network insight offer specific network architecture design changes you can make to improve user experience related to Microsoft 365 network connectivity. The network assessment shows how network connectivity impacts user experience, allowing for comparison of different user location network connections.

Prerequisites for network connectivity assessments to appear

When you first navigate to the network connectivity page, you must configure your locations in order to see:

  • The map of global network performance
  • A network assessment scoped to the entire tenant
  • Percentage of your users working remotely versus onsite
  • A list of current issues to take action on and/or to research further

To prepare for network connectivity assessments, you must perform one of the following tasks:

  • Option 1 - Turn on your location opt-in setting to automatically collect data from devices using Windows Location Services.
  • Option 2 - Go to your Locations list to manually add or upload location data.
  • Option 3 - Run the Microsoft 365 network connectivity test from your office locations.

These three options for obtaining office location information are examined in greater detail in the following sections. While network connectivity can be evaluated across the organization, any network design improvements must be made for specific office locations. Network connectivity information is provided for each office location once those locations can be determined.

Option 1 - Turn on your location opt-in setting to automatically collect data from devices using Windows Location Services

For this option, you must have at least two computers running at each office location that support the prerequisites. The OneDrive for Windows version must be up-to-date and installed on each computer. Network tests run no more than once a day, at a random time.

Windows Location Services must be consented to on the machines. As a test, you can run the Maps app and locate yourself. You can enable it on a single machine through Settings > Privacy > Location, where you enable the setting Allow apps to access your location. You can also deploy Windows Location Services consent to PCs using MDM or Group Policy with the setting LetAppsAccessLocation.

You don't need to add locations in the Microsoft 365 admin center with this method as they're automatically identified at the city resolution. Multiple office locations within the same city aren't shown when using Windows Location Services. Location information is rounded to the nearest 300 meters by 300 meters so that more precise location information isn't accessed. Use of Windows Location Services for network measurements is Off by default for customers. You must enable it in the Network Connectivity Settings Location flyout.

Screenshot showing the Network Connectivity Settings Location dialog box and the Location detection setting.

The machines should use Wi-Fi networking rather than an Ethernet cable. Machines with Ethernet cables don't have accurate location information.

Measurement samples and office locations should start to appear 24 hours after these prerequisites are met. Office locations discovered from Windows Location Services are aggregated per city and are retained in your view for 90 days after samples are no longer received. You can disable Windows Location Services and hide all discovered locations if you choose to switch to office locations added by the administrator with LAN subnet information. The discovered locations are removed after the 90-day period.

Option 2 - Go to your Locations list to manually add or upload location data

For this option, Windows Location Services and Wi-Fi aren't required. Instead, your OneDrive for Windows version must be up-to-date and installed on at least one computer at the location. You must also know the LAN subnet information for each of your offices. With this option, you must either manually add locations in the Locations tab or import them from a CSV file. You can also upload them from other sources.

This option allows you to define multiple office locations per city, and you can name your office locations. The added locations must include your office LAN subnet information. In the dialog for adding or editing a location, you can specify multiple LAN subnets and public egress IP subnets. The LAN subnets are required. One of them must match the LAN subnet attribute on a received network assessment for results to show up.

Microsoft supports matching of all subnets under a given network when you add locations using LAN subnets. The main advantage of this approach is that you no longer need to define exact matches for LAN subnets when you add locations. For example, let's assume you added a location using /20 as the LAN subnet definition. In the network assessment, Microsoft received a LAN subnet attribute containing /24, which is part of the supernet you defined using /20. If there's no other specific match for the /24 subnet, Microsoft maps this network assessment to the location you added using the /20 LAN subnet definition.

Usually, LAN subnets are private IP address ranges as defined in RFC 1918, so a public IP address range entered as a LAN subnet is likely to be incorrect. The dialog suggests LAN subnets that appeared in recent network assessment tests for your organization so that you can choose from them.

If you add public egress IP addresses, they're used as a secondary differentiator and are intended for when you have multiple sites using the same LAN subnet IP address ranges. To make sure your test results show up, you should start by leaving the public egress IP address ranges blank. If they're included, then a test result must match both one of the LAN subnet IP address ranges and one of the public egress IP address ranges.
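The matching rules above, sketched as an added example (not Microsoft's code and not part of the original module): a pre-check for location definitions and a most-specific-match lookup. Location names, address ranges and the longest-prefix tie-break are assumptions made for illustration.

```python
import ipaddress

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample locations (hypothetical names and ranges, not from the page).
LOCATIONS = [
    {"name": "HQ campus", "lan": ["10.20.0.0/20"], "egress": []},
    {"name": "HQ lab", "lan": ["10.20.5.0/24"], "egress": []},
    # Two sites reusing one LAN range, told apart by their public egress range.
    {"name": "Branch A", "lan": ["192.168.1.0/24"], "egress": ["198.51.100.0/28"]},
    {"name": "Branch B", "lan": ["192.168.1.0/24"], "egress": ["203.0.113.0/28"]},
]


def validate_location(loc):
    """Return problems found in a location definition before it is added."""
    problems = []
    if not loc["lan"]:
        problems.append("at least one LAN subnet is required")
    for field in ("lan", "egress"):
        for cidr in loc[field]:
            try:
                net = ipaddress.ip_network(cidr)  # strict: rejects host bits
            except ValueError as exc:
                problems.append(f"{field} {cidr}: {exc}")
                continue
            if net.version != 4:
                problems.append(f"{field} {cidr}: only IPv4 is accepted")
            elif field == "lan" and not any(net.subnet_of(r) for r in RFC1918):
                problems.append(f"lan {cidr}: public range, likely incorrect")
    return problems


def match_location(lan_subnet, egress_ip, locations=LOCATIONS):
    """Map an assessment to the location with the most specific LAN match."""
    reported = ipaddress.ip_network(lan_subnet)
    egress = ipaddress.ip_address(egress_ip)
    best = None  # (prefix length, location name)
    for loc in locations:
        egress_nets = [ipaddress.ip_network(e) for e in loc["egress"]]
        # Egress ranges, when set, must match in addition to a LAN subnet.
        if egress_nets and not any(egress in n for n in egress_nets):
            continue
        for cidr in loc["lan"]:
            net = ipaddress.ip_network(cidr)
            if reported.subnet_of(net) and (best is None or net.prefixlen > best[0]):
                best = (net.prefixlen, loc["name"])
    return best[1] if best else None


if __name__ == "__main__":
    for lan, egress in [("10.20.5.0/24", "192.0.2.10"),
                        ("10.20.7.0/24", "192.0.2.10"),
                        ("192.168.1.0/24", "203.0.113.5"),
                        ("192.168.1.0/24", "192.0.2.10")]:
        print(lan, egress, "->", match_location(lan, egress))
```

The last sample shows why the egress ranges are best left blank at first: a result whose egress IP matches neither branch maps to no location at all.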

This option allows you to have multiple offices defined within a city.

All test measurements from client machines include the LAN subnet information, which is correlated with the office location details that you entered. Measurement samples and office locations should start to appear 24 hours after these prerequisites are met.

Option 3 - Run the Microsoft 365 network connectivity test from your office locations

For this option, you must first identify a person at each location. Ask them to browse to the Microsoft 365 network connectivity test on a Windows machine on which they have administrative permissions. On the web site, they must sign in to their Microsoft 365 account for the organization whose results you want to see. Then they should select Run test. During the test, a Connectivity test EXE file is downloaded, which they must open and execute. Once the tests are completed, the test result is uploaded to the Microsoft 365 admin center.

Test reports are linked to a location if it was added with LAN subnet information. Otherwise, they're shown at the discovered City location only. Measurement samples and office locations should start to appear 2-3 minutes after a test report is completed. For more information, see Microsoft 365 network connectivity test.

Warning

Currently, when you add your office locations to Microsoft 365 network connectivity in the Microsoft 365 admin center, you can provide only IPv4 addresses for your LAN subnets. Egress IP addresses must also use IPv4.

Network connectivity in the Microsoft 365 admin center

By default, approximate location information associated with the network measurements identifies the city where client devices are located. The network assessment at each location is shown with color and the relative number of users at each location is represented by the size of the circle. These insights are available to view only by administrative users in your tenant.

Screenshot showing a company's map of global performance on the Network Connectivity page.

The Overview tab on the Microsoft 365 network connectivity page also shows the network assessment for the customer as a weighted average across all office locations.

Screenshot showing a company's network assessment score on the Network Connectivity page.

From the Locations tab on the Microsoft 365 network connectivity page, you can drill down to view specific network performance metrics and issues by location. Locations with specific recommendations might also include an estimated potential latency improvement. This value is calculated by taking the median latency of your organization users at the location and subtracting the median latency for all organizations in the same city. For more information, see Network performance overview in the Microsoft 365 Admin Center.

To access the Microsoft 365 network connectivity page, you must be an administrator for the organization within Microsoft 365.

  • The Report Reader administrative role has Read access to this information.
  • An administrator must have the Service Support Administrator role to configure locations and other elements of network connectivity.

Note

Network connectivity in the Admin Center supports tenants in WW Commercial but not GCC Moderate, GCC High, DoD or China.

How do I use this information?

Network assessments distill an aggregate of many network performance metrics into a snapshot of your enterprise network health. Each assessment is represented by a points value from 0 to 100. Network assessments are scoped both to the entire tenant and to each geographic location from which users connect to your tenant. This design provides Microsoft 365 administrators with an easy way to instantly grasp a holistic view of the enterprise's network health. It also enables them to quickly display a detailed report for any global office location.

Complex enterprises with multiple office locations and nontrivial network perimeter architectures can benefit from this information either during their initial onboarding to Microsoft 365 or when remediating network performance issues discovered with usage growth. Small businesses that use Microsoft 365 usually don't require this task. Nor do enterprises who already have simple and direct network connectivity. Enterprises with over 500 users and multiple office locations are expected to benefit the most.

Enterprise network connectivity challenges

Many enterprises have network perimeter configurations that grew over time and are primarily designed to accommodate employee Internet web site access. In these instances, most of the web sites aren't known in advance and are untrusted. The prevailing and necessary focus is avoiding malware and phishing attacks from these unknown web sites. This network configuration strategy, while helpful for security purposes, can lead to degradation of Microsoft 365 user performance and user experience.

So how can companies address these challenges? Enterprises can improve general user experience and secure their environment by following Microsoft's Office 365 connectivity principles and by using the Microsoft 365 admin center Network Connectivity feature. In most cases, following these general principles has a significant positive effect on end-user latency, service reliability, and overall performance of Microsoft 365.

Microsoft is sometimes asked to investigate network performance issues with Microsoft 365 for large enterprise customers. These issues frequently have a root cause related to the customer's network perimeter infrastructure. When a common root cause of a customer network perimeter issue is found, Microsoft seeks to identify simple test measurements. A test with a measurement threshold that identifies a specific problem is valuable because Microsoft can test the same measurement at any location, tell whether this root cause is present there, and share it as a network insight with the administrator.

Some network insights merely indicate a problem that needs further investigation. A network insight where Microsoft has enough tests to show a specific remediation action to correct the root cause is listed as a recommended action. These recommendations, based on live metrics that reveal values that fall outside a predetermined threshold, are much more valuable than general best practice advice. Their value lies in the fact that they're specific to your environment. As such, they show the actual improvement once the recommended changes are made.

Microsoft 365 Network Insights

Network Insights are performance metrics collected from your Microsoft 365 tenant. They're only accessible by administrative users in your tenant. Insights are intended to help in designing network perimeters for your office locations. Each insight provides live details about the performance characteristics for a specific common issue for each geographic location where users are accessing your tenant.

For each office location, the Network Insights that you see might include:

  • Backhauled network egress. This insight displays if the network insights service detects that the distance from a given user location to the network egress is greater than 500 miles (800 kilometers). This insight might indicate that Microsoft 365 traffic is being backhauled to a common Internet edge device or proxy. With this insight, the office location is identified by an obfuscated client machine location and the network egress location is identified by using reverse IP address-to-location databases. The office location might be inaccurate if Windows Location Services is disabled on machines. The network egress location might be inaccurate if the reverse IP address database information is inaccurate. Microsoft recommends network egress as close as possible to the office location. Microsoft 365 traffic should route optimally to Microsoft's global network and to the nearest Microsoft 365 service front door. Having close network egress to users’ office locations also allows for improved performance as Microsoft expands both network points of presence and Microsoft 365 service front doors in the future. This insight is abbreviated as "Egress" in some summary views.
  • Network intermediary device. This insight displays if Microsoft detects devices between your users and Microsoft's network. Microsoft recommends that latency-sensitive Microsoft 365 network traffic bypass such devices. Network intermediary devices such as proxy servers, VPNs, and data loss prevention devices can affect performance and stability of Microsoft 365 clients where traffic is intermediated. As such, organizations should configure the network intermediary device that was detected to bypass processing for Microsoft 365 network traffic.
  • Better performance detected for customers near you. This insight displays if the network insights service detects that a significant number of customers in your metro area have better performance than users at this office location. This insight examines the aggregate performance of Microsoft 365 customers in the same city as this office location. This insight displays if the average latency of your users is 10% greater than the average latency of neighboring tenants. There could be many reasons for this condition, including latency in your corporate network or ISP, bottlenecks, or architecture design issues. Examine the latency between each hop in the route between your office network and the current Microsoft 365 front door. This insight is abbreviated as "Peers" in some summary views.
  • Use of a non-optimal Exchange Online service front door. This insight displays if the network insights service detects that users in a specific location aren't connecting to an optimal Exchange Online service front door. Microsoft lists Exchange Online service front doors that are suitable for use from the office location city. If the current test shows use of an Exchange Online service front door not on this list, then Microsoft makes this recommendation. Network backhaul might cause use of a non-optimal Exchange Online service front door, in which case Microsoft recommends local and direct network egress. For organizations that implement a remote DNS Recursive Resolver server, Microsoft recommends aligning the server configuration with the network egress. This insight is abbreviated as "Routing" in some summary views.
  • Use of a non-optimal SharePoint Online service front door. This insight displays if the network insights service detects that users in a specific location aren't connecting to the closest SharePoint Online service front door. Microsoft identifies the SharePoint Online service front door that the test client is connecting to. It then compares the office location city to the expected SharePoint Online service front door for that city. If the test client service front door and the expected service front door match, Microsoft recommends connecting to a SharePoint service front door closer to the office location. Network backhaul before the corporate network egress could cause non-optimal SharePoint Online service front door use. If so, organizations should try local and direct network egress. Non-optimal SharePoint Online service front door use could also be caused by a remote DNS Recursive Resolver server. In this case, Microsoft recommends aligning the DNS Recursive Resolver server with the network egress. This insight is abbreviated as "Afd" in some summary views.
  • Low download speed from SharePoint front door. This insight displays if the network insights service detects that bandwidth between the specific office location and SharePoint Online is less than 1 MBps. The download speed that a user can get from service front doors for SharePoint Online and OneDrive is measured in megabytes per second (MBps). If this value is less than 1 MBps, then this insight appears. To improve download speeds, an organization might need to increase bandwidth. Alternatively, network congestion might exist between computers at the office location and the SharePoint Online service front door. This condition restricts the download speed available to users even if sufficient bandwidth is available. This insight is abbreviated as "Throughput" in some summary views.
  • China user optimal network egress. This insight displays if an organization has users in China connecting to its Microsoft 365 tenant in other geographic locations. If an organization has private WAN connectivity, Microsoft recommends configuring a network WAN circuit from the organization's office locations in China that have network egress to the Internet in any of the following locations:
    • Hong Kong Special Administrative Region
    • Japan
    • Taiwan
    • South Korea
    • Singapore
    • Malaysia

    Internet egress farther away from users than these locations reduces performance, and egress in China might cause high latency and connectivity issues due to cross-border congestion.
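An added example, not part of the original module and not Microsoft's detection logic: it applies the three numeric thresholds stated in the list above to per-site figures you already hold, so a site can be pre-checked before the insights appear. Site names, coordinates and measurements are constructed, and reading "10% greater" as a 1.10 multiplier is an assumption.

```python
import math

EGRESS_LIMIT_KM = 800        # list above: greater than 500 miles (800 kilometers)
PEER_LATENCY_FACTOR = 1.10   # list above: 10% greater than neighboring tenants
MIN_DOWNLOAD_MBPS = 1.0      # list above: less than 1 MBps (megabytes per second)


def great_circle_km(a, b):
    """Haversine distance in km between two (lat, lon) points given in degrees."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(h))


def precheck_insights(site):
    """Return summary-view abbreviations of the insights a site would likely raise."""
    flagged = []
    office, egress = site.get("office"), site.get("egress")
    # Skip the distance check when either location is unknown; the list above
    # notes that both can be inaccurate, so a guess would only add noise.
    if office and egress and great_circle_km(office, egress) > EGRESS_LIMIT_KM:
        flagged.append("Egress")
    if site["avg_latency_ms"] > PEER_LATENCY_FACTOR * site["city_avg_latency_ms"]:
        flagged.append("Peers")
    if site["download_mbytes_per_s"] < MIN_DOWNLOAD_MBPS:
        flagged.append("Throughput")
    return flagged


# Constructed sample sites (hypothetical values for illustration only).
SITES = {
    "Denver, egress via New York proxy": {
        "office": (39.74, -104.99), "egress": (40.71, -74.01),
        "avg_latency_ms": 95, "city_avg_latency_ms": 60,
        "download_mbytes_per_s": 0.6},
    "Austin, egress via Dallas": {
        "office": (30.27, -97.74), "egress": (32.78, -96.80),
        "avg_latency_ms": 31, "city_avg_latency_ms": 30,
        "download_mbytes_per_s": 4.2},
}

if __name__ == "__main__":
    for name, site in SITES.items():
        print(name, "->", precheck_insights(site) or "no insight expected")
```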

Important

These insights are valuable for optimizing your network setup and ensuring smooth Microsoft 365 usage. Aim for network egress as close as possible to your office locations to enhance performance and minimize latency.

The following tenant-level network insights might also be shown for your tenant:

Knowledge check

1. Holly Dickson, Contoso's Microsoft 365 Administrator, is currently adding the company's office locations to Microsoft 365 network connectivity in the Microsoft 365 admin center. Contoso has multiple types of IP addresses in its computer networks. What type of IP address can Holly add into the Microsoft 365 network connectivity tool for Contoso's LAN subnets?