Generate Office 365 PAC Files with PowerShell

If you have a proxy server in your environment and are using (or thinking about using) Office 365 then you will hit some pain barriers. As awesome as Office 365 is, she just isn’t a fan of proxies.

We used to be left to our own initiative, creating complex proxy bypass rules and guessing which URLs we had to exclude. This process is compounded if you also maintain a strict CIDR range on your Firewall for Office 365 endpoints.

Introducing Get-PacFile

This script will access updated information to create a PAC file to prioritize Microsoft 365 Urls for better access to the service. This script will allow you to create different types of files depending on how traffic needs to be prioritized.

Microsoft Gallery Comment

Head over to the Gallery to view the script

Go ahead and install it by using the command:-


You will be prompted to also install the “NuGet Provider”. Go ahead.


Below is a list of parameters you can pass to the script to customize the generated PAC.

Type – The type of the proxy PAC file that you want to generate. 

  • 1 – Send Optimize endpoint traffic direct and everything else to the proxy server. 
  • 2 – Send Optimize and Allow endpoint traffic direct and everything else to the proxy server. This type can also be used to send all supported ExpressRoute for Office 365 traffic to ExpressRoute network segments and everything else to the proxy server. 

ClientRequestID – This is required and is a GUID passed to the web service that represents the client machine making the call. 


Instance – The Office 365 service instance which defaults to Worldwide. Also passed to the web service. 

  • Worldwide
  • Germany
  • China
  • USGovDoD
  • USGovGCCHigh

Tenant Name – Your Office 365 tenant name. Passed to the web service and used as a replaceable parameter in some Office 365 URLs.

DefaultProxySettings – Your Proxy Server and Port preceded with the word “PROXY”


DirectProxySettings  – The direct proxy settings for priority traffic. 

ServiceAreas – What Services do you want defined in the PAC

  • Exchange – Exchange Online and Exchange Online Protection 
  • SharePoint – SharePoint Online and OneDrive for Business 
  • Skype – Skype for Business and Microsoft Teams 
  • Common – Office 365 Pro Plus, Office Online, Azure AD and other common network endpoints 

LowerCase – Flag this to include lowercase transformation into the PAC file for the host name matching.



.\Get-PacFile.ps1 -ClientRequestId b10c5ed1-bad1-445f-b386-b919946339a7 -DefaultProxySettings “PROXY” > type1.pac 


.\Get-PacFile.ps1 -ClientRequestId b10c5ed1-bad1-445f-b386-b919946339a7 -Instance China -Type 2 -DefaultProxySettings “PROXY” > type2.pac 


.\Get-PacFile.ps1 -ClientRequestId b10c5ed1-bad1-445f-b386-b919946339a7 -Instance WorldWide -Lowercase -TenantName tenantName -ServiceAreas Sharepoint,Skyp

Examples given in the script

Don’t forget to export the PAC to a file using >file.txt

Example of PAC Generated
“Tenant” parameter passed and highlighted in the generated PAC file
3.5/5 - (2 votes)

10 thoughts on “Generate Office 365 PAC Files with PowerShell”

  1. I only get a few lines when running the script:

    if(shExpMatch(host, “”)
    || shExpMatch(host, “”)
    || shExpMatch(host, “”)
    || shExpMatch(host, “”))

    Any ideas?

    1. Hey Robert, thanks for stopping by the post. At a guess, the “-ServiceAreas Common” parameter isn’t parsing.
      Can you share what command you are using to generate that file? Ill see if I can help.

        1. is that the whole command? Are you not outputting to a file?
          Here is the example I gave again, you need to pass the “ServiceAreas” parameter to populate the PAC with all Office 365 URLs

          Get-PacFile -type 2 -ClientRequestId b10c5ed1-bad1-445f-b386-b919946339a7 -Instance Worldwide -DefaultProxySettings “PROXY” -LowerCase -TenantName byteben -ServiceAreas Sharepoint,Skype,Exchange,Common > D:\pac.pac

          1. That worked a lot better. Thanks!
            It seems a bit short though. I ran a different PS script earlier that used the XML feed that is discontinued now. Then there was also a long list of IP subnets. Is those no longer needed?

  2. Hi,

    In the JSON file that the script uses some of the URLs are marked with a category of “DEFAULT”. the script only processes URLs with ALLOWED and OPTOMISED into a type 2 PAC file. What is the reason for the Default category URLs?

    1. Hi John,

      Hope this explanation helps:-

      For a small number of endpoints that require low latency unimpeded connectivity which should bypass proxy servers, network SSL break and inspect devices, and network hairpins.

      For a larger number of endpoints that benefit from low latency unimpeded connectivity. Although not expected to cause failures, we also recommend bypassing proxy servers, network SSL break and inspect devices, and network hairpins. Good connectivity to these endpoints is required for Office 365 to operate normally.

      For other Office 365 endpoints which can be directed to the default internet egress location for the company WAN.

Leave a Comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.


This site uses Akismet to reduce spam. Learn how your comment data is processed.