Controlling Office 365 access using tenant restrictions on Edge SWG (ProxySG) or Advanced Secure Gateway. (2024)


Article ID: 169870


Products

ProxySG Software - SGOS

Issue/Introduction

Microsoft has published an article describing how to control Office 365 access using tenant restrictions. The article can be seen at: https://docs.microsoft.com/en-us/azure/active-directory/active-directory-tenant-restrictions

Microsoft's article includes a summary of the request headers that proxy devices must add in order to control Office 365 access using tenant restrictions. This article describes how to implement those headers on Edge Secure Web Gateway (formerly ProxySG) and Advanced Secure Gateway (ASG).

Note: Tenant control only works with Protected Resources. A publicly shared resource cannot be controlled using tenant restrictions.

Resolution

Restricting Access to Office365 Organizational Tenants

Follow the steps below to modify request headers so that Office 365 sign-ins are restricted to the permitted tenant(s):

  1. Access the Edge SWG (ProxySG) or Advanced Secure Gateway (ASG) Management Console.
  2. Launch the Visual Policy Manager (VPM) by going to Configuration->Policy->Visual Policy Manager and pressing the Launch button in the Management Console.
  3. Within VPM, click the Policy menu item and select Add Web Access Layer... Optionally, give the new Web Access Layer a distinctive name (O365 Tenant Restriction Layer in this example) and press OK.
  4. In the first rule, right-click the Destination 'Any' object to edit it. In the pop-up window press the New button and add a Combined Destination Object. Give the Combined Object a distinctive name (optional) and add New Request URL entries for the following hosts: login.microsoftonline.com, login.microsoft.com, and login.windows.net. Add those Request URL objects to the upper right box of the Combined Destination Object and press OK. The completed Destination Object will look like the following:
     [Screenshot 1: completed Combined Destination Object]
  5. In the first rule, right-click the Action 'Deny' object to edit it. In the pop-up window press the New button and add a Combined Action Object. Give the Combined Action Object a distinctive name (optional) and add two Control Request Header objects, one for the header Restrict-Access-To-Tenants and one for Restrict-Access-Context. Using the 'Contoso' example from Microsoft's article, the two Control Request Header objects, shown individually and then added to the combined object, look like the following:
     [Screenshot 2: Control Request Header object for Restrict-Access-To-Tenants] [Screenshot 3: Control Request Header object for Restrict-Access-Context]
     [Screenshot 4: completed Combined Action Object]
  6. The completed layer and rule will look like the following:
     [Screenshot 5: completed O365 Tenant Restriction Layer]
  7. Press the Install policy button in VPM to apply the policy.


Microsoft has also provided further clarity regarding the following:

For the header Restrict-Access-Context, you cannot configure the tenant ID for multiple domains; by design, this header exists for reporting purposes and states which tenant has enabled the policy.

The tenant ID inserted here is the tenant in which the reports can be checked: “A second header, called Restrict-Access-Context, is used to enable reporting capabilities and help Microsoft support troubleshoot issues. Restrict-Access-Context needs to include the tenant which is configuring the policy. For example, the following header would indicate that Contoso configured the policy, and reporting would be enabled in the Contoso tenant: Restrict-Access-Context: contoso.onmicrosoft.com”

Optionally, if CPL is preferred over the VPM, the following CPL can be installed in a local policy file or in a CPL layer within the VPM to accomplish the same goal:

; ------- Beginning of O365 Tenant Restriction CPL -----------
; References:
; https://docs.microsoft.com/en-us/azure/active-directory/active-directory-tenant-restrictions
; https://support.symantec.com/en_US/article.TECH247092.html
<Proxy>
condition=TenantRestrictionDestinations action.Restrict-Access-Context-Set-Header(yes) action.Restrict-Access-To-Tenants-Set-Header(yes)

define condition TenantRestrictionDestinations
url.domain="login.microsoft.com"
url.domain="login.microsoftonline.com"
url.domain="login.windows.net"
end condition TenantRestrictionDestinations
; Change directory ID below:
define action Restrict-Access-Context-Set-Header
set(request.x_header.Restrict-Access-Context, "456ff232-35l2-5h23-b3b3-3236w0826f3d")
end action Restrict-Access-Context-Set-Header
; Change tenant list below:
define action Restrict-Access-To-Tenants-Set-Header
set(request.x_header.Restrict-Access-To-Tenants, "contoso.onmicrosoft.com")
end action Restrict-Access-To-Tenants-Set-Header
; ------- End of O365 Tenant Restriction CPL -----------

Note: Below is an optional method which provides an 'AND'/'OR' policy in CPL (the same layer, with the permitted tenants given as a comma-separated list). Please review this policy, as it may be more suitable to your needs.

; ------- Beginning of O365 Tenant Restriction CPL -----------

; References:
; https://docs.microsoft.com/en-us/azure/active-directory/active-directory-tenant-restrictions
; https://support.symantec.com/en_US/article.TECH247092.html
<Proxy>
condition=TenantRestrictionDestinations action.Restrict-Access-Context-Set-Header(yes) action.Restrict-Access-To-Tenants-Set-Header(yes)

define condition TenantRestrictionDestinations
url.domain="login.microsoft.com"
url.domain="login.microsoftonline.com"
url.domain="login.windows.net"
end condition TenantRestrictionDestinations

; Set the Restrict-Access-Context to the tenantID
; of the administrator setting the restrictions
define action Restrict-Access-Context-Set-Header
set(request.x_header.Restrict-Access-Context, "58201163-08a8-4385-aac7-2fcb6ec95c20")
end action Restrict-Access-Context-Set-Header

; Set the Restrict-Access-To-Tenants header
; to a comma separated list of tenants
define action Restrict-Access-To-Tenants-Set-Header
set(request.x_header.Restrict-Access-To-Tenants, "getnetcombr.onmicrosoft.com, getnetbr.onmicrosoft.com")
end action Restrict-Access-To-Tenants-Set-Header

; ------- End of O365 Tenant Restriction CPL -----------

Client HTTPS requests to the hosts login.microsoftonline.com, login.microsoft.com, and login.windows.net will have the headers added to them only if SSL interception is enabled on the proxy.

Without SSL interception the proxy sees only the encrypted tunnel and cannot read or modify the request headers, so SSL interception of the O365 login URLs is required for this policy to take effect.

Please note that the tenant ID (Restrict-Access-Context) is not strictly needed for this policy to work; it is added here for completeness.

Restricting Access to Microsoft Consumer Apps

Tenant restrictions can also be used to block access to personal consumer applications, such as a personal OneDrive account.

To enforce this, the header sec-Restrict-Tenant-Access-Policy must be set with the value restrict-msa for requests to login.live.com.

As the destination criteria and action differ from those used above for organizational tenants, this policy should be implemented in a separate rule.

Visual Policy Manager Configuration Steps

  1. Create a new rule.
  2. Set the Destination to a Request URL Object and enter login.live.com.

     [Screenshot 6: Request URL object for login.live.com]

  3. Set the Action to a Control Request Header Object with the header name sec-Restrict-Tenant-Access-Policy and the value restrict-msa.

     [Screenshot 7: Control Request Header object for sec-Restrict-Tenant-Access-Policy]

  4. The completed layer with the added rule will look like the following:

     [Screenshot 8: completed layer with the consumer apps rule]

Content Policy Language Configuration

Add the following CPL layer and definitions to your policy.

; ------- Beginning of Microsoft Consumer Apps Restriction CPL -----------
<Proxy>
url.domain=//login.live.com/ action.sec-Restrict-Tenant-Access-Policy(yes)

define action sec-Restrict-Tenant-Access-Policy
set( request.x_header.sec-Restrict-Tenant-Access-Policy, "restrict-msa" )
end
; ------- End of Microsoft Consumer Apps Restriction CPL -----------
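As an added illustration (not part of this article or of the product's own code), the Python model below mirrors the destination matching and header injection of both CPL layers above, the organizational-tenant layer and the consumer apps rule, together with the SSL interception caveat and a sanity check of the tenant values pasted into the CPL. The url.domain matching semantics, the function names and the sample tenant values are assumptions of this example.

```python
import re

# Destination hosts taken from the article's two CPL blocks.
ORG_LOGIN_HOSTS = ("login.microsoft.com", "login.microsoftonline.com", "login.windows.net")
CONSUMER_LOGIN_HOST = "login.live.com"
GUID_RE = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I)
DNS_RE = re.compile(r"^[a-z0-9-]+(\.[a-z0-9-]+)+$", re.I)


def domain_matches(host, pattern):
    """Model of CPL url.domain= matching (an assumption of this example):
    the pattern matches the host itself and any subdomain of it, so a
    look-alike such as login.microsoftonline.com.example does not match."""
    host = host.lower().rstrip(".")
    return host == pattern or host.endswith("." + pattern)


def apply_tenant_policy(host, headers, intercepted, tenants, context_id):
    """Return the request headers the proxy would forward for one request.
    `intercepted` models SSL interception: without it the proxy only sees
    the CONNECT tunnel and cannot add headers to the inner HTTPS request."""
    out = dict(headers)
    if not intercepted:
        return out
    if any(domain_matches(host, p) for p in ORG_LOGIN_HOSTS):
        out["Restrict-Access-To-Tenants"] = ", ".join(tenants)
        out["Restrict-Access-Context"] = context_id
    if domain_matches(host, CONSUMER_LOGIN_HOST):
        out["sec-Restrict-Tenant-Access-Policy"] = "restrict-msa"
    return out


def check_policy_values(tenants, context_id):
    """Sanity-check the values pasted into the CPL before installing it:
    the context value and each tenant must be a directory ID (GUID) or a
    domain name, and the tenant list must not be empty."""
    problems = []
    for name, value in [("Restrict-Access-Context", context_id), *(("tenant", t) for t in tenants)]:
        if not (GUID_RE.match(value) or DNS_RE.match(value)):
            problems.append(f"{name} {value!r} is neither a GUID nor a domain")
    if not tenants:
        problems.append("Restrict-Access-To-Tenants list is empty")
    return problems


if __name__ == "__main__":
    # The placeholder directory ID in the first CPL block above is not a real GUID and is flagged.
    print(check_policy_values(["contoso.onmicrosoft.com"], "456ff232-35l2-5h23-b3b3-3236w0826f3d"))
    print(apply_tenant_policy("login.live.com", {}, True, ["contoso.onmicrosoft.com"], "58201163-08a8-4385-aac7-2fcb6ec95c20"))
```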
