Upgrade your tenant restrictions to v2 (2024)

In a previous blog in the Data Exfiltration series, we discussed the different types of tenant restrictions policies. In this blog, we'll discuss migrating from tenant restrictions v1 to authentication-plane tenant restrictions v2. In future blogs, we'll discuss migrating to Universal tenant restrictions v2.

Tenant restrictions are a vital tool for preventing data exfiltration through unauthorized access to external Microsoft Entra ID tenants and consumer Microsoft accounts. Tenant restrictions v1 lets you create an allow list of tenant IDs and Microsoft sign-in endpoints so that users can reach only the external tenants your organization authorizes. While tenant restrictions v1 served well for many years, tenant restrictions v2 offers more granularity and easier policy management with no additional licensing requirements.

Tenant restrictions v2 has several benefits over tenant restrictions v1. For example, admins can:

  • Update the policy from the Microsoft Entra portal rather than at each network proxy. The v2 proxy header carries only your tenant ID and policy ID, so it doesn't change when you add or remove partners.
  • Avoid the proxy header length limit. In v1 the allow list travels in the header, so the maximum header size caps the number of partners; in v2 the list lives in the cloud policy, and there's no limit to the number of partners you can add.
  • Selectively indicate which user groups can access which apps in external tenants, rather than allowing entire tenants for all identities.

In this blog post, I’ll explain the differences between how the two tenant restriction types work independently from, and in tandem with, cross-tenant access settings (outbound) to highlight the benefits of upgrading to tenant restrictions v2.

Getting started with tenant restrictions

Tenant restrictions require routing all user authentication traffic through a proxy. Typically, the proxy is the on-premises network egress, but it can also be a cloud-based proxy. The proxy injects a header signalling that an allow list of destinations must be enforced on the traffic; the header is added to all traffic that traverses the proxy, whatever device or network location it originated from. In tenant restrictions v1, the destination allow list itself is in the header (Restrict-Access-To-Tenants, alongside Restrict-Access-Context carrying your tenant ID). In tenant restrictions v2, the header (sec-Restrict-Tenant-Access-Policy) carries only your tenant ID and a policy ID, and the allow list lives in the cloud policy. Traffic arrives at Microsoft Entra ID, which reads the header and enforces the policy. If the traffic destination isn't in the allow list, the user receives an error message.
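The header change is the concrete piece of the migration, so here is an added example (not Microsoft's code, and not any proxy vendor's configuration) that parses a v1 allow-list header, builds the v2 header value, strips the v1 headers from a proxy's injected header set and audits for any v1 headers left behind. The header names are the documented ones; the tenant ID, policy ID, domains and the sample header set are constructed values.

```python
"""Migrate a proxy's injected tenant-restrictions headers from v1 to v2.
Added illustration, not Microsoft's or any proxy vendor's code. The header
names are the documented ones; SAMPLE_* values are constructed."""
import uuid

V1_ALLOW_HEADER = "Restrict-Access-To-Tenants"   # v1: the allow list itself
V1_CONTEXT_HEADER = "Restrict-Access-Context"    # v1: your tenant ID
V2_HEADER = "sec-Restrict-Tenant-Access-Policy"  # v2: "<tenant ID>:<policy ID>"
_V1_NAMES = {V1_ALLOW_HEADER.lower(), V1_CONTEXT_HEADER.lower()}


def parse_v1_allow_list(value):
    """The v1 header is a comma-separated list of tenant IDs and/or domains."""
    return [t.strip() for t in value.split(",") if t.strip()]


def _is_guid(s):
    """Accept only canonical hyphenated GUIDs, which is what the v2 header uses."""
    try:
        return str(uuid.UUID(s)).lower() == s.lower()
    except (ValueError, AttributeError, TypeError):
        return False


def build_v2_header(tenant_id, policy_id):
    """The v2 value never changes when partners are added or removed, because
    the allow list lives in the cloud policy identified by policy_id."""
    if not (_is_guid(tenant_id) and _is_guid(policy_id)):
        raise ValueError("tenant ID and policy ID must be canonical GUIDs")
    return f"{tenant_id}:{policy_id}"


def migrate_headers(headers, tenant_id, policy_id):
    """Return a new header dict with the v1 headers removed and the v2 header
    set. Header names are matched case-insensitively, as HTTP requires."""
    kept = {k: v for k, v in headers.items() if k.lower() not in _V1_NAMES}
    kept[V2_HEADER] = build_v2_header(tenant_id, policy_id)
    return kept


def lingering_v1_headers(headers):
    """Audit helper: names of any v1 headers a proxy is still injecting."""
    return sorted(k for k in headers if k.lower() in _V1_NAMES)


# Constructed sample of what a v1 proxy might inject today.
SAMPLE_TENANT_ID = "11111111-2222-3333-4444-555555555555"
SAMPLE_POLICY_ID = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"
SAMPLE_V1_HEADERS = {
    "Restrict-Access-To-Tenants": "contoso.com, fabrikam.onmicrosoft.com, "
                                  "11111111-2222-3333-4444-555555555555",
    "Restrict-Access-Context": SAMPLE_TENANT_ID,
    "X-Forwarded-For": "10.0.0.5",   # unrelated header that must survive
}

if __name__ == "__main__":
    print("v1 allow list:", parse_v1_allow_list(SAMPLE_V1_HEADERS[V1_ALLOW_HEADER]))
    migrated = migrate_headers(SAMPLE_V1_HEADERS, SAMPLE_TENANT_ID, SAMPLE_POLICY_ID)
    for name, value in migrated.items():
        print(f"{name}: {value}")
    print("v1 headers still present:", lingering_v1_headers(migrated) or "none")
```

Run `lingering_v1_headers` against the header set each egress proxy actually injects after the cut-over: a proxy that still sends Restrict-Access-To-Tenants is a proxy whose allow list must still be maintained by hand.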

Figure 1: Example of a user getting blocked by tenant restrictions

How tenant restrictions v1 works

There are two types of identities: internal and external. Your organization creates and manages internal identities in your identity provider (IdP) but doesn't manage external identities, such as personal accounts or accounts created by another organization. Tenant restrictions v1 applies to both identity types.

In the following diagrams, two types of identities (green is internal and black is external) are on the corporate network or connected through a virtual private network (VPN). Both identity types go through the corporate network egress proxy when attempting to access Microsoft 365 services, and both typically receive the same injected header of allowed destinations. This enforcement has limitations. If you maintain the allow list in the network proxies, administrators must update the header at every proxy whenever a tenant is added or removed. Headers also have size limits, which caps how many tenants the list can hold.

Figure 2: Tenant restrictions v1 applies to external tenant destinations equally with no user or app granularity

You can improve tenant restrictions v1 by adding cross-tenant access settings.

Tenant restrictions v1 with outbound cross-tenant access settings

In Microsoft Entra ID, you can configure the cross-tenant access settings feature to control outbound access on a per-user, per-group, and per-application basis. This policy applies to your internal identities, regardless of device or network location.

In the following diagram, the users go through the egress proxy, and both cross-tenant access settings and tenant restrictions v1 are applied. However, the tenant restrictions v1 allow list is the only policy that applies to external identities. This option improves management of internal users, but the architecture has limitations.

Both tenant restrictions v1 and cross-tenant access settings are evaluated, and the most restrictive result is applied. However, cross-tenant access settings apply only to internal identities. For your users to reach an external tenant at all, that tenant must be in the v1 allow list, and the v1 header carries no user or app granularity. So even if you scope your users' access to that tenant with group or application restrictions, every external identity that signs in through your proxy can access any resource in it.

Figure 3: Cross-tenant access settings adds user and app granularity for internal identities

Tenant restriction v2 with cross-tenant access settings

Tenant restrictions v2 works in tandem with cross-tenant access settings: it is a cloud-based policy that governs external identities, while cross-tenant access settings govern your internal identities. This separation gives per-user and per-application granularity for both internal and external identity scenarios.

In the following example, the organization scopes its internal identities by group and application through cross-tenant access settings, and uses tenant restrictions v2 to block all other external identities from reaching external tenants unless an exception is created. Here, an exception is made for Bob from Tenant C: he is allowed access to Microsoft Exchange only, so he can check email while on the corporate network but cannot reach other Tenant C resources.

Figure 4: Tenant restrictions v2 adds granular user and app awareness to external identities

The previous diagram demonstrates the flexibility that tenant restrictions v2 offers. Tenant restrictions v1 and v2 have the same licensing requirements, so the upgrade is a one-time migration: recreate the allow list as a v2 policy in Microsoft Entra ID and update the header injection at your network proxies.
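To make the difference between Figures 2 to 4 concrete, here is an added toy model (not Microsoft code, and a simplification of the real settings) that evaluates the same sample sign-ins under the v1-plus-cross-tenant-access architecture and under the v2-plus-cross-tenant-access architecture. The tenant names, user names, apps and policy dictionaries are constructed; the only rules it encodes are the ones the text states: the v1 header applies to every identity behind the proxy with no user or app granularity, outbound cross-tenant access settings govern internal identities only, the most restrictive result wins, and v2 governs external identities.

```python
"""Toy model of how tenant restrictions v1, outbound cross-tenant access
settings (CTAS) and tenant restrictions v2 combine for internal and external
identities. Added illustration of the blog's Figures 2-4, not Microsoft code;
tenants, users, apps and the policy dictionaries are constructed and
simplified."""
from dataclasses import dataclass

HOME_TENANT = "tenant-a"   # the organization whose proxy injects the header
ANY = "*"                  # wildcard meaning "all users" or "all apps"


@dataclass(frozen=True)
class Request:
    user: str            # account signing in
    home_tenant: str     # tenant that issued the identity
    target_tenant: str   # tenant whose resources are being accessed
    app: str             # e.g. "Exchange", "SharePoint"


def _rule_allows(rule, req):
    """rule is {"users": set | ANY, "apps": set | ANY}; None means no rule."""
    if rule is None:
        return False
    users_ok = rule["users"] == ANY or req.user in rule["users"]
    apps_ok = rule["apps"] == ANY or req.app in rule["apps"]
    return users_ok and apps_ok


def trv1_allows(req, allow_list):
    """v1: the proxy header lists whole tenants and applies to every identity
    behind the proxy, with no user or app granularity."""
    return req.target_tenant in allow_list


def ctas_outbound_allows(req, ctas):
    """Outbound CTAS governs only internal identities going to other tenants."""
    if req.home_tenant != HOME_TENANT or req.target_tenant == HOME_TENANT:
        return True   # external identities and home-tenant access: no opinion
    return _rule_allows(ctas.get(req.target_tenant), req)


def trv2_allows(req, trv2):
    """v2 governs external identities; access to the home tenant itself is a
    matter for inbound settings and is out of scope here."""
    if req.home_tenant == HOME_TENANT or req.target_tenant == HOME_TENANT:
        return True
    return _rule_allows(trv2.get(req.target_tenant), req)


def decide_v1_architecture(req, allow_list, ctas):
    """Figure 3: both v1 and CTAS are evaluated; the most restrictive wins."""
    return trv1_allows(req, allow_list) and ctas_outbound_allows(req, ctas)


def decide_v2_architecture(req, ctas, trv2):
    """Figure 4: CTAS decides for internal identities, TRv2 for external ones."""
    return ctas_outbound_allows(req, ctas) and trv2_allows(req, trv2)


# Constructed policies mirroring the blog's scenario. Under v1, letting Bob
# read Tenant C mail forces all of tenant-c onto the allow list for everyone.
ALLOW_LIST_V1 = {"tenant-a", "tenant-b", "tenant-c"}
CTAS = {"tenant-b": {"users": {"alice"}, "apps": {"Exchange"}}}
TRV2 = {"tenant-c": {"users": {"bob"}, "apps": {"Exchange"}}}

SAMPLE_REQUESTS = [
    Request("alice", "tenant-a", "tenant-b", "Exchange"),      # internal, in scope
    Request("alice", "tenant-a", "tenant-b", "SharePoint"),    # internal, app not allowed
    Request("mallory", "tenant-c", "tenant-b", "SharePoint"),  # external account on corpnet
    Request("bob", "tenant-c", "tenant-c", "Exchange"),        # Bob's v2 exception
    Request("bob", "tenant-c", "tenant-c", "SharePoint"),      # outside Bob's exception
]


def compare(requests=SAMPLE_REQUESTS):
    """Map (user, target tenant, app) -> decision under each architecture."""
    return {
        (r.user, r.target_tenant, r.app): {
            "v1+ctas": decide_v1_architecture(r, ALLOW_LIST_V1, CTAS),
            "v2+ctas": decide_v2_architecture(r, CTAS, TRV2),
        }
        for r in requests
    }


if __name__ == "__main__":
    for key, verdict in compare().items():
        v1 = "allow" if verdict["v1+ctas"] else "block"
        v2 = "allow" if verdict["v2+ctas"] else "block"
        print(f"{key[0]:8} -> {key[1]}/{key[2]:<11} v1+CTAS={v1:5}  v2+CTAS={v2}")
```

The rows worth reading are Mallory's and Bob's SharePoint attempt: because tenant-b and tenant-c sit on the v1 allow list for Alice's and Bob's sake, any external identity on the corporate network gets to any app in those tenants under v1, while v2 blocks both because no v2 rule covers them.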

You can learn more in the tenant restrictions v2 migration deployment plan.

To further harden tenant restrictions, learn about Universal tenant restrictions. This feature adds data-plane protection and prevents token infiltration, in which a token obtained outside the corporate network is brought in to bypass the tenant restrictions header that your corporate proxy injects. The feature injects the headers itself and provides a low-latency connection to Microsoft 365 resources without hairpinning traffic through your corporate network proxies.

Jeff Bley

Senior Product Manager, Microsoft


Learn more about Microsoft Entra:

  • Learn more at Configure Tenant Restrictions v2
  • See recent Microsoft Entra blogs
  • Dive into Microsoft Entra technical documentation
  • Learn more at Azure Active Directory (Azure AD) rename to Microsoft Entra ID
  • Join the conversation on the Microsoft Entra discussion space
  • Learn more about Microsoft Security
FAQs

What is TRv2?

With tenant restrictions v2 (TRv2), the allow list moves to a server-side cloud policy, and the TRv1 header is no longer needed. On your corporate proxy, remove the tenant restrictions v1 headers, Restrict-Access-To-Tenants: <allowed-tenant-list> and Restrict-Access-Context: <tenant ID>, and inject the v2 header, sec-Restrict-Tenant-Access-Policy: <tenant ID>:<policy ID>, instead.

What does it mean when a tenant is restricted?

With tenant restrictions, organizations specify the list of tenants that users on their network are permitted to access. Microsoft Entra ID then grants access only to those permitted tenants; all other tenants are blocked, even ones your users might be guests in.
