Tenant Restrictions in Microsoft O365
Tenant restrictions control which Microsoft Entra tenants users can sign in to from your network: sign-ins to the tenants you list are allowed, while sign-ins to any other organization's tenant, and separately to personal Microsoft accounts, are refused by Microsoft at sign-in time. The proxy enforces this by inserting the headers described below into the HTTPS sign-in traffic, so TLS inspection (decryption) must be enabled for the hosts matched by these rules; the headers cannot be inserted into traffic the proxy does not decrypt.
Blocking Sign-Ins from Other Corporate Domains
Clients authenticate against the following Microsoft Entra sign-in hosts, so the rule that inserts the tenant-restriction headers must match all of them:
Configure the rule below. Sign-ins to the tenants listed in the rule succeed; a sign-in with an account from any other corporate tenant is refused, and the user sees the prompt shown in the sample output.
- Rule Condition: URL.Host is login.microsoftonline.com, login.microsoft.com, login.windows.net
- Action: Continue
- Events:
Header.RemoveAll("Restrict-Access-To-Tenants")
Header.Add("Restrict-Access-To-Tenants", "<List of tenant identifiers>")
OR
Header.AddMultiple("Restrict-Access-To-Tenants", Microsoft 365 Allowed Tenants)
Header.RemoveAll("Restrict-Access-Context")
Header.Add("Restrict-Access-Context", "<Your directory ID>")
The tenant identifiers are a comma-separated list of tenant IDs or verified domain names (for example contoso.com,fabrikam.onmicrosoft.com). The directory ID is the tenant ID (a GUID) of your own tenant; Microsoft records blocked sign-in attempts in that tenant's sign-in logs. Keep the RemoveAll events: they discard any copies of these headers that the client itself sent, so a user cannot pre-populate the allow-list with a tenant of their choosing before the proxy adds its own values.
Sample Output:
Blocking Personal Domains
Microsoft uses login.live.com for personal (consumer) Microsoft accounts. To block sign-ins with these accounts, configure the sec-Restrict-Tenant-Access-Policy header with the value restrict-msa on traffic to that host.
Perform the following:
- Rule Condition: URL.Host is login.live.com
- Action: Continue
- Events:
Header.Add("sec-Restrict-Tenant-Access-Policy","restrict-msa")
Sample Output:
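The two rules above, emulated as an added example so you can see exactly what the proxy does to a request before forwarding it. This is illustration code written for this page, not the proxy vendor's rule engine or Microsoft's code; the function and parameter names, the sample tenant list and the directory ID GUID are assumptions made here. It covers both the corporate-tenant rule and the personal-account rule, strips any client-supplied copies of the headers first (the page's login.live.com rule only adds the header; the removal there is a defensive addition), and rejects a Restrict-Access-Context value that is not a GUID.

```python
"""Emulate the tenant-restriction proxy rules from this page (added example).

Models what a TLS-inspecting forward proxy does to the request headers of a
sign-in request before sending it on to Microsoft.  Not vendor code; names
and sample values are assumptions.
"""
import re
from typing import Dict, Iterable

# Hosts matched by the first rule (Microsoft Entra sign-in endpoints).
ENTRA_LOGIN_HOSTS = {"login.microsoftonline.com", "login.microsoft.com", "login.windows.net"}
# Host matched by the second rule (personal / consumer Microsoft accounts).
MSA_LOGIN_HOST = "login.live.com"

_GUID_RE = re.compile(r"^[0-9a-fA-F]{8}-(?:[0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$")


def _remove_all(headers: Dict[str, str], name: str) -> None:
    """Case-insensitive equivalent of the Header.RemoveAll(name) event."""
    for key in [k for k in headers if k.lower() == name.lower()]:
        del headers[key]


def apply_tenant_restrictions(host: str, headers: Dict[str, str],
                              allowed_tenants: Iterable[str],
                              directory_id: str) -> Dict[str, str]:
    """Return a copy of the request headers as the proxy would forward them.

    host            -- URL.Host of the request being proxied
    headers         -- headers as sent by the client (possibly spoofed)
    allowed_tenants -- tenant IDs or verified domain names to allow
    directory_id    -- your own tenant ID (GUID) for Restrict-Access-Context
    """
    if not _GUID_RE.match(directory_id):
        raise ValueError("Restrict-Access-Context must be the directory (tenant) ID GUID")
    out = dict(headers)
    if host.lower() in ENTRA_LOGIN_HOSTS:
        # Rule 1: strip whatever the client supplied, then add the policy headers.
        # Without the removal a client could name its own tenant as "allowed".
        _remove_all(out, "Restrict-Access-To-Tenants")
        _remove_all(out, "Restrict-Access-Context")
        tenants = [t.strip() for t in allowed_tenants if t.strip()]
        if not tenants:
            raise ValueError("allowed tenant list is empty; the rule would block every tenant")
        out["Restrict-Access-To-Tenants"] = ",".join(tenants)  # comma-separated, no spaces
        out["Restrict-Access-Context"] = directory_id
    elif host.lower() == MSA_LOGIN_HOST:
        # Rule 2: block personal Microsoft accounts.  The removal is a defensive
        # addition in this example; the page's rule only adds the header.
        _remove_all(out, "sec-Restrict-Tenant-Access-Policy")
        out["sec-Restrict-Tenant-Access-Policy"] = "restrict-msa"
    # Any other host passes through unchanged.
    return out


def render_request(method: str, host: str, path: str, headers: Dict[str, str]) -> str:
    """Render the forwarded request as HTTP/1.1 text, for inspection in a lab."""
    lines = [f"{method} {path} HTTP/1.1", f"Host: {host}"]
    lines += [f"{k}: {v}" for k, v in headers.items() if k.lower() != "host"]
    return "\r\n".join(lines) + "\r\n\r\n"


if __name__ == "__main__":
    # Constructed sample values; the GUID is a placeholder, not a real tenant.
    ALLOWED = ["contoso.com", "fabrikam.onmicrosoft.com"]
    CONTEXT = "11111111-2222-3333-4444-555555555555"
    # A client that tried to smuggle its own allow-list in before hitting the proxy.
    client_headers = {"Host": "login.microsoftonline.com",
                      "restrict-access-to-tenants": "attacker.onmicrosoft.com"}
    fwd = apply_tenant_restrictions("login.microsoftonline.com", client_headers, ALLOWED, CONTEXT)
    print(render_request("GET", "login.microsoftonline.com", "/common/oauth2/authorize", fwd))
    fwd = apply_tenant_restrictions("login.live.com", {"Host": "login.live.com"}, ALLOWED, CONTEXT)
    print(render_request("GET", "login.live.com", "/login.srf", fwd))
```

To check a real deployment rather than this model, decrypt a test sign-in on the proxy and confirm the forwarded request to login.microsoftonline.com carries exactly one Restrict-Access-To-Tenants and one Restrict-Access-Context header with your values; a blocked attempt should then appear in the sign-in logs of the tenant named in Restrict-Access-Context.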
For more information, see https://learn.microsoft.com/en-us/en...t-restrictions.