
Skyhigh Security

Tenant Restrictions in Microsoft O365 for SWG (On-Prem)

Tenant restriction rules prevent users from signing in to Microsoft O365 services with personal accounts while allowing access through the tenant accounts you configure.

Blocking Sign-ins from Other Corporate Domains

To use tenant restrictions, your clients must be able to reach the following Microsoft Entra authentication URLs:

  • login.microsoftonline.com
  • login.microsoft.com
  • login.windows.net

Configure the following rule to allow sign-in only to the tenant domains specified in the rule. Microsoft then displays the prompt shown below when a user signs in with an account from a different corporate domain.

  • Rule Condition: URL.Host is login.microsoftonline.com, login.microsoft.com, login.windows.net
  • Action: Continue
  • Events:

      Header.Add("Restrict-Access-To-Tenants","domain.com")

      Header.RemoveAll("Restrict-Access-To-Tenants-Set-Header")

Here domain.com stands for your own tenant domain.

Sample output:

[Screenshot: the prompt Microsoft displays when a user signs in with an account from a different corporate domain]

Blocking Personal Domains

Microsoft uses login.live.com for personal accounts. To block them, set the sec-Restrict-Tenant-Access-Policy header to the value restrict-msa.

Do the following:

  • Rule Condition: URL.Host is "login.live.com"
  • Action: Continue
  • Events: Header.Add("sec-Restrict-Tenant-Access-Policy","restrict-msa")

Sample output when a user signs in with a personal account:

[Screenshot: the prompt Microsoft displays when a personal account is blocked by restrict-msa]
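As an added example (not Skyhigh's rule engine or Microsoft's code), the Python model below mirrors the two rules on this page, the Entra login hosts from the first section and login.live.com from this one, and audits sample forwarded requests to confirm that each login host actually carries the header the rule should have set. The constructed sample traffic, and the choice to overwrite rather than append any client-supplied restriction header, are assumptions of this example.

```python
# Hosts matched by the two rules on this page.
ENTRA_LOGIN_HOSTS = {"login.microsoftonline.com", "login.microsoft.com", "login.windows.net"}
MSA_LOGIN_HOST = "login.live.com"
# Headers the proxy owns. Any copy the client sent is dropped before the rule's value is
# set (assumption: overwrite, so only the proxy's value reaches Microsoft).
CONTROLLED = {"restrict-access-to-tenants", "restrict-access-to-tenants-set-header",
              "sec-restrict-tenant-access-policy"}


def apply_tenant_restrictions(host: str, headers: dict, allowed_tenants: list) -> dict:
    """Return the request headers as the two SWG rules would forward them."""
    host = host.strip().lower().rstrip(".")
    out = {k: v for k, v in headers.items() if k.lower() not in CONTROLLED}
    if host in ENTRA_LOGIN_HOSTS:                 # rule 1: work or school sign-in
        out["Restrict-Access-To-Tenants"] = ",".join(allowed_tenants)
    elif host == MSA_LOGIN_HOST:                  # rule 2: personal (MSA) sign-in
        out["sec-Restrict-Tenant-Access-Policy"] = "restrict-msa"
    return out


def audit(forwarded: list, allowed_tenants: list) -> list:
    """Return login hosts whose forwarded headers lack the restriction the rules should
    have added; an empty list means the policy is in effect for the sampled traffic."""
    want = ",".join(allowed_tenants)
    missing = []
    for host, hdrs in forwarded:
        h = host.strip().lower().rstrip(".")
        lower = {k.lower(): v for k, v in hdrs.items()}
        if h in ENTRA_LOGIN_HOSTS and lower.get("restrict-access-to-tenants") != want:
            missing.append(h)
        elif h == MSA_LOGIN_HOST and lower.get("sec-restrict-tenant-access-policy") != "restrict-msa":
            missing.append(h)
    return missing


# Constructed sample traffic as (URL.Host, request headers): two Entra logins, one
# personal login, one non-login host. The third request carries a client-supplied
# tenant header that the proxy must replace rather than pass through.
SAMPLE_REQUESTS = [
    ("login.microsoftonline.com", {"Host": "login.microsoftonline.com", "User-Agent": "Mozilla/5.0"}),
    ("login.live.com", {"Host": "login.live.com"}),
    ("login.windows.net", {"Host": "login.windows.net", "Restrict-Access-To-Tenants": "other-tenant.example"}),
    ("outlook.office.com", {"Host": "outlook.office.com"}),
]


def run(allowed_tenants: list) -> tuple:
    """Apply the rules to the sample traffic; return (forwarded requests, audit findings)."""
    forwarded = [(h, apply_tenant_restrictions(h, hdrs, allowed_tenants)) for h, hdrs in SAMPLE_REQUESTS]
    return forwarded, audit(forwarded, allowed_tenants)
```

The proxy can only add these headers to requests it decrypts, so the login hosts must be in scope for TLS inspection for either rule to take effect.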

For more information, see https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/tenant-restrictions.
