Tenant Restrictions in Microsoft O365 for SWG (On-Prem)
The tenant restriction rules prevent users from accessing Microsoft O365 services through personal accounts or accounts from other tenants, while allowing access through the configured accounts.
Blocking Sign-ins from Other Corporate Domains
Your clients need to connect to the following Microsoft Entra URLs for authentication to use tenant restrictions:
- login.microsoftonline.com
- login.microsoft.com
- login.windows.net
Do the following to allow access only to the domains specified in the rule. Microsoft will display the prompt shown below when a user signs in with an account from a different corporate domain.
- Rule Condition: URL.Host is login.microsoftonline.com, login.microsoft.com, login.windows.net
- Action: Continue
- Events:
Header.Add("Restrict-Access-To-Tenants","domain.com")
Header.RemoveAll("Restrict-Access-To-Tenants-Set-Header")
Sample output as shown below:
Blocking Personal Domains
Microsoft uses login.live.com for personal domains, and you can configure the sec-Restrict-Tenant-Access-Policy header with the value restrict-msa.
Do the following:
- Rule Condition: URL.Host is "login.live.com"
- Action: Continue
- Events:
Header.Add("sec-Restrict-Tenant-Access-Policy","restrict-msa")
Sample output when accessed with personal domains:
For more information, see https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/tenant-restrictions.
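The following is an added example, not Skyhigh SWG rule syntax or Microsoft code: it models the two rules above (the tenant allow-list header on the Entra login hosts and the restrict-msa policy on login.live.com) in Python so you can check which headers an outbound login request should carry. The header names, hosts and values come from this article; the host normalisation and the replacement of any client-supplied copy of the headers are assumptions added for robustness.

```python
from typing import Dict, Iterable

# Microsoft Entra login hosts that must carry the tenant allow-list header (from the article).
ENTRA_LOGIN_HOSTS = frozenset({
    "login.microsoftonline.com",
    "login.microsoft.com",
    "login.windows.net",
})
# Consumer (personal) account host, handled with the restrict-msa policy (from the article).
MSA_LOGIN_HOST = "login.live.com"
TENANT_HEADER = "Restrict-Access-To-Tenants"
MSA_HEADER = "sec-Restrict-Tenant-Access-Policy"


def _normalise_host(host: str) -> str:
    # Assumption: strip whitespace and any port so a stray space (as in "login.live.com ")
    # or an explicit :443 does not silently defeat the host match.
    return host.strip().lower().split(":", 1)[0]


def tenant_restriction_headers(host: str, allowed_tenants: Iterable[str]) -> Dict[str, str]:
    """Return the headers the proxy should add for a request to `host`."""
    h = _normalise_host(host)
    if h in ENTRA_LOGIN_HOSTS:
        # Rule 1: allow only the listed tenants, comma-separated with no spaces.
        return {TENANT_HEADER: ",".join(t.strip() for t in allowed_tenants)}
    if h == MSA_LOGIN_HOST:
        # Rule 2: block personal Microsoft accounts.
        return {MSA_HEADER: "restrict-msa"}
    return {}


def apply_rules(host: str, request_headers: Dict[str, str],
                allowed_tenants: Iterable[str]) -> Dict[str, str]:
    """Apply both rules to an outbound request's headers and return the result."""
    # Assumption: the proxy's value must win, so any existing copy of the
    # restriction headers is dropped before the rule adds its own.
    managed = {TENANT_HEADER.lower(), MSA_HEADER.lower()}
    out = {k: v for k, v in request_headers.items() if k.lower() not in managed}
    out.update(tenant_restriction_headers(host, allowed_tenants))
    return out


def missing_restriction(host: str, request_headers: Dict[str, str]) -> bool:
    """Audit helper: True if a login request would leave without its restriction header."""
    h = _normalise_host(host)
    names = {k.lower() for k in request_headers}
    if h in ENTRA_LOGIN_HOSTS:
        return TENANT_HEADER.lower() not in names
    if h == MSA_LOGIN_HOST:
        return MSA_HEADER.lower() not in names
    return False
```

Run `missing_restriction` over a sample of proxied login requests to confirm the rules fire on every host in the list, not only the first one.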