Microsoft Entra Blog
Tenant Restriction v2 is now Public Preview!

Robin Goldstein
May 25, 2023

Hello friends,   

I'm pleased to announce the public preview of tenant restrictions version 2 (TRv2) across our commercial clouds!  

With TRv2, you can enable safe and productive cross-company collaboration while containing data exfiltration risk. Tenant restriction settings let you control which external tenants your users can access from your devices or network using externally issued identities, and provide granular access control on a per-organization, per-user, per-group, and per-application basis.

Tenant restriction is a much-awaited expansion of the previously released cross-tenant access settings for external collaboration. Together, these provide the most granular control over your cross-company security and collaboration policies.

To tell you more about the support for TRv2, I’ve invited Vimala Ranganathan, Product Manager on Microsoft Entra, to walk you through the details.     

Best regards,   

Robin Goldstein (Twitter: @RobinGo_MS)  

Partner Director of Product Management  

Microsoft Identity Division  

---------------------------------------------------------------------------------------------------------- 

Hi everyone,  

I’m Vimala from the Identity PM team, and I’m excited to walk you through Tenant Restrictions V2 (TRv2).  

We've been hearing that data exfiltration is a big concern for our customers moving to M365 cloud services, especially those that need to collaborate across organizational boundaries. TRv2 addresses those concerns by preventing information leaks due to token infiltration, anonymous access to external SharePoint Online data, or anonymous joining of external Teams meetings, and it enables secure external collaboration.

TRv2 improves on the current Tenant Restrictions, which use an on-premises proxy server, with enforcement happening only during cloud authentication with Azure Active Directory (Azure AD). Tenant Restrictions V2 lets an organization admin control whether users can access external applications from the organization's network or devices using externally issued identities, including accounts issued by external organizations and accounts created in unknown tenants.

TRv2 uses a cloud policy and offers both authentication-plane and data-plane protection. It enforces policies during user authentication, and on data-plane access to Exchange Online, SharePoint Online, Teams, and Microsoft Graph.

Tenant Restrictions V2 (TRv2)   

Unlike TRv1, TRv2 allows tenant admins to control which external tenants their users can access on org-owned devices and while on the organization's network using externally issued identities.   

For example, Alice is an employee of Contoso and does consulting work with Fabrikam. Fabrikam issues a user account to Alice to access Fabrikam resources. Alice needs to access Fabrikam resources while using her Contoso-issued device on Contoso's network. Contoso admin Cathy wants to contain data exfiltration risk by blocking access for all other external identities from her organization's devices, while allowing access only for Alice's Fabrikam account. The TRv2 capabilities allow Alice to work across org boundaries while giving Contoso full control.

Benefits of Tenant Restrictions V2 (TRv2)

TRv2 provides the following capabilities:  

  • A default policy configuration that applies to all external tenants.
  • Partner-specific collaboration policies for individual external tenants.
  • Control over how externally issued user identities access other organizations.
  • Limiting access to only specific users and groups from specific organizations.
  • Specifying all apps, or only specific apps, in external organizations that your users may access using identities issued by those organizations.
  • Authentication-plane protection: authentication requests to disallowed tenants are blocked by Azure AD.
  • Data-plane protection: Microsoft cloud services enforce the tenant restriction policy on resource access, protecting against token infiltration.
  • Blocks anonymous access to Teams meetings and blocks access to anonymously shared resources ("Anyone with the link").
  • Blocks access to external tenants even if they allow Exchange Online basic auth.
  • No overhead of managing corporate-network proxies to allow-list tenants in Azure Active Directory (AAD) traffic.
  • Portal UX support to set up the cloud policy.

Setting up a Tenant Restriction Policy

1. Set the default TRv2 policy:

Let's say Contoso wants to restrict how its users work with partners while using Contoso's network and devices. Contoso admin Cathy first sets up a default policy that is applied to all partner tenants. In the default policy, the admin blocks access to all partner tenants and all external users and groups.

2. Set up a tenant-specific TRv2 policy:

Contoso admin Cathy then sets up a specific partner policy for Fabrikam that allows only Alice to access certain applications, such as Office365, using her Fabrikam identity.

3. Set up client-side TRv2 enablement on devices:

Cathy, the tenant admin, sets the Tenant ID and Policy ID of the TRv2 cloud policy in the Windows GPO policy details; the OS then injects a reference to the TRv2 policy into outgoing requests to Microsoft from all Contoso devices.

With the above setup, the Contoso admin has blocked all access to external tenants using external identities from Contoso devices or network, and the Fabrikam partner-specific policy allows only Alice to access Office365 apps on Fabrikam using her Fabrikam identity.
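As an added example that is not Microsoft's code or documentation, here is the three-step Contoso/Fabrikam setup above expressed as the Microsoft Graph cross-tenant access policy bodies (steps 1 and 2), a small evaluator showing how the default and partner policies combine, and the header a Windows client adds once the GPO names the cloud policy (step 3). All GUIDs are constructed placeholders; the combination rule in evaluate() (the partner policy replaces the default for its tenant, and both the user and the application must be allowed) is my reading of the post rather than Microsoft's implementation.

```python
# Added example (not Microsoft's code): the Contoso/Fabrikam TRv2 setup from the post.
# GUIDs are constructed placeholders; the JSON bodies follow the Microsoft Graph
# crossTenantAccessPolicy "tenantRestrictions" schema.
FABRIKAM_TENANT = "11111111-1111-1111-1111-111111111111"  # placeholder partner tenant id
ALICE_FABRIKAM = "22222222-2222-2222-2222-222222222222"   # placeholder: Alice's Fabrikam user object id
OFFICE365_APP = "33333333-3333-3333-3333-333333333333"    # placeholder: application id allowed for Alice

# Step 1: default policy (PATCH /policies/crossTenantAccessPolicy/default):
# block every external identity and every external application.
DEFAULT_POLICY = {"tenantRestrictions": {
    "usersAndGroups": {"accessType": "blocked",
                       "targets": [{"target": "AllUsers", "targetType": "user"}]},
    "applications": {"accessType": "blocked",
                     "targets": [{"target": "AllApplications", "targetType": "application"}]},
}}

# Step 2: partner policy (PATCH /policies/crossTenantAccessPolicy/partners/{FABRIKAM_TENANT}):
# only Alice, and only the listed application, using her Fabrikam identity.
FABRIKAM_POLICY = {"tenantRestrictions": {
    "usersAndGroups": {"accessType": "allowed",
                       "targets": [{"target": ALICE_FABRIKAM, "targetType": "user"}]},
    "applications": {"accessType": "allowed",
                     "targets": [{"target": OFFICE365_APP, "targetType": "application"}]},
}}
PARTNERS = {FABRIKAM_TENANT: FABRIKAM_POLICY}


def _section_allows(section, subject, wildcard):
    """An 'allowed' list is an allow-list; a 'blocked' list is a deny-list."""
    targets = {t["target"] for t in section["targets"]}
    matched = wildcard in targets or subject in targets
    return matched if section["accessType"] == "allowed" else not matched


def evaluate(home_tenant, user_id, app_id, default=DEFAULT_POLICY, partners=PARTNERS):
    """True if an identity from home_tenant may reach app_id from a Contoso device.

    Combination rule as the post describes it (assumption, not Microsoft's code):
    a partner policy replaces the default for its tenant, and both the user
    and the application sections must allow the request.
    """
    restrictions = partners.get(home_tenant, default)["tenantRestrictions"]
    return (_section_allows(restrictions["usersAndGroups"], user_id, "AllUsers")
            and _section_allows(restrictions["applications"], app_id, "AllApplications"))


def tenant_restrictions_header(tenant_id, policy_id):
    """Step 3: the request header Windows injects once the GPO names the cloud policy."""
    return {"sec-Restrict-Tenant-Access-Policy": f"{tenant_id}:{policy_id}"}
```

Running evaluate() for Alice, for another Fabrikam user, and for an identity from a tenant with no partner policy shows that only Alice reaching the listed application is allowed, which is the outcome the post describes.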

Know who is accessing external organizations’ resources from your device/network  

Through the sign-in logs, Cathy the Contoso admin can see which external tenants Contoso users are using to access external organizations, and which of those attempts are being blocked.

Please read the documentation to learn more about tenant restrictions v2 under cross-tenant access settings.   

Thanks,  

Vimala  

Updated May 17, 2023
Version 1.0
  • Great news!

    The screenshot for GPO device config in the documentation states "At least Windows Server 2016" but according to the same page, only Windows Server 2022 is supported. Are you planning to backport this feature on other server OS?

    Also, a bug in the Intune settings catalog prevents the "Cloud Policy Details" option from being configured, as "Hostnames", "IP Ranges" and "Subdomains" are set as optional but the profile cannot be created without these parameters configured.

  • z7abdulquadir
    Copper Contributor

    Hello,

    1. Does anyone know when the tenant restrictions V2 will be in General Availability?

    2. Does it require Microsoft Defender for Endpoint to be in active mode? Or does MDE in passive mode not pose any limitations?

    Thanks

  • alex335678 Yes, it is applied on direct access to the resource as well. Unlike TRv1, which is only on the auth plane, TRv2 does it on the data plane (supported resource access) as well.

    Hkesarwani TRv2 requires P1 license or above.

    FabianoTrindadeBR TRv2 on proxy client side signaling is already GA. We are working on getting Universal TRv2 within Global Secure Access to GA and will update the ETA once available.

  • GeogAlthaus
    Copper Contributor

    In the documentation on learn.microsoft.com there is a section 'Block Chrome, Firefox and .NET applications like PowerShell'.
    The description of the GPO states that a WDAC policy has to tag the applications. Where can I find the steps to configure such a WDAC policy for this case? If I just enable the firewall protection I do not have any access to M365.

  • paul_rich
    Copper Contributor

    Is there a timeline for when individual service end points (e.g. Azure RMS) will be able to be allowed?

  • alex335678
    Brass Contributor

    Do tenant restrictions v2 apply when a user is already logged in and the token is being refreshed? One of the big limitations of tenant restrictions v1 is that it's only applied during authentication, but once a user is signed in they are not very helpful in limiting what accounts are used if there is a change.