Forum Discussion

Ben Hicks
Copper Contributor
Nov 10, 2016

Restricting client access to other Office 365 tenants

Hi,

When allowing connectivity into Office 365, is there a way to restrict access to a single tenant? For the purposes of DLP I need to prevent internal machines logging onto any other email service, including other 365 tenants. How could this be achieved?

Google offers a way to restrict this by using additional headers -> https://support.google.com/a/answer/1668854?hl=en

Many thanks,

-Ben

20 Replies

  • Pieter Rossouw
    Copper Contributor

    Hi, this is done through Tenant Restrictions.

    You'll configure your outbound proxy server to insert a "Restrict-Access-To-Tenants: <permitted tenant list>" header in packets bound to login.microsoftonline.com, login.microsoft.com, and login.windows.net.

    You'll then go to your O365 tenant and configure Tenant Restrictions.

    For this to work, the proxy needs to support SSL inspection in order to insert the header.

    End result will be:

    Scenario: User tries to access outlook.office.com to get access to his tenant (contractor.onmicrosoft.com).

    Once he enters the URL, or opens Outlook / a client to access the SaaS service, he gets redirected to Azure AD (URLs listed above for login).

    The proxy intercepts traffic to AAD and inserts the HTTP header, indicating that yourtenant.onmicrosoft.com is the only allowed tenant and contractor.onmicrosoft.com is not allowed.

    AAD does not issue a service token for the contractor.onmicrosoft.com user, so the client cannot authenticate to gain access to the SaaS service.

    This works for controlling access to Microsoft tenants from your network, so if the contractor can connect his mobile phone as a hotspot, or bypass your network security controls (proxy server), then this won't work. So additional controls might need to be implemented to ensure your DLP controls are enforced when using Tenant Restrictions in O365.
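    To make the flow in the reply above concrete, here is an added illustration (not code from the thread or from Microsoft) of the two halves of the mechanism: the proxy inserting the Restrict-Access-To-Tenants header only on requests to the three Azure AD login hosts named above, and a simplified model of the allow/deny decision the login endpoint makes on that header. Function names, the sample tenant names and the decision model are constructed for this example; the real service may behave differently in detail.

```python
# Added example for this thread: proxy-side header injection for Azure AD
# tenant restrictions plus a simplified model of the login endpoint's decision.
# Header name and login hosts come from the reply above; everything else
# (function names, sample tenants, the decision model) is constructed.

from typing import Dict, List

# Login hosts named in the thread; the proxy must insert the header for these.
AAD_LOGIN_HOSTS = {"login.microsoftonline.com", "login.microsoft.com", "login.windows.net"}
HEADER = "Restrict-Access-To-Tenants"


def inject_tenant_restriction(host: str, headers: Dict[str, str],
                              permitted: List[str]) -> Dict[str, str]:
    """Return a copy of `headers` with the restriction header added when the
    request is bound for an Azure AD login host; other hosts are left untouched."""
    out = dict(headers)
    if host.lower() in AAD_LOGIN_HOSTS:
        # Comma-separated permitted tenant list. The proxy overwrites any value
        # the client supplied, so only the network policy's value reaches AAD.
        out[HEADER] = ",".join(permitted)
    return out


def aad_decision(headers: Dict[str, str], requested_tenant: str) -> str:
    """Simplified model of the login endpoint: 'allow' when no restriction
    header is present (request did not pass the inspecting proxy) or when the
    requested tenant is listed; otherwise 'deny' (no service token issued)."""
    value = headers.get(HEADER)
    if value is None:
        return "allow"  # no header, no restriction: the hotspot-bypass case
    allowed = {t.strip().lower() for t in value.split(",") if t.strip()}
    return "allow" if requested_tenant.lower() in allowed else "deny"


if __name__ == "__main__":
    policy = ["yourtenant.onmicrosoft.com"]  # constructed permitted-tenant list
    login = inject_tenant_restriction("login.microsoftonline.com", {}, policy)
    print(aad_decision(login, "yourtenant.onmicrosoft.com"))   # allow
    print(aad_decision(login, "contractor.onmicrosoft.com"))   # deny
    # Same login, but the request never traversed the proxy: nothing stops it.
    print(aad_decision({}, "contractor.onmicrosoft.com"))      # allow
```

The last call models the caveat in the reply: the restriction only exists for login requests the inspecting proxy actually sees and rewrites.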

  • There's no way to do this in O365, even if you have AD FS in place. You can probably use a similar solution to what's described in the article, with inspecting all traffic to O365, but I wouldn't really recommend such an approach. As Dean mentioned, there are plenty of controls available as part of O365 or additional services to secure access to your data, one of them (or a combination) should meet your needs.

    • Pieter Rossouw
      Copper Contributor
      This is not true. Tenant Restrictions is the name of the technology to achieve this. Google / Bing "microsoft tenant Restrictions".
    • Chris Roth
      Copper Contributor

      This article is pretty recent and describes how to perform tenant restrictions if you use a modern authentication client. It enables you to restrict which tenants can be accessed from your network.

      https://docs.microsoft.com/en-us/azure/active-directory/active-directory-tenant-restrictions

      • VasilMichev
        MVP

        Yup, now we do have options. It's great to see how many things can change around O365 in just a few months!

  • Mark Glaser
    Copper Contributor

    That's something I have to deal with, too.

    For me it is allowing access only to company devices. Intune doesn't offer that.

    Ben, for other Office 365 tenants you simply give the user no license in this tenant. So they will have no mail account there.

    As for other mail systems, you can block the URLs, for example.

    Hope that helps.

    Mark

    • Daniel Kharman
      Brass Contributor
      You can use Intune's Conditional Access function to restrict access to company devices. Assuming that your definition of a 'company device' is one that is enrolled in Intune.
      • Pieter Rossouw
        Copper Contributor
        This still does not address the issue of accessing another tenant when on the company-owned device. Conditional Access only applies to the tenant you're accessing. Tenant Restrictions addresses the ability to log into an untrusted O365 tenant from a company device.
    • Ben Hicks
      Copper Contributor

      Hi Mark,

      Thanks for the reply. I understand the restrictions around logging onto our own tenant, and we have those in place.

      The scenario I'm thinking about is when, say for example, a contractor was logged on to one of our corporate machines and they had their own tenant. What's to stop them from spinning up a browser or Outlook and logging on to their own account and emailing information out that way? All we would see at the proxy level is legitimate encrypted traffic to outlook.office365.com.

      I'm interested to see how other people have dealt with this.

      Cheers,

      -Ben

      • Pieter Rossouw
        Copper Contributor
        Like I mentioned before, the solution for this is a technology called Tenant Restrictions. This will prevent a contractor from logging in to another tenant whilst on your network / devices. It is exactly the same solution that Google has, as mentioned above.