Forum Discussion
Restricting client access to other Office 365 tenants
That's something I have to deal with, too.
For me it is allowing access only to company devices. Intune doesn't offer that.
Ben, for other Office 365 tenants you simply give the user no license in this tenant. So they will have no Mail account there.
As for other mail systems, you can block the URLs, for example.
Hope that helps.
Mark
- Daniel Kharman, Aug 07, 2017, Brass Contributor
You can use Intune's Conditional Access function to restrict access to company devices, assuming that your definition of a 'company device' is one that is enrolled in Intune.
- Pieter Rossouw, Mar 22, 2022, Copper Contributor
This still does not address the issue of accessing another tenant when on the company-owned device. Conditional access is only applied to the tenant you're accessing. Tenant restrictions addresses the ability to be able to log into an untrusted O365 tenant from a company device.
- Ben Hicks, Nov 11, 2016, Copper Contributor
Hi Mark,
Thanks for the reply. I understand around the restrictions for logging onto our own tenant and we have those in place.
The scenario I'm thinking about is when, say for example, a contractor was logged on to one of our corporate machines and they had their own tenant. What's to stop them from spinning up a browser or Outlook and logging on to their own account and emailing information out that way? All we would see at the proxy level is legitimate encrypted traffic to outlook.office365.com.
I'm interested to see how other people have dealt with this.
Cheers,
-Ben
- Pieter Rossouw, Mar 22, 2022, Copper Contributor
Like I mentioned before, the solution for this is a technology called tenant restrictions. This will prevent a contractor from logging in to another Tenant, whilst on your network / devices. It is exactly the same solution that Google has as mentioned above.
- Dean_Gross, Nov 11, 2016, Silver Contributor
One way to prevent this would be to implement Rights Management. When the contractor has finished their job, the rights to the affected files will no longer be available to them.
Another way to mitigate this risk is to ensure that the appropriate clauses are in your contracts and to have the contractors sign an appropriate "terms of use" document.
- Pieter Rossouw, Mar 22, 2022, Copper Contributor
Tenant restrictions will do the job, Rights management will also, but there are way more considerations for Rights management. For example, if you have CAD drawings or content types that do not support Rights Management encryption natively, then Tenant restrictions would solve the issue. Rights management is better for Zero Trust models however, so should not be overlooked, but rather combined with Tenant restrictions.