Forum Discussion
Restricting client access to other Office 365 tenants
That's something I have to deal with, too.
For me it is allowing access only to company devices. Intune doesn't offer that.
Ben, for other Office 365 tenants you simply give the user no license in this tenant, so they will have no mail account there.
As for other mail systems you can block the URLs, for example.
Hope that helps.
Mark
Hi Mark,
Thanks for the reply. I understand the restrictions around logging onto our own tenant and we have those in place.
The scenario I'm thinking about is when, say for example, a contractor was logged on to one of our corporate machines and they had their own tenant. What's to stop them from spinning up a browser or Outlook and logging on to their own account and emailing information out that way? All we would see at the proxy level is legitimate encrypted traffic to outlook.office365.com.
I'm interested to see how other people have dealt with this.
Cheers,
-Ben
- Pieter Rossouw, Mar 22, 2022, Copper Contributor
Like I mentioned before, the solution for this is a technology called tenant restrictions. This will prevent a contractor from logging in to another tenant whilst on your network / devices. It is exactly the same solution that Google has, as mentioned above.
- Dean_Gross, Nov 11, 2016, Silver Contributor
One way to prevent this would be to implement Rights Management. When the contractor has finished their job, the rights to the affected files will no longer be available to them.
Another way to mitigate this risk is to ensure that the appropriate clauses are in your contracts and to have the contractors sign an appropriate "terms of use" document.
- Pieter Rossouw, Mar 22, 2022, Copper Contributor
Tenant restrictions will do the job. Rights management will also, but there are way more considerations for rights management. For example, if you have CAD drawings or content types that do not support Rights Management encryption natively, then tenant restrictions would solve the issue. Rights management is better for Zero Trust models, however, so it should not be overlooked, but rather combined with tenant restrictions.
- Ben Hicks, Nov 11, 2016, Copper Contributor
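The tenant restrictions Pieter describes work by having the organisation's outbound proxy add two headers to requests bound for the Microsoft sign-in endpoints, so the login service only issues tokens for the tenants on the allow list. The Python below is an added illustration for this thread (not code from any poster or from Microsoft); the permitted tenant names and the directory ID are placeholder values.

```python
from urllib.parse import urlsplit

# Sign-in hostnames a tenant-restrictions proxy must intercept. Only these
# need TLS termination; mail traffic to outlook.office365.com stays untouched.
LOGIN_HOSTS = {
    "login.microsoftonline.com",
    "login.microsoft.com",
    "login.windows.net",
}

# Constructed example values: tenants users may sign in to, and the
# organisation's own directory (tenant) ID as a placeholder GUID.
ALLOWED_TENANTS = ["contoso.com", "contoso.onmicrosoft.com"]
CONTEXT_TENANT_ID = "00000000-0000-0000-0000-000000000000"  # placeholder


def tenant_restriction_headers(allowed_tenants, context_tenant_id):
    """Build the two headers the Microsoft login service evaluates."""
    if not allowed_tenants:
        raise ValueError("at least one permitted tenant is required")
    return {
        "Restrict-Access-To-Tenants": ",".join(allowed_tenants),
        "Restrict-Access-Context": context_tenant_id,
    }


def is_login_request(url):
    """True when the request targets one of the sign-in endpoints."""
    host = (urlsplit(url).hostname or "").lower()
    return host in LOGIN_HOSTS


def apply_tenant_restrictions(url, headers,
                              allowed_tenants=ALLOWED_TENANTS,
                              context_tenant_id=CONTEXT_TENANT_ID):
    """Return a copy of `headers` with restriction headers enforced.

    Any client-supplied copy of the headers is dropped first (case-insensitively),
    so a user on the corporate device cannot widen the allow list themselves.
    Requests to non-login hosts are passed through unchanged.
    """
    if not is_login_request(url):
        return dict(headers)
    enforced = tenant_restriction_headers(allowed_tenants, context_tenant_id)
    reserved = {name.lower() for name in enforced}
    out = {k: v for k, v in headers.items() if k.lower() not in reserved}
    out.update(enforced)
    return out
```

A contractor signing in to their own tenant through this proxy would reach the login page but be refused a token, which is the behaviour the thread is after.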
Hi Dean,
Thanks for the reply. Both are good suggestions but unfortunately I can't see them as being practical ways to prevent data leakage. To encrypt all our data and work out an effective rights management policy would take a very long time and, although it's an extreme example, I'm pretty sure Snowden filled out some sort of AUP :-)
The only way I can see to restrict data leakage to another tenant at the moment is to look at SSL inspection and apply some form of URL filtering ... whilst it could be effective, it's not a supported solution by Microsoft and they actively discourage it.
-Ben
- Dean_Gross, Nov 11, 2016, Silver Contributor
If Rights Management had been enabled, Snowden would not have been able to use the files he stole. IRM/RMS is the most effective way to mitigate the risks associated with data that has leaked.
The Data Loss Prevention policies in O365 and now in Flow can help mitigate the risks.
Advanced Threat Analytics (ATA) can be used to identify abnormal behavior, such as a large number of file downloads, but this is only good for on-premises systems.
Azure Security Center can be used to monitor network traffic from many applications for suspicious behavior, see https://azure.microsoft.com/en-us/documentation/articles/security-center-detection-capabilities/