Forum Discussion
Restricting client access to other Office 365 tenants
There's no way to do this in O365, even if you have AD FS in place. You can probably use a similar solution to what's described in the article, with inspecting all traffic to O365, but I wouldn't really recommend such an approach. As Dean mentioned, there are plenty of controls available as part of O365 or additional services to secure access to your data; one of them (or a combination) should meet your needs.
This article is pretty recent and describes how to perform tenant restrictions if you use a modern authentication client. It enables you to restrict what tenants can be accessed from your network.
https://docs.microsoft.com/en-us/azure/active-directory/active-directory-tenant-restrictions
- VasilMichev, Mar 08, 2017, MVP
Yup, now we do have options. It's great to see how many things can change around O365 in just a few months!
- Chris Roth, Mar 09, 2017, Copper Contributor
Good and bad there. Only works with your network as the accessing perimeter. Off your LAN/VPN it doesn't help. Also you need Azure AD P1 licensing to use it. And there is overhead with SSL decryption, injecting a header, and encrypting to send it on its way.
- Pieter Rossouw, Mar 22, 2022, Copper Contributor
Deployed this for a bank. Used a cloud proxy and GPO configurations to force clients through the proxy service to always ensure tenant restrictions are applied. You also have the option from some AV vendors to do the header insertion when accessing the login URLs. Combine this with conditional access, and you can get a solution that covers all scenarios. In terms of the SSL header injection overhead, it is just for the 3 login URLs, when signing in to the service, so overhead is absolutely minimal.
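The header injection discussed in this thread, as an added example that is not part of any post or of Microsoft's code: the decision a TLS-inspecting proxy applies per request, touching only the three login hosts and overwriting any tenant-restriction headers the client sent itself. The header names and login hosts are the ones Microsoft documents for tenant restrictions; the tenant name, directory ID and function names are placeholders chosen for this sketch.

```python
# Hosts where the proxy must decrypt and inject; all other traffic passes untouched.
LOGIN_HOSTS = frozenset({
    "login.microsoftonline.com",
    "login.microsoft.com",
    "login.windows.net",
})

# Header names compared case-insensitively, as HTTP requires.
TR_HEADERS = frozenset({"restrict-access-to-tenants", "restrict-access-context"})

# Placeholder values (assumptions): replace with your permitted tenants
# and the directory ID of the tenant that sets the policy.
ALLOWED_TENANTS = ["contoso.example"]
DIRECTORY_ID = "00000000-0000-0000-0000-000000000000"


def normalize_host(host):
    """Lower-case the Host value and drop any port and trailing dot."""
    return host.strip().lower().partition(":")[0].rstrip(".")


def apply_tenant_restrictions(host, headers):
    """Return (headers, injected) for one decrypted request.

    headers is a list of (name, value) tuples. Exact host matching keeps
    lookalike names out of scope. Client-supplied copies of the two headers
    are dropped first so a workstation cannot pre-set its own allow list.
    """
    if normalize_host(host) not in LOGIN_HOSTS:
        return list(headers), False
    kept = [(k, v) for k, v in headers if k.lower() not in TR_HEADERS]
    kept.append(("Restrict-Access-To-Tenants", ",".join(ALLOWED_TENANTS)))
    kept.append(("Restrict-Access-Context", DIRECTORY_ID))
    return kept, True
```

Because the check runs only for the login hosts, the decryption cost stays confined to sign-in traffic, and clients that bypass the proxy receive no header at all, which is why the thread pairs this with forced proxy routing and conditional access.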