Forum Discussion
Restricting client access to other Office 365 tenants
This article is pretty recent and describes how to perform tenant restrictions if you use a modern authentication client. It enables you to restrict what tenants can be accessed from your network.
https://docs.microsoft.com/en-us/azure/active-directory/active-directory-tenant-restrictions
Yup, now we do have options. It's great to see how many things can change around O365 in just a few months!
- Chris Roth, Mar 09, 2017, Copper Contributor
Good and bad there. Only works with your network as the accessing perimeter. Off your LAN/VPN it doesn't help. Also you need Azure AD P1 licensing to use it. And there is overhead with SSL decryption, injecting a header, and encrypting to send it on its way.
- Pieter Rossouw, Mar 22, 2022, Copper Contributor
Deployed this for a bank, used a cloud proxy and GPO configurations to force clients through the proxy service to always ensure tenant restrictions are applied. You also have the option from some AV vendors to do the header insertion when accessing the login URLs. Combine this with conditional access, and you can get a solution that covers all scenarios. In terms of the SSL header injection overhead, it is just for the 3 login URLs, when signing in to the service, so overhead is absolutely minimal.
- BrjannBrekkan, Mar 28, 2017, Microsoft
Currently Azure AD tenant restrictions is the way to accomplish this. Can you give an example of a scenario where you would have to restrict access when your users are not on your network? Say for example that one of your employees works for a non-profit or volunteers at a school that has O365, or they get invited by their kids to review their schoolwork on their school OneDrive. The only way to really accomplish that blocking would be to have your company laptops limit access in the local firewall (a feature we don't have today to do what tenant restriction does but do it client side).
Brjann
- Azure AD Customer Success team
- tannerbriggs, Nov 09, 2018, Microsoft
Hi everyone,
Although not a complete solution, admins can configure the Outlook client to prevent users from adding new accounts/profiles. This would stop employees from accessing other email services from the desktop client. However, OWA and other browser-based services would still be accessible without another control in place.
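
The header insertion on the three sign-in hosts discussed earlier in this thread, as an added example that is not part of any post or of Microsoft's documentation: the per-request logic a TLS-inspecting proxy would apply. The header names and hosts are the ones Azure AD tenant restrictions uses; the tenant names, directory ID and function names are constructed placeholders.

```python
# Added example: per-request header handling for a TLS-inspecting proxy.
LOGIN_HOSTS = frozenset({
    "login.microsoftonline.com",
    "login.microsoft.com",
    "login.windows.net",
})
TENANT_HEADER = "Restrict-Access-To-Tenants"
CONTEXT_HEADER = "Restrict-Access-Context"

# Constructed placeholders: replace with your own permitted tenants and the
# directory ID of the tenant that owns the restriction policy.
PERMITTED_TENANTS = ["corp.example", "partner.example"]
POLICY_DIRECTORY_ID = "00000000-0000-0000-0000-000000000000"


def normalize_host(host):
    """Lower-case and drop any port or trailing dot before matching."""
    host = host.strip().lower()
    if not host.startswith("["):          # leave IPv6 literals alone
        host = host.split(":", 1)[0]
    return host.rstrip(".")


def apply_tenant_restrictions(host, headers):
    """Return the (name, value) header list to forward upstream.

    Only exact matches on the three sign-in hosts are modified; all other
    traffic is returned unchanged. On a sign-in host, any copy of the two
    headers sent by the client is dropped first, so the values that reach
    Azure AD are always the proxy's.
    """
    if normalize_host(host) not in LOGIN_HOSTS:
        return list(headers)
    managed = {TENANT_HEADER.lower(), CONTEXT_HEADER.lower()}
    forwarded = [(n, v) for n, v in headers if n.lower() not in managed]
    forwarded.append((TENANT_HEADER, ",".join(PERMITTED_TENANTS)))
    forwarded.append((CONTEXT_HEADER, POLICY_DIRECTORY_ID))
    return forwarded


if __name__ == "__main__":
    # Constructed request: the client supplies its own copy of the header.
    sample = [("User-Agent", "demo"),
              ("restrict-access-to-tenants", "other.example")]
    for name, value in apply_tenant_restrictions(
            "login.microsoftonline.com:443", sample):
        print(f"{name}: {value}")
```

Because the match is exact rather than suffix-based, only sign-in traffic needs to be decrypted and rewritten, which is what keeps the overhead small.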