Forum Discussion
Restricting client access to other Office 365 tenants
Hi, this is done through Tenant Restrictions.
You'll configure your outbound proxy server to insert a "Restrict-Access-To-Tenants: <permitted tenant list>" header in packets bound to login.microsoftonline.com, login.microsoft.com, and login.windows.net.
You'll then go to your O365 tenant and configure Tenant Restrictions.
For this to work, the proxy needs to support SSL inspection in order to insert the header.
The end result will be:
Scenario: a user tries to access outlook.office.com to get access to his tenant (contractor.onmicrosoft.com).
Once he enters the URL, or opens Outlook / a client to access the SaaS service, he gets redirected to Azure AD (the login URLs listed above).
The proxy intercepts traffic to AAD and inserts the HTTP header, indicating that yourtenant.onmicrosoft.com is the only allowed tenant and contractor.onmicrosoft.com is not allowed.
AAD does not issue a service token for the contractor.onmicrosoft.com user, so the client cannot authenticate to gain access to the SaaS service.
This works for controlling access to Microsoft tenants from your network, so if the contractor can connect his mobile phone as a hotspot, or bypass your network security controls (proxy server), then this won't work. So additional controls might need to be implemented to ensure your DLP controls are enforced when using Tenant Restrictions in O365.
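As an added illustration (not code from the post, Microsoft or any proxy vendor), the following toy model shows the two halves of the flow described above: the proxy adding the header only on the three login hosts, and the identity provider refusing a token when the user's tenant is not in the permitted list, including the hotspot-bypass case where no header is present. The directory ID, request path and the `Restrict-Access-Context` companion header value are placeholders assumed for the example.

```python
"""Toy model of Tenant Restrictions header insertion at a TLS-inspecting proxy.

Constructed example for illustration; not Microsoft's or any vendor's code.
"""
from dataclasses import dataclass, field

# The three Azure AD login endpoints named in the post. Matching is on the exact
# host so that e.g. login.microsoftonline.com.example.net (a lookalike) is NOT
# treated as a login endpoint by a sloppy substring match.
LOGIN_HOSTS = frozenset({
    "login.microsoftonline.com",
    "login.microsoft.com",
    "login.windows.net",
})

TENANTS_HEADER = "Restrict-Access-To-Tenants"   # comma-separated permitted tenants
CONTEXT_HEADER = "Restrict-Access-Context"      # companion header; value is a directory ID

@dataclass
class Request:
    host: str
    path: str
    headers: dict = field(default_factory=dict)

def insert_tenant_restriction(req, permitted_tenants, directory_id):
    """Proxy side: add the headers only on decrypted requests to the login hosts."""
    host = req.host.lower().rstrip(".")
    if host not in LOGIN_HOSTS:
        return req                              # not a login endpoint: pass through untouched
    # Overwrite rather than append, so a client-supplied header value cannot win.
    req.headers[TENANTS_HEADER] = ",".join(permitted_tenants)
    req.headers[CONTEXT_HEADER] = directory_id
    return req

def aad_decision(req, user_tenant):
    """Model of the identity provider: a token is issued only if the user's tenant is permitted."""
    header = req.headers.get(TENANTS_HEADER)
    if header is None:
        return "token issued (no restriction)"   # traffic never crossed the proxy (e.g. hotspot)
    permitted = {t.strip().lower() for t in header.split(",") if t.strip()}
    if user_tenant.lower() in permitted:
        return "token issued"
    return "token refused: tenant not in Restrict-Access-To-Tenants"

def simulate(host, user_tenant, permitted=("yourtenant.onmicrosoft.com",),
             directory_id="00000000-0000-0000-0000-000000000000", via_proxy=True):
    """Run one sign-in attempt through the model; via_proxy=False models a network bypass."""
    req = Request(host, "/common/oauth2/authorize")   # placeholder path
    if via_proxy:
        req = insert_tenant_restriction(req, permitted, directory_id)
    return aad_decision(req, user_tenant)

if __name__ == "__main__":
    print(simulate("login.microsoftonline.com", "contractor.onmicrosoft.com"))
    print(simulate("login.microsoftonline.com", "yourtenant.onmicrosoft.com"))
    print(simulate("login.microsoftonline.com", "contractor.onmicrosoft.com", via_proxy=False))
```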