SOLVED

Azure tenant restriction headers setup


Hi,

I recently read about Azure tenant restriction headers which can be used to restrict web proxies of other tenants except ours when we sign in to office.com or outlook web app and others like that. 

We also recently started using 'Force point', who we thought could help us restrict this, although their advice was that we have to whitelist their data centre IP addresses in our Conditional Access policies blocking locations.

I felt that the whitelisting option was a bit insecure for our tenant, therefore I started reading around the Azure tenant restriction, which is not entirely clear to me: will I need the web proxy to achieve this, or can I simply set it up in the Azure portal so it immediately starts working without any third-party integration?

Thanks
2 Replies
best response confirmed by Sesu- (Occasional Contributor)
Solution
Hello,
The use case for AAD tenant restrictions is to prevent your on-premises users from accessing SaaS apps from AAD tenants other than your own.

Yes, you will need some form of proxy server to add the two required HTTP headers to the request to AAD during authentication. This is what allows AAD to know which tenants to permit for authentication.

You can read more about the feature in the link below.

https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/tenant-restrictions
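As an added illustration of the two headers the reply refers to (example code written for this page, not code from the post or from Microsoft), here is the injection logic a proxy would apply to authentication requests. It assumes the documented header names Restrict-Access-To-Tenants and Restrict-Access-Context and the AAD login hosts login.microsoftonline.com, login.microsoft.com and login.windows.net; the tenant values are constructed placeholders.

```python
import re
from typing import Dict, List
from urllib.parse import urlsplit

# Hosts whose requests must carry the headers. Assumed from the tenant
# restrictions documentation; the post itself does not list them.
AAD_LOGIN_HOSTS = {"login.microsoftonline.com", "login.microsoft.com", "login.windows.net"}

# Permitted tenants may be directory IDs (GUIDs) or verified domain names.
_GUID = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")
_DOMAIN = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.[A-Za-z0-9-]{1,63})+$")
_OUR_HEADERS = ("restrict-access-to-tenants", "restrict-access-context")


def valid_tenant(value: str) -> bool:
    return bool(_GUID.match(value) or _DOMAIN.match(value))


def tenant_restriction_headers(permitted: List[str], context_tenant: str) -> Dict[str, str]:
    """Build the two headers the proxy adds to AAD authentication requests."""
    if not permitted:
        raise ValueError("permitted tenant list must not be empty")
    bad = [t for t in permitted if not valid_tenant(t)]
    if bad:
        raise ValueError("invalid tenant identifiers: %r" % bad)
    if not _GUID.match(context_tenant):
        raise ValueError("Restrict-Access-Context must be the directory (tenant) ID GUID")
    return {
        "Restrict-Access-To-Tenants": ",".join(permitted),
        "Restrict-Access-Context": context_tenant,
    }


def apply_to_request(url: str, headers: Dict[str, str],
                     permitted: List[str], context_tenant: str) -> Dict[str, str]:
    """Return outgoing headers: injected only for AAD login hosts, untouched otherwise."""
    host = (urlsplit(url).hostname or "").lower()
    if host not in AAD_LOGIN_HOSTS:
        return dict(headers)
    # Drop any client-supplied copy first so a client cannot widen the tenant list.
    out = {k: v for k, v in headers.items() if k.lower() not in _OUR_HEADERS}
    out.update(tenant_restriction_headers(permitted, context_tenant))
    return out


if __name__ == "__main__":
    # Constructed sample values, not a real tenant.
    allowed = ["contoso.onmicrosoft.com", "fabrikam.com"]
    ctx = "00000000-0000-0000-0000-000000000001"
    print(apply_to_request("https://login.microsoftonline.com/common/oauth2/authorize",
                           {"Host": "login.microsoftonline.com"}, allowed, ctx))
```

Because these login endpoints are HTTPS, the proxy has to terminate and re-establish TLS to insert the headers, which is why the reply says a proxy is required rather than a portal-only setting.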