Tenant Restrictions and B2B

%3CLINGO-SUB%20id%3D%22lingo-sub-85318%22%20slang%3D%22en-US%22%3ERe%3A%20Tenant%20Restrictions%20and%20B2B%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-85318%22%20slang%3D%22en-US%22%3EHi%20Keith%20-%20that's%20a%20great%20scenario%20and%20we'll%20definitely%20consider%20this%20feature%20request.%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-85314%22%20slang%3D%22en-US%22%3ERe%3A%20Tenant%20Restrictions%20and%20B2B%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-85314%22%20slang%3D%22en-US%22%3E%3CP%3EWith%20tenant%20restrictions%20in%20place%20via%20our%20proxy%20(allowing%20only%20our%20tenant%2Fdomain)%2C%20is%20there%20a%20way%20that%20the%20access%20token%20can%20be%20granted%20to%20our%20users%20as%20guests%20of%20allowed%20partners%20we%20identify%20within%20our%20tenant%3F%20Tenant%20restrictions%20is%20great%20for%20preventing%20users%20to%20access%20tenants%20where%20they%20may%20have%20accounts%2C%20but%20how%20can%20we%20make%20this%20work%20for%20user%20accounts%20which%20exist%20in%20our%20own%20directory%20when%20invited%20as%20guest%3F%3CBR%20%2F%3E%3CBR%20%2F%3EAnd%20either%20way%2C%20it%20would%20be%20useful%20to%20have%20a%20whitelist%20of%20organizations%20that%20our%20users%20are%20allowed%20to%20be%20invited%20as%20guests%20to.%26nbsp%3B%20Or%20auditing%20of%20such%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-85266%22%20slang%3D%22en-US%22%3ERe%3A%20Tenant%20Restrictions%20and%20B2B%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-85266%22%20slang%3D%22en-US%22%3E%3CP%3EWe%20have%20a%26nbsp%3Ballow%20%2F%20deny%20list%20coming%20up%20for%20managing%26nbsp%3Boutgoing%20relationships%2C%20but%20what%20is%20your%20scenario%20for%20restricting%20incoming%20relationships%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-85243%22%20slang%3D%22en-US%22%3ETenant%20Restrictions%20and%20B2B%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-85243%22%20slang%3D%22en-US%22%3E%3CP%3EWill%20the%20implementation%20of%20tenant%20restrictions%20via%20proxy%20header%20injection%20prevent%20users%20in%20our%20directory%20who%20were%20invited%20as%20B2B%20guest%20users%20to%20another%20tenant%20from%20accessing%20that%20partner%20tenant%20from%20our%20network%20where%20tenant%20restrictions%20are%20in%20place%3F%26nbsp%3B%20I%20posed%20this%20question%20at%20a%20MS%20tech%20summit%20and%20was%20told%20no%20-%20the%20answer%20given%20was%20that%20as%20the%20authentication%20takes%20place%20in%20in%20the%20invitee's%20(our)%20tenant%20(as%20the%20identity%20directory).%26nbsp%3B%26nbsp%3B%20But%20isn't%20the%20access%20security%20token%20given%20by%20the%20resource%20tenant%20with%20their%20tenant%20ID%3F%26nbsp%3B%20My%20own%20testing%20with%20Fiddler%20has%20confirmed%20that%20indeed%20I%20cannot%20access%20a%20resource%20tenant%20as%20a%20guest%20user%20that%20isn't%20included%20in%20'Restrict-Access-To-Tenants'%20in%20our%20proxy%20header.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThis%20would%20mean%20updating%20on%20the%20proxy%20a%20list%20of%20organizations%20that%20we%20could%20partner%20with%20as%20invitees%2C%20which%20makes%20the%20feature%20not%20as%20practical%20or%20useful%20as%20we%20originally%20thought.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EIs%20there%20any%20thought%20of%20whitelisting%20companies%20for%20outgoing%20and%20incoming%20B2B%20relationships%20that%20can%20be%20maintained%20at%20the%20tenant%20level%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EMany%20thanks!%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-85243%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EB2B%20collaboration%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E
Highlighted
Occasional Contributor

Will the implementation of tenant restrictions via proxy header injection prevent users in our directory who were invited as B2B guest users to another tenant from accessing that partner tenant from our network where tenant restrictions are in place?  I posed this question at a MS tech summit and was told no - the answer given was that as the authentication takes place in in the invitee's (our) tenant (as the identity directory).   But isn't the access security token given by the resource tenant with their tenant ID?  My own testing with Fiddler has confirmed that indeed I cannot access a resource tenant as a guest user that isn't included in 'Restrict-Access-To-Tenants' in our proxy header.

 

This would mean updating on the proxy a list of organizations that we could partner with as invitees, which makes the feature not as practical or useful as we originally thought.

 

Is there any thought of whitelisting companies for outgoing and incoming B2B relationships that can be maintained at the tenant level?

 

Many thanks!

 

 

3 Replies
Highlighted

We have a allow / deny list coming up for managing outgoing relationships, but what is your scenario for restricting incoming relationships?

Highlighted

With tenant restrictions in place via our proxy (allowing only our tenant/domain), is there a way that the access token can be granted to our users as guests of allowed partners we identify within our tenant? Tenant restrictions is great for preventing users to access tenants where they may have accounts, but how can we make this work for user accounts which exist in our own directory when invited as guest?

And either way, it would be useful to have a whitelist of organizations that our users are allowed to be invited as guests to.  Or auditing of such?

Highlighted
Hi Keith - that's a great scenario and we'll definitely consider this feature request.