Home

How to avoid login to other tenants?

%3CLINGO-SUB%20id%3D%22lingo-sub-288768%22%20slang%3D%22en-US%22%3EHow%20to%20avoid%20login%20to%20other%20tenants%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-288768%22%20slang%3D%22en-US%22%3E%3CP%3EHi%20all%2C%3C%2FP%3E%3CP%3EI%20have%20been%20investigating%20a%20bit%20how%20we%20could%20avoid%20situation%20were%20end-users%20by%20accidentally%20start%20sign-in%20to%20another%20tenant.%20E.g.%20you%20get%20the%20login%20screen%20on%20Skype%2FTeams%2FOutlook%2FEtc..%20and%20write%20credentials%20to%20your%20personal%20tenant%20or%20any%20other%20third%20part%20tenant.%20On%20the%20corporate%20device%20that%20might%20not%20be%20the%20best%20thing.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20found%20two%20threads%20to%20speak%20about%20this%3A%3C%2FP%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2FIdentity-Authentication%2FRestricting-client-access-to-other-Office-365-tenants%2Ftd-p%2F28612%22%20target%3D%22_blank%22%3ERestricting%20client%20access%20to%20other%20Office%20365%20tenants%3C%2FA%3E%3C%2FP%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2FAzure-Active-Directory-B2B%2FBlock-users-from-becoming-Guest-in-another-Office-365-Tenant%2Ftd-p%2F196649%22%20target%3D%22_blank%22%3EBlock%20users%20from%20becoming%20Guest%20in%20another%20Office%20365%20Tenant%3C%2FA%3E%3C%2FP%3E%3CP%3Ebut%20both%20of%20them%20does%20the%20blocking%20on%20the%20proxy.%20Microsoft%20in%20my%20mind%20is%20trying%20to%20advice%20us%20to%20bypass%20the%20proxy%20as%20many%20services%20are%20working%20better%20like%20Skype%2FTeams%20without%20proxy.%20But%20how%20I'm%20able%20block%20the%20incorrect%20sing-in%20to%20wrong%20tenant%20on%20the%20workstation.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EDoes%20anybody%20has%20seen%20if%20MDM%2FIntune%20could%20bring%20some%20help%20on%20this%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-288768%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EAuthentication%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EIdentity%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3ESecurity%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-297990%22%20slang%3D%22en-US%22%3ERe%3A%20How%20to%20avoid%20login%20to%20other%20tenants%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-297990%22%20slang%3D%22en-US%22%3EMicrosoft%20is%20suggesting%20that%20you%20bypass%20proxies%2C%20but%20that%20is%20so%20that%20data%20access%20is%20not%20limited%20and%20cause%20applications%20to%20run%20slow.%20But%20to%20do%20tenant%20restrictions%20you%20need%20to%20proxy%20authentication%20traffic%2C%20and%20not%20all%20traffic%20-%20so%20you%20can%20do%20it%20and%20not%20impact%20performance%2C%20but%20it%20takes%20time%20and%20a%20good%20design%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-293691%22%20slang%3D%22en-US%22%3ERe%3A%20How%20to%20avoid%20login%20to%20other%20tenants%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-293691%22%20slang%3D%22en-US%22%3E%3CP%3EWhilst%20the%20options%20available%20right%20now%20are%20not%20as%20mature%20as%20you%20would%20like%2C%20the%20proxy%20solution%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-gb%2Fazure%2Factive-directory%2Fmanage-apps%2Ftenant-restrictions%22%20target%3D%22_self%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%22%3Eas%20detailed%20here%3C%2FA%3E%20is%20a%20sound%20configuration.%20Saying%20that%20however%2C%20certain%20functions%20are%20unique%20to%20certain%20service%20workloads.%20For%20example%20you%20can%20block%20synchronisation%20of%20OneDrive%20for%20Business%20unless%20the%20workstation%20is%20on%20a%20specific%20domain%20as%20an%20example.%20This%20doesn't%20need%20Intune%2C%20it's%20available%20in%20the%20OneDrive%20for%20Business%20Admin%20Center.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EIn%20any%20case%2C%20expect%20protocols%20on%20how%20we%20access%20apps%20and%20data%20to%20change%20and%20evolve%20quite%20radically%20in%20the%20next%2018%20months.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-288833%22%20slang%3D%22en-US%22%3ERe%3A%20How%20to%20avoid%20login%20to%20other%20tenants%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-288833%22%20slang%3D%22en-US%22%3E%3CP%3EAdam%2C%3C%2FP%3E%3CP%3EAt%20first%2C%20big%20thanks%20about%20your%20great%20answer!%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EFew%20ideas%20comes%20to%20my%20mind%2C%20I%20do%20not%20expect%20that%20Microsoft%20should%20be%20aware%20into%20which%20tenant%20I%20should%20go.%20But%20isn't%20great%20if%20we%20could%20define%20on%20the%20MDM%2FIntune%20that%20when%20EndUserA%20sign-in%20to%20our%20Skype-%2FExchange%20online%20administrator%20could%20define%20into%20which%20tenant%20that%20user%20can%20go%20until%20with%20those%20apps%3F%20So%20I'm%20a%20bit%20wishing%20to%20see%20that%20applications%20can%20be%20aware%20of%20what%20is%20allowed%20to%20be%20done%20and%20what%20is%20not.%3C%2FP%3E%3CP%3EAlso%20it%20is%20important%20to%20see%20that%20none%20of%20the%20solutions%20are%20bullet%20proofs%2C%20but%20sometimes%20some%20tiny%20block%20could%20save%20your%20day.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-288813%22%20slang%3D%22en-US%22%3ERe%3A%20How%20to%20avoid%20login%20to%20other%20tenants%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-288813%22%20slang%3D%22en-US%22%3E%3CP%3EHello%2C%3C%2FP%3E%3CP%3E%3CBR%20%2F%3EThe%20reason%20you%20see%20this%20done%20at%20the%20proxy%20is%20because%20of%20how%20logistically%20this%20works.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EIf%20your%20end%20user%20is%20getting%20the%20prompt%2Flogin%20to%20an%20incorrect%20tenant%2C%20or%20they%20themselves%20are%20navigating%20to%20an%20incorrect%20tenant%2C%20how%20is%20Microsoft%20supposed%20to%20do%20anything%20to%20re-direct%20or%20block%20that.%20They%20can%20deny%20the%20login%2C%20but%20they%20do%20not%20control%20your%20users%20network.%20Also%20keep%20in%20mind%2C%20for%20many%20O365%20users%2C%20end%20users%20from%20tenant%20A%20can%20login%20to%20the%20same%20spot%20as%20end%20users%20from%20tenant%20B.%20Its%20only%20when%20you%20get%20to%20on-prem%20resources%20and%20hybrid%20setups%20that%20you%20are%20getting%20to%20unique%20login%20locations.%20(ADFS%20anyone%3F).%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EEven%20stuff%20like%20conditional%20access%20are%20designed%20around%20restricting%20access%20into%20your%20tenant%2C%20not%20restricting%20your%20users%20access%20into%20other%20places.%3CBR%20%2F%3E%3CBR%20%2F%3EHence%20why%20all%20the%20solutions%20you%20are%20finding%20about%20a%20proxy%2C%20as%20then%20you%20have%20a%20way%20to%20control%20the%20outbound%20traffic%20of%20your%20users%20from%20your%20network.%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EIn%20MDM%2FIntune%2C%20once%20the%20devices%20are%20registered%20and%20online%2C%20you%20then%20do%20have%20more%20autonomy.%20You%20can%20do%20things%20like%20prescribe%20down%20the%20applications%20and%20settings%20your%20users%20are%20using%20so%20that%20they%20are%20not%20only%20connecting%20to%20your%20system%2Fwifi%2Fwhatever%20as%20you%20want%2C%20but%20doing%20it%20on%20a%20certain%20version%20of%20a%20browser%20or%20application.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThe%20issue%20you%20have%20here%20is%20similar%20to%20the%20proxy%20conversation%20though.%20This%20only%20works%20once%20your%20users%20are%20registered%20or%20joined%20to%20the%20Intune%2FMDM%20system.%20Prior%20to%20their%20devices%20being%20joined%2C%20Microsoft%20again%20has%20no%20control%20over%20where%20they%20browse%20or%20navigate.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EIf%20you%20have%20a%20chain%20problem%20with%20this%2C%20then%20yes%20Intune%20could%20kind%20of%20solve%20this%20for%20you%2C%20if%20you%20are%20controlling%20the%20device%20and%20getting%20it%20registered%20into%20Intune%20prior%20to%20giving%20it%20to%20the%20user.%20If%20the%20user%20gets%20the%20phone%2C%20and%20the%20first%20thing%20they%20are%20required%20to%20do%20is%20register%20it%2C%20this%20could%20help%20too.%20But%20if%20you%20send%20me%20a%20phone%2C%20and%20I%20go%20to%20a%20clients%20system%20before%20registering%20with%20Intune%2C%20and%20their%20wifi%20tries%20to%20get%20me%20to%20login%20to%20their%20Skype%20server%2C%20well%20if%20I%20give%20it%20the%20credentials%2C%20thats%20on%20me%20as%20a%20user.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EHope%20this%20makes%20sense.%20Intune%20may%20be%20a%20good%20solution%20if%20you%20are%20really%20worried%20about%20this%20problem.%20To%20me%20though%20this%20sounds%20like%20an%20end%20user%20knowledge%2Feducation%20issue%2C%20not%20one%20that%20inherently%20needs%20a%20technology%20solution%20outside%20of%20what%20exists%20today.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EAdam%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E
Frequent Contributor

Hi all,

I have been investigating a bit how we could avoid situation were end-users by accidentally start sign-in to another tenant. E.g. you get the login screen on Skype/Teams/Outlook/Etc.. and write credentials to your personal tenant or any other third part tenant. On the corporate device that might not be the best thing.

 

I found two threads to speak about this:

Restricting client access to other Office 365 tenants

Block users from becoming Guest in another Office 365 Tenant

but both of them does the blocking on the proxy. Microsoft in my mind is trying to advice us to bypass the proxy as many services are working better like Skype/Teams without proxy. But how I'm able block the incorrect sing-in to wrong tenant on the workstation.

 

Does anybody has seen if MDM/Intune could bring some help on this?

4 Replies

Hello,


The reason you see this done at the proxy is because of how logistically this works.

 

If your end user is getting the prompt/login to an incorrect tenant, or they themselves are navigating to an incorrect tenant, how is Microsoft supposed to do anything to re-direct or block that. They can deny the login, but they do not control your users network. Also keep in mind, for many O365 users, end users from tenant A can login to the same spot as end users from tenant B. Its only when you get to on-prem resources and hybrid setups that you are getting to unique login locations. (ADFS anyone?).

 

Even stuff like conditional access are designed around restricting access into your tenant, not restricting your users access into other places.

Hence why all the solutions you are finding about a proxy, as then you have a way to control the outbound traffic of your users from your network. 

 

In MDM/Intune, once the devices are registered and online, you then do have more autonomy. You can do things like prescribe down the applications and settings your users are using so that they are not only connecting to your system/wifi/whatever as you want, but doing it on a certain version of a browser or application.

 

The issue you have here is similar to the proxy conversation though. This only works once your users are registered or joined to the Intune/MDM system. Prior to their devices being joined, Microsoft again has no control over where they browse or navigate.

 

If you have a chain problem with this, then yes Intune could kind of solve this for you, if you are controlling the device and getting it registered into Intune prior to giving it to the user. If the user gets the phone, and the first thing they are required to do is register it, this could help too. But if you send me a phone, and I go to a clients system before registering with Intune, and their wifi tries to get me to login to their Skype server, well if I give it the credentials, thats on me as a user.

 

Hope this makes sense. Intune may be a good solution if you are really worried about this problem. To me though this sounds like an end user knowledge/education issue, not one that inherently needs a technology solution outside of what exists today.

 

Adam

 

Adam,

At first, big thanks about your great answer!

 

Few ideas comes to my mind, I do not expect that Microsoft should be aware into which tenant I should go. But isn't great if we could define on the MDM/Intune that when EndUserA sign-in to our Skype-/Exchange online administrator could define into which tenant that user can go until with those apps? So I'm a bit wishing to see that applications can be aware of what is allowed to be done and what is not.

Also it is important to see that none of the solutions are bullet proofs, but sometimes some tiny block could save your day.

Whilst the options available right now are not as mature as you would like, the proxy solution as detailed here is a sound configuration. Saying that however, certain functions are unique to certain service workloads. For example you can block synchronisation of OneDrive for Business unless the workstation is on a specific domain as an example. This doesn't need Intune, it's available in the OneDrive for Business Admin Center.

 

In any case, expect protocols on how we access apps and data to change and evolve quite radically in the next 18 months.

Microsoft is suggesting that you bypass proxies, but that is so that data access is not limited and cause applications to run slow. But to do tenant restrictions you need to proxy authentication traffic, and not all traffic - so you can do it and not impact performance, but it takes time and a good design
Related Conversations
Tabs and Dark Mode
cjc2112 in Discussions on
50 Replies
Extentions Synchronization
Deleted in Discussions on
3 Replies
Stable version of Edge insider browser
HotCakeX in Discussions on
35 Replies
How to Prevent Teams from Auto-Launch
chenrylee in Microsoft Teams on
32 Replies
Security Community Webinars
Valon_Kolica in Security, Privacy & Compliance on
15 Replies
Dev channel update to 80.0.355.1 is live
josh_bodner in Discussions on
67 Replies