Home

Restricting client access to other Office 365 tenants

%3CLINGO-SUB%20id%3D%22lingo-sub-218279%22%20slang%3D%22en-US%22%3ERestricting%20client%20access%20to%20other%20Office%20365%20tenants%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-218279%22%20slang%3D%22en-US%22%3E%3CP%3EQuestion%20based%20on%20the%20following%20article%3A%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Factive-directory%2Fmanage-apps%2Ftenant-restrictions%22%20target%3D%22_self%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Factive-directory%2Fmanage-apps%2Ftenant-restrictions%3C%2FA%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EWe%20want%20to%20restrict%20access%20from%20our%20company%20network%20to%20only%20our%203%20tenants%20(dev%2C%20test%2C%20prod).%26nbsp%3B%3CBR%20%2F%3E%3CBR%20%2F%3E%3C%2FP%3E%3CP%3ESo%20first%20point%20is%20clear%2C%20I%20need%20to%20insert%20the%20list%20of%20tenants%20in%20the%20SSL%20header%20with%20the%20%22%3CSPAN%3ERestrict-Access-To-Tenants%22%20statement.%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%3CSPAN%3EWhat%20is%20unclear%20for%20me%20is%20the%20second%20header%20I%20need%20to%20apply%20-%20the%20%22Restrict-Access-Context%22%2C%20but%20which%20Tenant%20ID%20should%20I%20use%3F%20%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%3EEach%20tenant%20has%20it's%20own%20on-prem%20AD%20synced%20to%20AAD.%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%3EMicrosoft%20Germany%20has%20been%20asked%20too%2C%20but%20they%20seems%20to%20have%20problem%20to%20find%20the%20right%20person%20to%20answer%20(because%20of%20holiday%20seasons%20and%20fiscal%20year%20end).%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%3EMaybe%20someone%20here%20able%20to%20help%3F%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%3ECheers%20Peter%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-218279%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EAuthentication%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3ESecurity%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-218692%22%20slang%3D%22en-US%22%3ERe%3A%20Restricting%20client%20access%20to%20other%20Office%20365%20tenants%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-218692%22%20slang%3D%22en-US%22%3E%3CP%3EWell%20-%20we%20are%20not%20hosted%20in%20the%20German%20Cloud%20but%20in%20the%20%22normal%22%20European%20Cloud.%20Will%20check%20back%20with%20Microsoft%20on%20this%20-%20thanks!%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-218482%22%20slang%3D%22en-US%22%3ERe%3A%20Restricting%20client%20access%20to%20other%20Office%20365%20tenants%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-218482%22%20slang%3D%22en-US%22%3E%3CP%3EAfaik%2C%20it%20does%20support%20multiple%20tenants.%20However%2C%20that%20feature%20is%20available%20only%20in%20the%20%22global%22%2C%20multi-tenant%20O365%20instance%2C%20I'm%20almost%20100%25%20sure%20that%20the%20DE%20instance%20does%20not%20have%20it.%20So%20best%20check%20with%20the%20support%20team.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-218310%22%20slang%3D%22en-US%22%3ERe%3A%20Restricting%20client%20access%20to%20other%20Office%20365%20tenants%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-218310%22%20slang%3D%22en-US%22%3E%3CP%3EHi%20Peter%2C%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EIt%20seems%20that%20tenant%20restrictions%20is%20meant%20for%20a%20single%20tenant%20environment.%20That%20is%2C%20all%20users%20are%20authenticating%20against%20a%20single%20tenant.%20In%20this%20case%2C%20your%20users%20should%20authenticate%20always%20to%20prod%20tenant%2C%20even%20when%20using%20dev%20and%20test%20tenant's%20services.%20I%20don't%20think%20this%20would%20work%20in%20your%20scenario.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EHowever%2C%20as%20the%20proxy%20is%20intercepting%20the%20traffic%20anyways%2C%20you%20may%20inspect%20the%20request%20and%20try%20to%20identify%20which%20tenant%20users%20are%20trying%20to%20access.%20The%20login%20username%20would%20be%20a%20good%20candidate%20for%20that.%20Based%20on%20that%2C%20you%20could%20give%20a%20correct%20tenant%20ID%20for%20the%20Restrict-Access-Context.%3C%2FP%3E%3C%2FLINGO-BODY%3E
Peter Heck - Admin
New Contributor

Question based on the following article:

 

https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/tenant-restrictions

 

We want to restrict access from our company network to only our 3 tenants (dev, test, prod). 

So first point is clear, I need to insert the list of tenants in the SSL header with the "Restrict-Access-To-Tenants" statement.

What is unclear for me is the second header I need to apply - the "Restrict-Access-Context", but which Tenant ID should I use?

 

Each tenant has it's own on-prem AD synced to AAD. 

 

Microsoft Germany has been asked too, but they seems to have problem to find the right person to answer (because of holiday seasons and fiscal year end).

 

Maybe someone here able to help?

 

Cheers Peter

3 Replies

Hi Peter,

 

It seems that tenant restrictions is meant for a single tenant environment. That is, all users are authenticating against a single tenant. In this case, your users should authenticate always to prod tenant, even when using dev and test tenant's services. I don't think this would work in your scenario.

 

However, as the proxy is intercepting the traffic anyways, you may inspect the request and try to identify which tenant users are trying to access. The login username would be a good candidate for that. Based on that, you could give a correct tenant ID for the Restrict-Access-Context.

Afaik, it does support multiple tenants. However, that feature is available only in the "global", multi-tenant O365 instance, I'm almost 100% sure that the DE instance does not have it. So best check with the support team.

Well - we are not hosted in the German Cloud but in the "normal" European Cloud. Will check back with Microsoft on this - thanks!