11-10-2016 03:17 AM
When allowing connectivity into Office 365, is there a way to restrict access to a single tenant? For the purposes of DLP I need to prevent internal machines logging onto any other email service including other 365 tenants, how could this be achieved?
Google offer a way to restrict this by using additional headers -> https://support.google.com/a/answer/1668854?hl=en
11-11-2016 01:51 AM
That's something I have to deal with, too.
For me it is allowing access only to company devices. Intune doesn't offer that.
Ben, for other Office 365 tenants you simply give the user no license in this tenant. So they will have no mail account there.
As for other mail systems you can block the URLs for example.
Hope that helps.
11-11-2016 02:22 AM
Thanks for the reply. I understand around the restrictions for logging onto our own tenant and we have those in place.
The scenario I'm thinking about is when, say for example, a contractor was logged on to one of our corporate machines and they had their own tenant. What's to stop them from spinning up a browser or Outlook and logging on to their own account and emailing information out that way? All we would see at the proxy level is legitimate encrypted traffic to outlook.office365.com.
I'm interested to see how other people have dealt with this.
11-11-2016 03:13 AM - edited 11-11-2016 03:15 AM
One way to prevent this would be to implement Rights Management. When the contractor has finished their job, the rights to the affected files will no longer be available to them.
11-11-2016 03:26 AM
Thanks for the reply. Both are good suggestions but unfortunately I can't see them as being practical ways to prevent data leakage. To encrypt all our data and work out an effective rights management policy would take a very long time and although it's an extreme example, I'm pretty sure Snowden filled out some sort of AUP :)
The only way I can see to restrict data leakage to another tenant at the moment is to look at SSL inspection and apply some form of URL filtering ... whilst it could be effective, it's not a supported solution by Microsoft and they actively discourage it.
11-11-2016 05:38 AM
If Rights Management had been enabled Snowden would not have been able to use the files he stole. IRM/RMS is the most effective way to mitigate the risks associated with data that has leaked.
The Data Loss Prevention policies in O365 and now in Flow can help mitigate the risks.
Advanced Threat Analytics (ATA) can be used to identify abnormal behavior, such as large number of file downloads, but this is only good for on-premises systems.
Azure Security Center can be used to monitor network traffic from many applications for suspicious behavior, see https://azure.microsoft.com/en-us/documentation/articles/security-center-detection-capabilities/
11-11-2016 02:04 PM
There's no way to do this in O365, even if you have AD FS in place. You can probably use a similar solution to what's described in the article, with inspecting all traffic to O365, but I wouldn't really recommend such an approach. As Dean mentioned, there are plenty of controls available as part of O365 or additional services to secure access to your data, one of them (or a combination) should meet your needs.
03-08-2017 05:32 AM
This article is pretty recent and describes how to perform tenant restrictions if you use a modern authentication client. Enables you to restrict what tenants can be accessed from your network.
03-08-2017 10:15 AM
Yup, now we do have options. It's great to see how many things can change around O365 in just a few months!
03-09-2017 12:13 PM
Good and bad there. Only works with your network as the accessing perimeter. Off your LAN/VPN it doesn't help. Also you need Azure AD P1 licensing to use it. And there is overhead with SSL decryption, injecting a header, and encrypting to send it on its way.
03-28-2017 07:31 AM
Currently Azure AD tenant restrictions is the way to accomplish this. Can you give an example of a scenario where you would have to restrict access when your users are not on your network? Say for example that one of your employees works for a non-profit or volunteers at a school that has O365, or they get invited by their kids to review their schoolwork on their school OneDrive. The only way to really accomplish that blocking would be to have your company laptops limit access in the local firewall (a feature we don't have today to do what tenant restriction does but do it client side).
- Azure AD Customer Success team
08-06-2017 08:03 PM
Hi, this is done through Tenant Restrictions.
You'll configure your outbound proxy server to insert a "Restrict-Access-To-Tenants: <permitted tenant list>" header in packets bound to login.microsoftonline.com, login.microsoft.com, and login.windows.net.
You'll then go to your O365 tenant, and configure Tenant Restrictions.
For this to work, the proxy needs to support SSL inspection, in order to insert the header.
End result will be:
Scenario: User tries to access outlook.office.com to get access to his tenant (contractor.onmicrosoft.com)
Once he enters the URL or opens Outlook / the client to access the SaaS service, he gets redirected to Azure AD (URLs listed above for login)
Proxy intercepts traffic to AAD and inserts the HTTP header, indicating yourtenant.onmicrosoft.com is the only allowed tenant, and contractor.onmicrosoft.com is not allowed.
AAD does not issue a service token for the contractor.onmicrosoft.com user, so the client cannot authenticate to gain access to the SaaS service.
This works for controlling access to Microsoft tenants from your network, so if the contractor can connect his mobile phone as a hotspot, or bypass your network security controls (proxy server), then this won't work. So additional controls might need to be implemented to ensure your DLP controls are enforced when using Tenant Restrictions in O365.
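The proxy-side logic described in the post above, modelled as an added example (not code from the post or from any Microsoft product): the header is only attached to requests for the three Azure AD login hosts, and a second function models the decision Azure AD makes from the header. The tenant names and the directory ID are constructed placeholders; the `Restrict-Access-Context` header is not mentioned in the post but is part of Microsoft's documented feature and is included here as an optional value.

```python
from urllib.parse import urlparse

# Login endpoints named in the post; only these requests get the header.
LOGIN_HOSTS = {"login.microsoftonline.com", "login.microsoft.com", "login.windows.net"}
TENANTS_HEADER = "Restrict-Access-To-Tenants"
# Not in the post: Microsoft's documentation also requires this header,
# carrying the directory ID of the tenant that owns the restriction policy.
CONTEXT_HEADER = "Restrict-Access-Context"


def inject_tenant_restriction(url, headers, permitted_tenants, directory_id=None):
    """Return a copy of the request headers with the restriction header added
    when, and only when, the request targets an Azure AD login endpoint.
    Traffic to outlook.office.com and other hosts passes through untouched."""
    out = dict(headers)
    host = (urlparse(url).hostname or "").lower()
    if host in LOGIN_HOSTS:
        out[TENANTS_HEADER] = ",".join(permitted_tenants)
        if directory_id:
            out[CONTEXT_HEADER] = directory_id
    return out


def tenant_allowed(headers, requested_tenant):
    """Model the decision the post attributes to Azure AD: with the header
    present, only listed tenants get a token; without it (e.g. a user who
    bypassed the proxy via a hotspot), any tenant is allowed."""
    value = next((v for k, v in headers.items() if k.lower() == TENANTS_HEADER.lower()), None)
    if value is None:
        return True
    permitted = {t.strip().lower() for t in value.split(",") if t.strip()}
    return requested_tenant.strip().lower() in permitted


# Constructed sample traffic: a login request and a mailbox request.
PERMITTED = ["yourtenant.onmicrosoft.com"]
LOGIN_REQUEST = inject_tenant_restriction(
    "https://login.microsoftonline.com/common/oauth2/authorize",
    {"User-Agent": "Outlook"}, PERMITTED, directory_id="00000000-0000-0000-0000-000000000000")
MAIL_REQUEST = inject_tenant_restriction(
    "https://outlook.office.com/mail/", {"User-Agent": "Outlook"}, PERMITTED)
```

The last case in `tenant_allowed` is the gap the post points out: without the proxy in the path there is no header, so the restriction is not enforced.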
11-08-2018 05:42 PM
Although not a complete solution, admins can configure Outlook client to prevent users from adding new accounts/profiles. This would stop employees from accessing other email services from the desktop client. However, OWA and other browser-based services would still be accessible without another control in place.