
Tenant restrictions in Office 365

Vasil Michev
MVP

The Azure AD team keeps on delivering important features, the latest one being the ability to "lock" your users to only use a specific Office 365 tenant. This is done by inspecting the logon request and validating the value of two headers, Restrict-Access-To-Tenants and Restrict-Access-Context.

 

The blog announcement is here: https://blogs.technet.microsoft.com/enterprisemobility/2017/01/31/new-enhanced-access-controls-in-az...

 

Detailed instructions as well as an easy-to-use software-based proof-of-concept method can be found here: https://docs.microsoft.com/en-us/azure/active-directory/active-directory-tenant-restrictions

2 Replies

Sadly these controls don't work for Microsoft's own SaaS: Office 365. Though I hope someone will prove me wrong.

 

Turns out Azure tenant controls require SSL inspection, but Office 365 uses SSL pinning. How do people deal with DLP risks in Office 365?! And then I mean for uploads to a tenant other than my own.

You need to inspect only the login.microsoftonline.com side, not the O365 sites.

 

Also, SSL inspection is not that great at DLP. Protect the resource with DRM (like AIP).
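An added example, not part of the original post or either reply and not Microsoft's code, that models the mechanism described above: the proxy injects Restrict-Access-To-Tenants (a comma-separated allow list of tenant domain names or directory IDs) and Restrict-Access-Context (the directory ID of the tenant that set the policy) only on requests to the Azure AD login endpoints, and the service side then allows or denies the sign-in based on whether the target tenant is on the list. The service-side function is a simplified model (plain case-insensitive string comparison rather than resolving a tenant's verified domains), and the sample GUID and tenant names are constructed placeholders.

```python
import re
from urllib.parse import urlsplit

# Azure AD login endpoints on which tenant restrictions are enforced (as listed
# in Microsoft's tenant-restrictions documentation). The proxy must add the
# headers only to requests bound for these hosts; SharePoint, Exchange and the
# other workload hosts are left untouched and need no TLS inspection for this.
LOGIN_HOSTS = {"login.microsoftonline.com", "login.microsoft.com", "login.windows.net"}

_GUID_RE = re.compile(r"[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}")
_TENANT_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9.\-]*")  # verified domain name or directory ID


def valid_context_id(value):
    """Restrict-Access-Context must carry a single directory (tenant) ID GUID."""
    return _GUID_RE.fullmatch(value) is not None


def build_restriction_headers(allowed_tenants, context_tenant_id):
    """Build the two headers the proxy injects, rejecting malformed values."""
    if not allowed_tenants:
        raise ValueError("allow list must name at least one tenant")
    for t in allowed_tenants:
        if not _TENANT_RE.fullmatch(t):
            raise ValueError("bad tenant entry: %r" % (t,))
    if not valid_context_id(context_tenant_id):
        raise ValueError("Restrict-Access-Context must be a directory ID GUID")
    return {
        "Restrict-Access-To-Tenants": ",".join(allowed_tenants),
        "Restrict-Access-Context": context_tenant_id,
    }


def proxy_outbound(url, headers, allowed_tenants, context_tenant_id):
    """Proxy side: return the headers actually sent upstream for one request."""
    host = (urlsplit(url).hostname or "").lower()
    sent = dict(headers)
    if host in LOGIN_HOSTS:
        sent.update(build_restriction_headers(allowed_tenants, context_tenant_id))
    return sent


def azure_ad_decision(request_headers, target_tenant):
    """Service side (simplified model): 'allow' unless the restriction header is
    present and the tenant being signed into is not on the allow list.

    Assumption: the real service resolves a tenant's verified domains and
    directory ID; this model only string-compares, case-insensitively."""
    allowed = request_headers.get("Restrict-Access-To-Tenants")
    if allowed is None:
        # No header means no restriction. This is why the proxy must be the only
        # route to the login endpoints: a client that bypasses it is unrestricted.
        return "allow"
    allow_set = {t.strip().lower() for t in allowed.split(",") if t.strip()}
    return "allow" if target_tenant.lower() in allow_set else "deny"


if __name__ == "__main__":
    # Constructed sample values; the GUID is a placeholder, not a real directory ID.
    ctx = "c1b2a3d4-0000-4000-8000-000000000001"
    allow = ["contoso.com", "contoso.onmicrosoft.com"]
    for url, tenant in [
        ("https://login.microsoftonline.com/common/oauth2/authorize", "contoso.com"),
        ("https://login.microsoftonline.com/common/oauth2/authorize", "fabrikam.onmicrosoft.com"),
        ("https://contoso.sharepoint.com/sites/team", "contoso.com"),
    ]:
        sent = proxy_outbound(url, {"Host": urlsplit(url).hostname}, allow, ctx)
        print(url, tenant, "->", azure_ad_decision(sent, tenant))
```

The third sample request (to a SharePoint host) gets no headers at all, which is the point of the second reply: only the login endpoints need to be intercepted. The "no header means allow" branch is the reason egress to the login hosts has to be forced through the proxy.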
