Tenant restrictions in Office 365


The Azure AD team keeps on delivering important features, the latest one being the ability to "lock" your users to only use a specific Office 365 tenant. This is done by inspecting the logon request and validating the value of two headers, Restrict-Access-To-Tenants and Restrict-Access-Context.


The blog announcement is here: https://blogs.technet.microsoft.com/enterprisemobility/2017/01/31/new-enhanced-access-controls-in-az...


Detailed instructions as well as an easy to use software-based proof of concept method can be found here: https://docs.microsoft.com/en-us/azure/active-directory/active-directory-tenant-restrictions

2 Replies

Sadly these controls don't work for Microsoft's own SaaS: Office 365. Though I hope someone will prove me wrong.


Turns out Azure tenant controls require SSL inspection, but Office 365 uses SSL pinning. How do people deal with DLP risks in Office 365?! And then I mean for uploads to a tenant other than my own.

You need to inspect only the login.microsoftonline.com side, not the O365 sites.


Also, SSL inspection is not that great at DLP. Protect the resource with DRM (like AIP).
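As an added example that is not part of this thread or of Microsoft's tooling: a Python model of the proxy rule the original post describes (injecting Restrict-Access-To-Tenants and Restrict-Access-Context), applied only to the Azure AD logon hosts this reply points at, plus an audit check that flags a proxy rule matching too broadly or not at all. The tenant name and directory ID are constructed sample values; the logon host list is the one Microsoft documents for this feature.

```python
import re
from typing import Dict, Iterable, List

# Azure AD logon endpoints where the headers must be injected. Only the login
# side needs inspection; SharePoint/Exchange hosts are left alone.
LOGIN_HOSTS = frozenset({
    "login.microsoftonline.com",
    "login.microsoft.com",
    "login.windows.net",
})

# Constructed sample policy: tenant(s) users may sign in to, and the directory
# ID of the tenant that owns the policy (placeholder GUID, not a real tenant).
ALLOWED_TENANTS = ("contoso.onmicrosoft.com",)
CONTEXT_TENANT_ID = "00000000-0000-0000-0000-000000000001"

_GUID = re.compile(r"^[0-9a-f]{8}-([0-9a-f]{4}-){3}[0-9a-f]{12}$", re.I)


def inject_headers(host: str, headers: Dict[str, str],
                   allowed: Iterable[str] = ALLOWED_TENANTS,
                   context: str = CONTEXT_TENANT_ID) -> Dict[str, str]:
    """Return a copy of `headers` with the two restriction headers added when
    the request targets an Azure AD logon host; other hosts pass through."""
    out = dict(headers)
    if host.lower() in LOGIN_HOSTS:
        out["Restrict-Access-To-Tenants"] = ",".join(allowed)
        out["Restrict-Access-Context"] = context
    return out


def audit(host: str, headers: Dict[str, str]) -> List[str]:
    """Defender-side check of a request as it left the proxy. Returns findings;
    an empty list means the request is consistent with the policy."""
    findings = []
    tenants = headers.get("Restrict-Access-To-Tenants")
    context = headers.get("Restrict-Access-Context")
    if host.lower() in LOGIN_HOSTS:
        if not tenants:
            findings.append("login request left without Restrict-Access-To-Tenants")
        if not context or not _GUID.match(context):
            findings.append("Restrict-Access-Context missing or not a directory GUID")
    elif tenants or context:
        # Headers on non-login hosts do nothing useful and show the proxy
        # rule is matching more traffic than it should.
        findings.append(f"restriction headers injected on non-login host {host}")
    return findings
```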