Tenant Restrictions v2 in windows Defender is Insecure

Iron Contributor

Recently I had a conversation with Microsoft and an implementation partner around direct access from managed laptops to M365 services. My contention was this is inherently insecure as without tenant restrictions in place users can go to their personal tenants and exfiltrate data. As such we bring everything back in our VPN to our corporate proxy and implement tenant restrictions there.

This is not an ideal user experience though as it means the user must have the VPN connected to access M365 and this adds bandwidth load to our VPN and is a generally poorer experience. We do split-tunnel MS teams traffic but only when the VPN is connected.

 

Both Microsoft and the parent indicated that Global Secure Access might be a future solution but this is not generally available. They also dictated to me that Tenant Restrictions V2 in Windows defender would work i.e. implement it directly in Widows 10

 

Now when I read the guide here Configure tenant restrictions - Microsoft Entra ID - Microsoft Entra External ID | Microsoft Learn it states

 

Tenant restrictions V2 on Windows is a partial solution that protects the authentication and data planes for some scenarios. It works on managed Windows devices and does not protect .NET stack, Chrome, or Firefox. The Windows solution provides a temporary solution until general availability of Universal tenant restrictions in Microsoft Entra Global Secure Access (preview).

 

As such, how can this be secure if a user simply needs to use powershell/.NET or Google chrome to bypass it?

3 Replies
This has nothing to do with Defender for Endpoint, please re-post in the correct forum.
Why has it nothing to do with defender if the article states we can implement it with Windows Defender?
The article does not state that tenant restrictions can be implemented using Defender.