Blog Post

Microsoft Entra Blog
3 MIN READ

New enhanced access controls in Azure AD: Tenant Restrictions is now Generally Available!

Alex Simons (AZURE)'s avatar
Sep 07, 2018
First published on CloudBlogs on Jan, 31 2017
Howdy folks, Today I'm happy to announce that our new Tenant Restrictions capability is Generally Available! We built Tenant Restrictions with extensive input from our customer in finance, healthcare and pharmaceutical, industries which have relatively strict information access and compliance requirements. Tenant restrictions gives customers with these kinds of requirements enhanced control over access to SaaS cloud applications. Admins can now restrict employees using their corporate network to only being able to use Azure AD identities in tenants they have approved. To give you the details about this important new capability, I've asked Yossi Banai, a PM in our Identity Security and Protection team to write a blog about this feature. You'll find it below. I those of you in highly regulated industries will find this feature useful! And as always, we would love to receive any feedback or suggestions you have! Best Regards,  Alex Simons (Twitter: @Alex_A_Simons )  Director of Program Management  Microsoft Identity Division  ________  Hello,   I'm Yossi Banai, a Program Manager on the Azure Active Directory team. In today's blog post I'll cover Tenant Restrictions – a new feature we released today for general availability.

Overview

Companies that want to move their employees to SaaS apps like Office 365 are sometimes worried about opening their networks to information leaks. If users can access Office 365 with their corporate identity, they can also access these same services with other identities.

Before cloud services, network admins could simply block access to unwanted apps or websites by blocking their URL or IP address. This is no longer an option with SaaS apps, where a single endpoint (like outlook.office.com) is used by all consumers of the SaaS app.

Our solution for this common IT challenge is Tenant Restrictions. This new feature enables organizations to control access based on the Azure AD tenant the applications use for single sign-on. For example, you can use Tenant Restrictions to allow access to your organization's Office 365 applications, while preventing access to other organizations' instances of these same applications.

How it works

An on-premises proxy server is configured to intercept authentication traffic going to Azure AD. The Proxy inserts a new header called "Restrict-Access-To-Tenants" that lists the tenants that users on the network are permitted to access. Azure AD reads the permitted tenant list from the header, and only issues security tokens if the user or resource is in a tenant on that list.

The following diagram illustrates the high-level traffic flow.

End-user Experience

If a user on the Contoso network tries to sign in to the outlook.office.com instance of an unpermitted tenant, he or she will see this message on the web page:

Admin Experience

While configuration of Tenant Restrictions is done on the corporate proxy infrastructure, admins can access the Tenant Restrictions reports in the Azure Portal directly from the Overview page of Azure Active Directory, under 'Other capabilities'. Using the report, the admin for the tenant specified as the "Restricted-Access-Context" can see all sign-ins blocked because of the Tenant Restrictions policy, including the identity used and the target Tenant ID:

Learn more

When you're ready to get started, see Use Tenant Restrictions to manage access to SaaS cloud applications for more information.

We appreciate your feedback

As always, we want to hear your feedback about this new feature. If you have any feedback, questions, or issues to report, please leave a comment at the bottom of this post or tweet with the hashtag #AzureAD.

Best regards, Yossi
Updated Jul 28, 2020
Version 6.0
  • Sesu-'s avatar
    Sesu-
    Brass Contributor

    Hi @  I know you posted this years ago but I was wondering if you could help with understanding how this is set up in the Azure portal.

    We recently started using 'Force point' who we thought could help us restrict this although their advice was we have to whitelist their data center in our Conditional access policies blocking locations.

    I felt that the whitelisting option was a bit insecure for our tenant therefore started reading around the Azure tenant restriction which is not entirely clear to me if i will need the web proxy to achieve this or can simple set it up in the Azure portal and it immediately starts without any third party integration.

     

    Thanks