Restrict access to a tenant in Azure Active Directory

Ganesh Chauhan, Technical Support Specialist, Microsoft Azure.

Large organizations that prioritize security want to migrate to cloud services such as Microsoft 365, but they must ensure that their users can only access approved resources. Companies have traditionally restricted access by blocking domain names or IP addresses. This strategy fails in a world where software as a service (SaaS) apps are hosted in the public cloud and use shared domain names such as outlook.office.com and login.microsoftonline.com. Blocking these addresses would not restrict users to approved identities and resources; it would prevent them from accessing Outlook on the web entirely.

Tenant restrictions are a feature in Azure Active Directory (Azure AD) that addresses this issue. Organizations can control access to SaaS cloud applications using tenant restrictions based on the Azure AD tenant the applications use for single sign-on. For example, you might want to grant access to your organization’s Microsoft 365 applications while restricting access to other organizations’ instances of the same applications.

Organizations can use tenant restrictions to specify which tenants users on their network can access. Azure AD then only grants access to these permitted tenants; all other tenants, including those in which your

How it operates

Azure AD: If the Restrict-Access-To-Tenants: <permitted tenant list> header is present, Azure AD only issues security tokens to the permitted tenants.

On-premises proxy server infrastructure: This infrastructure consists of a proxy device that can inspect Transport Layer Security (TLS). You must configure the proxy to insert a header containing the list of permitted tenants into Azure AD traffic.

Client software: In order for the proxy infrastructure to intercept traffic, client software must request tokens directly from Azure AD. Tenant restrictions are currently supported by browser-based Microsoft 365 applications, as well as Office clients that use modern authentication (like OAuth 2.0).

Modern authentication: To use tenant restrictions and block access to all non-permitted tenants, cloud services must use modern authentication. Microsoft 365 cloud services must be configured to use modern authentication protocols by default. See Updated Office 365 modern authentication for the most recent information on Microsoft 365 support for modern authentication.

The diagram below depicts the high-level traffic flow. Tenant restrictions necessitate TLS inspection only on Azure AD traffic, not on traffic to Microsoft 365 cloud services. This distinction is significant because traffic volume for Azure AD authentication is typically much lower than traffic volume for SaaS applications such as Exchange Online and SharePoint Online.
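To make the proxy rule concrete, here is an added Python model (not code from this page or from Microsoft) of the per-request decision a TLS-inspecting proxy makes, together with a stand-in for Azure AD's token decision. The login hosts beyond login.microsoftonline.com and the header value format (comma-separated tenant domain names or directory IDs) are taken from Microsoft's tenant restrictions documentation; the tenant names are constructed, and the Azure AD stand-in compares strings only, unlike the real service.

```python
"""Model of the tenant-restrictions proxy rule: inject the header only on
Azure AD sign-in traffic, leave SaaS traffic (e.g. outlook.office.com) alone."""
from __future__ import annotations
import re

# Azure AD sign-in endpoints (per Microsoft's tenant restrictions documentation).
# Only these hosts need TLS inspection; all other destinations pass through untouched.
AZURE_AD_LOGIN_HOSTS = {"login.microsoftonline.com", "login.microsoft.com", "login.windows.net"}

# A tenant is identified by a domain name (contoso.onmicrosoft.com) or a directory ID (GUID).
_TENANT_RE = re.compile(
    r"^(?:[a-z0-9-]+(?:\.[a-z0-9-]+)+|[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12})$"
)


def build_header_value(permitted: list[str]) -> str:
    """Validate each entry and join them as a comma-separated list with no spaces."""
    cleaned = [t.strip().lower() for t in permitted]
    bad = [t for t in cleaned if not _TENANT_RE.match(t)]
    if bad:
        raise ValueError(f"invalid tenant identifiers: {bad}")
    return ",".join(cleaned)


def apply_proxy_policy(host: str, headers: dict[str, str], permitted: list[str]) -> dict[str, str]:
    """Return the headers the proxy forwards for one outbound request.

    Non-Azure AD hosts are forwarded unchanged. On Azure AD hosts the proxy
    sets Restrict-Access-To-Tenants itself, replacing any value the client
    supplied, so the proxy (not the endpoint) stays the source of truth.
    """
    if host.lower() not in AZURE_AD_LOGIN_HOSTS:
        return dict(headers)
    out = dict(headers)
    out["Restrict-Access-To-Tenants"] = build_header_value(permitted)
    return out


def azure_ad_issues_token(headers: dict[str, str], requested_tenant: str) -> bool:
    """Stand-in for Azure AD's decision (simplified: exact string match only).

    Without the header every tenant is allowed; with it, a security token is
    issued only when the requested tenant is in the permitted list.
    """
    value = headers.get("Restrict-Access-To-Tenants")
    if value is None:
        return True
    return requested_tenant.strip().lower() in value.split(",")
```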

Prerequisites

  • The proxy must be able to intercept TLS traffic, insert HTTP headers, and filter destinations using FQDNs/URLs.
  • For TLS communications, clients must trust the certificate chain presented by the proxy. For example, if certificates from an internal public key infrastructure (PKI) are used, the certificate issued by the internal issuing root certificate authority must be trusted.
  • Tenant restrictions require Azure AD Premium 1 licenses.
