Controlling Office 365 access using tenant restrictions on Edge SWG (ProxySG) or Advanced Secure Gateway.

Article ID: 169870

Products

ProxySG Software - SGOS

Issue/Introduction

Microsoft has published an article describing how to control Office 365 access using tenant restrictions. The article can be seen at: https://docs.microsoft.com/en-us/azure/active-directory/active-directory-tenant-restrictions

The Microsoft article summarizes the headers that proxy devices must add to control Office 365 access using tenant restrictions. This article describes how to implement those headers on Edge Secure Web Gateway (formerly ProxySG) and Advanced Secure Gateway (ASG).

Note: Tenant control only works with protected resources. A publicly shared resource cannot be controlled using tenant restrictions.

Resolution

Restricting Access to Office 365 Organizational Tenants

Follow the steps below to modify request headers to restrict the tenant used for Office 365 access:

  1. Access the Edge SWG (ProxySG) or Advanced Secure Gateway (ASG) Management Console.
  2. Launch the Visual Policy Manager (VPM): in the Management Console go to Configuration->Policy->Visual Policy Manager and press the Launch button.
  3. Within VPM click the Policy menu item and press Add Web Access Layer... Optionally, give the new Web Access Layer a distinctive name (O365 Tenant Restriction Layer in this example) and press OK.
  4. In the first rule, edit the Destination 'Any' object by right-clicking on it. In the pop-up window press the New button and add a Combined Destination Object. Give the Combined Object a distinctive name (optional) and add new Request URL entries for the following hosts: login.microsoftonline.com, login.microsoft.com, and login.windows.net. Add those Request URL objects to the upper right box of the Combined Destination Object and press OK. The completed Destination Object will look like the following:
  5. In the first rule, edit the Action 'Deny' object by right-clicking on it. In the pop-up window press the New button and add a Combined Action Object. Give the Combined Action Object a distinctive name (optional) and add two Control Request Header objects for the headers Restrict-Access-To-Tenants and Restrict-Access-Context. Using the 'Contoso' example from Microsoft's article, here are screenshots of what the two Control Request Header objects for each header would look like individually and added to the combined object:

  6. The completed layer and rule will look like the following:
  7. Press the Install policy button in VPM to apply the policy.


Microsoft has also provided further clarity regarding the following:

For the header Restrict-Access-Context, you cannot configure the tenant ID for multiple domains; this is by design. The header is for reporting purposes and states which tenant has enabled the policy.

The tenant ID inserted here will be the tenant where you will be able to check the reports: “A second header, called Restrict-Access-Context, is used to enable reporting capabilities and help Microsoft support troubleshoot issues. Restrict-Access-Context needs to include the tenant which is configuring the policy. For example, the following header would indicate that Contoso configured the policy, and reporting would be enabled in the Contoso tenant: Restrict-Access-Context: contoso.onmicrosoft.com” 

 

Optionally, if CPL is preferred over the VPM, the following CPL accomplishes the same goal and can be installed in a local policy file or in a CPL layer within the VPM:

; ------- Beginning of O365 Tenant Restriction CPL -----------
; References:
; https://docs.microsoft.com/en-us/azure/active-directory/active-directory-tenant-restrictions
; https://support.symantec.com/en_US/article.TECH247092.html


<Proxy>
condition=TenantRestrictionDestinations action.Restrict-Access-Context-Set-Header(yes) action.Restrict-Access-To-Tenants-Set-Header(yes)

define condition TenantRestrictionDestinations
    url.domain="login.microsoft.com"
    url.domain="login.microsoftonline.com"
    url.domain="login.windows.net"
end condition TenantRestrictionDestinations


; Change directory ID below:
define action Restrict-Access-Context-Set-Header
    set(request.x_header.Restrict-Access-Context, "456ff232-35l2-5h23-b3b3-3236w0826f3d")
end action Restrict-Access-Context-Set-Header

; Change tenant list below:
define action Restrict-Access-To-Tenants-Set-Header
    set(request.x_header.Restrict-Access-To-Tenants, "contoso.onmicrosoft.com")
end action Restrict-Access-To-Tenants-Set-Header


; ------- End of O365 Tenant Restriction CPL -----------
 
Note: Below is an optional method that provides an 'AND', 'OR' policy in CPL. Please review this policy, as it may be more suitable to your needs.
 
; ------- Beginning of O365 Tenant Restriction CPL -----------
; References:
; https://docs.microsoft.com/en-us/azure/active-directory/active-directory-tenant-restrictions
; https://support.symantec.com/en_US/article.TECH247092.html


<Proxy>
condition=TenantRestrictionDestinations action.Restrict-Access-Context-Set-Header(yes) action.Restrict-Access-To-Tenants-Set-Header(yes)

define condition TenantRestrictionDestinations
    url.domain="login.microsoft.com"
    url.domain="login.microsoftonline.com"
    url.domain="login.windows.net"
end condition TenantRestrictionDestinations


; Set the Restrict-Access-Context to the tenantID
; of the administrator setting the restrictions
define action Restrict-Access-Context-Set-Header
    set(request.x_header.Restrict-Access-Context, "58201163-08a8-4385-aac7-2fcb6ec95c20")
end action Restrict-Access-Context-Set-Header

; Set the Restrict-Access-To-Tenants header
; to a comma separated list of tenants
define action Restrict-Access-To-Tenants-Set-Header
    set(request.x_header.Restrict-Access-To-Tenants, "getnetcombr.onmicrosoft.com, getnetbr.onmicrosoft.com")
end action Restrict-Access-To-Tenants-Set-Header

; ------- End of O365 Tenant Restriction CPL -----------
 

Client HTTPS requests to the hosts login.microsoftonline.com, login.microsoft.com, and login.windows.net will have the headers added to them if SSL interception is enabled on the proxy.

For the proxy to have visibility into the headers, SSL interception for the O365 URLs is required.

Please note that the Tenant ID is not, strictly speaking, needed for this policy to work; it is added here for completeness.

 

Restricting Access to Microsoft Consumer Apps

Tenant restrictions can also be used to block access to personal consumer applications, such as a personal OneDrive account.

To enforce this, the header sec-Restrict-Tenant-Access-Policy must be set with the value restrict-msa for requests to login.live.com.

As the destination criteria and action differ from the policy used above for organizational tenants, this policy should be implemented in a separate rule.

Visual Policy Manager Configuration Steps

  1. Create a new rule.

  2. Set the Destination to a Request URL Object and enter login.live.com



  3. Set the Action to a Control Request Header Object with the header name sec-Restrict-Tenant-Access-Policy and value restrict-msa



  4. The completed layer with the added rule will look like the following:

 

Content Policy Language Configuration

Add the following CPL layer and definitions to your policy.

; ------- Beginning of Microsoft Consumer Apps Restriction CPL -----------
<Proxy>
url.domain=//login.live.com/ action.sec-Restrict-Tenant-Access-Policy(yes) 


define action sec-Restrict-Tenant-Access-Policy
  set( request.x_header.sec-Restrict-Tenant-Access-Policy, "restrict-msa" )
end
; ------- End of Microsoft Consumer Apps Restriction CPL -----------
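
A pre-install check for the CPL shown in this article, added here as an example (Python; it is not part of the original article and is not Broadcom or Microsoft code). It scans policy text for the three headers and the url.domain tests and reports sample directory IDs left unchanged, a multi-tenant Restrict-Access-Context, and login hosts that no destination test covers. The names lint_cpl and check_tenant are hypothetical, and the script matches text patterns only; it does not parse CPL or confirm that the policy is installed.

```python
import re

# CPL header statement: set(request.x_header.<Name>, "<value>")
SET_RE = re.compile(r'set\(\s*request\.x_header\.([\w-]+)\s*,\s*"([^"]*)"\s*\)')
# Destination tests in both forms used in this article: ="host" and =//host/
HOST_RE = re.compile(r'url\.domain=(?:"|//)([^"/\s]+)')
GUID_SHAPE = re.compile(r'^\w{8}(-\w{4}){3}-\w{12}$')
GUID_HEX = re.compile(r'^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$', re.I)
DOMAIN = re.compile(r'^([a-z0-9]([a-z0-9-]*[a-z0-9])?\.)+[a-z]{2,}$', re.I)
LOGIN_HOSTS = {"login.microsoftonline.com", "login.microsoft.com", "login.windows.net"}

def check_tenant(value):
    """Return a finding for one tenant identifier, or None if it is well formed."""
    if GUID_SHAPE.match(value):
        return None if GUID_HEX.match(value) else f"{value}: GUID-shaped but not hexadecimal"
    return None if DOMAIN.match(value) else f"{value}: not a domain or directory ID"

def lint_cpl(cpl):
    """Return findings for the tenant-restriction headers and destinations in CPL text."""
    # Drop ';' comments so commented-out statements are not linted.
    body = "\n".join(line.split(";", 1)[0] for line in cpl.splitlines())
    headers = {name.lower(): value for name, value in SET_RE.findall(body)}
    hosts = {h.lower() for h in HOST_RE.findall(body)}
    tenants, context = map(headers.get, ("restrict-access-to-tenants", "restrict-access-context"))
    findings = []
    if tenants is not None:  # comma-separated list of tenants
        findings += [f for f in map(check_tenant, (t.strip() for t in tenants.split(","))) if f]
    if context is not None:  # exactly one tenant, by design
        bad = "Restrict-Access-Context: must name a single tenant" if "," in context else check_tenant(context)
        findings += [bad] if bad else []
    if tenants is not None or context is not None:
        findings += [f"{h}: login host not covered by a url.domain test" for h in sorted(LOGIN_HOSTS - hosts)]
    msa = headers.get("sec-restrict-tenant-access-policy")
    if msa not in (None, "restrict-msa"):
        findings.append(f"sec-Restrict-Tenant-Access-Policy: expected restrict-msa, found {msa!r}")
    if msa is not None and "login.live.com" not in hosts:
        findings.append("login.live.com: not covered by a url.domain test")
    return findings

# Constructed sample: this article's first CPL with one login host omitted and the sample ID kept.
SAMPLE = '''define condition TenantRestrictionDestinations
    url.domain="login.microsoft.com"
    url.domain="login.windows.net"
end condition TenantRestrictionDestinations
define action Restrict-Access-Context-Set-Header
    set(request.x_header.Restrict-Access-Context, "456ff232-35l2-5h23-b3b3-3236w0826f3d")
end action Restrict-Access-Context-Set-Header'''

if __name__ == "__main__":
    print("\n".join(lint_cpl(SAMPLE)))
```

An empty result means only that the text passed these checks; whether the headers reach Microsoft still depends on SSL interception being enabled for the login hosts.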