Controlling Office 365 access using tenant restrictions on Edge SWG (ProxySG) - TRv1 and TRv2

Controlling Office 365 access using tenant restrictions on Edge SWG (ProxySG) - TRv1 and TRv2


Article ID: 169870


Products

ProxySG Software - SGOS

Issue/Introduction

Referring to the Microsoft how-to guides at:

TRv1:

  • For each outgoing request to login.microsoftonline.com, login.microsoft.com, and login.windows.net, insert two HTTP headers: Restrict-Access-To-Tenants and Restrict-Access-Context.
  • Tenant Restrictions v1 (TRv1) lets you create an allow list of tenant IDs and/or Microsoft sign-in endpoints so that users can only reach the external tenants your organization authorizes. TRv1 achieves this with a Restrict-Access-To-Tenants: <allowed-tenant-list> header added by the proxy, for example: Restrict-Access-To-Tenants: contoso.com, fabrikam.com, dogfood.com

TRv2:

  • With Tenant Restrictions v2 (TRv2), the configuration moves to the server-side cloud policy and the TRv1 allow-list header is no longer needed. On your corporate proxy, remove the tenant restrictions v1 header Restrict-Access-To-Tenants: <allowed-tenant-list>.
  • You can configure the corporate proxy to enable client-side tagging of the tenant restrictions v2 header by using the following corporate proxy setting:

    sec-Restrict-Tenant-Access-Policy: <DirectoryID>:<policyGUID>

    where

    <DirectoryID> is your Microsoft Entra tenant ID

    Find this value by signing in to the Microsoft Entra admin center as an administrator and browsing to Identity > Overview and selecting the Overview tab.

    and

    <policyGUID> is the object ID for your cross-tenant access policy.

    Find this value by calling /crosstenantaccesspolicy/default and using the “id” field returned.

The Microsoft articles above summarize the headers a proxy must add to control Office 365 access using tenant restrictions. This article describes how to implement those headers on Edge Secure Web Gateway (formerly ProxySG) and Advanced Secure Gateway (ASG).

Note: Tenant restrictions are enforced at the Microsoft sign-in endpoints, so they only apply to protected resources. A publicly shared resource that requires no sign-in cannot be controlled using tenant restrictions.

Resolution

Restricting Access to Office365 Organizational Tenants

Follow the steps below to modify request headers to restrict the tenant used for Office 365 access:

  1. Access the Edge SWG (ProxySG) or Advanced Secure Gateway (ASG) Management Console.

  2. Launch the Visual Policy Manager (VPM) by going to Configuration->Policy->Visual Policy Manager and press the Launch button in the Management Console.

  3. Within VPM click the Policy menu item and press Add Web Access Layer...  Optionally, give the new Web Access Layer a distinctive name (O365 Tenant Restriction Layer in this example) and press OK.

  4. In the first rule edit the Destination 'Any' object by right-clicking on it. In the pop-up window press the New button and add a Combined Destination Object.  In that Combined Object give it a distinctive name (optional) and Add New Request URL entries for the following hosts: login.microsoftonline.com, login.microsoft.com, and login.windows.net.  Add those Request URL objects to the upper right box of the Combined Destination Object and press OK. The completed Destination Object will look like the following:



  5. In the first rule edit the Action 'Deny' object by right-clicking on it. In the pop-up window press the New button and add a Combined Action Object. In that Combined Action Object give it a distinctive name (optional) and add two Control Request Header objects, one for the header Restrict-Access-To-Tenants and one for Restrict-Access-Context. Using the 'Contoso' example from Microsoft's article, here are screenshots of what the two Control Request Header objects look like individually and how they are added to the combined object:





  6. The completed layer and rule will look like the following:



  7. Press the Install policy button in VPM to apply the policy.


Microsoft has also provided further clarity regarding the following:

  • For the header Restrict-Access-Context you cannot configure tenant IDs for multiple domains; this is by design. The header is for reporting purposes and states which tenant has enabled the policy.
  • The tenant ID inserted here is the tenant in which you will be able to check the reports: "A second header, called Restrict-Access-Context, is used to enable reporting capabilities and help Microsoft support troubleshoot issues. Restrict-Access-Context needs to include the tenant which is configuring the policy. For example, the following header would indicate that Contoso configured the policy, and reporting would be enabled in the Contoso tenant: Restrict-Access-Context: contoso.onmicrosoft.com"

Optionally, if CPL is preferred over the VPM, the following CPL can be installed in a local policy file or in a CPL layer within the VPM to accomplish the same goal:

; ------- Beginning of O365 Tenant Restriction CPL - TRv1 -----------
; References:
; https://docs.microsoft.com/en-us/azure/active-directory/active-directory-tenant-restrictions
; https://support.symantec.com/en_US/article.TECH247092.html


<Proxy>
condition=TenantRestrictionDestinations action.Restrict-Access-Context-Set-Header(yes) action.Restrict-Access-To-Tenants-Set-Header(yes)

define condition TenantRestrictionDestinations
    url.domain="login.microsoft.com"
    url.domain="login.microsoftonline.com"
    url.domain="login.windows.net"
end condition TenantRestrictionDestinations


; Change directory ID below (the value shown is a placeholder, not a valid GUID;
; use the tenant ID of the tenant that is configuring the restriction):
define action Restrict-Access-Context-Set-Header
    set(request.x_header.Restrict-Access-Context, "456ff232-35l2-5h23-b3b3-3236w0826f3d")
end action Restrict-Access-Context-Set-Header

; Change tenant list below (comma-separated list of allowed tenants, given as
; verified domains such as contoso.onmicrosoft.com and/or tenant IDs):
define action Restrict-Access-To-Tenants-Set-Header
    set(request.x_header.Restrict-Access-To-Tenants, "contoso.onmicrosoft.com")
end action Restrict-Access-To-Tenants-Set-Header


; ------- End of O365 Tenant Restriction CPL -----------
 
Note: Below is a variant of the same CPL that allows more than one tenant. Restrict-Access-To-Tenants takes a comma-separated list, and a sign-in to any tenant on the list is permitted. Review this policy if it is more suitable to your needs.
 
; ------- Beginning of O365 Tenant Restriction CPL -----------
; References:
; https://docs.microsoft.com/en-us/azure/active-directory/active-directory-tenant-restrictions
; https://support.symantec.com/en_US/article.TECH247092.html


<Proxy>
condition=TenantRestrictionDestinations action.Restrict-Access-Context-Set-Header(yes) action.Restrict-Access-To-Tenants-Set-Header(yes)

define condition TenantRestrictionDestinations
    url.domain="login.microsoft.com"
    url.domain="login.microsoftonline.com"
    url.domain="login.windows.net"
end condition TenantRestrictionDestinations


; Set the Restrict-Access-Context to the tenantID
; of the administrator setting the restrictions
define action Restrict-Access-Context-Set-Header
    set(request.x_header.Restrict-Access-Context, "58201163-08a8-4385-aac7-2fcb6ec95c20")
end action Restrict-Access-Context-Set-Header

; Set the Restrict-Access-To-Tenants header
; to a comma separated list of tenants
define action Restrict-Access-To-Tenants-Set-Header
    set(request.x_header.Restrict-Access-To-Tenants, "getnetcombr.onmicrosoft.com, getnetbr.onmicrosoft.com")
end action Restrict-Access-To-Tenants-Set-Header

; ------- End of O365 Tenant Restriction CPL -----------
 

Client HTTPS requests to hosts login.microsoftonline.com, login.microsoft.com, and login.windows.net will have the headers added to them if SSL interception is enabled on the proxy.

SSL interception of the Office 365 sign-in URLs is required; without it the proxy cannot see or modify the request headers.

Please note the Restrict-Access-Context header (the tenant ID) is not strictly needed for enforcement; it enables reporting in that tenant and is added here for completeness.

Restricting Access to Microsoft Consumer Apps

Tenant restrictions can also be used to block access to personal consumer applications, such as a personal OneDrive account.

To enforce this, the header sec-Restrict-Tenant-Access-Policy must be set with the value restrict-msa on requests to login.live.com.

As the destination criteria and action differ from the policy used above for organizational tenants, this policy should be implemented in a separate rule.

Visual Policy Manager Configuration Steps

  1. Create a new rule.

  2. Set the Destination to a Request URL Object and enter login.live.com



  3. Set the Action to a Control Request Header Object with the header name sec-Restrict-Tenant-Access-Policy and value restrict-msa



  4. The completed layer with the added rule will look like the following:

 

Content Policy Language Configuration

Add the following CPL layer and definitions to your policy.

; ------- Beginning of Microsoft Consumer Apps Restriction CPL -----------
<Proxy>
url.domain=//login.live.com/ action.sec-Restrict-Tenant-Access-Policy(yes)

define action sec-Restrict-Tenant-Access-Policy
    set(request.x_header.sec-Restrict-Tenant-Access-Policy, "restrict-msa")
end action sec-Restrict-Tenant-Access-Policy
; ------- End of Microsoft Consumer Apps Restriction CPL -----------


The main changes to carry out in the SWG policies when moving from TRv1 to TRv2 are:

  • Remove "Restrict-Access-To-Tenants" header injection
  • Add "new" "sec-Restrict-Tenant-Access-Policy" header injection
 
; ------- Beginning of O365 Tenant Restriction CPL - TRv2 -----------
; References:
; https://learn.microsoft.com/en-us/entra/external-id/tenant-restrictions-v2

define condition TenantRestrictionDestinations
    url.domain="login.live.com"
    url.domain="login.microsoft.com"
    url.domain="login.microsoftonline.com"
    url.domain="login.windows.net"
end condition TenantRestrictionDestinations

; Set the tenant that configured the tenant restrictions policy
; (placeholder value; replace with your directory ID)
define action RestrictAccessContextSetHeader
    set(request.x_header.Restrict-Access-Context, "456ff232-35l2-5h23-b3b3-3236w0826f3d")
end action RestrictAccessContextSetHeader

; Define the sec-Restrict-Tenant-Access-Policy header as <DirectoryID>:<policyGUID>
; (placeholder values; replace with your tenant ID and the "id" of your cross-tenant access policy)
define action TenantAccessPolicySetHeader
    set(request.x_header.sec-Restrict-Tenant-Access-Policy, "12345678-1234-1234-1234-12345678912345:123456zy-1a2c-3d55-66aa-123fdfdfd")
end action TenantAccessPolicySetHeader

; inject Tenant-Access-Policy header
<Proxy>
condition=TenantRestrictionDestinations action.RestrictAccessContextSetHeader(yes) action.TenantAccessPolicySetHeader(yes)
; ------- End of O365 Tenant Restriction CPL - TRv2 -----------

Blocking Consumer account or Microsoft Account tenant:

  • TRv1: To prevent users from signing in to consumer applications, TRv1 needs the sec-Restrict-Tenant-Access-Policy header injected into traffic to login.live.com, for example sec-Restrict-Tenant-Access-Policy: restrict-msa
  • TRv2: With TRv2, the configuration moves to the server-side cloud policy and the TRv1 header is no longer needed. On your corporate proxy, remove the tenant restrictions v1 header sec-Restrict-Tenant-Access-Policy: restrict-msa. (If you previously set up tenant restrictions, you must stop sending restrict-msa to login.live.com; otherwise the new settings will conflict with your existing instructions to the MSA login service.)
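After installing either policy it is worth confirming that the headers actually leave the proxy in the form Microsoft expects, since a typo in the header name, a placeholder left in the CPL, or a TRv1 header that survived the TRv2 migration fails silently. The following Python script is an added example and is not part of this article or of Broadcom's product; it checks a request for the TRv1 or TRv2 header set and reports what is wrong. It parses constructed sample requests (with made-up GUIDs) so it runs offline; in practice you would feed it requests captured on the upstream side of the proxy, which needs SSL interception, or logged by a test web server that echoes request headers. The rule that a tenant entry is either a verified domain name or a GUID is an assumption based on the examples above. Note that it flags the placeholder value 456ff232-35l2-5h23-b3b3-3236w0826f3d used in the CPL above because it is not a valid GUID and must be replaced.

```python
import re

# Directory IDs and policy object IDs are GUIDs; tenants may also be named by verified domain.
GUID_RE = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I)
DOMAIN_RE = re.compile(r"^(?:[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\.)+[a-z]{2,}$", re.I)

ENTRA_LOGIN_HOSTS = {"login.microsoftonline.com", "login.microsoft.com", "login.windows.net"}
MSA_LOGIN_HOST = "login.live.com"


def parse_request(raw: str) -> tuple[str, dict[str, str]]:
    """Split a raw HTTP/1.1 request into (host, headers); header names are lower-cased."""
    headers: dict[str, str] = {}
    for line in raw.lstrip("\n").splitlines()[1:]:   # skip the request line
        if not line.strip():                         # blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    host = headers.get("host", "").split(":")[0].lower()
    return host, headers


def is_tenant(value: str) -> bool:
    """Assumption: a tenant is named by a verified domain (contoso.com) or by its directory ID."""
    return bool(DOMAIN_RE.match(value) or GUID_RE.match(value))


def check_headers(raw: str, mode: str) -> list[str]:
    """Return findings for one request; an empty list means the headers match `mode` ('v1' or 'v2')."""
    host, h = parse_request(raw)
    findings: list[str] = []
    v1_list = h.get("restrict-access-to-tenants")
    v1_ctx = h.get("restrict-access-context")
    v2_pol = h.get("sec-restrict-tenant-access-policy")

    if host not in ENTRA_LOGIN_HOSTS and host != MSA_LOGIN_HOST:
        return findings          # not a Microsoft sign-in endpoint; nothing should be injected

    if mode == "v1":
        if host == MSA_LOGIN_HOST:
            if v2_pol != "restrict-msa":
                findings.append("login.live.com: expected sec-Restrict-Tenant-Access-Policy: restrict-msa")
            return findings
        if v1_list is None:
            findings.append("missing Restrict-Access-To-Tenants")
        else:
            for entry in (e.strip() for e in v1_list.split(",")):
                if not is_tenant(entry):
                    findings.append(f"Restrict-Access-To-Tenants entry {entry!r} is neither a domain nor a GUID")
        if v1_ctx is None:
            findings.append("missing Restrict-Access-Context (reporting only; enforcement still works)")
        elif not is_tenant(v1_ctx):
            findings.append(f"Restrict-Access-Context {v1_ctx!r} is not a valid tenant ID or domain")
        if v2_pol is not None:
            findings.append("TRv2 header sec-Restrict-Tenant-Access-Policy present in a TRv1 deployment")
        return findings

    # mode == "v2": a single <DirectoryID>:<policyGUID> header on all four sign-in hosts
    if v2_pol is None:
        findings.append("missing sec-Restrict-Tenant-Access-Policy")
    elif v2_pol == "restrict-msa":
        findings.append("restrict-msa conflicts with the TRv2 cloud policy; stop sending it to login.live.com")
    else:
        parts = v2_pol.split(":")
        if len(parts) != 2 or not all(GUID_RE.match(p) for p in parts):
            findings.append(f"sec-Restrict-Tenant-Access-Policy {v2_pol!r} is not <DirectoryID>:<policyGUID>")
    if v1_list is not None:
        findings.append("stale TRv1 header Restrict-Access-To-Tenants must be removed for TRv2")
    return findings


# Constructed sample requests (not real captures); the GUIDs are made up.
TRV1_OK = """GET /common/oauth2/authorize HTTP/1.1
Host: login.microsoftonline.com
Restrict-Access-To-Tenants: contoso.onmicrosoft.com, fabrikam.com
Restrict-Access-Context: 11111111-2222-3333-4444-555555555555"""
# Uses the placeholder directory ID from the CPL above, which is not a valid GUID.
TRV1_BAD_CTX = """GET /common/oauth2/authorize HTTP/1.1
Host: login.microsoftonline.com
Restrict-Access-To-Tenants: contoso.onmicrosoft.com
Restrict-Access-Context: 456ff232-35l2-5h23-b3b3-3236w0826f3d"""
MSA_V1 = """GET /oauth20_authorize.srf HTTP/1.1
Host: login.live.com
sec-Restrict-Tenant-Access-Policy: restrict-msa"""
TRV2_OK = """GET /common/oauth2/v2.0/authorize HTTP/1.1
Host: login.microsoftonline.com
sec-Restrict-Tenant-Access-Policy: 11111111-2222-3333-4444-555555555555:aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"""
# TRv2 header added, but the TRv1 allow-list header was never removed.
TRV2_STALE = TRV2_OK + "\nRestrict-Access-To-Tenants: contoso.onmicrosoft.com"

if __name__ == "__main__":
    for name, raw, mode in [("TRV1_OK", TRV1_OK, "v1"), ("TRV1_BAD_CTX", TRV1_BAD_CTX, "v1"),
                            ("MSA_V1", MSA_V1, "v1"), ("TRV2_OK", TRV2_OK, "v2"),
                            ("TRV2_STALE", TRV2_STALE, "v2"), ("MSA_V1", MSA_V1, "v2")]:
        print(name, mode, check_headers(raw, mode) or "OK")
```

Run it as written to see each sample classified, or call check_headers() on your own captured requests with mode="v1" before the migration and mode="v2" after it; the TRV2_STALE and MSA_V1-in-v2 cases are exactly the two leftovers the migration notes above tell you to remove.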