Microsoft has published an article describing how to control Office 365 access using tenant restrictions. The article can be seen at https://docs.microsoft.com/en-us/azure/active-directory/active-directory-tenant-restrictions
Microsoft's article includes a summary of the headers a proxy must add to control Office 365 access using tenant restrictions. This article describes how to implement those headers on ProxySG and Advanced Secure Gateway (ASG).
Follow the steps below to modify request headers so that only the permitted tenant can be used for Office 365 access:
Microsoft has also provided further clarification on the following:
By design, the Restrict-Access-Context header cannot carry the tenant IDs of multiple domains: it exists for reporting purposes and states which tenant has enabled the policy.
The tenant ID inserted here identifies the tenant in which the reports can be viewed: “A second header, called Restrict-Access-Context, is used to enable reporting capabilities and help Microsoft support troubleshoot issues. Restrict-Access-Context needs to include the tenant which is configuring the policy. For example, the following header would indicate that Contoso configured the policy, and reporting would be enabled in the Contoso tenant: Restrict-Access-Context: contoso.onmicrosoft.com”
Optionally, if CPL is preferred over the VPM, the following CPL can be installed in a local policy file or in a CPL layer within the VPM to accomplish the same goal:
; ------- Beginning of O365 Tenant Restriction CPL -----------
<Proxy>
    condition=TenantRestrictionDestinations action.Restrict-Access-Context-Set-Header(yes) action.Restrict-Access-To-Tenants-Set-Header(yes)

; Only the Microsoft login hosts receive the headers
define condition TenantRestrictionDestinations
    url.host=login.microsoftonline.com
    url.host=login.microsoft.com
    url.host=login.windows.net
end condition TenantRestrictionDestinations

; Change directory ID below (the value shown is a placeholder for the directory ID of the tenant configuring the policy):
define action Restrict-Access-Context-Set-Header
    set(request.x_header.Restrict-Access-Context, "<tenant-directory-ID>")
end action Restrict-Access-Context-Set-Header

; Change tenant list below (comma-separated list of the tenants users may sign in to):
define action Restrict-Access-To-Tenants-Set-Header
    set(request.x_header.Restrict-Access-To-Tenants, "contoso.onmicrosoft.com")
end action Restrict-Access-To-Tenants-Set-Header
; ------- End of O365 Tenant Restriction CPL -----------
Client HTTPS requests to the hosts login.microsoftonline.com, login.microsoft.com, and login.windows.net will have the headers added to them only if SSL interception is enabled on the proxy; without interception the proxy cannot see or modify the HTTPS request headers. See the article Enable SSL interception in Web Security Service for details on how to enable SSL interception.
Please note that the tenant ID is not, strictly speaking, needed for this policy to work; it is added here for completeness.
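The following Python model of the policy above is an added example, not part of the original article or of any Broadcom/Microsoft code. It mirrors the CPL logic (match the three login hosts, require SSL interception, set both headers), rejects a Restrict-Access-Context value naming more than one tenant, and audits a constructed set of requests for login traffic that left the proxy unrestricted; the Request type, the tenant values and the directory-ID placeholder are all constructed for the example.

```python
from dataclasses import dataclass, field

# The three login hosts the article names; only these get the headers.
LOGIN_HOSTS = frozenset(
    {"login.microsoftonline.com", "login.microsoft.com", "login.windows.net"}
)
TENANTS_HEADER = "Restrict-Access-To-Tenants"
CONTEXT_HEADER = "Restrict-Access-Context"


@dataclass
class Request:
    host: str
    tls_intercepted: bool  # SSL interception must be on before the proxy can edit HTTPS headers
    headers: dict = field(default_factory=dict)


def validate_policy(allowed_tenants, context_tenant):
    """Catch values the proxy would accept but that defeat the policy's intent."""
    if not allowed_tenants or any(not t.strip() for t in allowed_tenants):
        raise ValueError(f"{TENANTS_HEADER} needs a non-empty list of tenants")
    # By design the context header names exactly one tenant: the one that sees the reports.
    if not context_tenant.strip() or "," in context_tenant:
        raise ValueError(f"{CONTEXT_HEADER} must name exactly one tenant")


def apply_tenant_restriction(req, allowed_tenants, context_tenant):
    """Mirror the <Proxy> layer: match TenantRestrictionDestinations, then run both set-header actions."""
    validate_policy(allowed_tenants, context_tenant)
    if req.host.lower() not in LOGIN_HOSTS or not req.tls_intercepted:
        return req  # not a login destination, or opaque TLS: the request passes unchanged
    req.headers[TENANTS_HEADER] = ",".join(t.strip() for t in allowed_tenants)
    req.headers[CONTEXT_HEADER] = context_tenant.strip()
    return req


def find_unrestricted_logins(requests):
    """Audit: login-host requests that left the proxy without both headers (a policy gap)."""
    return [r.host for r in requests if r.host.lower() in LOGIN_HOSTS
            and not (TENANTS_HEADER in r.headers and CONTEXT_HEADER in r.headers)]


if __name__ == "__main__":
    tenants, context = ["contoso.onmicrosoft.com"], "<contoso-directory-ID>"  # ID is a placeholder
    seen = [apply_tenant_restriction(Request(h, tls), tenants, context)
            for h, tls in [("login.microsoftonline.com", True), ("login.windows.net", False)]]
    print(find_unrestricted_logins(seen))  # ['login.windows.net'] - interception was off
```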