As an Administrator, I want to be able to give my organization the ability to specify the list of tenants that their users are permitted to access.
Cloud SWG (formerly Web Security Service - WSS)
When enabling the Azure AD / Office 365 Tenant Restriction, SSL interception is required, because Cloud SWG must intercept traffic to the login.microsoftonline.com, login.microsoft.com, and login.windows.net domains.
Note: Make sure that none of these destination URLs is exempt from SSL interception.
The two policy toggles under Solutions > Office 365 must also be disabled, because the tenant restriction will not apply or work if you already have O365 URLs that are not working in their current state.
Note: Install the appropriate intercepting WSS root CA on client PCs before enabling the tenant restriction.
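One way to check the interception requirement above before enabling the restriction is to audit your SSL interception bypass list for entries that would exempt the three login domains. This is an added example, not Broadcom code: the one-entry-per-line list format, the function names, and the rule that a bare domain entry also covers its subdomains are assumptions, and the sample list is constructed.

```python
# Hosts that the page says must NOT be exempt from SSL interception.
REQUIRED_HOSTS = (
    "login.microsoftonline.com",
    "login.microsoft.com",
    "login.windows.net",
)

def normalize(entry):
    """Reduce a bypass entry (URL, host or wildcard) to a lowercase host pattern."""
    e = entry.strip().lower()
    if not e or e.startswith("#"):
        return None                      # blank line or comment
    if "://" in e:
        e = e.split("://", 1)[1]         # drop scheme
    e = e.split("/", 1)[0]               # drop path
    e = e.split(":", 1)[0]               # drop port
    return e.rstrip(".") or None         # drop trailing root dot

def exempts(pattern, host):
    """True if the pattern covers host: exact match, '*.suffix' or parent domain.
    Assumption: a bare domain entry is treated as covering its subdomains."""
    if pattern.startswith("*."):
        pattern = pattern[2:]
    return host == pattern or host.endswith("." + pattern)

def audit(bypass_lines):
    """Return {required_host: [entries that would exempt it]}, conflicts only."""
    findings = {}
    for raw in bypass_lines:
        pattern = normalize(raw)
        if pattern is None:
            continue
        for host in REQUIRED_HOSTS:
            if exempts(pattern, host):
                findings.setdefault(host, []).append(raw.strip())
    return findings

# Constructed sample bypass list (hypothetical export format).
SAMPLE_BYPASS = """\
# finance apps
bank.example.com
*.windows.net
https://Login.MicrosoftOnline.com:443/common
notlogin.microsoft.com
"""

if __name__ == "__main__":
    for host, entries in audit(SAMPLE_BYPASS.splitlines()).items():
        print(f"{host} is exempt from interception via: {', '.join(entries)}")
```

An empty result means no entry in the list covers the login domains; any finding should be removed from the bypass list before the tenant restriction is enabled.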