As an Administrator, I want to be able to give my organization the ability to specify the list of tenants that their users are permitted to access.

Web Security Service

SSL Interception Required

When enabling the Azure AD / Office 365 Tenant Restriction: SSL interception is a requirement as the Web Security Service will need to intercept for login.microsoftonline.com, login.microsoft.com, and login.windows.net domains.

Note: Make sure that any of these destination URLs are not exempt from SSL interception.

Azure AD / Office 365 Exemptions

The two policy toggles under Solutions > Office 365 will also need to be disabled as the tenant restriction will not apply and work if you already have any O365 URLs that are not working in the current condition.

• Enable authentication exemptions for all Office 365 applications.
• Enable SSL interception exemptions for all Office 365 applications. This option requires you to also enable SSL Interception (Service > Network > SSL Interception).

Note! Ensure to install the appropriate intercepting WSS root CA on client PCs before enabling.

References:

• Microsoft:
  • Use Tenant Restrictions to manage access to SaaS cloud applications
• Broadcom:
  • Proxy SG: Controlling Office 365 access using tenant restrictions on ProxySG or Advanced Secure Gateway
  • WSS: How to implement Microsoft Azure AD Tenant Restriction on WSS (previously known as Office 365 tenant restriction)