How to implement Microsoft Azure AD Tenant Restriction on Cloud SWG (previously known as Office 365 tenant restriction)

Article ID: 212259

Products

Cloud Secure Web Gateway - Cloud SWG

Issue/Introduction

How to implement Azure AD Tenant Restriction on Cloud SWG portal tenant?

Environment

Cloud SWG

Resolution

Since the AUG.27.2021 release of the Cloud SWG portal, you can set up the Restrict-Access-To-Tenants and Restrict-Access-Context request headers yourself in the Policy section of the Cloud SWG portal.

This is now a standard Cloud SWG configuration item. Previously it had to be implemented by Broadcom on the customer's behalf through Cloud SWG backend changes.

The header feature is located just above the "Server" sub-section of the Policy page [Image 1]. Click the "Header modification" link to open the Header modification view, which contains two sub-sections [Image 2]: "Global Rules" and "Specific header rules".

To set up your Azure AD header modification policy, go to the "Specific header rules" section and click Add. Then select the Conditions (Sources / Destinations) as applicable.

The destination list for Azure AD tenant restriction currently consists of the following three hostnames, as specified by Microsoft:

  • login.microsoft.com
  • login.microsoftonline.com
  • login.windows.net

In the Verdict section select "Add Header > Azure AD". This presents the two expected fields, "Restrict-Access-To-Tenants" and "Restrict-Access-Context" [Image 3]. Restrict-Access-To-Tenants takes a comma-separated list of the tenants (tenant IDs or verified domain names) that users are permitted to sign in to; Restrict-Access-Context takes the directory ID of the tenant that owns the restriction, which is the tenant Azure AD reports blocked sign-in attempts to. Because all three destinations are HTTPS endpoints, the proxy can only insert these request headers into traffic it decrypts, so confirm that SSL interception covers those hosts; otherwise the rule has no effect.

Once you are satisfied that the rule is configured as desired, save it by clicking "Add rule" and install the policy using the "Activate" button.
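The following is an added example, not Broadcom's code or any part of the Cloud SWG product. It models the rule described above (destination condition on the three login hosts, verdict that injects the two headers) and adds the check a practitioner wants after activating the policy: given a set of captured requests, report which requests to the login endpoints are missing the headers or carry unexpected values. The tenant ID, permitted-tenant list and sample requests are all constructed for illustration; the decision to also match subdomains of the three hosts is an assumption of this example.

```python
"""Model of a Cloud SWG 'Add Header > Azure AD' rule plus an offline compliance check.

Added example for illustration only; it is not Broadcom's or Microsoft's code.
"""
import re
from dataclasses import dataclass, field, replace

# Destinations listed by Microsoft for Azure AD tenant restrictions.
LOGIN_HOSTS = ("login.microsoft.com", "login.microsoftonline.com", "login.windows.net")

TENANTS_HEADER = "Restrict-Access-To-Tenants"
CONTEXT_HEADER = "Restrict-Access-Context"

GUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)
DOMAIN_RE = re.compile(r"^[a-z0-9-]+(\.[a-z0-9-]+)+$", re.I)


@dataclass
class Request:
    """Minimal model of a proxied HTTP request (hypothetical shape, for the example)."""
    host: str
    path: str = "/"
    headers: dict = field(default_factory=dict)


def validate_values(tenants: str, context: str) -> None:
    """Sanity-check both header values before they go into policy.

    Restrict-Access-To-Tenants: comma-separated tenant IDs and/or verified domains.
    Restrict-Access-Context: the directory (tenant) ID that owns the restriction.
    Raises ValueError on malformed input.
    """
    if not GUID_RE.match(context):
        raise ValueError(f"{CONTEXT_HEADER} must be a directory ID (GUID): {context!r}")
    entries = [t.strip() for t in tenants.split(",")]
    if any(not e for e in entries):
        raise ValueError(f"{TENANTS_HEADER} must be a non-empty comma-separated list")
    for e in entries:
        if not (GUID_RE.match(e) or DOMAIN_RE.match(e)):
            raise ValueError(f"{TENANTS_HEADER} entry is neither a GUID nor a domain: {e!r}")


def is_login_host(host: str) -> bool:
    """Destination condition: the host is one of the login endpoints.

    Matching subdomains as well is an assumption of this example, not Cloud SWG behaviour.
    """
    h = host.lower().rstrip(".")
    return any(h == d or h.endswith("." + d) for d in LOGIN_HOSTS)


def apply_rule(req: Request, tenants: str, context: str) -> Request:
    """The 'Add Header > Azure AD' verdict: inject both headers on matching destinations only."""
    validate_values(tenants, context)
    if not is_login_host(req.host):
        return req
    new_headers = dict(req.headers)
    new_headers[TENANTS_HEADER] = tenants   # overwrite any client-supplied value
    new_headers[CONTEXT_HEADER] = context
    return replace(req, headers=new_headers)


def find_noncompliant(reqs, tenants: str, context: str) -> list:
    """Post-activation check: hosts of login-endpoint requests whose headers are absent or wrong."""
    bad = []
    for r in reqs:
        if not is_login_host(r.host):
            continue
        hdrs = {k.lower(): v for k, v in r.headers.items()}   # header names are case-insensitive
        if hdrs.get(TENANTS_HEADER.lower()) != tenants or hdrs.get(CONTEXT_HEADER.lower()) != context:
            bad.append(r.host)
    return bad


# Constructed values; replace with your own permitted tenants and directory ID.
HOME_TENANT_ID = "11111111-2222-3333-4444-555555555555"    # hypothetical directory ID
PERMITTED = "contoso.com," + HOME_TENANT_ID                  # hypothetical tenant list

SAMPLE_REQUESTS = [   # constructed sample traffic, as it would leave a client before the rule runs
    Request("login.microsoftonline.com", "/common/oauth2/v2.0/authorize"),
    Request("login.windows.net", "/common/oauth2/token"),
    Request("graph.microsoft.com", "/v1.0/me"),
]


def run_example():
    """Return (non-compliant hosts before the rule, non-compliant hosts after the rule)."""
    before = find_noncompliant(SAMPLE_REQUESTS, PERMITTED, HOME_TENANT_ID)
    after_reqs = [apply_rule(r, PERMITTED, HOME_TENANT_ID) for r in SAMPLE_REQUESTS]
    after = find_noncompliant(after_reqs, PERMITTED, HOME_TENANT_ID)
    return before, after


if __name__ == "__main__":
    b, a = run_example()
    print("login requests missing headers before policy:", b)
    print("login requests missing headers after policy:", a)
```

In practice you would feed `find_noncompliant` with requests reconstructed from a client-side capture (or the proxy's own logs, if they record the injected headers) rather than the constructed list, and treat any host it returns as evidence that SSL interception or the destination condition does not cover that endpoint.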

Image 1: Policy page screenshot

Image 2: "New Rule: Header Modification" view

Image 3: Verdict section showing the "Azure AD" custom fields

Additional Information

If you manage policies via Management Center (UPE) rather than via the WSS Portal, apply the VPM or CPL policy from the following document instead:
Controlling Office 365 access using tenant restrictions on ProxySG or Advanced Secure Gateway