How to implement Microsoft Azure AD Tenant Restriction on WSS (previously known as Office 365 tenant restriction)


Article ID: 212259


Updated On:


Web Security Service - WSS


How to implement Azure AD Tenant Restriction on WSS portal tenant?


Since the release of the AUG.27.2021 WSS portal you can setup the Restrict-Access-Context / Restrict-Access-To-Tenants header in the Policy section of the WSS portal.

This is now a WSS standard configuration item that was previously implemented by Broadcom for the customer via WSS backend changes.

The header feature is located just above the "Server" sub-section [Image 1]. Click on the "Header modification" link and you will be presented with the Header modification view, which contains 2 sub-sections [Image 2]: "Global Rules" and "Specific header rules".

To setup your Azure AD header modification policy on the "Specific header rules" section, click Add. Then select the Conditions (Sources / Destinations) as applicable.

The destinations for Azure AD tenant restriction is a list of 3 urls (currently, based on Microsoft specifications).:


On the Verdict section select "Add Header > Azure AD". This will present you with the 2 expected fields "Restrict-Access-To-Tenants" and "Restrict-Access-Context" [Image 3].

Once you are satisfied that the rule is configured as desired you can save it by clicking "Add rule" and install the policy using the "Activate" button.

Image 1: Policy page screenshot

Image 2: "New Rule: Header Modification" view

Image 3: Verdict section showing the "Azure AD" custom fields