How to implement Azure AD Tenant Restriction on Cloud SWG portal tenant?
Cloud SWG
Since the AUG.27.2021 release of the Cloud SWG portal, you can set up the Restrict-Access-Context / Restrict-Access-To-Tenants headers in the Policy section of the Cloud SWG portal.
This is now a Cloud SWG standard configuration item that was previously implemented by Broadcom for the customer via Cloud SWG backend changes.
The header feature is located just above the "Server" sub-section [Image 1]. Click on the "Header modification" link and you will be presented with the Header modification view, which contains 2 sub-sections [Image 2]: "Global Rules" and "Specific header rules".
To set up your Azure AD header modification policy in the "Specific header rules" section, click Add. Then select the Conditions (Sources / Destinations) as applicable.
The destinations for Azure AD tenant restriction are a list of 3 URLs (currently, based on Microsoft specifications):
In the Verdict section, select "Add Header > Azure AD". This will present you with the 2 expected fields, "Restrict-Access-To-Tenants" and "Restrict-Access-Context" [Image 3].
Once you are satisfied that the rule is configured as desired, you can save it by clicking "Add rule" and install the policy using the "Activate" button.
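A sanity check for the two values before they are entered in the Azure AD verdict fields, as an added example that is not Broadcom's code or part of the original article. It assumes the value formats from Microsoft's tenant restrictions documentation (Restrict-Access-To-Tenants is a comma-separated list of tenant domains or directory IDs; Restrict-Access-Context is a single directory ID). The function name and sample tenants are constructed for illustration.

```python
import re
import uuid

# RFC 1123 hostname label, for tenant domains such as contoso.onmicrosoft.com.
_LABEL = re.compile(r"^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$")


def _is_guid(value):
    """True only for a canonical 8-4-4-4-12 directory (tenant) ID."""
    try:
        return str(uuid.UUID(value)) == value.lower()
    except ValueError:
        return False


def _is_domain(value):
    labels = value.lower().split(".")
    return len(labels) >= 2 and len(value) <= 253 and all(_LABEL.match(l) for l in labels)


def validate_tenant_restriction(allowed_tenants, context):
    """Return a list of problems; an empty list means both values are well-formed."""
    problems = []
    if not _is_guid(context):
        problems.append("Restrict-Access-Context must be exactly one directory ID (GUID)")
    seen = set()
    for raw in allowed_tenants.split(","):
        entry = raw.strip()
        if not entry:
            problems.append("Restrict-Access-To-Tenants has an empty entry (stray comma)")
        elif not (_is_guid(entry) or _is_domain(entry)):
            problems.append(f"Restrict-Access-To-Tenants entry is not a domain or GUID: {entry!r}")
        elif entry.lower() in seen:
            problems.append(f"Restrict-Access-To-Tenants lists a tenant twice: {entry!r}")
        seen.add(entry.lower())
    if any(c in allowed_tenants + context for c in "\r\n"):
        problems.append("header values must not contain CR or LF")
    return problems


# Constructed sample values (not real tenants).
GOOD_TENANTS = "contoso.com,fabrikam.onmicrosoft.com,11111111-2222-3333-4444-555555555555"
GOOD_CONTEXT = "11111111-2222-3333-4444-555555555555"

if __name__ == "__main__":
    for tenants, ctx in [(GOOD_TENANTS, GOOD_CONTEXT),
                         ("contoso.com,,https://fabrikam.com", "contoso.com")]:
        print(validate_tenant_restriction(tenants, ctx) or "OK")
```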
If you manage policies via Management Center (UPE) rather than via WSS Portal, please apply the VPM or CPL policy from the following document:
Controlling Office 365 access using tenant restrictions on ProxySG or Advanced Secure Gateway