How to implement Azure AD Tenant Restriction on WSS portal tenant?
Since the AUG.27.2021 release of the WSS portal, you can set up the Restrict-Access-Context / Restrict-Access-To-Tenants headers in the Policy section of the WSS portal.
This is now a WSS standard configuration item that was previously implemented by Broadcom for the customer via WSS backend changes.
The header feature is located just above the "Server" sub-section [Image 1]. Click on the "Header modification" link and you will be presented with the Header modification view, which contains 2 sub-sections [Image 2]: "Global Rules" and "Specific header rules".
To set up your Azure AD header modification policy, go to the "Specific header rules" section and click Add. Then select the Conditions (Sources / Destinations) as applicable.
The destinations for Azure AD tenant restriction are a list of 3 URLs (currently, based on Microsoft specifications):
In the Verdict section, select "Add Header > Azure AD". This will present you with the 2 expected fields, "Restrict-Access-To-Tenants" and "Restrict-Access-Context" [Image 3].
Once you are satisfied that the rule is configured as desired, save it by clicking "Add rule" and install the policy using the "Activate" button.
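Before activating the policy, it helps to check the two field values, since a malformed value either fails to restrict or blocks legitimate sign-ins. The following is an added example, not Broadcom or Microsoft code. It assumes Microsoft's documented format (a comma-separated list of tenant domains or directory IDs for Restrict-Access-To-Tenants, a single directory ID for Restrict-Access-Context), and the function names and sample values are constructed for illustration.

```python
import re
import uuid

# Hostname shape: dot-separated labels ending in an alphabetic TLD.
_DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)(?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)+[A-Za-z]{2,63}$"
)

def is_directory_id(value):
    """True only for a GUID in canonical 8-4-4-4-12 form (no braces, no URN prefix)."""
    try:
        return str(uuid.UUID(value)) == value.lower()
    except ValueError:
        return False

def check_tenant_restriction(tenants_value, context_value):
    """Return a list of problems; an empty list means both values look well formed."""
    problems = []
    # Restrict-Access-Context names the one tenant that owns the restriction.
    if not is_directory_id(context_value):
        problems.append("Restrict-Access-Context must be a single directory ID (GUID)")
    seen = set()
    for entry in tenants_value.split(","):
        # Assumption: padding and empty entries are flagged conservatively,
        # because tolerance for them is not stated on the page.
        if not entry or entry != entry.strip():
            problems.append(f"Restrict-Access-To-Tenants: empty or padded entry {entry!r}")
            continue
        if not (is_directory_id(entry) or _DOMAIN_RE.match(entry)):
            problems.append(f"Restrict-Access-To-Tenants: {entry!r} is not a domain or GUID")
        if entry.lower() in seen:
            problems.append(f"Restrict-Access-To-Tenants: duplicate entry {entry!r}")
        seen.add(entry.lower())
    return problems

if __name__ == "__main__":
    # Constructed sample values, not taken from any real tenant.
    guid = "11111111-2222-3333-4444-555555555555"
    for tenants, context in [
        ("contoso.onmicrosoft.com," + guid, guid),
        ("contoso.onmicrosoft.com, example.com", "contoso.onmicrosoft.com"),
    ]:
        issues = check_tenant_restriction(tenants, context)
        print(tenants, "|", context, "->", issues or "OK")
```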
If you manage policies via Management Center (UPE) rather than via WSS Portal, please apply the VPM or CPL policy from the following document:
Controlling Office 365 access using tenant restrictions on ProxySG or Advanced Secure Gateway