
How to implement Microsoft Azure AD Tenant Restriction on WSS (previously known as Office 365 tenant restriction)


Article ID: 212259




Web Security Service - WSS


How to implement Azure AD Tenant Restriction on WSS portal tenant?


Since the release of the AUG.27.2021 WSS portal, you can set up the Restrict-Access-Context / Restrict-Access-To-Tenants headers in the Policy section of the WSS portal.

This is now a WSS standard configuration item that was previously implemented by Broadcom for the customer via WSS backend changes.

The header feature is located just above the "Server" sub-section [Image 1]. Click on the "Header modification" link and you will be presented with the Header modification view, which contains 2 sub-sections [Image 2]: "Global Rules" and "Specific header rules".

To set up your Azure AD header modification policy in the "Specific header rules" section, click Add. Then select the Conditions (Sources / Destinations) as applicable.

The destinations for Azure AD tenant restriction are a list of 3 URLs (currently, based on Microsoft specifications):


In the Verdict section, select "Add Header > Azure AD". This will present you with the 2 expected fields, "Restrict-Access-To-Tenants" and "Restrict-Access-Context" [Image 3].

Once you are satisfied that the rule is configured as desired, you can save it by clicking "Add rule" and install the policy using the "Activate" button.

Image 1: Policy page screenshot

Image 2: "New Rule: Header Modification" view

Image 3: Verdict section showing the "Azure AD" custom fields
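
An added example, not part of this article or of WSS: a small Python check for the two values before they are entered in the "Azure AD" fields. It assumes the value formats Microsoft documents for tenant restrictions (a comma-separated list of tenant domains or directory IDs for Restrict-Access-To-Tenants, a single directory ID for Restrict-Access-Context); the function names and sample values are constructed.

```python
import re
import uuid

# Hostname-style tenant domain such as contoso.onmicrosoft.com (assumed format).
_DOMAIN = re.compile(
    r"^(?=.{1,253}$)([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I
)


def _is_guid(value):
    """True only for a canonical 8-4-4-4-12 directory (tenant) ID."""
    try:
        return str(uuid.UUID(value)) == value.lower()
    except ValueError:
        return False


def check_tenant_headers(to_tenants, context):
    """Return a list of problems in the two header values; an empty list means OK."""
    problems = []
    seen = set()
    for raw in to_tenants.split(","):
        entry = raw.strip()
        if not entry:
            problems.append("Restrict-Access-To-Tenants: empty list entry")
        elif not (_is_guid(entry) or _DOMAIN.match(entry)):
            problems.append(
                f"Restrict-Access-To-Tenants: {entry!r} is neither a domain nor a directory ID"
            )
        elif entry.lower() in seen:
            problems.append(f"Restrict-Access-To-Tenants: duplicate entry {entry!r}")
        seen.add(entry.lower())
    ctx = context.strip()
    if "," in ctx:
        # The context header names the one tenant that sets the restriction.
        problems.append("Restrict-Access-Context: must be a single directory ID, not a list")
    elif not _is_guid(ctx):
        problems.append("Restrict-Access-Context: not a directory ID (GUID)")
    return problems


if __name__ == "__main__":
    # Constructed sample values, not taken from any real tenant.
    allowed = "contoso.onmicrosoft.com,fabrikam.com"
    directory_id = "11111111-2222-3333-4444-555555555555"
    for line in check_tenant_headers(allowed, directory_id) or ["values look well-formed"]:
        print(line)
```

A clean result only means the values are well-formed; it does not confirm that the listed tenants are the ones you intend to permit.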


Additional Information

If you manage policies via Management Center (UPE) rather than via WSS Portal, please apply the VPM or CPL policy from the following document:
Controlling Office 365 access using tenant restrictions on ProxySG or Advanced Secure Gateway