Restrict and Control Office 365 access using multi-tenants restrictions on Edge SWG (ProxySG) or Advanced Secure Gateway.
Article ID: 373387


Products

ISG Proxy, ProxySG Software - SGOS, SWG VA-100, Advanced Secure Gateway Software - ASG

Issue/Introduction

If you have already implemented a single Office 365 tenant restriction on the SWG by following the KB article "Controlling Office 365 access using tenant restrictions on Edge SWG (ProxySG) or Advanced Secure Gateway" (broadcom.com), and you now need to add more tenants to that rule, that is, to allow and restrict several O365 tenants at once, you can achieve this by following this KB.

Environment

Edge SWG (ProxySG) or Advanced Secure Gateway.

Resolution

1- In this scenario, only two O365 tenants are allowed for user sign-in:

XXXX and YYYY are the allowed tenants.

Client HTTPS requests to the hosts login.microsoftonline.com, login.microsoft.com, and login.windows.net will have the headers added to them. For the proxy to have visibility into those requests and insert the headers, SSL interception must be enabled for the O365 login URLs.

2- Create a Web Access Layer and add a rule inside it:

In the rule, edit the Destination 'Any' object by right-clicking it. In the pop-up window press the New button and add a Combined Destination Object. Give the Combined Object a distinctive name (optional) and add new Request URL entries for the following hosts: login.microsoftonline.com, login.microsoft.com, and login.windows.net.


3- In the rule, edit the Action 'Deny' object by right-clicking it. In the pop-up window press the New button and add a Combined Action Object. Give the Combined Action Object a distinctive name (optional) and add two Control Request Header objects, one for the header Restrict-Access-To-Tenants and one for Restrict-Access-Context.

In the Restrict-Access-To-Tenants header, add the .onmicrosoft.com value for each allowed tenant, XXXX and YYYY, in the form "yourorganization.onmicrosoft.com".

As described in the Microsoft documentation (Use tenant restrictions to manage access to SaaS apps - Microsoft Entra ID | Microsoft Learn): for Restrict-Access-To-Tenants, use a value of <permitted tenant list>, which is a comma-separated list of the tenants you want to allow users to access.

In Restrict-Access-Context, add one of the allowed tenant IDs to be inserted; in this case, we add the XXXX and YYYY tenant IDs.

Now you can test it. Logging into the XXXX and YYYY O365 tenants succeeds. However, attempting to log into the ZZZZ O365 tenant results in an "access blocked by the admin" message on the Microsoft login page, as shown in the screenshot below:


Alternatively, if CPL is preferred over the VPM, you can install the following CPL in the local policy file or in a CPL layer within the VPM to reach the same goal:

define condition TenantRestrictionDestinations
    url.domain="login.microsoftonline.com"
    url.domain="login.microsoft.com"
    url.domain="login.windows.net"
end condition TenantRestrictionDestinations

;; Tab: [O365 Tenant Restriction Layer]
<Proxy>
    ; Insert both tenant-restriction headers on requests to the Microsoft sign-in hosts.
    ; SSL interception of these hosts is required so the proxy can modify the request headers.
    condition=TenantRestrictionDestinations action.Restrict-Access-To-Tenants(yes) action.Restrict-Access-Context(yes)  ; Rule 1

define action Restrict-Access-To-Tenants
    ; Comma-separated list of permitted tenants (replace XXXXX and YYYYY with your tenant names).
    set(request.x_header.Restrict-Access-To-Tenants,"XXXXX.onmicrosoft.com, YYYYY.onmicrosoft.com")
end action Restrict-Access-To-Tenants

define action Restrict-Access-Context
    ; Directory (tenant) ID(s) of the allowed tenants (placeholder values shown).
    set(request.x_header.Restrict-Access-Context,"9XXXXXX-XXXX-XXX-XXXX-XXXX6, 8YYYYY-YYYY-YYYY-YYYY-YYYYf")
end action Restrict-Access-Context
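To verify that the VPM or CPL policy above is actually taking effect, the following added script (not part of this KB or of the ProxySG product) audits requests captured on the upstream side of the proxy and reports, per request, whether the two tenant-restriction headers are present and scoped to the allowed tenants. The host list comes from this article; the tenant names, directory IDs and sample requests are constructed placeholders.

```python
# Added audit helper (not from the Broadcom KB): checks captured requests for the
# tenant-restriction headers the policy above injects. Tenants/IDs below are placeholders.
LOGIN_HOSTS = {"login.microsoftonline.com", "login.microsoft.com", "login.windows.net"}

def parse_list_header(value):
    """Split a comma-separated header value, trimming whitespace and lower-casing items."""
    return [item.strip().lower() for item in value.split(",") if item.strip()]

def audit_request(req, allowed_tenants, allowed_ids):
    """Return findings for one request {"host","intercepted","headers"}; [] means compliant."""
    host = req["host"].strip().lower()
    if host not in LOGIN_HOSTS:
        return []  # the policy is scoped to the Microsoft login hosts only
    if not req.get("intercepted", True):
        # Without SSL interception the proxy never sees, or modifies, the request headers.
        return ["HTTPS not intercepted: proxy cannot insert tenant headers"]
    headers = {k.lower(): v for k, v in req.get("headers", {}).items()}
    findings = []
    tenants = headers.get("restrict-access-to-tenants")
    if tenants is None:
        findings.append("Restrict-Access-To-Tenants header missing")
    else:
        extra = set(parse_list_header(tenants)) - allowed_tenants
        if extra:
            findings.append("unexpected tenants permitted: " + ", ".join(sorted(extra)))
    context = headers.get("restrict-access-context")
    if context is None:
        findings.append("Restrict-Access-Context header missing")
    else:
        bad = set(parse_list_header(context)) - allowed_ids
        if bad:
            findings.append("context ID not an allowed tenant: " + ", ".join(sorted(bad)))
    return findings

# Constructed sample: the two allowed tenants (XXXX, YYYY) with placeholder directory IDs.
ALLOWED_TENANTS = {"xxxx.onmicrosoft.com", "yyyy.onmicrosoft.com"}
ALLOWED_IDS = {"placeholder-id-xxxx", "placeholder-id-yyyy"}
SAMPLE_REQUESTS = [
    {"host": "login.microsoftonline.com", "intercepted": True, "headers": {
        "Restrict-Access-To-Tenants": "XXXX.onmicrosoft.com, YYYY.onmicrosoft.com",
        "Restrict-Access-Context": "placeholder-id-xxxx"}},
    {"host": "login.windows.net", "intercepted": True, "headers": {}},   # headers never added
    {"host": "login.microsoft.com", "intercepted": False, "headers": {}},  # not intercepted
    {"host": "outlook.office.com", "intercepted": True, "headers": {}},    # out of scope
]

def audit_all(requests=SAMPLE_REQUESTS):
    return [audit_request(r, ALLOWED_TENANTS, ALLOWED_IDS) for r in requests]
```

A request to a login host with no headers typically means the destination object or CPL condition did not match (for example, a stray space inside the quoted domain), while the "not intercepted" finding points at the SSL interception policy rather than the header rule.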