O365 tenant restriction on Cloud SWG (formerly WSS) proxy without turning on O365 SSL interception
Article ID: 245215

Updated On:

Products

Cloud Secure Web Gateway - Cloud SWG

Issue/Introduction

Enforce O365 tenant restriction on Cloud SWG without enabling O365 SSL/TLS interception in the Cloud Portal

Environment

Cloud Secure Web Gateway

Office 365 SSL Interception and Tenant Restriction

Cause

You can enable O365 tenant restriction within the Cloud SWG Portal by following these steps:

  1. Navigate to the Cloud SWG Portal.
  2. Go to Policy -> Header Modification -> Add rule.
  3. Add the following destinations:
    • login.microsoft.com
    • login.microsoftonline.com
    • login.windows.net
  4. Click Add header and select Azure AD.
  5. Fill in the appropriate fields.

Note: For the Restrict-Access-To-Tenants field, use a value of <permitted tenant list>. If you define more than one tenant, provide a comma-separated list of the tenants that users are allowed to access.

To enable this O365 tenant restriction with the 'header modification' option, SSL inspection must be enabled for these destinations, meaning the SSL/TLS 'do not intercept' option must be disabled for them. By default, O365 SSL/TLS interception is disabled, so the proxy never sees the plaintext HTTP request and header modification cannot take effect unless interception is enabled.

Not all O365 websites need to be intercepted for tenant restrictions, only those handling authentication. According to Microsoft's tenant restriction article, the following websites need to be SSL intercepted:

  • login.microsoft.com
  • login.microsoftonline.com
  • login.windows.net

There is no option to selectively enable SSL interception on these three websites while keeping the general O365 SSL/TLS option set to 'do not intercept'. Support can create a CPL snippet to intercept only these three websites and enable your header modification.

Resolution

If your Cloud SWG tenant is administered through the Cloud SWG Portal, please raise a technical support case to get this enabled.

If you are managing your Cloud SWG tenant via UPE, add the following logic under an existing or new CPL layer to achieve the same functionality:

; Condition matching only the three Azure AD authentication endpoints
; listed in Microsoft's tenant restriction article
define condition Azure_AD_login_urls
  url.domain="login.microsoft.com"
  url.domain="login.microsoftonline.com"
  url.domain="login.windows.net"
end

; Intercept SSL/TLS only for those endpoints; all other O365 traffic
; keeps the portal's default 'do not intercept' behaviour
<ssl-intercept>
  condition=Azure_AD_login_urls ssl.forward_proxy(yes)
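For UPE-managed tenants that prefer to express the header modification in CPL as well, rather than through the portal's Azure AD header rule, the following is an added example that combines the selective interception above with the tenant-restriction headers. It is not taken from the article or from Broadcom's published policy; the tenant names, the directory ID placeholder and the action name Set_O365_Tenant_Restriction are assumptions for illustration. It also adds the Restrict-Access-Context header that Microsoft's tenant restriction documentation defines alongside Restrict-Access-To-Tenants, which goes beyond the single field the article names.

```cpl
; Added example, not Broadcom's own policy. Replace the tenant list and
; directory ID with your organisation's values before use.

; Same condition as in the article: only the Azure AD authentication hosts
define condition Azure_AD_login_urls
  url.domain="login.microsoft.com"
  url.domain="login.microsoftonline.com"
  url.domain="login.windows.net"
end

; Action that injects the tenant restriction headers into the request.
; Restrict-Access-To-Tenants: comma-separated list of permitted tenants (assumed values)
; Restrict-Access-Context: directory ID of the tenant that enforces the policy (placeholder)
define action Set_O365_Tenant_Restriction
  set(request.header.Restrict-Access-To-Tenants, "contoso.com,fabrikam.onmicrosoft.com")
  set(request.header.Restrict-Access-Context, "<your-tenant-directory-id>")
end

; Step 1: intercept SSL/TLS only for the authentication hosts, so the proxy
; can see and modify the HTTP request. Everything else keeps the O365
; 'do not intercept' default.
<ssl-intercept>
  condition=Azure_AD_login_urls ssl.forward_proxy(yes)

; Step 2: apply the headers on the intercepted requests only. The proxy
; layer never matches non-intercepted O365 traffic, because those requests
; are tunnelled rather than parsed.
<proxy>
  condition=Azure_AD_login_urls action.Set_O365_Tenant_Restriction(yes)
```

After installing the policy, verify it from a client by signing in to a tenant that is not on the permitted list: Azure AD should reject the sign-in with its tenant restriction error page, while sign-ins to a permitted tenant succeed. If every tenant still signs in, check the access log for the login.microsoftonline.com requests first; a TUNNELED entry rather than an intercepted request means the ssl-intercept layer did not match, and the header action can never run.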