O365 tenant restriction on Cloud SWG (formerly WSS) proxy without turning on O365 SSL interception
Article ID: 245215

Products

Cloud Secure Web Gateway - Cloud SWG

Issue/Introduction

How do you enforce O365 tenant restriction on Cloud SWG without turning on O365 SSL/TLS interception in the Cloud SWG Portal?

Environment

Cloud SWG

Cause

You can enable O365 tenant restriction from within the Cloud SWG Portal via the following path:

  Cloud SWG Portal -> Policy -> Header Modification -> Add rule -> Add destinations 'login.microsoft.com', 'login.microsoftonline.com', 'login.windows.net' -> Click 'Add header' -> 'Azure AD' -> Fill in the appropriate fields.

NOTE: For the Restrict-Access-To-Tenants field, use a value of <permitted tenant list>. If you define more than one tenant, the value is a comma-separated list of the tenants you want to allow users to access.

To enable this O365 tenant restriction with the 'header modification' option, SSL inspection must be enabled for these destinations, i.e. the SSL/TLS 'do not intercept' option must be disabled. By default, O365 SSL/TLS interception is disabled, so the proxy never sees the decrypted request and the header modification rule has no effect.

Not all O365 websites need to be intercepted for tenant restriction, only the ones that handle authentication. Narrowed down to just the sites required for tenant restriction, Microsoft's tenant restriction article lists only the following websites as needing SSL interception:

login.microsoft.com
login.microsoftonline.com
login.windows.net

There is no Portal option to selectively enable SSL interception on only these three websites while keeping the O365 SSL/TLS option set to 'do not intercept'. Support can craft a CPL to intercept only these three websites and your header modification

Resolution

Please raise a technical support case to get this enabled if your Cloud SWG tenant is administered via the Cloud SWG Portal.

If you are managing your Cloud SWG tenant via UPE (Universal Policy Enforcement), add the following CPL logic to provide the same functionality:

; Named condition matching only the Azure AD login hosts that handle authentication
define condition Azure_AD_login_urls
  url.domain="login.microsoft.com"
  url.domain="login.microsoftonline.com"
  url.domain="login.windows.net"
end

; Intercept (decrypt) only those hosts; other O365 destinations keep the
; Portal's 'do not intercept' setting
<ssl-intercept>
  condition=Azure_AD_login_urls ssl.forward_proxy(yes)
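As an added example that is not part of this KB article or Broadcom's own policy, the fragment below extends the UPE/CPL logic above into a complete tenant restriction policy: the three login hosts are intercepted, and the tenant restriction headers are injected on the decrypted requests in a `<Proxy>` layer. Microsoft's tenant restriction feature requires both `Restrict-Access-To-Tenants` (the permitted tenant list) and `Restrict-Access-Context` (the directory ID of the tenant that owns the restriction). The tenant names and directory ID are placeholders, and expressing the Portal's 'Azure AD' header rule as `request.header.<name>.set()` properties is this example's assumption about the equivalent CPL.

```cpl
; Added example policy (not from the KB article). Replace the tenant list and the
; directory ID below with your own values before use.

; Only the Azure AD login hosts; the rest of O365 stays un-intercepted
define condition Azure_AD_login_urls
  url.domain="login.microsoft.com"
  url.domain="login.microsoftonline.com"
  url.domain="login.windows.net"
end

; Decrypt only the login hosts so the header rule below can see the request
<ssl-intercept>
  condition=Azure_AD_login_urls ssl.forward_proxy(yes)

; Inject the tenant restriction headers on the decrypted login requests.
; Both headers are set in one rule because a <Proxy> layer stops at the first
; matching rule, so two separate rules with the same condition would only
; apply the first one.
<Proxy>
  condition=Azure_AD_login_urls request.header.Restrict-Access-To-Tenants.set("contoso.onmicrosoft.com,fabrikam.com") request.header.Restrict-Access-Context.set("REPLACE-WITH-YOUR-DIRECTORY-ID")
```

To confirm the policy is doing only what is intended, check from a managed client that the proxy's emulated certificate is presented for the three login hosts and not for other O365 hosts, and that a sign-in attempt to a tenant outside the permitted list is blocked by Azure AD with a tenant restriction error while sign-in to a permitted tenant succeeds.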