Universal tenant restrictions significantly enhance the capabilities of tenant restriction v2 by utilizing Global Secure Access (GSA) to tag all traffic, regardless of the operating system, browser, or device form factor. This functionality supports both client and remote network connectivity, eliminating the need for administrators to manage proxy server configurations or complex network setups.
Universal Tenant Restrictions enforce policies using GSA-based policy signalling for both the authentication plane (generally available) and the data plane (in preview). Tenant restriction v2 empowers enterprises to prevent data exfiltration by users leveraging external tenant identities for Microsoft Entra-integrated applications like Microsoft Graph, SharePoint Online, and Exchange Online. These technologies collaboratively ensure comprehensive prevention of data exfiltration across all devices and networks.
The following table explains the steps taken at each point in the previous diagram.
| Step | Description |
|---|---|
| 1 | Contoso configures a **tenant restrictions v2** policy in their cross-tenant access settings to block all external accounts and external apps. Contoso enforces the policy using Global Secure Access universal tenant restrictions. |
| 2 | A user with a Contoso-managed device tries to access a Microsoft Entra integrated app with an unsanctioned external identity. |
| 3 | Authentication plane protection: Using Microsoft Entra ID, Contoso’s policy blocks unsanctioned external accounts from accessing external tenants. |
| 4 | Data plane protection: If the user again tries to access an external unsanctioned application by copying an authentication response token they obtained outside of Contoso’s network and pasting it into the device, they’re blocked. The token mismatch triggers reauthentication and blocks access. For SharePoint Online, any attempt at anonymously accessing resources will be blocked. |
Universal Tenant Restrictions prevent data exfiltration across browsers, devices, and networks through the following mechanisms:
- Consistent Policy Enforcement: Microsoft Entra ID, Microsoft Accounts, and Microsoft applications can look up and enforce the associated tenant restrictions v2 policy, ensuring consistent policy application.
- Third-Party App Integration: These restrictions work with all Microsoft Entra-integrated third-party applications at the authentication plane during sign-in.
- Data Plane Protection: They also provide data plane protection (in preview) for Exchange, SharePoint, and Microsoft Graph.
Prerequisites
- The Global Secure Access Administrator role, to manage the GSA features.
- The Conditional Access Administrator role, to create and interact with Conditional Access policies.
Known limitations
- Data plane protection capabilities are in preview.
- If you have enabled universal tenant restrictions and you are accessing the Microsoft Entra admin center for one of the allow-listed tenants, you may see an “Access denied” error. Add the following feature flag to the Microsoft Entra admin center URL:
  - ?feature.msaljs=true&exp.msaljsexp=true
  - For example, you work for Contoso and have allow-listed Fabrikam as a partner tenant. You may see the error message in the Fabrikam tenant’s Microsoft Entra admin center.
  - If you receive the “Access denied” error for https://entra.microsoft.com/, add the feature flag as follows: https://entra.microsoft.com/?feature.msaljs%253Dtrue%2526exp.msaljsexp%253Dtrue#home
Configure Tenant Restrictions v2 policy
Before an organization can use Universal Tenant Restrictions, they must configure both the default tenant restrictions and the restrictions for any specific partners.
To enhance security, you can limit what your users can access when they use an external account to sign in from your networks or devices. The Tenant Restrictions settings, included with cross-tenant access settings, allow you to create a policy to control access to external apps.
For example, if a user in your organization has created a separate account in an unknown tenant, or an external organization has provided your user with an account to sign in to their organization, you can use tenant restrictions to prevent the user from accessing some or all external apps while signed in with the external account on your network or devices.
| Step | Description |
|---|---|
| 1 | Contoso configures Tenant restrictions in their cross-tenant access settings to block all external accounts and external apps. Contoso adds TRv2 enforcement signaling (the TRv2 header) either via Universal TRv2 or a corporate proxy; Microsoft Entra ID enforces the TRv2 policy when the header is present on the request. |
| 2 | A user on a Contoso-managed device tries to sign in to an external app using an account from an unknown tenant. The TRv2 HTTP header with Contoso’s tenant ID and the tenant restrictions policy ID is added to the authentication request. |
| 3 | Authentication plane protection: Microsoft Entra ID enforces Contoso’s TRv2 policy and blocks external accounts from accessing external tenants during authentication, as per the Contoso TRv2 policy. |
| 4 | Data plane protection (preview): Microsoft Entra ID blocks any anonymous access to SharePoint files or anonymous Teams meeting join, and also blocks user access to the resource with an infiltrated token. |
Tenant restrictions v2 provides options for both authentication plane protection and data plane protection.
- Authentication plane protection involves using a tenant restrictions v2 policy to block sign-ins with external identities. For instance, you can prevent a malicious insider from leaking data via external email by blocking their sign-in to a malicious tenant. This feature is generally available in tenant restrictions v2.
- Data plane protection aims to prevent attacks that bypass authentication. For example, an attacker might try to access malicious tenant apps through Teams anonymous meeting join or SharePoint anonymous file access, or they might copy an access token from a device in a malicious tenant and import it to your organizational device. Tenant restrictions v2 data plane protection ensures the user must authenticate when attempting to access a resource, blocking access if authentication fails.
Tenant restrictions v2 overview
In your organization’s cross-tenant access settings, you can configure a tenant restrictions v2 policy. After you create the policy, there are three ways to apply the policy in your organization.
- Universal Tenant Restrictions v2: This option provides both authentication plane and data plane protection without needing a corporate proxy. Universal tenant restrictions use Global Secure Access (preview) to tag all traffic, regardless of the operating system, browser, or device form factor. It supports both client and remote network connectivity.
- Authentication Plane Tenant Restrictions v2: You can deploy a corporate proxy in your organization and configure the proxy to set tenant restrictions v2 signals on all traffic to Microsoft Entra ID and Microsoft Accounts (MSA).
- Windows Tenant Restrictions v2: For your corporate-owned Windows devices, you can enforce both authentication plane and data plane protection by applying tenant restrictions directly on the devices. These restrictions are enforced upon resource access, providing data path coverage and protection against token infiltration. A corporate proxy is not required for policy enforcement. Devices can be Microsoft Entra ID managed or domain-joined and managed via Group Policy.
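The authentication plane option above relies on something (the GSA client or a corporate proxy) stamping a TRv2 signal onto sign-in traffic only. The following added example, which is not Microsoft's code nor the author's, sketches that tagging step in Python. It assumes the header documented by Microsoft for tenant restrictions v2, `sec-Restrict-Tenant-Access-Policy: <tenantId>:<policyId>`, which this page does not name; the `AUTH_HOSTS` list is constructed for the example and the tenant and policy IDs are placeholders for the values you copy from the Tenant restrictions page.

```python
"""Added example, not Microsoft's or the page author's code: the tagging a corporate
proxy (or the GSA client) performs for authentication plane tenant restrictions v2.

Assumptions, labelled: the header 'sec-Restrict-Tenant-Access-Policy: <tenantId>:<policyId>'
is the TRv2 signal documented by Microsoft and is not named on this page; AUTH_HOSTS is a
constructed list of Entra ID / MSA sign-in hosts; TENANT_ID and POLICY_ID are placeholders
for the values copied from your Tenant restrictions page.
"""
from urllib.parse import urlsplit

TRV2_HEADER = "sec-Restrict-Tenant-Access-Policy"
TENANT_ID = "00000000-0000-0000-0000-000000000000"  # placeholder: your tenant ID
POLICY_ID = "11111111-1111-1111-1111-111111111111"  # placeholder: your TRv2 policy ID

# Constructed: sign-in endpoints whose traffic carries the TRv2 signal. Only the
# authentication plane is tagged; data plane hosts (SharePoint, Graph) are left alone.
AUTH_HOSTS = {"login.microsoftonline.com", "login.microsoft.com", "login.live.com"}


def should_tag(url: str) -> bool:
    """True when the request goes to an Entra ID / MSA sign-in host (or a subdomain of one)."""
    host = (urlsplit(url).hostname or "").lower()
    return host in AUTH_HOSTS or any(host.endswith("." + h) for h in AUTH_HOSTS)


def tag_request(url: str, headers: dict) -> dict:
    """Return a copy of `headers` with the TRv2 header set for sign-in traffic.

    The proxy's own value always overwrites whatever the client sent, so a
    client-supplied header value is never trusted.
    """
    tagged = dict(headers)
    if should_tag(url):
        tagged[TRV2_HEADER] = f"{TENANT_ID}:{POLICY_ID}"
    return tagged


def trv2_value(headers: dict) -> tuple:
    """Parse the header back into (tenant_id, policy_id), as the service side would."""
    tenant, _, policy = headers.get(TRV2_HEADER, "").partition(":")
    return tenant, policy


if __name__ == "__main__":
    for url in ("https://login.microsoftonline.com/common/oauth2/v2.0/authorize",
                "https://contoso.sharepoint.com/sites/finance"):
        print(url, "->", tag_request(url, {"Accept": "*/*"}))
```

The point of the host check is the one the page makes: a proxy-only deployment tags the authentication plane and nothing else, which is exactly why it gives no data plane protection; Universal Tenant Restrictions closes that gap by tagging all traffic through GSA.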
Prerequisites
To configure tenant restrictions, you need:
- Microsoft Entra ID P1 or P2
- Account with a role of at least Security Administrator
- Windows devices running Windows 10/11 with the latest updates
Configure default tenant restrictions v2
Settings for tenant restrictions v2 can be found in the Microsoft Entra admin center under Cross-tenant access settings. First, configure the default tenant restrictions you want to apply to all users, groups, apps, and organizations. If you need partner-specific configurations, you can then add a partner’s organization and customize any settings that differ from your defaults.
To configure default tenant restrictions:
- Go to Identity > External Identities > Cross-tenant access settings.
- Select the Default settings tab.
- Scroll to the Tenant restrictions section.
- Select the Edit tenant restrictions defaults link.
- If a default policy doesn’t exist yet in the tenant, a Create Policy link appears next to the Policy ID; select it.
- The Tenant restrictions page displays the Tenant ID and Policy ID. Copy both values; you will need them later.
- Select External users and groups. Under Access status, choose one of the following:
  - Allow access: Allows all users who are signed in with external accounts to access external apps (specified on the External applications tab).
  - Block access: Blocks all users who are signed in with external accounts from accessing external apps (specified on the External applications tab).
- Select the External applications tab. Under Access status, choose one of the following:
  - Allow access: Allows all users who are signed in with external accounts to access the apps specified in the Applies to section.
  - Block access: Blocks all users who are signed in with external accounts from accessing the apps specified in the Applies to section.
- Under Applies to, select one of the following:
  - All external applications: Applies the action to all external apps. If you block access to all external apps, you also need to block access for all of your users and groups (on the Users and groups tab).
  - Select external applications: Choose the external apps you want the action under Access status to apply to. To select applications, choose Add Microsoft applications or Add other applications. Then search by the application name or the application ID (either the client app ID or the resource app ID) and select the app. If you want to add more apps, use the Add button. When you’re done, select Submit.
- Select Save.
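The same default policy can be set programmatically, which is handy when you manage several tenants or want the setting under version control. The following added example is not Microsoft's code nor the author's: it builds the Microsoft Graph request body for the default tenant restrictions and enforces the rule stated above (blocking all external apps requires blocking all users and groups). The endpoint and payload shape follow the Graph `crossTenantAccessPolicy` default schema as I understand it (`PATCH /policies/crossTenantAccessPolicy/default` with a `tenantRestrictions` object) and should be checked against the current Graph reference; `ACCESS_TOKEN` is a placeholder.

```python
"""Added example, not Microsoft's or the page author's code: the default tenant
restrictions v2 settings from the steps above expressed as a Microsoft Graph request,
including the portal's rule that blocking all external apps also requires blocking
all users and groups.

Assumptions, labelled: the endpoint and payload shape follow the Graph
crossTenantAccessPolicy default schema as this example's author understands it
(PATCH /policies/crossTenantAccessPolicy/default with a tenantRestrictions object);
check the current Graph reference before relying on it. ACCESS_TOKEN is a placeholder.
"""
import json
import urllib.request

GRAPH_DEFAULT_POLICY = "https://graph.microsoft.com/beta/policies/crossTenantAccessPolicy/default"
ACCESS_TOKEN = "<placeholder: bearer token with Policy.ReadWrite.CrossTenantAccess>"


def is_valid_combination(block_all_apps: bool, block_all_users: bool) -> bool:
    """Blocking every external app only makes sense if every external user is blocked too."""
    return block_all_users or not block_all_apps


def tenant_restrictions_payload(block_all_apps: bool, block_all_users: bool,
                                app_ids=()) -> dict:
    """Build the tenantRestrictions object for the default cross-tenant access policy.

    block_all_apps=True targets AllApplications; otherwise the given app IDs
    (client or resource app IDs, as on the External applications tab).
    """
    if not is_valid_combination(block_all_apps, block_all_users):
        raise ValueError("blocking all external apps requires blocking all users and groups")
    if not block_all_apps and not app_ids:
        raise ValueError("supply app_ids when not blocking all external applications")
    app_targets = ([{"target": "AllApplications", "targetType": "application"}]
                   if block_all_apps else
                   [{"target": app_id, "targetType": "application"} for app_id in app_ids])
    return {
        "tenantRestrictions": {
            "usersAndGroups": {
                "accessType": "blocked" if block_all_users else "allowed",
                "targets": [{"target": "AllUsers", "targetType": "user"}],
            },
            "applications": {"accessType": "blocked", "targets": app_targets},
        }
    }


def build_request(payload: dict) -> urllib.request.Request:
    """Prepare the PATCH without sending it; urllib.request.urlopen(req) applies it."""
    return urllib.request.Request(
        GRAPH_DEFAULT_POLICY,
        data=json.dumps(payload).encode("utf-8"),
        method="PATCH",
        headers={"Authorization": f"Bearer {ACCESS_TOKEN}",
                 "Content-Type": "application/json"},
    )


if __name__ == "__main__":
    body = tenant_restrictions_payload(block_all_apps=True, block_all_users=True)
    print(json.dumps(body, indent=2))
```

After the PATCH, read the policy back (a GET on the same URL) and confirm the Policy ID matches the one you copied from the portal; that ID is what the TRv2 header carries, so a mismatch means enforcement silently points at the wrong policy.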
Enable tagging for Tenant Restrictions v2
Once you have created the tenant restriction v2 policies, you can utilize Global Secure Access to apply tagging for tenant restrictions v2. An administrator with both the Global Secure Access Administrator and Security Administrator roles must follow these steps to enable enforcement with Global Secure Access.
- Go to Global Secure Access > Global Settings > Session Management > Tenant Restrictions.
- Select the toggle to Enable tagging to enforce tenant restrictions on your network.
- Select Save.
Try Universal Tenant Restrictions
Tenant restrictions are not enforced when a user (or a guest user) attempts to access resources in the tenant where the policies are configured. Tenant restriction policies are processed only when an identity from a different tenant attempts to sign in and/or access resources. For example, if you configure a Tenant Restrictions v2 policy in the tenant contoso.com to block all organizations except fabrikam.com, the policy will apply as follows:
| User | Type | Tenant | TRv2 policy processed? | Authenticated access allowed? | Anonymous access allowed? |
|---|---|---|---|---|---|
| alice@contoso.com | Member | contoso.com | No (same tenant) | Yes | No |
| alice@fabrikam.com | Member | fabrikam.com | Yes | Yes (tenant allowed by policy) | No |
| bob@northwinds.com | Member | northwinds.com | Yes | No (tenant not allowed by policy) | No |
| bob_northwinds.com#EXT#@contoso.com | Guest | contoso.com | No (guest user) | Yes | No |
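The table shows the decision for four specific identities; the following added example, which is not Microsoft's code nor the author's, generalizes that decision to any user principal name so you can check your own expectations before testing in the portal. It assumes the policy is modelled as a set of allowed external tenants (everything else blocked), that anonymous access is always denied under data plane protection, and that the `#EXT#` marker identifies a guest object in the home tenant; `HOME_TENANT` and `ALLOWED_EXTERNAL_TENANTS` are the example values from the text.

```python
"""Added example, not Microsoft's or the page author's code: the decision logic behind
the table above, generalized to any user principal name.

Assumptions, labelled: the policy is modelled as a set of allowed external tenants
(everything else blocked); anonymous access is always denied under data plane
protection; the '#EXT#' marker identifies a guest object in the home tenant.
"""
from dataclasses import dataclass

HOME_TENANT = "contoso.com"                   # tenant where the TRv2 policy is configured
ALLOWED_EXTERNAL_TENANTS = {"fabrikam.com"}   # TRv2 allow-list from the example


@dataclass(frozen=True)
class Decision:
    policy_processed: bool      # was the TRv2 policy evaluated at all?
    authenticated_access: bool  # may the signed-in identity reach the resource?
    anonymous_access: bool      # may the resource be reached without signing in?
    reason: str


def account_tenant(upn: str) -> tuple:
    """Return (tenant the account object lives in, is_guest).

    A guest UPN such as 'bob_northwinds.com#EXT#@contoso.com' is an object in
    contoso.com, even though the identity originally came from northwinds.com.
    """
    local, _, domain = upn.rpartition("@")
    return domain.lower(), "#EXT#" in local.upper()


def evaluate(upn: str) -> Decision:
    """Apply the TRv2 rules: the policy is only processed for identities from other tenants."""
    tenant, is_guest = account_tenant(upn)
    if tenant == HOME_TENANT:
        # Home-tenant members and guests are not subject to the home tenant's own policy.
        return Decision(False, True, False, "guest user" if is_guest else "same tenant")
    if tenant in ALLOWED_EXTERNAL_TENANTS:
        return Decision(True, True, False, "tenant allowed by policy")
    return Decision(True, False, False, "tenant not allowed by policy")


def render_table(upns) -> str:
    """Reproduce the page's table layout for a list of UPNs."""
    rows = ["User | Policy processed? | Authenticated access? | Anonymous access?"]
    for upn in upns:
        d = evaluate(upn)
        rows.append(f"{upn} | {'Yes' if d.policy_processed else 'No'} ({d.reason}) | "
                    f"{'Yes' if d.authenticated_access else 'No'} | "
                    f"{'Yes' if d.anonymous_access else 'No'}")
    return "\n".join(rows)


if __name__ == "__main__":
    print(render_table(["alice@contoso.com", "alice@fabrikam.com",
                        "bob@northwinds.com", "bob_northwinds.com#EXT#@contoso.com"]))
```

The guest row is the one most often misread: a Northwinds user invited into Contoso as a guest is a Contoso object, so Contoso's policy does not process it, even though northwinds.com itself is not on the allow-list.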
Validate the authentication plane protection
- Browse to https://myapps.microsoft.com/ and sign in with an external identity that isn’t allow-listed in a tenant restrictions v2 policy.
- The user is blocked from authenticating to MyApps with the following error message:
Validate the data plane protection
- Browse to https://yourcompany.sharepoint.com/ and sign in with an external identity that isn’t allow-listed in a tenant restrictions v2 policy.
- The user sees a message saying that their access is now blocked:
Web Content Filtering
Another great feature of Microsoft Entra Internet Access is web content filtering. Please read my new blog about what this is and how to configure it.