topic Restrict Microsoft365 tenant in General Topics

Restrict Microsoft365 tenant

Teddyleung — Wed, 07 Feb 2024 03:50:35 GMT

Hi,

To restrict access to specified Microsoft 365 tenant (allow company M365 tenant only), I have tired to follow below link for configuration.

But it's didn't work. Users still available to logon with personal M365 account.

Since URL including below only, is it the root cause ?

I also tried to use External Dynamic Lists "https://saasedl.paloaltonetworks.com/feeds/m365/worldwide/any/all/url", but user then couldn't be access / browsing all Microsoft webpage.

External Dynamic List is provided by PaloAlto EDL Hosting Service (paloaltonetworks.com)

Secondly, refer to Decryption log, I found error Received fatal alert CertificateUnknown from client. CA Issuer URL (truncated):http://www.microsoft.com/pkiops/certs/Microsoft%20Azure%20RSA%2

Furthermore, URL filtering license expired is showed in URL filtering, is it impact to configuration?

May I know what's the best practice to achieve it ?

Thanks

OtakarKlier — Thu, 08 Feb 2024 21:18:43 GMT

Hello,

I'm facing a similar issue and havent had a chance to look into it. I'll post when I find something.

Regards,

gcollins5 — Thu, 26 Mar 2026 16:21:27 GMT

Hello All . Been wrestling with this for a week .

My starting point is to only allow connections to the entra joined domain for e,g, fred.onmicrosoft.com .

The rational is DLP - if I go to my browser and attempt to logon to another enterprise - dave.onmicrosoft.com it is blocked.

This is not consumer BTW - home tenants are blocked with the tenant restrictions I am about to describe...

For background , Entra has V1 & V2 implementations.

The palo method is :

Create a URL filter with the correct microsoft login domain .
Decrypt them
For V1 use header insertion -
- restrict-access-context : tenant value (login.microsoftoneline.com/login.microsoft.com/login windows.net )
- restrict-access-to-tenant : tenantvalue (same as above
- sec-restrict-tenant-access: restrict msa
V2 is just
- sec-restrict-tenant-access-policy : tenant value (same microsoft logins as above)

Then create a rule with a security profile with header & URl filter - restrict it to a test user !

Basically you decrypt microsoft logins an insert a header....

Test the logins from login.microsoftonline.com

You need to setup tenant restrictions on Entra with block inwards and outwards .

The idea is you pass the header to Entra and it decides whether you connect .

Problem is it doesnt work !

I can login to eberything...

The only way I have managed to get this to psuedo work is to use SaaS endpoint for M365 on a rule with no header insertion .

Only problem is - it stops the entra joined user greg@fred.onmicrosoft.com logging into dave@onmicrosoft.com

I doesnt stop dave@onmicrosoft.com from logging into dave@onmicrosoft.com which sort of deefats the object.

Did anyone get it working ????

I am also going to start a new thread for this