https://live.paloaltonetworks.com/t5/general-topics/prisma-access-and-microsoft-tenant-restrictions/m-p/1251093#M126205 <P>You need to put Tenant ID value on "<SPAN>restrict-access-context</SPAN><SPAN>".<BR /><BR />P.S. Ensure you block QUIC.</SPAN></P> Fri, 27 Mar 2026 18:28:02 GMT acsebav 2026-03-27T18:28:02Z https://live.paloaltonetworks.com/t5/general-topics/prisma-access-and-microsoft-tenant-restrictions/m-p/1251025#M126201 <P>Hello All . Been wrestling with this for a week .&nbsp;</P> <P>My starting point is&nbsp; to only allow connections to the entra joined domain&nbsp; for e,g,&nbsp; fred.onmicrosoft.com&nbsp; &nbsp;.</P> <P>The rational is DLP - if I go to my browser and attempt to logon to another enterprise - dave.onmicrosoft.com it is blocked.&nbsp;</P> <P>This is not consumer BTW - home tenants are blocked with&nbsp; the tenant restrictions I am about to describe...&nbsp;</P> <P>For background , Entra&nbsp; has V1 &amp; V2 implementations.&nbsp;</P> <P>The palo method is :&nbsp;</P> <UL> <LI>Create a URL filter with the correct microsoft login domain .&nbsp;</LI> <LI>Decrypt them&nbsp;</LI> <LI>For V1 use header insertion -&nbsp; <UL> <LI>restrict-access-context : tenant value&nbsp; (login.microsoftoneline.com/login.microsoft.com/login windows.net )&nbsp;</LI> <LI>restrict-access-to-tenant : tenantvalue (same as above</LI> <LI>sec-restrict-tenant-access: restrict msa&nbsp;</LI> </UL> </LI> <LI>V2 is just&nbsp; <UL> <LI>sec-restrict-tenant-access-policy : tenant value&nbsp; (same microsoft logins as above)</LI> </UL> </LI> </UL> <P>Then create a rule with a security profile with header &amp; URl filter - restrict it to a test user !</P> <P>Basically you&nbsp; decrypt microsoft logins an insert a header....&nbsp;</P> <P>Test the logins from login.microsoftonline.com&nbsp;</P> <P>&nbsp;</P> <P>You need to setup tenant restrictions on Entra with block inwards and outwards .&nbsp;</P> <P>The idea is you pass the header to Entra and it decides whether you connect .&nbsp;</P> <P>Problem is it doesnt work !</P> <P>&nbsp;</P> <P>I can login to eberything...&nbsp;</P> <P>The only way I have managed to get this to psuedo work is to use SaaS endpoint for M365&nbsp; &nbsp;on a rule&nbsp; with no header insertion .&nbsp;</P> <P data-unlink="true">Only problem is - it stops the entra joined user <A href="mailto:greg@fred.onmicrosoft.com" target="_blank">greg@fred.onmicrosoft.com&nbsp;</A>&nbsp; logging into <A href="mailto:dav@microsoftonline.com" target="_blank">dave@onmicrosoft.com&nbsp;</A></P> <P>I doesnt stop <A href="mailto:dave@onmicrosoft.com" target="_blank">dave@onmicrosoft.com </A>from logging into <A href="mailto:dave@onmicrosoft.com" target="_blank">dave@onmicrosoft.com</A>&nbsp;which sort of deefats the object.</P> <P>Did anyone get it working ????</P> Thu, 26 Mar 2026 16:22:04 GMT https://live.paloaltonetworks.com/t5/general-topics/prisma-access-and-microsoft-tenant-restrictions/m-p/1251025#M126201 gcollins5 2026-03-26T16:22:04Z https://live.paloaltonetworks.com/t5/general-topics/prisma-access-and-microsoft-tenant-restrictions/m-p/1251093#M126205 <P>You need to put Tenant ID value on "<SPAN>restrict-access-context</SPAN><SPAN>".<BR /><BR />P.S. Ensure you block QUIC.</SPAN></P> Fri, 27 Mar 2026 18:28:02 GMT https://live.paloaltonetworks.com/t5/general-topics/prisma-access-and-microsoft-tenant-restrictions/m-p/1251093#M126205 acsebav 2026-03-27T18:28:02Z https://live.paloaltonetworks.com/t5/general-topics/prisma-access-and-microsoft-tenant-restrictions/m-p/1251155#M126210 <P><SPAN>You need to put Tenant ID value on "</SPAN><SPAN>restrict-access-context</SPAN><SPAN>". - did you use the tenant name or the value from entra ?</SPAN></P> <P><SPAN>I tried both with no result .</SPAN></P> <P><SPAN>Quic is blocked already so I don't think it is that .&nbsp;</SPAN></P> <P>&nbsp;</P> Mon, 30 Mar 2026 07:57:07 GMT https://live.paloaltonetworks.com/t5/general-topics/prisma-access-and-microsoft-tenant-restrictions/m-p/1251155#M126210 gcollins5 2026-03-30T07:57:07Z https://live.paloaltonetworks.com/t5/general-topics/prisma-access-and-microsoft-tenant-restrictions/m-p/1251158#M126211 <P>The value from Entra "Tenant ID".</P> Mon, 30 Mar 2026 08:13:15 GMT https://live.paloaltonetworks.com/t5/general-topics/prisma-access-and-microsoft-tenant-restrictions/m-p/1251158#M126211 acsebav 2026-03-30T08:13:15Z