Prisma Access and Microsoft Tenant Restrictions


L2 Linker

Hello All. Been wrestling with this for a week.

My starting point is to only allow connections to the Entra joined domain, e.g. fred.onmicrosoft.com.

The rationale is DLP - if I go to my browser and attempt to log on to another enterprise, dave.onmicrosoft.com, it is blocked.

This is not consumer BTW - home tenants are blocked with the tenant restrictions I am about to describe...

For background, Entra has V1 & V2 implementations.

The Palo method is:

  • Create a URL filter with the correct Microsoft login domains.
  • Decrypt them.
  • For V1 use header insertion:
    • restrict-access-context : tenant value (login.microsoftonline.com / login.microsoft.com / login.windows.net)
    • restrict-access-to-tenant : tenant value (same as above)
    • sec-restrict-tenant-access : restrict msa
  • V2 is just:
    • sec-restrict-tenant-access-policy : tenant value (same Microsoft logins as above)

Then create a rule with a security profile with header & URL filter - restrict it to a test user!

Basically you decrypt Microsoft logins and insert a header....

Test the logins from login.microsoftonline.com.

You need to set up tenant restrictions on Entra with block inwards and outwards.

The idea is you pass the header to Entra and it decides whether you connect.

Problem is it doesn't work!

I can log in to everything...

The only way I have managed to get this to pseudo work is to use the SaaS endpoint for M365 on a rule with no header insertion.

Only problem is - it stops the Entra joined user greg@fred.onmicrosoft.com logging into dave@onmicrosoft.com.

It doesn't stop dave@onmicrosoft.com from logging into dave@onmicrosoft.com, which sort of defeats the object.

Did anyone get it working?

3 REPLIES

L0 Member

You need to put Tenant ID value on "restrict-access-context".

P.S. Ensure you block QUIC.

"You need to put Tenant ID value on "restrict-access-context"." - did you use the tenant name or the value from Entra?

I tried both with no result.

QUIC is blocked already so I don't think it is that.

The value from Entra "Tenant ID".
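The procedure in the original post (decrypt the Microsoft login hosts, then insert the V1 or V2 tenant restriction headers) and the reply's point that restrict-access-context needs the Entra Tenant ID, as an added Python example that is not code from this thread, from Palo Alto Networks or from Microsoft. The header names and value forms follow Microsoft's tenant restrictions documentation (V1: Restrict-Access-To-Tenants, Restrict-Access-Context and sec-Restrict-Tenant-Access-Policy: restrict-msa; V2: sec-Restrict-Tenant-Access-Policy carrying tenantId:policyId). The GUIDs, the sample request and all function names are constructed assumptions, and insert_headers only models what the firewall's header insertion profile does to a request after decryption; it is not the Prisma Access implementation.

```python
"""Added example (not code from the thread, Palo Alto Networks or Microsoft).

Builds the Microsoft tenant restrictions headers that a decrypting proxy
inserts into requests for the Microsoft login hosts, and audits a decrypted
request for the mistake discussed in the thread: a domain name instead of the
directory (tenant) ID GUID in Restrict-Access-Context.
"""
import re
from typing import Dict, List

# Login hosts named in the thread; header insertion only applies to these.
LOGIN_HOSTS = {"login.microsoftonline.com", "login.microsoft.com", "login.windows.net"}
# Every tenant restriction header the proxy owns; client copies are stripped.
RESTRICTION_HEADERS = {"restrict-access-to-tenants", "restrict-access-context",
                       "sec-restrict-tenant-access-policy"}
GUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)

# Constructed placeholder GUIDs (use the values shown in the Entra portal).
FRED_TENANT_ID = "11111111-2222-3333-4444-555555555555"
FRED_POLICY_ID = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"


def v1_headers(context_tenant_id: str, allowed_tenants: List[str],
               block_msa: bool = True) -> Dict[str, str]:
    """V1: Restrict-Access-Context carries the tenant ID GUID of the tenant whose
    policy applies; Restrict-Access-To-Tenants lists the tenants users may sign
    in to (domain names or IDs); restrict-msa blocks consumer accounts."""
    if not GUID_RE.match(context_tenant_id):
        raise ValueError(f"Restrict-Access-Context needs the tenant ID GUID, got {context_tenant_id!r}")
    headers = {"Restrict-Access-To-Tenants": ",".join(allowed_tenants),
               "Restrict-Access-Context": context_tenant_id}
    if block_msa:
        headers["sec-Restrict-Tenant-Access-Policy"] = "restrict-msa"
    return headers


def v2_headers(tenant_id: str, policy_id: str) -> Dict[str, str]:
    """V2: one header carrying <tenantId>:<policyId>, both GUIDs from the Entra
    tenant restrictions v2 policy."""
    if not (GUID_RE.match(tenant_id) and GUID_RE.match(policy_id)):
        raise ValueError("tenant restrictions v2 needs two GUIDs (tenant ID and policy ID)")
    return {"sec-Restrict-Tenant-Access-Policy": f"{tenant_id}:{policy_id}"}


def _split(request: str):
    """Split a raw HTTP/1.1 request into its lines, separator, body and a
    lower-cased header map."""
    head, sep, body = request.partition("\r\n\r\n")
    lines = head.split("\r\n")
    hdrs = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        hdrs[name.strip().lower()] = value.strip()
    return lines, sep, body, hdrs


def insert_headers(request: str, headers: Dict[str, str]) -> str:
    """Insert restriction headers into a decrypted request whose Host is a
    Microsoft login host; other hosts pass through untouched. Client-supplied
    restriction headers are dropped first so a user cannot pre-set them."""
    lines, sep, body, hdrs = _split(request)
    if hdrs.get("host", "").lower() not in LOGIN_HOSTS:
        return request
    kept = [lines[0]] + [l for l in lines[1:]
                         if l.partition(":")[0].strip().lower() not in RESTRICTION_HEADERS]
    kept += [f"{k}: {v}" for k, v in headers.items()]
    return "\r\n".join(kept) + sep + body


def audit(request: str) -> List[str]:
    """List what is wrong with the restriction headers on a decrypted login
    request: headers missing, or values not in the form Entra expects."""
    _, _, _, hdrs = _split(request)
    if hdrs.get("host", "").lower() not in LOGIN_HOSTS:
        return []
    problems = []
    policy = hdrs.get("sec-restrict-tenant-access-policy", "")
    if ":" in policy:  # V2 form, tenantId:policyId
        tenant, _, pol = policy.partition(":")
        if not (GUID_RE.match(tenant) and GUID_RE.match(pol)):
            problems.append("v2 policy value must be <tenantId>:<policyId> GUIDs")
        return problems
    ctx = hdrs.get("restrict-access-context")
    if ctx is None:
        problems.append("no tenant restriction headers on a login request")
    elif not GUID_RE.match(ctx):
        problems.append(f"Restrict-Access-Context is {ctx!r}, not the tenant ID GUID")
    if "restrict-access-to-tenants" not in hdrs:
        problems.append("Restrict-Access-To-Tenants missing")
    return problems


# Constructed sample: what the proxy sees after decrypting a login request,
# including a restriction header the client tried to set itself.
SAMPLE_LOGIN = ("GET /common/oauth2/authorize HTTP/1.1\r\n"
                "Host: login.microsoftonline.com\r\n"
                "Restrict-Access-Context: client-chosen\r\n\r\n")

if __name__ == "__main__":
    fixed = insert_headers(SAMPLE_LOGIN, v1_headers(FRED_TENANT_ID, ["fred.onmicrosoft.com"]))
    print(fixed)
    print("problems:", audit(fixed))
```

Running audit over a decrypted request is the quickest way to confirm the firewall is inserting what Entra needs: with the tenant name in Restrict-Access-Context the check fails, with the Tenant ID GUID from Entra it passes. Two things the script cannot see still matter in practice: the request has to be decrypted at all (an undecrypted or QUIC session carries no inserted headers, which is why the reply says to block QUIC), and Entra only enforces the header once the tenant restrictions policy is configured on the Entra side.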
