02-06-2024 07:41 PM - edited 02-06-2024 07:50 PM
Hi,
To restrict access to a specified Microsoft 365 tenant (allow the company M365 tenant only), I have tried to follow the link below for configuration.
But it didn't work. Users are still able to log on with personal M365 accounts.
Since the URL list includes only the following, is that the root cause?
login.microsoftonline.com
login.windows.net
login.microsoft.com
I also tried to use the External Dynamic List "https://saasedl.paloaltonetworks.com/feeds/m365/worldwide/any/all/url", but users then couldn't access / browse any Microsoft webpages.
The External Dynamic List is provided by the Palo Alto EDL Hosting Service (paloaltonetworks.com).
Secondly, referring to the Decryption log, I found the error "Received fatal alert CertificateUnknown from client. CA Issuer URL (truncated): http://www.microsoft.com/pkiops/certs/Microsoft%20Azure%20RSA%2"
Furthermore, "URL filtering license expired" is shown in URL filtering; does that impact the configuration?
May I know what's the best practice to achieve it?
Thanks
02-08-2024 01:18 PM
Hello,
I'm facing a similar issue and haven't had a chance to look into it. I'll post when I find something.
Regards,
03-26-2026 09:21 AM
Hello all. Been wrestling with this for a week.
My starting point is to only allow connections to the Entra joined domain, e.g. fred.onmicrosoft.com.
The rationale is DLP: if I go to my browser and attempt to log on to another enterprise, dave.onmicrosoft.com, it is blocked.
This is not consumer BTW; home tenants are blocked with the tenant restrictions I am about to describe...
For background, Entra has V1 & V2 implementations.
The Palo method is:
Then create a rule with a security profile with header & URL filter; restrict it to a test user!
Basically you decrypt Microsoft logins and insert a header....
Test the logins from login.microsoftonline.com
You need to set up tenant restrictions on Entra with block inwards and outwards.
The idea is you pass the header to Entra and it decides whether you connect.
Problem is it doesn't work!
I can log in to everything...
The only way I have managed to get this to pseudo work is to use the SaaS endpoint for M365 on a rule with no header insertion.
Only problem is, it stops the Entra joined user greg@fred.onmicrosoft.com logging into dave@onmicrosoft.com.
It doesn't stop dave@onmicrosoft.com from logging into dave@onmicrosoft.com, which sort of defeats the object.
Did anyone get it working?
I am also going to start a new thread for this.
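One way to check, on a decrypted request captured between the firewall and the login endpoint, whether the header-insertion rule described in the posts above actually rewrote the request. This is an added example, not code from the thread or from Palo Alto; it assumes the Microsoft-documented tenant restrictions v1 headers Restrict-Access-To-Tenants and Restrict-Access-Context, and the sample requests and tenant ID are constructed.

```python
# Check whether an intercepted Microsoft login request carries the tenant-restriction
# headers that the firewall's header-insertion rule is supposed to add.

# Login hosts named in the thread; header insertion only matters on these.
LOGIN_HOSTS = {"login.microsoftonline.com", "login.windows.net", "login.microsoft.com"}
# Tenant restrictions v1 header names (Microsoft-documented; an assumption here, not from the thread).
TENANT_HEADER = "restrict-access-to-tenants"
CONTEXT_HEADER = "restrict-access-context"

def parse_request(raw: str) -> tuple[str, dict[str, str]]:
    """Split a raw HTTP/1.1 request head into (request line, lower-cased header map)."""
    head = raw.split("\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split("\r\n")
    headers = {}
    for line in header_lines:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return request_line, headers

def check_tenant_restriction(raw: str, allowed: set[str], tenant_id: str) -> list[str]:
    """Return findings for a login request; an empty list means the rewrite is correct."""
    _, headers = parse_request(raw)
    if headers.get("host", "").lower() not in LOGIN_HOSTS:
        return []  # not a login endpoint, so header insertion does not apply
    findings = []
    tenants = headers.get(TENANT_HEADER)
    if tenants is None:
        findings.append("Restrict-Access-To-Tenants missing: decryption or header insertion did not apply")
    else:
        listed = {t.strip().lower() for t in tenants.split(",") if t.strip()}
        if listed - allowed:
            findings.append(f"extra tenants permitted: {sorted(listed - allowed)}")
        if allowed - listed:
            findings.append(f"company tenants not listed: {sorted(allowed - listed)}")
    context = headers.get(CONTEXT_HEADER)
    if context is None:
        findings.append("Restrict-Access-Context missing")
    elif context.lower() != tenant_id.lower():
        findings.append("Restrict-Access-Context does not match the company directory ID")
    return findings

# Constructed sample captures (not from the thread); the tenant ID is a placeholder.
ALLOWED = {"fred.onmicrosoft.com"}
TENANT_ID = "11111111-2222-3333-4444-555555555555"
UNMODIFIED = "GET /common/oauth2/v2.0/authorize HTTP/1.1\r\nHost: login.microsoftonline.com\r\n\r\n"
REWRITTEN = (UNMODIFIED[:-2] + "Restrict-Access-To-Tenants: fred.onmicrosoft.com\r\n"
             f"Restrict-Access-Context: {TENANT_ID}\r\n\r\n")
```

An unmodified request like UNMODIFIED is the symptom reported above: the login still reaches Entra without any tenant header, so Entra has nothing to enforce.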