4.14. Implementing Office 365 Tenant Restrictions

4.14.1. What it is

SSL Orchestrator 10.1 introduces an Office 365 Tenant Restrictions feature as a service in the service chain. This feature enhances an organization’s outbound traffic security posture by blocking potential data exfiltration through Microsoft Office 365. For example, within the organization, users can access organizational Office 365 assets like Office applications, OneDrive, etc., but non-organizational Office 365 assets will be blocked. This could include personal and other external Office 365 resources.



Figure 103: Office 365 Tenant Restrictions


The feature works by inserting a set of Tenant Restrictions headers into decrypted HTTP traffic destined for any of the following Microsoft login hosts:

  • login.microsoftonline.com

  • login.microsoft.com

  • login.windows.net

When a request to one of these hosts is seen in decrypted traffic, the Tenant Restrictions service inserts the following HTTP headers into it:

  • Restrict-Access-To-Tenants: the allowed tenants, each identified by a domain name registered to the tenant (for example, contoso.com) or by its tenant ID (for example, 72f988bf-86f1-41af-91ab-2d7cd011db47); multiple tenants are separated by commas.

  • Restrict-Access-Context: the directory ID of the tenant that is setting the Tenant Restrictions policy, normally your own. You can find your directory ID in the Azure Active Directory portal (now Microsoft Entra ID): sign in as an administrator, select Azure Active Directory, then select Properties.

For additional details on Tenant Restrictions, please visit the following Microsoft resource: https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/tenant-restrictions


4.14.2. How to build it

In the SSL Orchestrator, under the Services tab (F5), click on the Office 365 Tenant Restrictions tile to configure the service.

The tile presents the following fields (field, then the expected user input):

  • Name: enter a unique name for the service.

  • Header, Restrict Access To Tenant: the value for the Restrict-Access-To-Tenants header, a comma-separated list of the tenants users are permitted to access. Any domain registered with a tenant (for example, f5labs.com), or the tenant ID, can be used to identify that tenant. To allow access to both the Contoso and Fabrikam tenants, the resulting name/value pair looks like this:

    Restrict-Access-To-Tenants: contoso.onmicrosoft.com,fabrikam.onmicrosoft.com

  • Header, Restrict Access Context: the value for the Restrict-Access-Context header, a single directory ID (tenant ID) declaring which tenant is setting the Tenant Restrictions policy. To declare Contoso as that tenant, the name/value pair looks like this:

    Restrict-Access-Context: 456ff232-35l2-5h23-b3b3-3236w0826f3d

    The value above is a placeholder and is not a valid directory ID: a real one is a GUID of 32 hexadecimal digits in 8-4-4-4-12 form, like the tenant ID example in 4.14.1. Enter your own tenant's directory ID here.

Once defined, insert the new service into a service chain and create a security policy rule that intercepts (decrypts) traffic to the three login hosts and assigns that service chain. The headers can only be inserted into traffic that SSL Orchestrator decrypts: a rule that bypasses decryption for these hosts leaves the request untouched and the restriction unenforced, and the same is true for any client that can reach the login hosts without passing through SSL Orchestrator at all. To verify the configuration, sign in from a client behind the device first to a tenant on the allowed list and then to one that is not; the first sign-in should succeed and the second should be refused by Microsoft.
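The following is an added example, not F5 or Microsoft code, that models what the service in 4.14.1 does to a decrypted request: it parses a raw HTTP/1.1 request, checks whether the Host is one of the three login hosts named above, and if so removes any Restrict-Access-* headers the client sent and inserts the organization's own Restrict-Access-To-Tenants and Restrict-Access-Context values from the fields in 4.14.2. It also rejects a Restrict-Access-Context that is not a GUID, so the placeholder shown in the field description would be caught before deployment. The sample requests and tenant names are constructed for illustration; the context ID reuses the tenant ID example from 4.14.1.

```python
# Added example (not F5 or Microsoft code): a minimal model of the Office 365
# Tenant Restrictions header insertion performed on a decrypted HTTP request.
# Sample requests, tenant names and the spoofed header below are constructed.
import re
from typing import List, Tuple

# Hosts for which the headers are inserted (from the page).
TENANT_RESTRICTION_HOSTS = frozenset({
    "login.microsoftonline.com",
    "login.microsoft.com",
    "login.windows.net",
})

HEADER_TENANTS = "Restrict-Access-To-Tenants"
HEADER_CONTEXT = "Restrict-Access-Context"

# A directory (tenant) ID is a GUID: 32 hex digits in 8-4-4-4-12 form.
GUID_RE = re.compile(
    r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I
)


def validate_policy(allowed_tenants: List[str], context_id: str) -> None:
    """Reject values Microsoft would not honour before they reach production."""
    if not allowed_tenants or any(not t.strip() or "," in t for t in allowed_tenants):
        raise ValueError("allowed tenants must be a non-empty list of domains or tenant IDs")
    if not GUID_RE.match(context_id):
        raise ValueError(f"{HEADER_CONTEXT} must be a GUID, got {context_id!r}")


def parse_request(raw: bytes) -> Tuple[str, List[Tuple[str, str]], bytes]:
    """Split a raw HTTP/1.1 request into (request line, header list, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = []
    for line in lines[1:]:
        if not line:
            continue
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return lines[0], headers, body


def header_map(raw: bytes) -> dict:
    """Lower-cased header name -> value for a raw request (last value wins)."""
    _, headers, _ = parse_request(raw)
    return {n.lower(): v for n, v in headers}


def insert_tenant_restrictions(raw: bytes, allowed_tenants: List[str],
                               context_id: str) -> Tuple[bytes, bool]:
    """Return (request, inserted). Only requests to the login hosts are changed."""
    validate_policy(allowed_tenants, context_id)
    request_line, headers, body = parse_request(raw)
    host = next((v for n, v in headers if n.lower() == "host"), "")
    host = host.split(":", 1)[0].lower()  # drop an explicit :443 if present
    if host not in TENANT_RESTRICTION_HOSTS:
        return raw, False
    # Drop any Restrict-Access-* header the client sent. If ours were merely
    # appended, a user could supply their own tenant list and whichever copy
    # Microsoft read first would decide the policy.
    blocked = {HEADER_TENANTS.lower(), HEADER_CONTEXT.lower()}
    kept = [(n, v) for n, v in headers if n.lower() not in blocked]
    kept.append((HEADER_TENANTS, ",".join(t.strip() for t in allowed_tenants)))
    kept.append((HEADER_CONTEXT, context_id))
    head = request_line + "\r\n" + "".join(f"{n}: {v}\r\n" for n, v in kept) + "\r\n"
    return head.encode("latin-1") + body, True


if __name__ == "__main__":
    policy_tenants = ["contoso.onmicrosoft.com", "fabrikam.onmicrosoft.com"]
    policy_context = "72f988bf-86f1-41af-91ab-2d7cd011db47"  # tenant ID example from the page
    # Constructed request in which the client tries to smuggle its own tenant list.
    spoofed = (b"GET /common/oauth2/v2.0/authorize HTTP/1.1\r\n"
               b"Host: login.microsoftonline.com\r\n"
               b"Restrict-Access-To-Tenants: personal.onmicrosoft.com\r\n\r\n")
    rewritten, inserted = insert_tenant_restrictions(spoofed, policy_tenants, policy_context)
    print(rewritten.decode("latin-1"))
```

The point of the replace-rather-than-append rule is that the headers are an instruction from the proxy to Microsoft, so nothing the client put in the request may survive; the same rule applies to a Host header carrying a port, which is normalized before the lookup so that an explicit :443 cannot slip past the host check.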