Tenant restriction for SaaS services (App+Browser) in AVD

Shubham Prajapati 40 Reputation points
2026-02-02T14:48:59.51+00:00

Hi,

I'm looking for a way to restrict the public domain inside the AVD. Only the organization domain should be allowed to access the SaaS services. This restriction should be applied only to AVD, not to other environments (VMs).

Azure Virtual Desktop

1 answer

  1. Jerald Felix 10,625 Reputation points
    2026-02-03T02:16:12.03+00:00

    Hello Shubham Prajapati,

    Thanks for raising it in the Q&A forum!

    Tenant restrictions is a Microsoft Entra ID feature that allows organizations to control access to SaaS cloud applications based on the Microsoft Entra tenant used for single sign-on. This prevents users on your network from accessing other organizations' instances of applications like Microsoft 365, even when using approved apps.

    How It Works with Browsers and Apps

    The feature operates by intercepting authentication traffic through a proxy infrastructure that inserts HTTP headers into requests to Microsoft login endpoints. For each outgoing request to login.microsoftonline.com, login.microsoft.com, and login.windows.net, two HTTP headers are required: Restrict-Access-To-Tenants and Restrict-Access-Context.

    Browser-based applications like the Office Portal, Yammer, SharePoint sites, and Outlook on the Web currently support tenant restrictions. Thick clients such as Outlook, Skype for Business, Word, Excel, and PowerPoint can enforce tenant restrictions when using modern authentication (OAuth 2.0).

    Tenant Restrictions V2

    Microsoft introduced Tenant Restrictions v2 (TRv2), which began rolling out in mid-November to late December 2024. This enhanced version provides data plane protection for the Microsoft 365 admin center and uses cross-tenant access settings to control which external accounts can access your resources.

    With TRv2, you can:

    • Allow access exclusively to verified M365 tenants

    • Restrict unauthorized instances of Microsoft 365

    • Block user access to consumer Microsoft applications including OneDrive and Hotmail

    Configuration

    To implement tenant restrictions effectively, client software must request tokens directly from Microsoft Entra ID so proxy infrastructure can intercept traffic. The Restrict-Access-To-Tenants header uses a comma-separated list of permitted tenants, identified by registered domains or directory IDs. For blocking consumer apps, a separate sec-Restrict-Tenant-Access-Policy header set to "restrict-msa" is sent to login.live.com.

    If this helps, kindly accept the answer.

    Best Regards,

    Jerald Felix
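The header injection the answer describes (Restrict-Access-To-Tenants and Restrict-Access-Context on the three Entra login hosts, and sec-Restrict-Tenant-Access-Policy: restrict-msa on login.live.com), modelled as a small Python example. This is added here and is not code from the original post or from Microsoft: `TenantRestrictionPolicy.headers_for` returns the headers a TLS-inspecting forward proxy would add to one outbound request, and `audit_proxy_log` checks constructed proxy log lines for login requests that left without them. The tenant ID, the `contoso.com` domain and the tab-separated log format are constructed placeholders.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit

# Entra login endpoints named in the answer: requests to these must carry the
# Restrict-Access-To-Tenants and Restrict-Access-Context headers.
ENTRA_LOGIN_HOSTS = frozenset({
    "login.microsoftonline.com",
    "login.microsoft.com",
    "login.windows.net",
})
# Consumer login endpoint: blocking personal Microsoft accounts uses the
# separate sec-Restrict-Tenant-Access-Policy: restrict-msa header instead.
MSA_LOGIN_HOST = "login.live.com"

# Constructed placeholder directory (tenant) ID, not a real tenant.
CONTEXT_TENANT_ID = "11111111-2222-3333-4444-555555555555"


@dataclass(frozen=True)
class TenantRestrictionPolicy:
    context_tenant_id: str                 # tenant that sets the policy
    allowed_tenants: tuple[str, ...]       # registered domains or directory IDs
    block_consumer_accounts: bool = True

    def headers_for(self, url: str) -> dict[str, str]:
        """Headers a proxy adds to one outbound request (empty for non-login hosts)."""
        host = (urlsplit(url).hostname or "").lower()
        if host in ENTRA_LOGIN_HOSTS:
            return {
                "Restrict-Access-To-Tenants": ",".join(self.allowed_tenants),
                "Restrict-Access-Context": self.context_tenant_id,
            }
        if host == MSA_LOGIN_HOST and self.block_consumer_accounts:
            return {"sec-Restrict-Tenant-Access-Policy": "restrict-msa"}
        return {}


def audit_proxy_log(lines, policy):
    """Report login requests whose logged headers differ from what the policy requires.

    Constructed log format: '<host><TAB><header>=<value>;<header>=<value>'.
    Header names are compared case-insensitively, as HTTP requires.
    Returns (line_no, host, header_name, value_seen_or_None) tuples.
    """
    findings = []
    for line_no, line in enumerate(lines, 1):
        host, _, raw_headers = line.rstrip("\n").partition("\t")
        seen = {}
        for pair in filter(None, raw_headers.split(";")):
            name, _, value = pair.partition("=")
            seen[name.strip().lower()] = value.strip()
        for name, required in policy.headers_for(f"https://{host}/").items():
            got = seen.get(name.lower())
            if got != required:
                findings.append((line_no, host.strip(), name, got))
    return findings


POLICY = TenantRestrictionPolicy(
    context_tenant_id=CONTEXT_TENANT_ID,
    allowed_tenants=("contoso.com", CONTEXT_TENANT_ID),  # constructed org domain
)

# Constructed proxy log: one compliant Entra request, one that left without
# headers, one compliant consumer-login request, one unrelated SaaS request.
SAMPLE_LOG = [
    "login.microsoftonline.com\t"
    f"Restrict-Access-To-Tenants=contoso.com,{CONTEXT_TENANT_ID};"
    f"Restrict-Access-Context={CONTEXT_TENANT_ID}",
    "login.microsoftonline.com\t",
    "login.live.com\tsec-Restrict-Tenant-Access-Policy=restrict-msa",
    "contoso.sharepoint.com\t",
]

if __name__ == "__main__":
    for finding in audit_proxy_log(SAMPLE_LOG, POLICY):
        print("line %d %s: header %s is %r" % finding)
```

Headers are only added on the login hosts, so ordinary SaaS traffic passes through the proxy untouched; the audit reports each missing or mismatched header with its line number, which is the check to run when confirming that the session hosts' egress really goes through the proxy rather than straight to the internet.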

