Universal tenant restrictions

Universal tenant restrictions enhance the functionality of tenant restriction v2 using Global Secure Access (preview) to tag all traffic no matter the operating system, browser, or device form factor. It allows support for both client and remote network connectivity. Administrators no longer have to manage proxy server configurations or complex network configurations.

Universal Tenant Restrictions does this enforcement using Global Secure Access based policy signaling for both the authentication and data plane. Tenant restrictions v2 enables enterprises to prevent data exfiltration by users using external tenant identities for Microsoft Entra integrated applications like Microsoft Graph, SharePoint Online, and Exchange Online. These technologies work together to prevent data exfiltration universally across all devices and networks.

The following table explains the steps taken at each point in the previous diagram.

Step	Description
1	Contoso configures a tenant restrictions v2 policy in their cross-tenant access settings to block all external accounts and external apps. Contoso enforces the policy using Global Secure Access universal tenant restrictions.
2	A user with a Contoso-managed device tries to access a Microsoft Entra integrated app with an unsanctioned external identity.
3	Authentication plane protection: Using Microsoft Entra ID, Contoso's policy blocks unsanctioned external accounts from accessing external tenants.
4	Data plane protection: If the user again tries to access an external unsanctioned application by copying an authentication response token they obtained outside of Contoso's network and pasting it into the device, they're blocked. The token mismatch triggers reauthentication and blocks access. For SharePoint Online, any attempt at anonymously accessing resources, and for Microsoft Teams, any attempt at anonymously joining calls, will be blocked.

Universal tenant restrictions help to prevent data exfiltration across browsers, devices, and networks in the following ways:

• It enables Microsoft Entra ID, Microsoft Accounts, and Microsoft 365 applications to look up and enforce the associated tenant restrictions v2 policy. This lookup enables consistent policy application.
• Works with all Microsoft Entra integrated third-party apps at the auth plane during sign in.
• Works with Exchange, SharePoint, and Microsoft Graph for data plane protection.

Prerequisites

• Administrators who interact with Global Secure Access preview features must have one or more of the following role assignments depending on the tasks they're performing.
  • The Global Secure Access Administrator role role to manage the Global Secure Access preview features.
  • The Conditional Access Administrator to create and interact with Conditional Access policies.
• The preview requires a Microsoft Entra ID P1 license. If needed, you can purchase licenses or get trial licenses.

Known limitations

• If you have enabled universal tenant restrictions and you are accessing the Microsoft Entra admin center for one of the allow listed tenants, you may see an "Access denied" error. Add the following feature flag to the Microsoft Entra admin center:
  • ?feature.msaljs=true&exp.msaljsexp=true
  • For example, you work for Contoso and you have allow listed Fabrikam as a partner tenant. You may see the error message for the Fabrikam tenant's Microsoft Entra admin center.
    • If you received the "access denied" error message for this URL: https://entra.microsoft.com/ then add the feature flag as follows: https://entra.microsoft.com/?feature.msaljs%253Dtrue%2526exp.msaljsexp%253Dtrue#home

Outlook uses the QUIC protocol for some communications. We don't currently support the QUIC protocol. Organizations can use a firewall policy to block QUIC and fallback to non-QUIC protocol. The following PowerShell command creates a firewall rule to block this protocol.

@New-NetFirewallRule -DisplayName "Block QUIC for Exchange Online" -Direction Outbound -Action Block -Protocol UDP -RemoteAddress 13.107.6.152/31,13.107.18.10/31,13.107.128.0/22,23.103.160.0/20,40.96.0.0/13,40.104.0.0/15,52.96.0.0/14,131.253.33.215/32,132.245.0.0/16,150.171.32.0/22,204.79.197.215/32,6.6.0.0/16 -RemotePort 443 

Configure tenant restrictions v2 policy

Before an organization can use universal tenant restrictions, they must configure both the default tenant restrictions and tenant restrictions for any specific partners.

For more information to configure these policies, see the article Set up tenant restrictions V2 (Preview).

Enable tagging for tenant restrictions v2

Once you have created the tenant restriction v2 policies, you can utilize Global Secure Access to apply tagging for tenant restrictions v2. An administrator with both the Global Secure Access Administrator and Security Administrator roles must take the following steps to enable enforcement with Global Secure Access.

1. Sign in to the Microsoft Entra admin center as a Global Secure Access Administrator.
2. Browse to Global Secure Access > Global Settings > Session Management > Tenant Restrictions.
3. Select the toggle to Enable tagging to enforce tenant restrictions on your network.
4. Select Save.

Try Universal tenant restrictions with SharePoint Online.

This capability works the same for Exchange Online and Microsoft Graph in the following examples we explain how to see it in action in your own environment.

Try the authentication path:

1. With universal tenant restrictions turned off in Global Secure Access global settings.
2. Go to SharePoint Online, https://yourcompanyname.sharepoint.com/, with an external identity that isn't allow-listed in a tenant restrictions v2 policy.
   1. For example, a Fabrikam user in the Fabrikam tenant.
   2. The Fabrikam user should be able to access SharePoint Online.
3. Turn on universal tenant restrictions.
4. As an end-user, with the Global Secure Access Client running, go to SharePoint Online with an external identity that hasn't been explicitly allow-listed.
   1. For example, a Fabrikam user in the Fabrikam tenant.
   2. The Fabrikam user should be blocked from accessing SharePoint Online with an error message saying:
      1. Access is blocked, The Contoso IT department has restricted which organizations can be accessed. Contact the Contoso IT department to gain access.

Try the data path

1. With universal tenant restrictions turned off in Global Secure Access global settings.
2. Go to SharePoint Online, https://yourcompanyname.sharepoint.com/, with an external identity that isn't allow-listed in a tenant restrictions v2 policy.
   1. For example, a Fabrikam user in the Fabrikam tenant.
   2. The Fabrikam user should be able to access SharePoint Online.
3. In the same browser with SharePoint Online open, go to Developer Tools, or press F12 on the keyboard. Start capturing the network logs. You should see Status 200, when everything is working as expected.
4. Ensure the Preserve log option is checked before continuing.
5. Keep the browser window open with the logs.
6. Turn on universal tenant restrictions.
7. As the Fabrikam user, in the browser with SharePoint Online open, within a few minutes, new logs appear. Also, the browser may refresh itself based on the request and responses happening in the back-end. If the browser doesn't automatically refresh after a couple of minutes, hit refresh on the browser with SharePoint Online open.
   1. The Fabrikam user sees that their access is now blocked saying:
      1. Access is blocked, The Contoso IT department has restricted which organizations can be accessed. Contact the Contoso IT department to gain access.
8. In the logs, look for a Status of 302. This row shows universal tenant restrictions being applied to the traffic.
   1. In the same response, check the headers for the following information identifying that universal tenant restrictions were applied:
      1. Restrict-Access-Confirm: 1
      2. x-ms-diagnostics: 2000020;reason="xms_trpid claim was not present but sec-tenant-restriction-access-policy header was in requres";error_category="insufficiant_claims"

Terms of Use

Your use of the Microsoft Entra Private Access and Microsoft Entra Internet Access preview experiences and features is governed by the preview online service terms and conditions of the agreement(s) under which you obtained the services. Previews may be subject to reduced or different security, compliance, and privacy commitments, as further explained in the Universal License Terms for Online Services and the Microsoft Products and Services Data Protection Addendum (“DPA”), and any other notices provided with the Preview.

Next steps

The next step for getting started with Microsoft Entra Internet Access is to Enable enhanced Global Secure Access signaling.

For more information on Conditional Access policies for Global Secure Access (preview), see the following articles:

• Set up tenant restrictions V2 (Preview)
• Source IP restoration
• Enable compliant network check with Conditional Access