Improved security with Tenant Restrictions now available in Azure AD

Posted on 7 April 2017

Whilst moving your on-premises infrastructure to SaaS apps such as Office 365 offers many cost and productivity benefits, organisations are naturally concerned about the security implications of the move. For example, if your users access Office 365 with their corporate identity, what’s to stop them accessing the same services with other identities they may have? This creates a significant risk of data leakage that needs to be considered.

Although this is a concern for every organisation using SaaS apps, more regulated sectors such as finance, healthcare and pharmaceuticals have much stricter access and compliance requirements. What’s more, the EU General Data Protection Regulation (GDPR) becomes effective in May 2018, giving you further responsibilities. So, to meet these needs and benefit every Azure AD user, Microsoft has recently enhanced control over access to SaaS apps.

How Azure AD Tenant Restrictions work

Tenant Restrictions allows organisations to limit employees on the corporate network to using Azure AD identities only in tenants the organisation has previously approved.

An on-premises proxy server is configured to intercept authentication traffic going to Azure AD. The proxy inserts a new header called “Restrict-Access-To-Tenants” that lists the tenants that users on the network are permitted to access.

Azure AD then reads the permitted tenant list from the header, and only issues security tokens if the user or resource is in a tenant on that list. Any user who then tries to sign in to a tenant that is not permitted will receive an on-screen message telling them they can’t access it. If you administer the system, you can access the Tenant Restrictions reports in the Azure portal from the Overview page (Other capabilities).
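
The header rewrite described above, as an added example that is not code from this post or from Microsoft: a Python model of what the proxy must do to each intercepted request, including discarding any copy of the header a client sends itself. The login hostnames and the companion Restrict-Access-Context header are taken from Microsoft's Tenant Restrictions documentation rather than this post; the tenant names and directory ID are placeholders.

```python
# Added example: models the header rewrite a TLS-inspecting proxy performs.
# Assumptions: hostnames and Restrict-Access-Context come from Microsoft's
# Tenant Restrictions documentation; tenant names and the ID are placeholders.

AAD_LOGIN_HOSTS = {
    "login.microsoftonline.com",
    "login.microsoft.com",
    "login.windows.net",
}
PERMITTED_TENANTS = ["contoso.onmicrosoft.com", "fabrikam.onmicrosoft.com"]  # constructed
POLICY_DIRECTORY_ID = "00000000-0000-0000-0000-000000000000"  # placeholder

# Headers the proxy owns; compared case-insensitively.
MANAGED = {"restrict-access-to-tenants", "restrict-access-context"}


def apply_tenant_restrictions(host, headers):
    """Return the header list the proxy forwards upstream.

    host is the request's Host value; headers is a list of (name, value)
    pairs as received from the client.
    """
    hostname = host.split(":")[0].rstrip(".").lower()
    if hostname not in AAD_LOGIN_HOSTS:
        return list(headers)  # not authentication traffic: pass through untouched
    # Drop any copy the client sent so only the proxy's policy reaches Azure AD.
    kept = [(n, v) for n, v in headers if n.lower() not in MANAGED]
    # The permitted tenants travel as one comma-separated value.
    kept.append(("Restrict-Access-To-Tenants", ",".join(PERMITTED_TENANTS)))
    kept.append(("Restrict-Access-Context", POLICY_DIRECTORY_ID))
    return kept


def restriction_values(headers):
    """All Restrict-Access-To-Tenants values present, for auditing proxy output."""
    return [v for n, v in headers if n.lower() == "restrict-access-to-tenants"]
```

Because the header sits inside HTTPS requests, the proxy can only apply this rewrite where it decrypts traffic to those login hosts.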

If you would like help configuring your systems to utilize Tenant Restrictions or have any questions about Identity management or security, please get in touch. Our consultants will be more than happy to help.

