Question

How to BLOCK non-tenant M365

  • February 7, 2024
  • 3 replies
  • 1701 views

munster

Hi

Users should only be able to access the corporate M365 tenant. To prevent data leakage, we would like to block access to non-tenant M365 services such as OneDrive, SharePoint, email, etc.

How can I configure this?

Thanks

Munster


3 replies

ejang
Netskope Employee
  • 69 replies
  • February 7, 2024

There are 3 options you can use.

  1. Constraint Profile: You can restrict the company email domain to the company M365 instance only.
    https://docs.netskope.com/en/netskope-help/data-security/real-time-protection/profiles/constraint-pr...

  2. Instance profile: Netskope detects instance IDs from M365. You can define the instance names to allow the corporate tenant.
    https://docs.netskope.com/en/netskope-help/data-security/real-time-protection/profiles/app-instance-...

  3. Header Insertion: You can also define key-value pairs for the M365 tenant.
    https://docs.netskope.com/en/netskope-help/admin-console/administration/header-insertion/

munster
  • Author
  • 26 replies
  • February 7, 2024

Hi Ejang

Thanks.

In our current legacy proxy, we have configured header insertion based on Microsoft's recommendation:

Use tenant restrictions to manage access to SaaS apps - Microsoft Entra ID | Microsoft Learn

We have the below configured in our legacy proxy.

=======================================================

If the request matches any of these hosts, it will first remove all "Restrict-Access-To-Tenants" and "Restrict-Access-Context" headers, then add our tenant headers only.

Host:
login.microsoftonline.com
login.microsoft.com
login.windows.net
login.live.com
office.com

Header Remove All, header name:
> Restrict-Access-To-Tenants
> Restrict-Access-Context

Header Add:
> Restrict-Access-To-Tenants = <my tenant name>
> Restrict-Access-Context = <my tenant id>

=====================================

This is to restrict consumer login. If the host matches login.live.com, add the header "sec-Restrict-Tenant-Access-Policy = restrict-msa".

Host: login.live.com

Header Add:
> sec-Restrict-Tenant-Access-Policy = restrict-msa

===================================

Could you show whether the above is possible to configure?

Thanks

Munster

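The rewrite rules in the post above, expressed as a small Python function so the behaviour can be checked offline. This is an added example, not code from the thread, from Netskope or from Microsoft. The host lists, the two tenant-restriction headers and the `restrict-msa` value are taken from the post; the tenant name, the tenant ID and the sample request headers are constructed placeholders. The security-relevant detail the post gets right is the order of operations: strip every client-supplied copy of the header first, then add exactly one corporate value, so that a request that already carries `Restrict-Access-To-Tenants` for some other tenant cannot reach Entra ID with that value still attached.

```python
"""Tenant-restrictions (v1) header rewrite modelled on the proxy rules in the post.

Assumptions (not from the original thread):
  - headers arrive as a list of (name, value) pairs, one per header line
  - host matching is an exact match, as the post lists bare hostnames
"""

# Hosts that receive the corporate tenant headers (list from the post).
TENANT_HOSTS = {
    "login.microsoftonline.com",
    "login.microsoft.com",
    "login.windows.net",
    "login.live.com",
    "office.com",
}
# Host that additionally receives the consumer-account (MSA) block (from the post).
MSA_HOSTS = {"login.live.com"}

# HTTP header names are case-insensitive, so all comparisons are lower-cased.
TENANT_HEADERS = {"restrict-access-to-tenants", "restrict-access-context"}
MSA_HEADER = "sec-restrict-tenant-access-policy"


def header_values(headers, name):
    """Return every value carried by header `name`, case-insensitively."""
    return [v for n, v in headers if n.lower() == name.lower()]


def apply_tenant_restrictions(host, headers, tenant_name, tenant_id):
    """Return the header list the proxy should forward upstream for `host`.

    tenant_name: allowed tenant (Restrict-Access-To-Tenants accepts a
                 comma-separated list, so several tenants can be permitted).
    tenant_id:   directory ID written into Restrict-Access-Context.
    """
    host = host.lower().split(":")[0]  # normalise case, ignore an explicit port
    out = list(headers)  # never mutate the caller's list

    if host in TENANT_HOSTS:
        # "Header Remove All" first: drop every client-supplied copy, in any case.
        out = [(n, v) for n, v in out if n.lower() not in TENANT_HEADERS]
        # Then "Header Add": exactly one corporate value of each.
        out.append(("Restrict-Access-To-Tenants", tenant_name))
        out.append(("Restrict-Access-Context", tenant_id))

    if host in MSA_HOSTS:
        # Same strip-then-add pattern for the consumer-account block.
        out = [(n, v) for n, v in out if n.lower() != MSA_HEADER]
        out.append(("sec-Restrict-Tenant-Access-Policy", "restrict-msa"))

    return out


# Placeholder tenant values (constructed; replace with your own).
TENANT_NAME = "contoso.onmicrosoft.com"
TENANT_ID = "11111111-2222-3333-4444-555555555555"


def demo():
    """Rewrite a constructed request that already carries a foreign tenant header."""
    client_headers = [
        ("Host", "login.microsoftonline.com"),
        ("Restrict-Access-To-Tenants", "attacker.onmicrosoft.com"),  # injected by client
        ("restrict-access-context", "deadbeef"),  # lower-case variant, must also go
    ]
    return apply_tenant_restrictions(
        "login.microsoftonline.com", client_headers, TENANT_NAME, TENANT_ID
    )


if __name__ == "__main__":
    for name, value in demo():
        print(f"{name}: {value}")
```

The function only makes sense on traffic the proxy can actually modify: all of the hosts in the post are HTTPS, so they must be in scope for TLS decryption, otherwise the header never reaches Microsoft and the restriction silently does nothing. The post lists bare hostnames, so the example matches hosts exactly; if your proxy rule is meant to cover subdomains, add that matching in `apply_tenant_restrictions` rather than relying on this exact-match behaviour.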

ejang
Netskope Employee
  • 69 replies
  • February 7, 2024

You should create another header insertion policy for Microsoft Live Accounts, as login.live.com belongs to the Microsoft Live Accounts app.

Please also refer to: Enforcing Microsoft Tenant

I recommend the constraint or app instance profile because they are easier to configure.