Question

How to BLOCK non-tenant M365

  • 7 February 2024
  • 3 replies
  • 184 views

Hi

Users can only access the corporate M365 tenant. To prevent data leakage, we would like to block non-tenant M365 access such as OneDrive, SharePoint, email, etc.

How can I configure it?

Thanks,

Munster


3 replies

Userlevel 2
Badge +1

There are 3 options you can use.

  1. Constraint Profile: You can restrict the company email domain to the company M365 instance only.
    https://docs.netskope.com/en/netskope-help/data-security/real-time-protection/profiles/constraint-pr...

  2. Instance profile: Netskope detects instance IDs from M365. You can define the instance names to allow the corporate tenant.
    https://docs.netskope.com/en/netskope-help/data-security/real-time-protection/profiles/app-instance-...

  3. Header Insertion: You can also define key-values for the M365 tenant.
    https://docs.netskope.com/en/netskope-help/admin-console/administration/header-insertion/

Hi Ejang

Thanks.

In our current legacy proxy, we have configured header insertion based on Microsoft's recommendation:

Use tenant restrictions to manage access to SaaS apps - Microsoft Entra ID | Microsoft Learn

We have the following configured in our legacy proxy.

=======================================================

If the request matches any of these hosts, it first removes all "Restrict-Access-To-Tenants" and "Restrict-Access-Context" headers, then adds our tenant headers only.

Host:
login.microsoftonline.com
login.microsoft.com
login.windows.net
login.live.com
office.com

Header Remove All (header name):
> Restrict-Access-To-Tenants
> Restrict-Access-Context

Header Add:
> Restrict-Access-To-Tenants = <my tenant name>
> Restrict-Access-Context = <my tenant id>

=====================================

This is to restrict consumer login. If the host matches login.live.com, add the header "sec-Restrict-Tenant-Access-Policy = restrict-msa".

Host: login.live.com

Header Add:
> sec-Restrict-Tenant-Access-Policy = restrict-msa

===================================

Could you show whether the above is possible to configure?

Thanks,

Munster
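The two proxy rules above, written out as a small header-rewrite function so the behaviour can be checked offline before it is moved to a new proxy. This is an added example, not code from the post or from Netskope or Microsoft; the header names and hosts are the ones listed in the post, the tenant name and ID are placeholders, and the sample requests are constructed. One assumption beyond the post: a listed host is taken to cover its subdomains (so www.office.com matches office.com), which is how most proxies match hosts.

```python
"""Tenant-restriction header rewrite as a forward proxy would apply it.

Added example (not from the original post, Netskope or Microsoft).  It
encodes the two rules from the post: on the Microsoft login hosts, strip
any client-supplied tenant-restriction headers and add the corporate
ones; on login.live.com additionally block consumer (MSA) sign-in.
"""
from __future__ import annotations

# Hosts from the post.  Assumption: a listed host also covers its
# subdomains (e.g. www.office.com), as most proxy host matches do.
TENANT_LOGIN_HOSTS = (
    "login.microsoftonline.com",
    "login.microsoft.com",
    "login.windows.net",
    "login.live.com",
    "office.com",
)
CONSUMER_LOGIN_HOSTS = ("login.live.com",)

TENANT_HEADER = "Restrict-Access-To-Tenants"   # comma-separated tenant list
CONTEXT_HEADER = "Restrict-Access-Context"     # directory (tenant) ID
MSA_HEADER = "sec-Restrict-Tenant-Access-Policy"
MSA_VALUE = "restrict-msa"


def host_matches(host: str, patterns) -> bool:
    """Exact or subdomain match, ignoring case and any :port suffix."""
    h = host.lower().split(":", 1)[0]
    return any(h == p or h.endswith("." + p) for p in patterns)


def _drop(headers, name: str):
    """Remove every header called `name`.  HTTP header names are
    case-insensitive, so 'restrict-access-to-tenants' sent by a client
    must be stripped just like the canonical spelling."""
    return [(k, v) for k, v in headers if k.lower() != name.lower()]


def rewrite_headers(host: str, headers, tenant_name: str, tenant_id: str):
    """Return the header list the proxy should forward upstream.

    `headers` is a list of (name, value) pairs exactly as received, so it
    may contain duplicates or mixed-case names.
    """
    out = list(headers)
    if host_matches(host, TENANT_LOGIN_HOSTS):
        # Rule 1: never trust client-supplied restriction headers;
        # remove all of them, then add exactly one copy of ours.
        out = _drop(_drop(out, TENANT_HEADER), CONTEXT_HEADER)
        out.append((TENANT_HEADER, tenant_name))
        out.append((CONTEXT_HEADER, tenant_id))
    if host_matches(host, CONSUMER_LOGIN_HOSTS):
        # Rule 2: block consumer (Microsoft account) sign-in.
        out = _drop(out, MSA_HEADER)
        out.append((MSA_HEADER, MSA_VALUE))
    return out


def restriction_is_enforced(headers, tenant_name: str, tenant_id: str) -> bool:
    """True when exactly one copy of each tenant header is present and
    carries the corporate values, i.e. nothing from the client survived."""
    found: dict[str, list[str]] = {}
    for k, v in headers:
        found.setdefault(k.lower(), []).append(v)
    return (found.get(TENANT_HEADER.lower()) == [tenant_name]
            and found.get(CONTEXT_HEADER.lower()) == [tenant_id])


if __name__ == "__main__":
    TENANT = "contoso.onmicrosoft.com"                    # placeholder
    TENANT_ID = "00000000-0000-0000-0000-000000000000"    # placeholder
    # Constructed request: a client trying to smuggle its own tenant header.
    spoofed = [("restrict-access-to-tenants", "attacker.onmicrosoft.com"),
               ("User-Agent", "example-client")]
    for h in ("login.microsoftonline.com", "login.live.com",
              "www.office.com", "example.com"):
        fwd = rewrite_headers(h, spoofed, TENANT, TENANT_ID)
        print(h, "->", fwd,
              "| enforced:", restriction_is_enforced(fwd, TENANT, TENANT_ID))
```

Two things to keep in mind when moving this to any proxy: headers can only be inserted into traffic the proxy decrypts, so TLS inspection must be enabled for these hosts or nothing is added; and the "remove all, then add" order matters, since a single surviving client-supplied Restrict-Access-To-Tenants header would let a user pick their own tenant list.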

Userlevel 2
Badge +1

You should create another header insertion policy for Microsoft Live Accounts, as login.live.com belongs to the Microsoft Live Accounts app.

Please also refer to: Enforcing Microsoft Tenant

I recommend the constraint or app instance profile because they are easy to configure.
