Note
The tenant restrictions settings included in cross-tenant access settings are a preview feature of Azure Active Directory. For more information about previews, see the Supplemental Terms of Use for Microsoft Azure Previews.
For added security, you can restrict what users can do when they sign in from your network or devices with an external account. With the tenant restrictions settings included in cross-tenant access settings, you control which external apps users of Windows devices can access when they use an external account.
For example, suppose a user in your organization creates a separate account in an unknown tenant, or an external organization gives one of your users an account that lets them sign in to that organization. You can use tenant restrictions to prevent users from using some or all external apps when they sign in with an external account on your network or devices.
1. Contoso configures tenant restrictions in its cross-tenant access settings to block all external accounts and external apps. Contoso enforces the policy on every Windows device by updating the local computer configuration with Contoso's tenant ID and tenant restrictions policy ID.
2. A user on a Contoso-managed Windows device tries to sign in to an external app with an account from an unknown tenant. The Windows device adds an HTTP header to the authentication request. The header contains Contoso's tenant ID and tenant restrictions policy ID.
3. Authentication plane protection: Azure AD uses the header in the authentication request to look up the tenant restrictions policy in the cloud. Because Contoso's policy blocks external accounts from accessing external tenants, the request is blocked at the authentication level.
4. Data plane protection: The user tries to access an external application by copying an authentication response token obtained outside the Contoso network and pasting it into the Windows device. Azure AD compares the claims in the token with the HTTP header added by the Windows device. Because they don't match, Azure AD blocks the session, so the user can't access the application.
This article describes how to configure tenant restrictions v2 using the Azure portal. You can also use the Microsoft Graph cross-tenant access API to create the same tenant restrictions policies.
Tenant restrictions v2 overview
Azure AD offers two versions of the tenant restrictions policy:
- Tenant restrictions v1, described in Set up tenant restrictions v1 for B2B collaboration, lets you restrict access to external tenants by configuring a list of allowed tenants on your corporate proxy.
- Tenant restrictions v2, described in this article, lets you apply policies directly on users' Windows devices instead of through a corporate proxy, which reduces overhead and provides more flexible, granular control.
Supported scenarios
Tenant restrictions v2 can be scoped to specific users, groups, organizations, or external apps. Apps built on the Windows operating system networking stack are protected, including:
- All Office apps (all versions and release channels).
- Universal Windows Platform (UWP) .NET applications.
- Microsoft Edge and all websites opened in Microsoft Edge.
- Authentication plane protection for all apps that authenticate with Azure AD, including all Microsoft first-party apps and any third-party apps that use Azure AD for authentication.
- Data plane protection for SharePoint Online and Exchange Online.
- Anonymous access protection for SharePoint Online, OneDrive for Business, and Teams (with federation controls configured).
- Authentication and data plane protection for Microsoft tenant or consumer accounts.
Unsupported scenarios
- Chrome, Firefox, and .NET applications such as PowerShell.
- Anonymous blocking of consumer OneDrive accounts. As a workaround, customers can block https://onedrive.live.com/ at the proxy level.
- When a user accesses a third-party app, such as Slack, using an anonymous link or an account that isn't an Azure AD account.
- When a user copies an Azure AD-issued token from a home machine to a work machine and uses it to access a third-party app such as Slack.
Compare tenant restrictions v1 and v2
The following table compares the features in each version.
Feature | Tenant restrictions v1 | Tenant restrictions v2
---|---|---
Policy enforcement | The corporate proxy enforces the tenant restrictions policy in the Azure AD control plane. | Windows devices are configured to point Microsoft traffic at the tenant restrictions policy, and the policy is enforced in the cloud. Tenant restrictions are also enforced on resource access, which gives data path coverage and protects against token infiltration (a token obtained elsewhere being brought onto the device). For non-Windows devices, the corporate proxy enforces the policy.
Malicious tenant requests | Azure AD blocks malicious tenant authentication requests to provide authentication plane protection. | Azure AD blocks malicious tenant authentication requests to provide authentication plane protection.
Granularity | Limited. | Tenant, user, group, and application granularity.
Anonymous access | Anonymous access to Teams meetings and file sharing is allowed. | Anonymous access to Teams meetings is blocked. Access to anonymously shared resources ("Anyone with the link") is blocked.
Microsoft Accounts (MSA) | Uses a Restrict-MSA header to block access to consumer accounts. | Allows control of Microsoft account (MSA and Live ID) authentication on both the identity and data planes. For example, if you enforce tenant restrictions by default, you can create a Microsoft Accounts-specific policy that allows users to access specific apps with their Microsoft accounts, for example Microsoft Learn (app ID 18fbca16-2224-45f6-85b0-f7bf2b39b3f3) or Microsoft Enterprise Skills Initiative (app ID 195e7f27-02f9-4045-9a91-cd2fa1c2af2f).
Proxy management | Manage corporate proxies by adding tenants to the Azure AD traffic allow list. | Not applicable.
Platform support | Supported on all platforms. Provides authentication plane protection only. | Supported on Windows and Microsoft Edge by adding the tenant restrictions v2 header via Windows Group Policy. This configuration provides authentication and data plane protection. On other platforms, such as macOS, the Chrome browser, and .NET applications, tenant restrictions v2 is supported when the tenant restrictions v2 header is added by a corporate proxy. This configuration provides authentication plane protection only.
Portal support | No UI for configuring the policy in the Azure portal. | UI available in the Azure portal for setting up the cloud policy.
Unsupported apps | Not applicable. | Block unsupported apps from reaching Microsoft endpoints by using Windows Defender Application Control (WDAC) or Windows Firewall (for example, for Chrome, Firefox, and so on). See Block Chrome, Firefox, and .NET applications like PowerShell.
Migrate tenant restrictions v1 policies to v2
In addition to using tenant restrictions v2 to manage access for users of Windows devices, we recommend configuring your corporate proxy to enforce tenant restrictions v2 so that other devices and apps on your corporate network are covered as well. Configuring tenant restrictions on your corporate proxy doesn't provide data plane protection, but it does provide authentication plane protection. For details, see Step 4: Set up tenant restrictions v2 on your corporate proxy.
Tenant restrictions vs. inbound and outbound settings
Although tenant restrictions are configured alongside your cross-tenant access settings, they operate independently of the inbound and outbound access settings. Cross-tenant access settings give you control when users sign in with an account from your organization. By contrast, tenant restrictions give you control when users use an external account. Your inbound and outbound settings for B2B collaboration and B2B direct connect don't affect (and aren't affected by) your tenant restrictions settings.
Think of the different cross-tenant access settings this way:
- Inbound settings control external account access to your internal apps.
- Outbound settings control internal account access to external apps.
- Tenant restrictions control external account access to external apps.
Tenant restrictions vs. B2B collaboration
When your users need access to external organizations and apps, we recommend enabling tenant restrictions to block external accounts and using B2B collaboration instead. B2B collaboration gives you the ability to:
- Use Conditional Access and enforce multifactor authentication for B2B collaboration users.
- Manage inbound and outbound access.
- Terminate sessions and credentials when a B2B collaboration user's employment status changes or their credentials are breached.
- Use sign-in logs to view details about the B2B collaboration user.
Tenant restrictions and Microsoft Teams
For greater control over access to Teams meetings, you can use federation controls in Teams to allow or block specific tenants, together with tenant restrictions v2 to block anonymous access to Teams meetings. Tenant restrictions prevent users from joining Teams meetings with an externally issued identity.
For example, suppose Contoso uses Teams federation controls to block the Fabrikam tenant. If someone with a Contoso device uses a Fabrikam account to join a Contoso Teams meeting, they're admitted to the meeting as an anonymous user. If Contoso also enables tenant restrictions v2, Teams blocks anonymous access, and the user can't join the meeting.
To enforce tenant restrictions for Teams, you must configure tenant restrictions v2 in your Azure AD cross-tenant access settings. You also need to set up federation controls in the Teams admin portal and restart Teams. Tenant restrictions enforced on the corporate proxy don't block anonymous access to Teams meetings, SharePoint files, or other resources that don't require authentication.
Tenant restrictions v2 and SharePoint Online
SharePoint Online supports tenant restrictions v2 on both the authentication plane and the data plane.
Authenticated sessions
When tenant restrictions v2 is enabled on a tenant, unauthorized access is blocked during authentication. If a user directly accesses a SharePoint Online resource without an authenticated session, they're prompted to sign in. If the tenant restrictions v2 policy allows access, the user can access the resource; otherwise, access is blocked.
Anonymous access
If a user tries to access an anonymously shared file using their home tenant or corporate identity, they're able to access the file. But if the user tries to access the same file using any externally issued identity, access is blocked.
For example, suppose a user is on a managed device configured with tenant restrictions v2 for Tenant A. If they select an anonymous access link generated for a Tenant A resource, they can access the resource anonymously. But if they select an anonymous access link generated for Tenant B's SharePoint Online, they're prompted to sign in. Anonymous access to resources using an externally issued identity is always blocked.
Tenant restrictions v2 and OneDrive
Like SharePoint, OneDrive for Business supports tenant restrictions v2 on both the authentication plane and the data plane. Blocking anonymous access to OneDrive for Business is also supported. For example, the tenant restrictions v2 policy is enforced at the OneDrive for Business endpoint (microsoft-my.sharepoint.com).
However, OneDrive for consumer accounts (via onedrive.live.com) doesn't support tenant restrictions v2. Some URLs, such as onedrive.live.com, are non-converged and use the legacy stack, so the policy isn't enforced when a user accesses their consumer OneDrive through these URLs. As a workaround, you can block https://onedrive.live.com/ at the proxy level.
Tenant restrictions v2 and non-Windows platforms
For non-Windows platforms, you can break and inspect traffic at the proxy to add the tenant restrictions v2 parameters to the header. However, some platforms don't support break and inspect, so tenant restrictions v2 won't work for them. For these platforms, the following Azure AD features can provide protection:
- Conditional Access: Only allow use of managed or compliant devices.
- Conditional Access: Manage access for guests and external users.
- B2B collaboration: Restrict outbound rules via cross-tenant access to the same tenants listed in the "Restrict-Access-To-Tenants" parameter.
- B2B collaboration: Restrict invitations to B2B users to the same domains listed in the "Restrict-Access-To-Tenants" parameter.
- Application management: Restrict how users consent to applications.
- Intune: Apply an app policy through Intune to restrict usage of managed apps to only the UPN of the account that enrolled the device (under Allow only configured organization accounts in apps).
Although these alternatives provide protection, some scenarios can only be covered by tenant restrictions, such as using a browser to access Microsoft 365 services through the web instead of a dedicated app.
Prerequisites
To configure tenant restrictions, you need:
- Azure AD Premium P1 or P2
- An account with the Global Administrator or Security Administrator role
- Windows 10, Windows 11, or Windows Server 2022 devices with the latest updates
Step 1: Configure default tenant restrictions v2
The tenant restrictions v2 settings are located in the Azure portal under Cross-tenant access settings. First, configure the default tenant restrictions you want to apply to all users, groups, apps, and organizations. Then, if you need partner-specific configurations, you can add a partner's organization and customize any settings that differ from your defaults.
To configure default tenant restrictions
Sign in to the Azure portal using a Global Administrator, Security Administrator, or Conditional Access Administrator account. Then open the Azure Active Directory service.
Select External Identities.
Select Cross-tenant access settings, and then select the Default settings tab.
Scroll to the Tenant restrictions (Preview) section.
Select the Edit tenant restrictions defaults link.
If a default policy doesn't yet exist in the tenant, next to the Policy ID you'll see a Create Policy link. Select this link.
The Tenant restrictions page displays both your Tenant ID and your tenant restrictions Policy ID. Use the copy icons to copy both values. You'll use them later when you configure Windows clients to enable tenant restrictions.
Select the External users and groups tab. Under Access status, choose one of the following:
- Allow access: Allows all users who are signed in with external accounts to access external apps (specified on the External applications tab).
- Block access: Blocks all users who are signed in with external accounts from accessing external apps (specified on the External applications tab).
Note
Default settings can't be scoped to individual accounts or groups, so Applies to always equals All users and groups. Be aware that if you block access for all users and groups, you also need to block access to all external applications (on the External applications tab).
Select the External applications tab. Under Access status, choose one of the following:
- Allow access: Allows all users who are signed in with external accounts to access the apps specified under Applies to.
- Block access: Blocks all users who are signed in with external accounts from accessing the apps specified under Applies to.
Under Applies to, select one of the following:
- All external applications: Applies the action you chose under Access status to all external applications. If you block access to all external applications, you also need to block access for all of your users and groups (on the Users and groups tab).
- Select external applications: Lets you choose the external applications you want the action under Access status to apply to. To select applications, choose Add Microsoft applications or Add other applications. Then search by the application name or the application ID (either the client app ID or the resource app ID) and select the app. (See a list of IDs for commonly used Microsoft applications.) If you want to add more applications, use the Add button. When you're done, select Submit.
Select Save.
Step 2: Configure tenant restrictions v2 for specific partners
Suppose you use tenant restrictions to block access by default, but you want to allow users to access certain applications with their own external accounts. For example, say you want users to be able to access Microsoft Learn with their own Microsoft accounts (MSAs). The instructions in this section describe how to add organization-specific settings that take precedence over the default settings.
Example: Configure tenant restrictions v2 to allow Microsoft Accounts
Sign in to the Azure portal using a Global Administrator, Security Administrator, or Conditional Access Administrator account. Then open the Azure Active Directory service.
Select External Identities, and then select Cross-tenant access settings.
Select Organizational settings. (If the organization you want to add has already been added to the list, you can skip adding it and go directly to modifying the settings.)
Select Add organization.
On the Add organization pane, type the full domain name (or tenant ID) for the organization.
Example: Search for the following Microsoft Accounts tenant ID:
9188040d-6c67-4c5b-b112-36a304b66dad
Select the organization in the search results, and then select Add.
The organization appears in the Organizational settings list. Scroll to the right to see the Tenant restrictions column. At this point, all tenant restrictions settings for this organization are inherited from your default settings. To change the settings for this organization, select the Inherited from default link under the Tenant restrictions column.
The Tenant restrictions (Preview) page for the organization appears. Copy the values for Tenant ID and Policy ID. You'll use them later when you configure Windows clients to enable tenant restrictions.
Select Customize settings, and then select the External users and groups tab. Under Access status, choose an option:
- Allow access: Allows the users and groups specified under Applies to, when signed in with external accounts, to access external apps (specified on the External applications tab).
- Block access: Blocks the users and groups specified under Applies to, when signed in with external accounts, from accessing external apps (specified on the External applications tab).
Note
For our Microsoft Accounts example, we select Allow access.
Under Applies to, select All users and groups or Select users and groups. If you choose Select users and groups, do the following for each user or group you want to add:
- Select Add external users and groups.
- In the Select pane, type the user name or group name in the search box.
- Select the user or group in the search results.
- To add more, select Add and repeat these steps. When you're done selecting the users and groups you want to add, select Submit.
Note
For our Microsoft Accounts example, we select All users and groups.
Select the External applications tab. Under Access status, choose whether to allow or block access to external applications.
- Allow access: Allows your users to access the external applications specified under Applies to when they use external accounts.
- Block access: Blocks your users from accessing the external applications specified under Applies to when they use external accounts.
Note
For our Microsoft Accounts example, we select Allow access.
Under Applies to, select one of the following:
- All external applications: Applies the action you chose under Access status to all external applications.
- Select external applications: Applies the action you chose under Access status only to the external applications you select.
Note
- For our Microsoft Accounts example, we select Select external applications.
- If you block access to all external applications, you also need to block access for all of your users and groups (on the Users and groups tab).
If you choose Select external applications, do the following for each application you want to add:
- Select Add Microsoft applications or Add other applications. For our Microsoft Learn example, we select Add other applications.
- In the search box, type the application name or the application ID (either the client app ID or the resource app ID). (See a list of IDs for commonly used Microsoft applications.) For our Microsoft Learn example, we enter the application ID 18fbca16-2224-45f6-85b0-f7bf2b39b3f3.
- Select the application in the search results, and then select Add.
- Repeat this for each application you want to add.
- When you're done selecting applications, select Submit.
The applications you selected are listed on the External applications tab. Select Save.
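The following is an added example, not code from the original page or from Microsoft. It models the decision that Step 1 (default policy: block all external accounts and all external apps) and Step 2 (partner override for the Microsoft Accounts tenant: all MSA users may reach Microsoft Learn only) together produce, using the same JSON shape that the Microsoft Graph cross-tenant access API returns under `tenantRestrictions`. The policies, sign-in records, and the semantics that an "allowed" rule implicitly blocks everything not in its target list are modelling assumptions; the MSA tenant ID and Microsoft Learn app ID are the ones quoted on this page.

```python
"""Model of a tenant restrictions v2 decision (added example; not a Microsoft API).

Policies are constructed in the Graph `tenantRestrictions` shape:
  usersAndGroups / applications -> {"accessType": "allowed"|"blocked", "targets": [...]}
"""
from dataclasses import dataclass

# IDs quoted on the page: the Microsoft Accounts (consumer) tenant and Microsoft Learn.
MSA_TENANT_ID = "9188040d-6c67-4c5b-b112-36a304b66dad"
MS_LEARN_APP_ID = "18fbca16-2224-45f6-85b0-f7bf2b39b3f3"

# Constructed default policy (Step 1): block all external accounts and all external apps.
DEFAULT_POLICY = {
    "tenantRestrictions": {
        "usersAndGroups": {
            "accessType": "blocked",
            "targets": [{"target": "AllUsers", "targetType": "user"}],
        },
        "applications": {
            "accessType": "blocked",
            "targets": [{"target": "AllApplications", "targetType": "application"}],
        },
    }
}

# Constructed partner override (Step 2), keyed by the partner's tenant ID: every MSA
# user is allowed, but only to the Microsoft Learn application.
PARTNER_POLICIES = {
    MSA_TENANT_ID: {
        "tenantRestrictions": {
            "usersAndGroups": {
                "accessType": "allowed",
                "targets": [{"target": "AllUsers", "targetType": "user"}],
            },
            "applications": {
                "accessType": "allowed",
                "targets": [{"target": MS_LEARN_APP_ID, "targetType": "application"}],
            },
        }
    }
}


@dataclass(frozen=True)
class SignIn:
    """A sign-in from a managed device with an external account (constructed record)."""
    account_tenant_id: str  # home tenant of the account being used
    user_id: str            # object ID (or name) of that external account
    app_id: str             # external client or resource app ID being accessed


def _rule_allows(rule: dict, value: str, all_marker: str) -> bool:
    # Modelling assumption: a target list matches via the All* marker or an exact ID.
    # An "allowed" rule permits matches and implicitly blocks the rest; a "blocked"
    # rule blocks matches and implicitly permits the rest.
    matched = any(t["target"] in (all_marker, value) for t in rule["targets"])
    return matched if rule["accessType"] == "allowed" else not matched


def evaluate(sign_in: SignIn, default=DEFAULT_POLICY, partners=PARTNER_POLICIES) -> bool:
    """Return True if the sign-in is allowed under the tenant restrictions v2 policy.

    A partner configuration for the account's home tenant takes precedence over the
    default. Access requires both the users rule and the applications rule to allow.
    """
    policy = partners.get(sign_in.account_tenant_id, default)["tenantRestrictions"]
    users_ok = _rule_allows(policy["usersAndGroups"], sign_in.user_id, "AllUsers")
    apps_ok = _rule_allows(policy["applications"], sign_in.app_id, "AllApplications")
    return users_ok and apps_ok


if __name__ == "__main__":
    other_app = "00000000-0000-0000-0000-000000000001"          # constructed app ID
    unknown_tenant = "11111111-1111-1111-1111-111111111111"     # constructed tenant ID
    cases = [
        ("MSA account -> Microsoft Learn", SignIn(MSA_TENANT_ID, "alice", MS_LEARN_APP_ID)),
        ("MSA account -> other app", SignIn(MSA_TENANT_ID, "alice", other_app)),
        ("unknown tenant -> Microsoft Learn", SignIn(unknown_tenant, "bob", MS_LEARN_APP_ID)),
    ]
    for label, s in cases:
        print(f"{label}: {'allowed' if evaluate(s) else 'blocked'}")
```

Only the first case is allowed: the MSA partner override matches the account's home tenant and lists Microsoft Learn; the same MSA account going to any other app, and any account from a tenant without an override, fall back to "blocked".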
Step 3: Enable tenant restrictions on Windows managed devices
After you create a tenant restrictions v2 policy, you can enforce it on each Windows device by adding your tenant ID and the policy ID to the device's Tenant Restrictions configuration. When tenant restrictions are enabled on a Windows device, a corporate proxy isn't required for policy enforcement. Devices don't need to be Azure AD managed to enforce tenant restrictions v2; domain-joined devices that are managed with Group Policy are also supported.
Administrative Templates (.admx) for Windows 10 November 2021 Update (21H2) and Group Policy settings
You can use Group Policy to deploy the tenant restrictions configuration to Windows devices. See these resources:
- Administrative Templates for Windows 10
- Group Policy Settings Reference Spreadsheet for Windows 10
Test the policy on a device
Use the following steps to test the tenant restrictions v2 policy on a device.
Note
- The device must be running Windows 10, Windows 11, or Windows Server 2022 with the latest updates.
On the Windows computer, press the Windows key, type gpedit, and then select Edit group policy (Control panel).
Go to Computer Configuration > Administrative Templates > Windows Components > Tenant Restrictions.
Right-click Cloud Policy Details in the right pane, and then select Edit.
Retrieve the Tenant ID and Policy ID you recorded earlier (in step 7 under To configure default tenant restrictions) and enter them in the following fields (leave all other fields blank):
- Azure AD Directory ID: Enter the Tenant ID you recorded earlier. You can also find it in the Azure portal by navigating to Azure Active Directory > Properties and copying the Tenant ID.
- Policy GUID: The ID of your cross-tenant access policy. This is the Policy ID you recorded earlier. You can also find this ID in Graph Explorer by calling https://graph.microsoft.com/v1.0/policies/crossTenantAccessPolicy/default.
Select OK.
Step 4: Set up tenant restrictions v2 on your corporate proxy
Tenant restrictions v2 policies can't be directly enforced on devices other than Windows 10, Windows 11, or Windows Server 2022, such as Macs, mobile devices, unsupported Windows applications, and Chrome browsers. To ensure sign-ins are restricted on all devices and apps in your corporate network, configure your corporate proxy to enforce tenant restrictions v2. Configuring tenant restrictions on your corporate proxy doesn't provide data plane protection, but it does provide authentication plane protection.
Important
If you've previously set up tenant restrictions, you need to stop sending restrict-msa to login.live.com. Otherwise, the new settings will conflict with your existing instructions to the MSA sign-in service.
Configure the tenant restrictions v2 header as follows:
Header name | Header value
---|---
sec-Restrict-Tenant-Access-Policy | <DirectoryId>:<policyGuid>
<DirectoryId> is your Azure AD tenant ID. Find this value by signing in to the Azure portal as an administrator, selecting Azure Active Directory, and then selecting Properties.
<policyGuid> is the ID of your cross-tenant access policy object. Find this value by calling /crosstenantaccesspolicy/default and using the "id" field that is returned.
On your corporate proxy, send the tenant restrictions v2 header to the following Microsoft login domains:
- login.live.com
- login.microsoft.com
- login.microsoftonline.com
- login.windows.net
This header enforces your tenant restrictions v2 policy on all sign-ins on your network. This header doesn't block anonymous access to Teams meetings, SharePoint files, or other resources that don't require authentication.
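The following is an added example, not code from the original page or from any proxy vendor. It captures the header-rewriting rule above as a pure function a corporate proxy would apply per outbound request: set `sec-Restrict-Tenant-Access-Policy` to `<DirectoryId>:<policyGuid>` on the four Microsoft login domains only, replace (rather than duplicate) any existing value of that header, including the legacy `restrict-msa` value the Important note says must no longer be sent, and leave every other host untouched. The directory and policy GUIDs are constructed placeholders, and the function signature is the example's own; the proxy plumbing that calls it is out of scope.

```python
"""Header rule for a tenant restrictions v2 enforcing proxy (added example)."""
import uuid

HEADER_NAME = "sec-Restrict-Tenant-Access-Policy"

# Microsoft login domains listed on the page; these (and only these) get the header.
LOGIN_HOSTS = frozenset({
    "login.live.com",
    "login.microsoft.com",
    "login.microsoftonline.com",
    "login.windows.net",
})

# Constructed placeholders for the values an admin copies from the portal.
EXAMPLE_DIRECTORY_ID = "aaaaaaaa-1111-2222-3333-444444444444"
EXAMPLE_POLICY_GUID = "bbbbbbbb-5555-6666-7777-888888888888"


def is_guid(value: str) -> bool:
    """True if `value` parses as a GUID (both header parts must)."""
    try:
        uuid.UUID(value)
    except (ValueError, AttributeError, TypeError):
        return False
    return True


def tenant_restrictions_header_value(directory_id: str, policy_guid: str) -> str:
    """Build the '<DirectoryId>:<policyGuid>' value, refusing malformed IDs.

    A typo here would send a header Azure AD can't match to any policy, so fail
    closed at configuration time rather than silently enforcing nothing.
    """
    if not is_guid(directory_id):
        raise ValueError(f"directory_id is not a GUID: {directory_id!r}")
    if not is_guid(policy_guid):
        raise ValueError(f"policy_guid is not a GUID: {policy_guid!r}")
    return f"{directory_id}:{policy_guid}"


def apply_proxy_policy(host: str, headers: dict, directory_id: str, policy_guid: str) -> dict:
    """Return the outbound header set for a request to `host`.

    For the Microsoft login hosts, any existing sec-Restrict-Tenant-Access-Policy
    header (matched case-insensitively, so a legacy 'restrict-msa' value is caught)
    is dropped and replaced with the v2 value. Other hosts pass through unchanged.
    """
    host = host.lower().rstrip(".")
    if host not in LOGIN_HOSTS:
        return dict(headers)
    out = {k: v for k, v in headers.items() if k.lower() != HEADER_NAME.lower()}
    out[HEADER_NAME] = tenant_restrictions_header_value(directory_id, policy_guid)
    return out


if __name__ == "__main__":
    # Constructed request: a legacy v1 MSA instruction still being sent to login.live.com.
    legacy = {"sec-restrict-tenant-access-policy": "restrict-msa", "Accept": "*/*"}
    print(apply_proxy_policy("login.live.com", legacy, EXAMPLE_DIRECTORY_ID, EXAMPLE_POLICY_GUID))
    print(apply_proxy_policy("graph.microsoft.com", legacy, EXAMPLE_DIRECTORY_ID, EXAMPLE_POLICY_GUID))
```

The second call shows the header is not added to resource hosts such as graph.microsoft.com; the page's proxy enforcement is authentication plane only, and the data plane checks happen on Windows devices, not through this header.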
Block Chrome, Firefox, and .NET applications like PowerShell
You can use the Windows Firewall feature to block unprotected apps, such as Chrome, Firefox, and .NET applications like PowerShell, from accessing Microsoft resources. Which apps are blocked or allowed is determined by the tenant restrictions v2 policy.
For example, if a customer adds PowerShell to their tenant restrictions v2 CIP policy and has graph.microsoft.com in their tenant restrictions v2 policy's endpoint list, then PowerShell should be able to access it with the firewall enabled.
On the Windows computer, press the Windows key, type gpedit, and then select Edit group policy (Control panel).
Go to Computer Configuration > Administrative Templates > Windows Components > Tenant Restrictions.
Right-click Cloud Policy Details in the right pane, and then select Edit.
Select the Enable firewall protection of Microsoft endpoints checkbox, and then select OK.
After your firewall setting is enabled, try signing in using a Chrome browser. Sign-in should fail.
View tenant restrictions v2 events
View events related to tenant restrictions in Event Viewer.
- In Event Viewer, open Applications and Services Logs.
- Navigate to Microsoft > Windows > TenantRestrictions > Operational and look for events.
Audit logs
The Azure AD audit logs contain records of system and user activities, including activities initiated by guest users. To access the audit logs, under Monitoring in Azure Active Directory, select Audit logs. To access the audit logs of a specific user, select Azure Active Directory > Users > select the user > Audit logs.
You can get more details about each event listed in the audit log, for example the details of a user update event.
You can also export these logs from Azure AD and use the reporting tool of your choice to build customized reports.
Microsoft Graph
Get policy information by using Microsoft Graph:
Get the default policy
GET https://graph.microsoft.com/beta/policies/crossTenantAccessPolicy/default
Reset to system default
POST https://graph.microsoft.com/beta/policies/crossTenantAccessPolicy/default/resetToSystemDefault
Get partner configurations
GET https://graph.microsoft.com/beta/policies/crossTenantAccessPolicy/partners
Get a specific partner configuration
GET https://graph.microsoft.com/beta/policies/crossTenantAccessPolicy/partners/9188040d-6c67-4c5b-b112-36a304b66dad
Update a specific partner
PATCH https://graph.microsoft.com/beta/policies/crossTenantAccessPolicy/partners/9188040d-6c67-4c5b-b112-36a304b66dad
Request body:
{
  "tenantRestrictions": {
    "usersAndGroups": {
      "accessType": "allowed",
      "targets": [
        { "target": "AllUsers", "targetType": "user" }
      ]
    },
    "applications": {
      "accessType": "allowed",
      "targets": [
        { "target": "AllApplications", "targetType": "application" }
      ]
    }
  }
}
Next steps
See Configure external collaboration settings for B2B collaboration with non-Azure AD identities, social identities, and external accounts that aren't managed by IT.