McAfee Employee
Message 1 of 13

Implementing Tenant Restrictions for Microsoft Office 365


SSL connections to Azure AD can be decrypted by McAfee Web Gateway and headers can be inserted and replaced providing full support for Tenant Restrictions as defined here: Manage access to cloud apps by restricting tenants - Azure | Microsoft Docs


Reading the entire Microsoft article is recommended, but here are the highlights as they pertain to implementing this on MWG:


In order to implement what is described in the Microsoft article, you need to have an Azure AD account (comes with Office 365) and you need a proxy like McAfee Web Gateway or McAfee Web Gateway Cloud Service that performs SSL decryption and can modify headers when accessing the following hosts:


  login.microsoftonline.com
  login.microsoft.com
  login.windows.net


The Certificate Authority used by the web gateway or cloud service must be trusted by the application or browser being used to access cloud services.


Note: At the time of this writing you would need to use a McAfee Web Gateway to manage policy on McAfee Web Gateway Cloud Service in order to implement this feature when filtering through the McAfee cloud (for example, if you wanted to enforce tenant restrictions when using the cloud service through an IPsec tunnel, or when using the cloud service via explicit proxy with MCP or IP authentication).


The two headers that must be added or replaced are:

  Restrict-Access-To-Tenants
  Restrict-Access-Context


You will need to know your Azure AD Tenant ID and obviously the domains that you want to restrict access to. An MWG ruleset from 7.7.2 is attached, all features and properties used in the ruleset are available on all supported versions of McAfee Web Gateway. To use the ruleset you will need to import it and modify the parameters to include your domains and Azure AD ID.


Rule Sets
Azure AD Tenant Restrictions
[✔] Enabled [✘] Disabled in Cloud
Applies to: [✔] Requests [✔] Responses [✔] Embedded Objects
Criteria: URL.Host is in list Azure AD

Rule: Delete Restrict Access To Tenants Header [✔] Enabled
  Criteria: Header.Exists("Restrict-Access-To-Tenants") equals true
  Action: Continue
  Events: Header.RemoveAll("Restrict-Access-To-Tenants")

Rule: Write Restrict Access To Tenants Header [✔] Enabled
  Criteria: Always
  Action: Continue
  Events: Header.Add("Restrict-Access-To-Tenants", "Add domain names here")

Rule: Delete Restrict Access Context Header [✔] Enabled
  Criteria: Header.Exists("Restrict-Access-Context") equals true
  Action: Continue
  Events: Header.RemoveAll("Restrict-Access-Context")

Rule: Write Restrict Access Context Header [✔] Enabled
  Criteria: Always
  Action: Continue
  Events: Header.Add("Restrict-Access-Context", "Add Azure AD ID here")


Lists
String list: Azure AD
  1. login.microsoftonline.com
  2. login.microsoft.com
  3. login.windows.net


Note: if you are going to use this in conjunction with the Bypass Office 365 Services ruleset, then you need to add a criteria/condition to that ruleset to exclude these three Microsoft login URLs, as they are embedded in the following lists and would therefore hit the Stop Cycle action:

  Lync Online URLs
  Office 365 URLs
  Office for iPad URLs
  Office Mobile URLs
  SharePoint Online URLs


Rule Sets
Bypass Microsoft (Office 365) Services
[This rule set contains rules to bypass Office 365 and/or other Microsoft services.]
[✔] Enabled [✔] Enabled in Cloud
Applies to: [✔] Requests [✔] Responses [✘] Embedded Objects
Criteria: URL.Host is not in list Azure AD
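To make the two pieces of the post checkable offline, here is an added Python model of the policy it describes (this is not the attached MWG ruleset and not McAfee code): the RemoveAll-then-Add header rewrite for the three Azure AD login hosts, and the request-cycle ordering in which an unmodified Bypass Office 365 ruleset stops the cycle before SSL Scanning ever sees the login hosts. Host and header names are taken from the post; the tenant list, the tenant ID and the bypass list contents are constructed placeholders.

```python
# Added example modelling the MWG policy described in the thread; not the
# attached ruleset. Hostnames and header names come from the post, everything
# else is a constructed placeholder.

AZURE_AD_HOSTS = {"login.microsoftonline.com", "login.microsoft.com", "login.windows.net"}
TENANTS_HEADER = "Restrict-Access-To-Tenants"
CONTEXT_HEADER = "Restrict-Access-Context"

# Constructed placeholders: use your own verified domains and Azure AD tenant ID.
ALLOWED_TENANTS = "contoso.com,contoso.onmicrosoft.com"
TENANT_ID = "00000000-0000-0000-0000-000000000000"

# Constructed stand-in for the "Office 365 URLs" style lists; the post notes
# that the three login hosts are embedded in those lists.
O365_BYPASS_LIST = AZURE_AD_HOSTS | {"outlook.office365.com", "contoso.sharepoint.com"}


def rewrite_tenant_headers(headers: dict) -> dict:
    """Header.RemoveAll followed by Header.Add for both headers: any copies the
    client sent are discarded (header names are case-insensitive) so the
    gateway's values are the only ones Azure AD sees."""
    drop = {TENANTS_HEADER.lower(), CONTEXT_HEADER.lower()}
    out = {k: v for k, v in headers.items() if k.lower() not in drop}
    out[TENANTS_HEADER] = ALLOWED_TENANTS
    out[CONTEXT_HEADER] = TENANT_ID
    return out


def process_request(host: str, headers: dict, bypass_excludes_login: bool) -> tuple:
    """Walk the request cycle in the order the thread settles on:
    1. Bypass Office 365 ruleset (Stop Cycle), 2. SSL Scanning,
    3. Azure AD Tenant Restrictions. Returns (headers, what happened)."""
    host = host.lower()
    # Step 1: the bypass ruleset. With the post's fix its criterion is
    # "URL.Host is not in list Azure AD", so the login hosts fall through.
    in_bypass = host in O365_BYPASS_LIST
    if bypass_excludes_login:
        in_bypass = in_bypass and host not in AZURE_AD_HOSTS
    if in_bypass:
        return dict(headers), "stop cycle: bypassed before SSL Scanning, headers untouched"
    # Step 2: SSL Scanning decrypts the session so the headers can be edited.
    # Step 3: the tenant restriction rules apply only to the Azure AD hosts.
    if host in AZURE_AD_HOSTS:
        return rewrite_tenant_headers(headers), "tenant restriction headers written"
    return dict(headers), "not an Azure AD host, no change"
```

Running process_request for a login host with bypass_excludes_login=False reproduces the symptom from later in the thread: the bypass rule fires first and the headers are never written.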

Accepted Solutions
McAfee Employee
Message 13 of 13

Re: Implementing Tenant Restrictions for Microsoft Office 365

12 Replies
Level 8
Message 2 of 13

Re: Implementing Tenant Restrictions for Microsoft Office 365

When I enable tenant restrictions the login page will no longer load. Where in the request cycle should this be placed? It seems like any modification to the header causes a problem for the Microsoft site.

Level 8
Message 3 of 13

Re: Implementing Tenant Restrictions for Microsoft Office 365

I use Chrome; it appears I am getting an Error 400, 'Invalid Header' error. I'm using the importable rule.

McAfee Employee
Message 4 of 13

Re: Implementing Tenant Restrictions for Microsoft Office 365

Sorry I just saw these posts. Are you decrypting SSL for the login sites? Did you perform a rule trace?

McAfee Employee
Message 5 of 13

Re: Implementing Tenant Restrictions for Microsoft Office 365

Two additional notes:

  1. The added rules only need to apply to the request cycle, even though the attached ruleset has it for all cycles.
  2. The ruleset should be placed after SSL Scanning. (SSL Scanning has to be enabled for at least the URLs specified.)
Level 7
Message 6 of 13

Re: Implementing Tenant Restrictions for Microsoft Office 365

Hi,

I have put in this rule but it's not blocking the login for other tenants. Can you help me out here?
McAfee Employee
Message 7 of 13

Re: Implementing Tenant Restrictions for Microsoft Office 365

Did you make sure you are not bypassing HTTPS inspection for the login hosts? Is the ruleset after HTTPS inspection? Did you enter your domains and your Azure ID? What does the rule trace show?

Level 7
Message 8 of 13

Re: Implementing Tenant Restrictions for Microsoft Office 365

Hi,

Thanks for your reply.

Yes, I have set the rule under our SSL inspection rule set.

I also added our enterprise domain and Azure ID.

I also set a rule to bypass the but it hits that rule and does not go to SSL inspection.


McAfee Employee
Message 9 of 13

Re: Implementing Tenant Restrictions for Microsoft Office 365

The last sentence is your problem. Per the instructions at the end of the original post you need to put the login servers in a list that prevents entry into the bypass O365 ruleset. 

Re: Implementing Tenant Restrictions for Microsoft Office 365

Hi,

Yes, I have done that. I have a rule on top of the O365 rule with the 3 login URLs with Stop Cycle.

The trace shows it's hitting that top rule but does not go below that.

Attached is the rule I have set up.

Thanks,
