0 Replies Latest reply on Aug 22, 2017 9:00 AM by jebeling

    Implementing Tenant Restrictions for Microsoft Office 365

    jebeling

      SSL connections to Azure AD can be decrypted by McAfee Web Gateway, and headers can be inserted or replaced, providing full support for Tenant Restrictions as defined here: Manage access to cloud apps by restricting tenants - Azure | Microsoft Docs

      Reading the entire Microsoft article is recommended, but here are the highlights as they pertain to implementing this on MWG:

      To implement what is described in the Microsoft article, you need an Azure AD account (it comes with Office 365) and a proxy such as McAfee Web Gateway or McAfee Web Gateway Cloud Service that performs SSL decryption and can modify headers when accessing the following hosts:

      login.microsoftonline.com
      login.microsoft.com
      login.windows.net

      The Certificate Authority used by the web gateway or cloud service must be trusted by the application or browser being used to access cloud services.

      Note: At the time of this writing you would need to use a McAfee Web Gateway to manage policy on McAfee Web Gateway Cloud Service in order to implement this feature when filtering through the McAfee cloud (for example, if you want to enforce tenant restrictions when using the cloud service through an IPsec tunnel, or when using the cloud service via explicit proxy with IP authentication).

      The two headers that must be added or replaced are:

      Restrict-Access-To-Tenants
      Restrict-Access-Context

      You will need to know your Azure AD Tenant ID and obviously the domains that you want to restrict access to. An MWG ruleset from 7.7.2 is attached; all features and properties used in the ruleset are available on all supported versions of McAfee Web Gateway. To use the ruleset you will need to import it and modify the parameters to include your domains and Azure AD ID.

      Rule Set: Azure AD Tenant Restrictions
      [✔] Enabled   [✘] Disabled in Cloud
      Applies to: [✔] Requests [✔] Responses [✔] Embedded Objects
      Rule set criteria: URL.Host is in list Azure AD

      Rules (Enabled / Rule / Criteria / Action / Events):

      [✔] Enabled  Delete Restrict Access To Tenants Header
          Criteria: Header.Exists("Restrict-Access-To-Tenants") equals true
          Action:   Continue
          Event:    Header.RemoveAll("Restrict-Access-To-Tenants")

      [✔] Enabled  Write Restrict Access To Tenants Header
          Criteria: Always
          Action:   Continue
          Event:    Header.Add("Restrict-Access-To-Tenants", "Add domain names here")

      [✔] Enabled  Delete Restrict Access Context Header
          Criteria: Header.Exists("Restrict-Access-Context") equals true
          Action:   Continue
          Event:    Header.RemoveAll("Restrict-Access-Context")

      [✔] Enabled  Write Restrict Access Context Header
          Criteria: Always
          Action:   Continue
          Event:    Header.Add("Restrict-Access-Context", "Add Azure AD ID here")

      Lists
      String list "Azure AD":
      1. login.microsoftonline.com
      2. login.microsoft.com
      3. login.windows.net
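As an added illustration (not the attached ruleset or any McAfee code), the following Python models what the rule set above does: for the three Azure AD hosts only, remove every existing copy of each header and then add the gateway's own value, so that only the gateway's value reaches Azure AD. The hosts and header names come from the page; the tenant list, the directory ID and the GUID format check are assumed placeholders.

```python
import re
from typing import List, Tuple

Header = Tuple[str, str]

# The three hosts from the page's "Azure AD" list.
AZURE_AD_HOSTS = {"login.microsoftonline.com", "login.microsoft.com", "login.windows.net"}

# Constructed placeholders: replace with your own allowed domains and Azure AD directory ID.
ALLOWED_TENANTS = "contoso.example,fabrikam.example"
TENANT_CONTEXT = "00000000-0000-0000-0000-000000000000"

# Assumed sanity check: directory IDs are GUIDs. This is an added check, not an MWG feature.
_GUID_RE = re.compile(r"^[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")


def validate_config(tenants: str, context: str) -> None:
    """Catch the two likely deployment mistakes: a placeholder left in place, or a non-GUID context."""
    if not tenants.strip() or tenants.startswith("Add "):
        raise ValueError("Restrict-Access-To-Tenants still contains the placeholder text")
    if not _GUID_RE.match(context):
        raise ValueError("Restrict-Access-Context must be the Azure AD directory ID (a GUID)")


def remove_all(headers: List[Header], name: str) -> List[Header]:
    """Header.RemoveAll equivalent: drop every instance of the header, name matched case-insensitively."""
    return [(n, v) for n, v in headers if n.lower() != name.lower()]


def apply_tenant_restrictions(host: str, headers: List[Header],
                              tenants: str = ALLOWED_TENANTS,
                              context: str = TENANT_CONTEXT) -> List[Header]:
    """Mirror of the rule set: for Azure AD hosts only, replace both tenant-restriction headers."""
    if host.lower() not in AZURE_AD_HOSTS:
        return list(headers)  # rule set criteria not met; request passes through untouched
    validate_config(tenants, context)
    # Remove before add: a header already on the request (from a client or an upstream
    # proxy) must not survive alongside the gateway's value.
    out = remove_all(headers, "Restrict-Access-To-Tenants")
    out.append(("Restrict-Access-To-Tenants", tenants))
    out = remove_all(out, "Restrict-Access-Context")
    out.append(("Restrict-Access-Context", context))
    return out


if __name__ == "__main__":
    # Constructed request carrying a stale header that must not survive the rewrite.
    sample = [("Host", "login.microsoftonline.com"), ("restrict-access-to-tenants", "other-tenant.example")]
    for name, value in apply_tenant_restrictions("login.microsoftonline.com", sample):
        print(f"{name}: {value}")
```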
      Note: if you are going to use this in conjunction with the Bypass Office 365 Services rule set, you will need to add a criterion to that rule set to exclude these three Microsoft login hosts, because they are embedded in the following lists and would otherwise hit the Stop Cycle action, which ends rule processing before the tenant-restriction headers are written.

      Lync Online URLs
      Office 365 URLs
      Office for iPad URLs
      Office Mobile URLs
      SharePoint Online URLs

      Rule Set: Bypass Microsoft (Office 365) Services
      [This rule set contains rules to bypass Office 365 and/or other Microsoft services.]
      [✔] Enabled   [✔] Enabled in Cloud
      Applies to: [✔] Requests [✔] Responses [✘] Embedded Objects
      Rule set criteria: URL.Host is not in list Azure AD