This article shows how to restrict users to a specific email domain or Office 365 tenant when they try to sign in to Office 365. For example, once set up, a user could sign in to name@myorganisation.com but not sign in to name@outlook.com.
You can use this feature to ensure users (such as staff or students) can access their school Office 365 account, but not their personal accounts, while using your network. For more support, see Microsoft's article: Use Tenant Restrictions to manage access to SaaS cloud applications.
- This restriction applies only to non-mobile devices, so it can’t be used to restrict access for mobile apps.
- As Custom Content Modifications can’t be set up in Cloud Filter and are not supported by our Agents and Extensions, these instructions can only be used for filtering applied by the Smoothwall On-Premise Appliance.
1: Add a Custom Category
- Assign a descriptive and unique name, such as ‘Microsoft Live’.
- In the Domain/URL filtering section, add this subdomain: login.live.com
2: Set up HTTPS Inspection
Follow our recommended default HTTPS Inspection Policies to Decrypt and inspect everything.
In scenarios where this is not possible, add an HTTPS Inspection Policy to Decrypt and inspect the Microsoft Office 365 category and your Custom Category.
3: Add Content Modifications
Add two custom Content Modifications with these settings:
- Content Modification 1: Give it a descriptive name, such as ‘Office 365 Tenant Restriction’. In the Request headers to override field, enter Restrict-Access-To-Tenants: <domain>, replacing <domain> with your domain or directory ID.
- Content Modification 2: Give it a descriptive name, such as ‘Microsoft Personal Account Restriction’. In the Request headers to override field, enter sec-Restrict-Tenant-Access-Policy: restrict-msa
4: Use the Content Modifications in your policies
Add two Content Modification policies and select Apply as the Action.
- For your Office 365 Tenant Restriction Content Modification, set the What field to Microsoft Office 365.
- For your Microsoft Personal Account Restriction Content Modification, set the What field to your Custom Category.
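The sketch below models the result of steps 1 to 4: which header is overridden for which host, and that a value supplied by the client is replaced. It is an added example, not Smoothwall code. The tenant value is a placeholder, the Office 365 host list stands in for the Microsoft Office 365 category, and the subdomain matching rule is an assumption.

```python
# Added illustration, not Smoothwall code: models the two header overrides.
TENANT = "myorganisation.com"  # placeholder: your domain or directory ID

# Assumption: stand-in for the "Microsoft Office 365" category, using the
# sign-in hosts Microsoft documents for tenant restrictions.
O365_LOGIN_HOSTS = {"login.microsoftonline.com", "login.microsoft.com",
                    "login.windows.net"}
CUSTOM_CATEGORY = {"login.live.com"}  # the Custom Category from step 1

POLICIES = [
    (O365_LOGIN_HOSTS, "Restrict-Access-To-Tenants", TENANT),
    (CUSTOM_CATEGORY, "sec-Restrict-Tenant-Access-Policy", "restrict-msa"),
]


def in_category(host, category):
    """Assumed matching rule: the listed name or any subdomain of it."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in category)


def apply_overrides(host, headers):
    """Headers as they should leave the filter: any client-supplied copy of a
    policy header (names are case-insensitive) is replaced by the policy value."""
    out = dict(headers)
    for category, name, value in POLICIES:
        if in_category(host, category):
            out = {k: v for k, v in out.items() if k.lower() != name.lower()}
            out[name] = value
    return out


def audit(host, headers):
    """Names of policy headers that are missing or wrong for this host."""
    seen = {k.lower(): v.strip() for k, v in headers.items()}
    return [name for category, name, value in POLICIES
            if in_category(host, category) and seen.get(name.lower()) != value]


if __name__ == "__main__":
    # Constructed sample requests (host, headers as sent by the client).
    samples = [
        ("login.microsoftonline.com", {"restrict-access-to-tenants": "other.example"}),
        ("login.live.com", {"User-Agent": "demo"}),
        ("www.example.com", {"User-Agent": "demo"}),
    ]
    for host, sent in samples:
        print(host, "before:", audit(host, sent),
              "after:", audit(host, apply_overrides(host, sent)))
```

A host that audit still flags after the overrides are applied is one where a Content Modification policy is not matching, usually because the request was not decrypted in step 2.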