This article applies to our On-Premise Appliance Filter and Firewall product only, not to Cloud.
This article shows how to restrict users to a certain email domain or Office 365 tenant when they try to log in to Office 365. For example, once set up, a user could log in as name@myorganisation.com but not as name@outlook.com.
You can use this feature to ensure users (such as staff or students) can access their school Office 365 account, but not their personal accounts while using your network. For more support, see Microsoft's article: Use Tenant Restrictions to manage access to SaaS cloud applications
This restriction only applies to non-mobile devices, so it cannot be used to restrict access for mobile apps.
Step 1: Set up HTTPS Inspection
Create an HTTPS Inspection Policy.
Step 2: Create a Custom Category
- Assign a descriptive and unique name, such as Microsoft Live.
- In the Domain/URL filtering section, add this subdomain: login.live.com.
Step 3: Create Content Modifications
Create two custom Content Modifications with these settings:
- Content Modification 1: Give it a descriptive name, such as Office 365 Tenant Restriction. In the Request headers to override field, put Restrict-Access-To-Tenants: <domain> where <domain> is replaced with your domain or directory ID.
- Content Modification 2: Give it a descriptive name, such as Microsoft Personal Account Restriction. In the Request headers to override field, put sec-Restrict-Tenant-Access-Policy: restrict-msa
Step 4: Use the Content Modifications in your policies
Create two Content Modification policies and apply your new Content Modifications as the Action.
- For your Office 365 Tenant Restriction Content Modification, set the What field to Microsoft Office 365.
- For your Microsoft Personal Account Restriction Content Modification, set the What field to Microsoft Live.
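To check that both policies take effect, the following added example (not part of the product or of Microsoft's tooling) audits request headers as forwarded by the filter for the two headers from Step 3. It assumes you already have the host and header pairs of forwarded requests, that the Microsoft Office 365 category covers the three sign-in hosts Microsoft lists in its tenant restrictions guidance, and uses example.org as a placeholder tenant; the sample requests are constructed.

```python
# Hosts Microsoft documents for tenant-restriction header injection. Assumed
# here to be what the "Microsoft Office 365" category matches for sign-in.
O365_LOGIN_HOSTS = {"login.microsoftonline.com", "login.microsoft.com",
                    "login.windows.net"}
MSA_HOST = "login.live.com"  # the custom "Microsoft Live" category from Step 2


def header_values(headers, name):
    """Values of one header from (name, value) pairs; names are case-insensitive."""
    return [v.strip() for k, v in headers if k.strip().lower() == name.lower()]


def audit_request(host, headers, allowed_tenants):
    """Return findings for one request as forwarded by the filter ([] = OK)."""
    host = host.lower().split(":")[0].rstrip(".")
    if host in O365_LOGIN_HOSTS:
        got = header_values(headers, "Restrict-Access-To-Tenants")
        if not got:
            return ["missing Restrict-Access-To-Tenants"]
        if len(got) > 1:
            # An override leaves exactly one value; two copies mean a
            # client-supplied header survived next to the injected one.
            return ["duplicate Restrict-Access-To-Tenants"]
        sent = {t.strip().lower() for t in got[0].split(",") if t.strip()}
        extra = sent - {t.lower() for t in allowed_tenants}
        if not sent:
            return ["empty Restrict-Access-To-Tenants"]
        if extra:
            return ["unexpected tenants: " + ",".join(sorted(extra))]
    elif host == MSA_HOST:
        got = header_values(headers, "sec-Restrict-Tenant-Access-Policy")
        if [v.lower() for v in got] != ["restrict-msa"]:
            return ["missing or wrong sec-Restrict-Tenant-Access-Policy"]
    return []


# Constructed sample requests (not real traffic); example.org is a placeholder tenant.
SAMPLE = [
    ("login.microsoftonline.com:443", [("restrict-access-to-tenants", "example.org")]),
    ("login.live.com", [("User-Agent", "test")]),
    ("login.windows.net", [("Restrict-Access-To-Tenants", "example.org"),
                           ("Restrict-Access-To-Tenants", "other.example")]),
    ("www.example.com", []),
]

if __name__ == "__main__":
    for host, headers in SAMPLE:
        print(host, audit_request(host, headers, ["example.org"]) or "OK")
```

A finding on a sign-in host usually means the request did not match the category in the What field or was not covered by the HTTPS Inspection Policy from Step 1.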