Question:
- How do I configure WebMarshal to apply Azure AD (Entra) tenant restrictions?
Background:
Microsoft tenant restrictions allow you to control which tenants of cloud applications can be accessed from within an organization (where web access is forced through a gateway such as WebMarshal). The feature can be used to control access to all apps that send the user to Azure AD for single sign-on, because the gateway adds the restriction headers to every request bound for the Microsoft login endpoints.
Procedure:
- Add a URL category named Microsoft Auth Services
- Add the following URLs to this category (both HTTP and HTTPS):
  - login.microsoft.com
  - login.microsoftonline.com
  - login.windows.net
- Ensure that WebMarshal HTTPS inspection is enabled globally and that the HTTPS rules specify inspection for the category Microsoft Auth Services (the headers can only be added to requests that WebMarshal decrypts; uninspected HTTPS traffic passes through unchanged)
- Create a standard rule:
  - Where the URL is a member of Microsoft Auth Services
  - Rewrite Headers: add a header to client requests named Restrict-Access-To-Tenants with a comma-separated list of the permitted tenant domains, for example: mycompany.onmicrosoft.com,contoso.com
  - Add a header to client requests named Restrict-Access-Context with the value of the Tenant ID of your own tenant (get this from the Entra/Azure AD settings at https://entra.microsoft.com/ as described in the Microsoft article Restrict access to a tenant)
  - Optionally, choose the users that this rule will apply to.
- Name the rule (for example, Add MS Headers) and save it.
- Commit the WebMarshal configuration.
Requests to the Microsoft services will have the headers added as specified.
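The following is an added illustration, not WebMarshal's own code: it models the effect of the rule above (inject the two tenant-restriction headers only for hosts in the Microsoft Auth Services category, and only when the request is visible to the gateway) and checks the header values, so the intended behaviour can be verified offline against constructed requests. The tenant list and Tenant ID are placeholders.

```python
"""Offline model of the 'Add MS Headers' rule and a check of its values.

Added example; it does not call WebMarshal. ALLOWED_TENANTS and TENANT_ID
are placeholder values to be replaced with your own tenant settings.
"""
import re
from urllib.parse import urlsplit

# The URL category from the procedure (applies to both http and https).
MICROSOFT_AUTH_SERVICES = {
    "login.microsoft.com",
    "login.microsoftonline.com",
    "login.windows.net",
}

# Placeholders: comma-separated permitted tenant domains and your Tenant ID.
ALLOWED_TENANTS = "mycompany.onmicrosoft.com,contoso.com"
TENANT_ID = "00000000-0000-0000-0000-000000000000"

GUID_RE = re.compile(r"^[0-9a-f]{8}-([0-9a-f]{4}-){3}[0-9a-f]{12}$", re.I)
DOMAIN_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)(\.(?!-)[a-z0-9-]{1,63}(?<!-))+$", re.I)


def validate_rule_values(tenants: str, tenant_id: str) -> list:
    """Return a list of problems with the header values (empty list means OK)."""
    problems = []
    parts = tenants.split(",")
    if any(p != p.strip() or not DOMAIN_RE.match(p) for p in parts):
        problems.append("Restrict-Access-To-Tenants must be a comma-separated domain list with no spaces")
    if not GUID_RE.match(tenant_id):
        problems.append("Restrict-Access-Context must be the Tenant ID (a GUID)")
    return problems


def apply_rule(url: str, headers: dict, inspected: bool = True) -> dict:
    """Return the client request headers as they leave the gateway.

    `inspected` models whether HTTPS inspection covers this request: without
    it the gateway never sees the plaintext request, so no header is added.
    """
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    out = dict(headers)  # never mutate the caller's request
    if host not in MICROSOFT_AUTH_SERVICES:
        return out
    if parts.scheme == "https" and not inspected:
        return out
    out["Restrict-Access-To-Tenants"] = ALLOWED_TENANTS
    out["Restrict-Access-Context"] = TENANT_ID
    return out
```

Run `apply_rule` over a few login URLs and a non-Microsoft URL to confirm the headers appear only where the rule should fire, and run `validate_rule_values` on the values you intend to enter before committing the configuration.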
Notes:
For more details of the tenant restriction feature, see the Microsoft article Restrict access to a tenant, linked above.