articles/active-directory/manage-apps/tenant-restrictions.md (7 additions & 5 deletions)
@@ -8,7 +8,7 @@ ms.service: active-directory
8
8
ms.subservice: app-mgmt
9
9
ms.workload: identity
10
10
ms.topic: conceptual
11
-
ms.date: 2/23/2021
11
+
ms.date: 4/6/2021
12
12
ms.author: kenwith
13
13
ms.reviewer: hpsin
14
14
ms.collection: M365-identity-device-management
@@ -92,6 +92,8 @@ This section describes the experience for both end users and admins.
92
92
93
93
An example user is on the Contoso network, but is trying to access the Fabrikam instance of a shared SaaS application like Outlook online. If Fabrikam is a non-permitted tenant for the Contoso instance, the user sees an access denial message, which says you're trying to access a resource that belongs to an organization unapproved by your IT department.
94
94
95
+

96
+
95
97
### Admin experience
96
98
97
99
While configuration of tenant restrictions is done on the corporate proxy infrastructure, admins can access the tenant restrictions reports in the Azure portal directly. To view the reports:
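Review bot: the two blank lines added at 95 and 96 look like stray whitespace rather than a content change; line 94 already separates the example paragraph from the `### Admin experience` heading, and Markdown collapses consecutive blank lines, so the rendered page is identical. Drop them unless they are a placeholder for an element (an image or note) that the hunk does not show.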
@@ -108,14 +110,14 @@ The report may contain limited information, such as target directory ID, when a
108
110
109
111
Like other reports in the Azure portal, you can use filters to specify the scope of your report. You can filter on a specific time interval, user, application, client, or status. If you select the **Columns** button, you can choose to display data with any combination of the following fields:
110
112
111
-
-**User** - this field can have personally identifiable information removed, where it will be set to `00000000-0000-0000-0000-000000000000`.
113
+
-**User** - this field can have personal data removed, where it will be set to `00000000-0000-0000-0000-000000000000`.
112
114
-**Application**
113
115
-**Status**
114
116
-**Date**
115
117
-**Date (UTC)** - where UTC is Coordinated Universal Time
116
118
-**IP Address**
117
119
-**Client**
118
-
-**Username** - this field can have personally identifiable information removed, where it will be set to `{PII Removed}@domain.com`
120
+
-**Username** - this field can have personal data removed, where it will be set to `{PII Removed}@domain.com`
119
121
-**Location**
120
122
-**Target tenant ID**
121
123
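Review bot: the terminology change from "personally identifiable information" to "personal data" on the **User** and **Username** items is applied consistently, but the literal placeholders `00000000-0000-0000-0000-000000000000` and `{PII Removed}@domain.com` must stay exactly as written, since those are the strings the report emits and anyone filtering or alerting on the tenant restrictions report will match on them. It would help the reader to state on those two items that the redaction happens in the limited-information case the hunk header refers to ("The report may contain limited information, such as target directory ID, when a ..."), rather than leaving "can have personal data removed" unconditional.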
@@ -202,7 +204,7 @@ Some organizations attempt to fix this by blocking `login.live.com` in order to
202
204
203
205
### Configuration for consumer apps
204
206
205
-
While the `Restrict-Access-To-Tenants` header functions as an allow-list, the Microsoft account (MSA) block works as a deny signal, telling the Microsoft account platform to not allow users to sign in to consumer applications. To send this signal, the `sec-Restrict-Tenant-Access-Policy` header is injected to traffic visiting `login.live.com` using the same corporate proxy or firewall as [above](#proxy-configuration-and-requirements). The value of the header must be `restrict-msa`. When the header is present and a consumer app is attempting to sign in a user directly, that sign in will be blocked.
207
+
While the `Restrict-Access-To-Tenants` header functions as an allowlist, the Microsoft account (MSA) block works as a deny signal, telling the Microsoft account platform to not allow users to sign in to consumer applications. To send this signal, the `sec-Restrict-Tenant-Access-Policy` header is injected to traffic visiting `login.live.com` using the same corporate proxy or firewall as [above](#proxy-configuration-and-requirements). The value of the header must be `restrict-msa`. When the header is present and a consumer app is attempting to sign in a user directly, that sign in will be blocked.
206
208
207
209
At this time, authentication to consumer applications does not appear in the [admin logs](#admin-experience), as login.live.com is hosted separately from Azure AD.
208
210
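Review bot: on the rewritten line 207, "sign in" used as a noun in "that sign in will be blocked" should be "sign-in", and "injected to traffic" reads better as "injected into traffic"; since the line is already being touched for the "allowlist" wording, fix both in the same edit. The header name `sec-Restrict-Tenant-Access-Policy` and the required value `restrict-msa` are unchanged, which is correct, as the context line at 209 still notes that these consumer sign-ins do not show up in the Azure AD admin logs.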
@@ -219,4 +221,4 @@ The `restrict-msa` policy blocks the use of consumer applications, but allows th
219
221
## Next steps
220
222
221
223
- Read about [Updated Office 365 modern authentication](https://www.microsoft.com/microsoft-365/blog/2015/03/23/office-2013-modern-authentication-public-preview-announced/)
222
-
- Review the [Office 365 URLs and IP address ranges](https://support.office.com/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2)
224
+
- Review the [Office 365 URLs and IP address ranges](https://support.office.com/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2)
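Review bot: the removed line 223 and the added line 224 are identical as rendered, so this hunk is presumably a trailing-whitespace or end-of-file newline fix; confirm that the change is intentional and that the link target is unchanged, and mention it in the commit description so the hunk is not mistaken for a content edit.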