|
| 1 | +--- |
| 2 | +title: Block access from other tenants |
| 3 | +description: Block connections shared by other tenants in Azure Logic Apps. |
| 4 | +services: logic-apps |
| 5 | +ms.suite: integration |
| 6 | +ms.reviewer: estfan, azla |
| 7 | +ms.topic: how-to |
| 8 | +ms.date: 08/01/2022 |
| 9 | +# Customer intent: As a developer, I want to prevent shared connections with other Azure Active Directory tenants. |
| 10 | +--- |
| 11 | + |
| 12 | +# Block connections shared from other tenants in Azure Logic Apps (Preview) |
| 13 | + |
| 14 | +> [!NOTE] |
| 15 | +> This capability is in preview and is subject to the |
| 16 | +> [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/). |
| 17 | +
|
| 18 | +Azure Logic Apps includes many connectors for you to build integration apps and workflows and to access various data, apps, services, systems, and other resources. These connectors authorize your access to these resources by using Azure Active Directory (Azure AD) to authenticate your credentials. |
| 19 | + |
| 20 | +When you create a connection from your workflow to access a resource, you can share that connection with others in the same Azure AD tenant or different tenant by sending a consent link. This shared connection provides access to same resource but creates a security vulnerability. |
| 21 | + |
| 22 | +As a security measure to prevent this scenario, you can block access to and from your own Azure AD tenant through such shared connections. You can also permit but restrict connections only to specific tenants. By setting up a tenant isolation policy, you can better control data movement between your tenant and resources that require Azure AD authorized access. |
| 23 | + |
| 24 | +## Prerequisites |
| 25 | + |
| 26 | +- An Azure subscription and account with owner permissions to set up a new policy or make changes to existing tenant policies. |
| 27 | + |
| 28 | + > [!NOTE] |
| 29 | + > |
| 30 | + > You can apply policies that affect only your own tenant, not other tenants. |
| 31 | +
|
| 32 | +- Collect the following information: |
| 33 | + |
| 34 | + - The tenant ID for your Azure AD tenant. |
| 35 | + |
| 36 | + - The choice whether to enforce two-way tenant isolation for connections that don't have a client tenant ID. |
| 37 | + |
| 38 | + For example, some legacy connections might not have an associated tenant ID. So, you have to choose whether to block or allow such connections. |
| 39 | + |
| 40 | + - The choice whether to enable or disable the isolation policy. |
| 41 | + |
| 42 | + - The tenant IDs for any tenants where you want to allow connections to or from your tenant. |
| 43 | + |
| 44 | + If you choose to allow such connections, include the following information: |
| 45 | + |
| 46 | + - The choice whether to allow inbound connections to your tenant from each allowed tenant. |
| 47 | + |
| 48 | + - The choice whether to allow inbound connections from your tenant to each allowed tenant. |
| 49 | + |
| 50 | +- To test the tenant isolation policy, you need a second Azure AD tenant. From this tenant, you'll try connecting to and from the isolated tenant after the isolation policy takes effect. |
| 51 | + |
| 52 | +## Request an isolation policy for your tenant |
| 53 | + |
| 54 | +To start this process, you'll request a new isolation policy or update your existing isolation policy for your tenant. Only Azure subscription owners can request new policies or changes to existing policies. |
| 55 | + |
| 56 | +1. Open a Customer Support ticket to request a new isolation policy or update your existing isolation policy for your tenant. |
| 57 | + |
| 58 | +1. Wait for the request to finish verification and processing by the person who handles the support ticket. |
| 59 | + |
| 60 | + > [!NOTE] |
| 61 | + > |
| 62 | + > Policies take effect immediately in the West Central US region. However, these changes |
| 63 | + > might take up to four hours to replicate in all other regions. |
| 64 | +
|
| 65 | +## Test the isolation policy |
| 66 | + |
| 67 | +After the policy takes effect in a region, test the policy. You can try immediately in the West Central US region. |
| 68 | + |
| 69 | +### Test inbound connections to your tenant |
| 70 | + |
| 71 | +1. Sign in to your "other" Azure AD tenant. |
| 72 | + |
| 73 | +1. Create logic app workflow with a connection, such as Office 365 Outlook. |
| 74 | + |
| 75 | +1. Try to sign in to your isolated tenant. |
| 76 | + |
| 77 | + You get a message that the connection to the isolated tenant has failed authorization due to a tenant isolation configuration. |
| 78 | + |
| 79 | +### Test outbound connections from your tenant |
| 80 | + |
| 81 | +1. Sign in to your isolated tenant. |
| 82 | + |
| 83 | +1. Create a logic app workflow with a connection, such as Office 365 Outlook. |
| 84 | + |
| 85 | +1. Try to sign in to your other tenant. |
| 86 | + |
| 87 | + You get a message that the connection to your other tenant has failed authorization due to a tenant isolation configuration. |
| 88 | + |
| 89 | +## Next steps |
| 90 | + |
| 91 | +[Block connector usage in Azure Logic Apps](block-connections-connectors.md) |
0 commit comments