articles/active-directory/external-identities/tenant-restrictions-v2.md
4 additions & 4 deletions
@@ -46,7 +46,7 @@ While [tenant restrictions v1](../manage-apps/tenant-restrictions.md) provide au
46
46
47
47
In your organization's [cross-tenant access settings](cross-tenant-access-overview.md), you can configure a tenant restrictions v2 policy. After you create the policy, there are three ways to apply the policy in your organization.
48
48
49
-
-**Universal tenant restrictions v2**. This option provides both authentication plane and data plane protection without a corporate proxy. [Universal tenant restrictions](https://learn.microsoft.com/en-us/azure/global-secure-access/how-to-universal-tenant-restrictions) use Global Secure Access (preview) to tag all traffic no matter the operating system, browser, or device form factor. It allows support for both client and remote network connectivity.
49
+
-**Universal tenant restrictions v2**. This option provides both authentication plane and data plane protection without a corporate proxy. [Universal tenant restrictions](https://learn.microsoft.com/azure/global-secure-access/how-to-universal-tenant-restrictions) use Global Secure Access (preview) to tag all traffic no matter the operating system, browser, or device form factor. It allows support for both client and remote network connectivity.
50
50
-**Authentication plane tenant restrictions v2**. You can deploy a corporate proxy in your organization and [configure the proxy to set tenant restrictions v2 signals](#option-2-set-up-tenant-restrictions-v2-on-your-corporate-proxy) on all traffic to Microsoft Entra and Microsoft Accounts (MSA).
51
51
-**Windows tenant restrictions v2**. For your corporate-owned Windows devices, you can enforce both authentication plane and data plane protection by enforcing tenant restrictions directly on devices. Tenant restrictions are enforced upon resource access, providing data path coverage and protection against token infiltration. A corporate proxy isn't required for policy enforcement. Devices can be Azure AD managed or domain-joined devices that are managed via Group Policy.
52
52
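Review bot: The unchanged third bullet in this list still says "Azure AD managed", which is inconsistent with the "Microsoft Entra" naming used in the second bullet; consider updating it in the same pass. In the first bullet, dropping the `/en-us` locale segment from the learn.microsoft.com link is the only textual change, and the paired blank `-`/`+` lines above it look like whitespace-only churn, so check that no trailing-whitespace difference is being introduced.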
@@ -328,13 +328,13 @@ Suppose you use tenant restrictions to block access by default, but you want to
328
328
329
329
There are three options for enforcing tenant restrictions v2 for clients:
330
330
331
-
-[Option 1](#option-3-universal-tenant-restrictions-v2-as-part-of-microsoft-entra-global-secure-access-preview): Universal tenant restrictions v2 as part of Microsoft Entra Global Secure Access (preview)
331
+
-[Option 1](#option-1-universal-tenant-restrictions-v2-as-part-of-microsoft-entra-global-secure-access-preview): Universal tenant restrictions v2 as part of Microsoft Entra Global Secure Access (preview)
332
332
-[Option 2](#option-2-set-up-tenant-restrictions-v2-on-your-corporate-proxy): Set up tenant restrictions v2 on your corporate proxy
333
-
-[Option 3](#option-1-enable-tenant-restrictions-on-windows-managed-devices-preview): Enable tenant restrictions on Windows managed devices (preview)
333
+
-[Option 3](#option-3-enable-tenant-restrictions-on-windows-managed-devices-preview): Enable tenant restrictions on Windows managed devices (preview)
334
334
335
335
### Option 1: Universal tenant restrictions v2 as part of Microsoft Entra Global Secure Access (preview)
336
336
337
-
Universal tenant restrictions v2 as part of [Microsoft Entra Global Secure Access](https://learn.microsoft.com/en-us/azure/global-secure-access/overview-what-is-global-secure-access) is recommended because it because it provides authentication and data plane protection for all devices and platforms. This option provides additional protection against against sophisticated attempts to bypasses authentication. For example, attackers might try to allow anonymous access to a malicious tenant’s apps, such as anonymous meeting join in Teams. Or, attackers might attempt to import to your organizational device an access token lifted from a device in the malicious tenant. Universal tenant restrictions v2 prevents these attacks by sending tenant restrictions v2 signals on the authentication plane (Microsoft Entra and Microsoft Account) and data plane (Microsoft cloud applications).
337
+
Universal tenant restrictions v2 as part of [Microsoft Entra Global Secure Access](https://learn.microsoft.com/azure/global-secure-access/overview-what-is-global-secure-access) is recommended because it because it provides authentication and data plane protection for all devices and platforms. This option provides additional protection against against sophisticated attempts to bypasses authentication. For example, attackers might try to allow anonymous access to a malicious tenant’s apps, such as anonymous meeting join in Teams. Or, attackers might attempt to import to your organizational device an access token lifted from a device in the malicious tenant. Universal tenant restrictions v2 prevents these attacks by sending tenant restrictions v2 signals on the authentication plane (Microsoft Entra and Microsoft Account) and data plane (Microsoft cloud applications).
338
338
339
339
### Option 2: Set up tenant restrictions v2 on your corporate proxy
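Review bot: The added paragraph under the Option 1 heading still reads "because it because it", "against against" and "attempts to bypasses authentication"; since this line is already being touched for the URL locale, fix the duplicated words and change "bypasses" to "bypass" in the same commit. The corrected Option 1 anchor matches the heading shown in this hunk, but the Option 3 heading is outside the visible context, so confirm that `#option-3-enable-tenant-restrictions-on-windows-managed-devices-preview` matches the actual heading text before merging.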