articles/logic-apps/block-connections-across-tenants.md
7 additions & 5 deletions
@@ -17,9 +17,9 @@ ms.date: 08/01/2022
Azure Logic Apps includes many connectors for you to build integration apps and workflows and to access various data, apps, services, systems, and other resources. These connectors authorize your access to these resources by using Azure Active Directory (Azure AD) to authenticate your credentials.
-
When you create a connection from your workflow to access a resource, you can share that connection with others in the same Azure AD tenant or different tenant by sending a consent link. This shared connection provides access to same resource. However, this capability creates a security vulnerability. Anyone in other Azure AD tenants can create a logic app workflow with a connection. They can then share that connection's consent link with anyone else in a different tenant, for example, by sending a phishing email. If the receiver signs in using the shared connection, the sender can now access the resources in recipient's tenant.
+
When you create a connection from your workflow to access a resource, you can share that connection with others in the same Azure AD tenant or different tenant by sending a consent link. This shared connection provides access to same resource but creates a security vulnerability.
-
To prevent this scenario, you can block access to and from your own Azure AD tenant through shared connections. By setting up a tenant isolation policy, you can better control data movement between your tenant and resources that require Azure AD authorized access.
+
As a security measure to prevent this scenario, you can block access to and from your own Azure AD tenant through such shared connections. You can also permit but restrict connections only to specific tenants. By setting up a tenant isolation policy, you can better control data movement between your tenant and resources that require Azure AD authorized access.
## Prerequisites
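Review bot: the rewritten intro paragraph drops the attack description (someone in another Azure AD tenant creates a workflow connection, sends its consent link to a victim, for example by phishing email, and gains access to the recipient's tenant once they sign in), so the remaining phrase "creates a security vulnerability" is left unexplained, and the following paragraph's "As a security measure to prevent this scenario" now refers to a scenario the reader never sees. Keep at least one sentence describing the consent-link sharing risk, or restore the removed sentences under their own heading. Separately, "You can also permit but restrict connections only to specific tenants" reads awkwardly; suggest "You can also allow connections only to and from specific tenants."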
@@ -37,13 +37,15 @@ To prevent this scenario, you can block access to and from your own Azure AD ten
For example, some legacy connections might not have an associated tenant ID. So, you have to choose whether to block or allow such connections.
-
- The choice whether to initially enable or disable the isolation policy.
+
- The choice whether to enable or disable the isolation policy.
- The tenant IDs for any tenants where you want to allow connections to or from your tenant.
-
- The choice whether to allow inbound connections to your tenant from each allowed tenant.
+
If you choose to allow such connections, include the following information:
+
+
- The choice whether to allow inbound connections to your tenant from each allowed tenant.
-
- The choice whether to allow inbound connections from your tenant to each allowed tenant.
+
- The choice whether to allow inbound connections from your tenant to each allowed tenant.
- To test the tenant isolation policy, you need a second Azure AD tenant. From this tenant, you'll try connecting to and from the isolated tenant after the isolation policy takes effect.
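Review bot: the last re-added bullet still reads "The choice whether to allow inbound connections from your tenant to each allowed tenant"; a connection that originates in your tenant and targets another tenant is outbound, so this should say "outbound" to distinguish it from the preceding "inbound connections to your tenant" bullet, otherwise the two items describe the same direction. Also, "If you choose to allow such connections, include the following information:" leaves "such connections" ambiguous; suggest "If you allow connections with other tenants, also provide the following for each allowed tenant:", and if the two bullets that follow are meant to belong to the tenant IDs item, indent them so they render as nested sub-items rather than as peers of it.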