Tenant restrictions v2 : Quick Demo

Introduction

Tenant Restriction v2 (TRv2) is a feature within Microsoft Entra ID, which is part of the broader suite of Microsoft security and identity management solutions. This feature enhances the ability to control and manage which external tenants and applications users can access, adding a robust layer of security and governance.

In this article, I’ll show you how to configure and enforce this policy in your organization. Let’s get started.

What is Tenant Restriction v2?

Tenant Restriction v2 (TRv2) is a new feature from Microsoft Entra ID that enhances security and management for companies working together. Here are the main benefits:

  • TRv2 helps protect sensitive information by limiting how outside users can access applications and resources.
  • It prevents unauthorized external users from logging in, which helps keep your organization safe from potential threats.
  • Even if someone tries to misuse access tokens, TRv2 stops them from reaching important resources like SharePoint files and Teams meetings.
  • Administrators can create specific rules that manage who can access information, tailored to individual users, groups, or even specific applications.

Key Features

Here are the key features of Tenant Restriction v2 (TRv2).

  • Block sign-ins using external identities to access your organization’s data.
  • Enforce policies to manage access on a per-user, per-group, or per-application basis.
  • Protect the authentication plane by ensuring only trusted users can sign in.
  • Guard the data plane by preventing unauthorized access to resources such as SharePoint files and Teams meetings.
  • Set policies to allow or block access based on the organization, specific users, groups, or applications.
  • Customize rules to meet your organization’s security and collaboration needs.
  • Help prevent data exfiltration by restricting access to external applications using externally issued identities.
  • Offer real-time monitoring of access attempts.
  • Provide alerts for any unusual or unauthorized access attempts, allowing for prompt response and mitigation.

How it Works

Tenant Restrictions v2 in Microsoft Entra ID enables organizations to control user access to external Microsoft 365 tenants by enforcing policies that allow or block specific tenants.

  • When a user attempts to access an external tenant from a corporate network, the request is evaluated against the defined policy.
  • The system identifies the target tenant from the login credentials or URL and checks whether the user’s request originates from a managed network, using the IP address or X-Forwarded-For (XFF) headers.
  • If the target tenant is in the allowed list, access is granted; otherwise, it is denied. Optional integration with Conditional Access policies adds additional checks, such as user group membership, device compliance, or location.
  • These controls apply only when users are on the corporate network, which keeps remote users flexible. All access attempts, successful or blocked, are logged for auditing and monitoring.
  • This mechanism helps organizations enforce collaboration boundaries, mitigate unauthorized access, and enhance data security.

Prerequisites

To configure tenant restrictions, you need the following:

  • Microsoft Entra ID P1 or P2
  • An account with at least the Security Administrator role
  • Windows devices running Windows 10 or Windows 11 with the latest updates

Implementation Steps

To implement this policy, the administrator must complete two key steps. First, create the tenant restriction policy in Microsoft Entra ID. Next, make sure the policy is enforced on all client devices.

Step 1: Create a Default TRv2 policy

Example: Configure a tenant restriction to prevent users from accessing external tenant applications on myforest4 organization’s devices and networks.

  1. To get started, sign in to the Entra Admin Portal with the Global or Security Admin role.
  2. Navigate to Identity -> External Identities -> Cross-tenant access settings -> Default Settings -> scroll to Tenant restrictions -> click Edit Tenant restrictions defaults -> click Create Policy. After creating the policy, you can see the Policy ID displayed under Tenant ID.
  3. Make a note of this policy ID now; you will need it later to enforce tenant restrictions on Windows client devices.
  4. Check the tabs “External Users and Groups” and “External Applications.” You will notice that everything is currently set to “All Blocked.”

Note:

  • When you create a Tenant Restriction (TRv2) policy in Entra ID, it automatically blocks access to all external tenants unless you explicitly permit specific ones.
  • Tenant restrictions are not enforced until you complete further setup to enable TRv2 client-side tagging, through Global Secure Access or Windows Group Policy Objects (GPO), on your managed devices and network.

Step 2: Create a TRv2 Policy for Partners

Example: Create a policy that allows users to access myforest5 (partner) tenant applications from the myforest4 organization’s devices and networks.

  1. Sign in to the Entra Admin Portal with the Global or Security Admin role.
  2. Add your partner organization to grant access.
    • To do that, select Add organization -> enter your partner’s Tenant ID or domain name.
  3. Once added, you can see that your partner organization is listed in the Organization Settings.
  4. After that, select the “Inherited from default” link under “Tenant restrictions” to stop the inherited policy from being applied to the “myforest5” organization. Then configure the settings to allow access to all myforest5 users and applications, as shown in the figure below.
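The decision flow from “How it Works” and the Step 1/Step 2 configuration above, modelled as a small Python simulation. This is an added example, not Microsoft’s implementation and not code from this post: the tenant and policy IDs are constructed placeholders, and the model’s fail-closed handling of an unknown tag is an assumption. The header name is the one the GPO/proxy tagging path adds to outbound requests; the evaluation logic is only a simplified stand-in for the service-side check.

```python
from dataclasses import dataclass, field

# Header the client-side tagging (GPO / proxy path) adds to outbound traffic; value is "<tenantId>:<policyId>".
POLICY_HEADER = "sec-Restrict-Tenant-Access-Policy"

# Constructed sample identifiers for this demo (not real tenant or policy IDs).
MYFOREST4, MYFOREST5, MSETLAB = "tid-myforest4", "tid-myforest5", "tid-msetlab"
POLICY_ID = "trv2-policy-0001"

@dataclass
class TenantRestriction:
    users_allowed: bool                     # "External users and groups" tab
    apps_allowed: bool                      # "External applications" tab
    allowed_apps: set = field(default_factory=set)  # explicit app IDs when apps_allowed is False

@dataclass
class TenantRestrictionPolicy:
    home_tenant: str
    policy_id: str
    default: TenantRestriction
    partners: dict = field(default_factory=dict)  # partner tenant ID -> TenantRestriction

    def effective(self, target_tenant):
        # A partner still marked "Inherited from default" has no entry and falls back to the default.
        return self.partners.get(target_tenant, self.default)

def build_demo_policy():
    """Step 1 (default: everything blocked) plus Step 2 (myforest5 users and apps allowed)."""
    default = TenantRestriction(users_allowed=False, apps_allowed=False)
    partners = {MYFOREST5: TenantRestriction(users_allowed=True, apps_allowed=True)}
    return TenantRestrictionPolicy(MYFOREST4, POLICY_ID, default, partners)

def parse_tag(headers):
    """Return (home_tenant, policy_id) from the tag header, or None when the request is untagged."""
    tag = headers.get(POLICY_HEADER, "")
    home, sep, policy = tag.partition(":")
    return (home.strip(), policy.strip()) if sep and home.strip() and policy.strip() else None

def evaluate(policy, headers, target_tenant, app_id):
    """Decide allow/block for a sign-in to target_tenant with app_id; returns (decision, reason)."""
    tag = parse_tag(headers)
    if tag is None:  # no tag: traffic did not come through a managed network/client, so TRv2 is not applied
        return "allow", "untagged request: TRv2 not applied"
    if tag != (policy.home_tenant, policy.policy_id):  # model assumption: an unknown tag fails closed
        return "block", "tag does not name this tenant's policy"
    if target_tenant == policy.home_tenant:
        return "allow", "sign-in to the home tenant is not restricted"
    rule = policy.effective(target_tenant)
    if not rule.users_allowed:
        return "block", f"external users and groups blocked for {target_tenant}"
    if not (rule.apps_allowed or app_id in rule.allowed_apps):
        return "block", f"application {app_id} blocked for {target_tenant}"
    return "allow", f"{target_tenant} permitted by partner settings"
```

Running `evaluate` for myforest5, msetlab and an untagged request reproduces the outcomes of Tests 1 to 3 below: the partner is allowed, the unapproved tenant is blocked, and off-network traffic is left alone.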

Step 3: Enable Universal Tenant Restrictions

We must enable this feature to enforce tenant restrictions policies for all Global Secure Access clients, such as devices, networks, and browsers. To enable this feature:

  1. Sign in to the Entra Admin Portal using the Global Admin or Security Admin role, then browse to Global Secure Access -> Settings -> Session Management -> turn on “Enable Tenant Restrictions for Entra ID (covering all cloud apps)”.

Step 4: Enable Global Secure Access signaling for Conditional Access

Our next step is to enable Global Secure Access signaling for Conditional Access, which will capture the original user source IP address and store it in Entra Sign-in logs. This will be useful for organizations that use cloud-based network proxies where resources don’t see the user’s real IP address.

This will make it easier for administrators to track user activity and investigate issues or security incidents. For example, you can see where a user is really located when they access a resource instead of just seeing the proxy’s IP.

To enable this feature, sign in to the Entra Admin Portal using the Global Admin or Security Admin role, then browse to Global Secure Access -> Settings -> Session Management -> select Adaptive access -> turn on “Enable CA Signaling for Entra ID (covering all cloud apps)”.

Step 5: Assign Microsoft Traffic Forwarding Profile to Users

To enforce TRv2 policies, we need to assign the Microsoft traffic forwarding profile to users running the Global Secure Access client. To do that, turn on the “Microsoft Traffic Profile” and add the users whose client devices you want the policy enforced on.

In this demo, I assign this policy to users running the global secure access clients on Windows 11 devices, not remote networks.

Step 6: Deploy Global Secure Access Client Software

To make this policy effective, we must install Global Secure Access client software on the Windows 10/11 machines. You can install it manually or through Intune. In this demo, I created an Intune app policy for the deployment. Please see the policy details in the video.

Step 7: Conditional Access Policy for GSA Clients

You can create a Conditional Access policy that allows Global Secure Access only for users on compliant devices. In this demo, I just allowed Windows 11 devices. Please watch the video for the Intune compliance policy and CA policy details.

Step 8: End User Experience

Before you test the policy, log in to a Windows 11 device and make sure that:

  • the user is using a corporate-managed device.
  • the user has the Microsoft Traffic Profile enabled.
  • the user is included in the device-compliance CA policy.
  • Global Secure Access connectivity is established.
  • the user can access their Microsoft 365 resources.

Test 1: Accessing Partner Resources

Please verify that your users can sign in with your partner account to access their resources from your corporate devices.

In this exercise, I will access myforest5 tenant resources from a myforest4 device. Watch the user experience in the video below.

Test 2: Accessing Unapproved Tenant Resources

Please verify that users are prevented from using some or all external apps while signing in with the external account on your network or devices.

In this exercise, I will try to access msetlab (unapproved) tenant resources from myforest4 devices. These access requests are denied according to our TRv2 policy.

Test 3: Try accessing outlook.com resources from your devices

Users cannot use their personal Outlook accounts to access Microsoft services. If they try, they will see an error message like the one below.

Step 9: Monitoring and Audit

The final step is to review the sign-in logs in the Entra Admin Portal. The following example shows a successful sign-in:

If sign-in fails, the Activity Details give information about the reason for failure:

Wrap Up

Tenant Restriction V2 is an important step forward in keeping cloud environments safe and secure. It allows organizations to set stricter rules on who can access their data, which helps prevent unauthorized access and protects sensitive information. This not only helps companies follow industry guidelines but also enhances their overall security.

Thank you for reading my post! If you enjoyed it, stay tuned for more great content. Don’t forget to like and subscribe to get updates on future posts!

Author: Muthu