    Implement Microsoft Tenant Restriction with SSL Forward Proxy

    Subhojit Goswami
    • Validation Status: Validated
      Has Video?: No


    Author: Shruti Vijay Dhamale


    Many organizations enforce internet-access security policies that check destination IP addresses or domain names. As organizations move to cloud services such as Microsoft 365, these traditional access lists fail: the services are hosted in the public cloud and use shared domain names such as outlook.office.com and login.microsoftonline.com, so users can reach their personal resources through the same domain names. Blocking these addresses outright would keep users from accessing Outlook on the web entirely, instead of merely restricting them to approved identities and resources.


    To address this, Microsoft introduced a feature based on custom HTTP headers, called tenant restrictions, which lets administrators control which Microsoft tenants users can access. Two headers are inserted into requests sent to the Azure AD login endpoints:

    • Restrict-Access-To-Tenants takes a value of <permitted tenant list>, a comma-separated list of tenants. Any domain registered with a tenant can be used to identify the tenant in this list, as can the directory ID itself.
    • Restrict-Access-Context takes a single directory ID as its value, declaring which tenant is setting the tenant restrictions.

    NetScaler SSL Forward Proxy lets administrators apply SSL inspection at a granular level and so enforce security policies efficiently. By combining NetScaler's SSL interception feature with the Rewrite feature, administrators can implement Microsoft tenant restrictions in the few steps described below.


    Let’s get started.

    This guide assumes you have already deployed an SSL forward proxy in your environment and have confirmed that SSL interception and internet connectivity work as expected.

    Ensure that users can resolve and connect to the Office 365 URLs and IP addresses published by Microsoft.

    We then begin with the configuration specific to tenant restrictions:

    1. Create a pattern set (patset) listing the Azure AD URLs used for authentication.

    add policy patset PATSET_MS_Tenant_Restriction
    bind policy patset PATSET_MS_Tenant_Restriction login.windows.net -index 1
    bind policy patset PATSET_MS_Tenant_Restriction login.microsoft.com -index 2
    bind policy patset PATSET_MS_Tenant_Restriction login.microsoftonline.com -index 3

    2. Configure an SSL policy that intercepts connections whose Client Hello SNI matches this patset.

    add ssl policy SSLPOLICY_MS_Tenant_Restrction -rule "CLIENT.SSL.CLIENT_HELLO.SNI.EQUALS_ANY(\"PATSET_MS_Tenant_Restriction\")" -action INTERCEPT

    3. Configure two Rewrite actions and policies to insert the HTTP headers Restrict-Access-To-Tenants and Restrict-Access-Context. The header values shown here (domain.com, domain.onmicrosoft.com, xxx-xxx-xxx and the directory ID) are placeholders; replace them with your own permitted tenant list and directory ID.

    add rewrite action RWACTION_MS_Tenant_Restriction_1 insert_http_header Restrict-Access-To-Tenants "\"domain.com,domain.onmicrosoft.com,xxx-xxx-xxx\""
    add rewrite action RWACTION_MS_Tenant_Restriction_2 insert_http_header Restrict-Access-Context "\"456ff232-35l2-5h23-b3b3-3236w0826f3d\""
    add rewrite policy RWPOLICY_MS_Tenant_Restrction_1 "HTTP.REQ.HOSTNAME.EQUALS_ANY(\"PATSET_MS_Tenant_Restriction\")" RWACTION_MS_Tenant_Restriction_1
    add rewrite policy RWPOLICY_MS_Tenant_Restrction_2 "HTTP.REQ.HOSTNAME.EQUALS_ANY(\"PATSET_MS_Tenant_Restriction\")" RWACTION_MS_Tenant_Restriction_2

    4. Bind the policies to the SSL proxy vserver. Ensure the policies do not conflict with existing policies. The SSL policy is bound by the name it was created with in step 2, and the first rewrite policy uses -gotoPriorityExpression NEXT so that evaluation continues to the second policy and both headers are inserted.

    bind ssl vserver PROXYVSRV_Explicit_Citrixdemo -policyName SSLPOLICY_MS_Tenant_Restrction -priority 100 -type INTERCEPT_REQ
    bind cs vserver PROXYVSRV_Explicit_Citrixdemo -policyName RWPOLICY_MS_Tenant_Restrction_1 -priority 100 -gotoPriorityExpression NEXT -type REQUEST
    bind cs vserver PROXYVSRV_Explicit_Citrixdemo -policyName RWPOLICY_MS_Tenant_Restrction_2 -priority 110 -gotoPriorityExpression END -type REQUEST


    Microsoft tenant restriction should now be active. If the configuration is in place correctly, a packet trace shows the headers being inserted into the request sent from the NetScaler SNIP to the Microsoft servers.

    • The request sent by the client to the proxy vserver carries no information about the tenants the client is allowed to access.

    • When the same request is sent from the SNIP on the NetScaler to the Microsoft servers, the rewrite policies take effect and the two headers appear in the trace.
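    The following Python script is an added example, not part of the original article or of NetScaler itself. It models the rewrite step configured above (insert both headers only when the request hostname is in the patset) and then checks a request the way you would check the SNIP-side packet trace: the headers must be present and well-formed on the authentication hosts, and absent everywhere else. The hostnames are the three from the patset; the tenant list and the directory ID are placeholders, as on the page, and the sample requests are constructed.

```python
import uuid

# Constructed values that mirror the NetScaler configuration on this page.
# The tenant list and directory ID are placeholders, not real tenants.
AUTH_HOSTS = {"login.windows.net", "login.microsoft.com", "login.microsoftonline.com"}
PERMITTED_TENANTS = "domain.com,domain.onmicrosoft.com,xxx-xxx-xxx"
CONTEXT_DIRECTORY_ID = "00000000-0000-4000-8000-000000000000"  # placeholder GUID

HEADER_TENANTS = "Restrict-Access-To-Tenants"
HEADER_CONTEXT = "Restrict-Access-Context"


def parse_request(raw):
    """Split a raw HTTP/1.1 request into (request line, {lowercased header: value}, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def request_host(headers):
    """Hostname from the Host header with any port stripped, as HTTP.REQ.HOSTNAME sees it."""
    return headers.get("host", "").split(":")[0].lower()


def apply_tenant_restriction(raw):
    """Model the two rewrite policies: when the request hostname is in the
    patset, insert both tenant-restriction headers; otherwise pass through."""
    _, headers, _ = parse_request(raw)
    if request_host(headers) not in AUTH_HOSTS:
        return raw
    head, _, body = raw.partition(b"\r\n\r\n")
    inserted = (f"{HEADER_TENANTS}: {PERMITTED_TENANTS}\r\n"
                f"{HEADER_CONTEXT}: {CONTEXT_DIRECTORY_ID}\r\n").encode()
    return head + b"\r\n" + inserted + b"\r\n" + body


def check_tenant_headers(raw):
    """Verify a request captured on the SNIP side. Returns a list of findings;
    an empty list means both headers are present and well-formed for an
    authentication host, and absent for any other host."""
    _, headers, _ = parse_request(raw)
    host = request_host(headers)
    tenants = headers.get(HEADER_TENANTS.lower())
    context = headers.get(HEADER_CONTEXT.lower())
    findings = []
    if host not in AUTH_HOSTS:
        # The patset only lists login endpoints; headers elsewhere mean the policy matches too broadly.
        if tenants is not None or context is not None:
            findings.append(f"tenant-restriction headers inserted for non-auth host {host}")
        return findings
    if tenants is None:
        findings.append(f"missing {HEADER_TENANTS}")
    elif any(not t.strip() for t in tenants.split(",")):
        findings.append(f"{HEADER_TENANTS} has an empty entry")
    if context is None:
        findings.append(f"missing {HEADER_CONTEXT}")
    else:
        try:
            uuid.UUID(context)  # the context must be a single directory ID (GUID)
        except ValueError:
            findings.append(f"{HEADER_CONTEXT} is not a directory ID (GUID): {context}")
    return findings


# Constructed sample traffic: what the client sends to the proxy vserver.
CLIENT_REQUEST = (b"GET /common/oauth2/authorize HTTP/1.1\r\n"
                  b"Host: login.microsoftonline.com\r\n"
                  b"User-Agent: constructed-sample/1.0\r\n"
                  b"\r\n")
NON_AUTH_REQUEST = (b"GET / HTTP/1.1\r\n"
                    b"Host: outlook.office.com\r\n"
                    b"\r\n")

if __name__ == "__main__":
    print("client side:", check_tenant_headers(CLIENT_REQUEST))
    proxied = apply_tenant_restriction(CLIENT_REQUEST)
    print(proxied.decode())
    print("SNIP side:", check_tenant_headers(proxied))
```

    Feeding the checker a request that still carries a placeholder directory ID (such as the non-hexadecimal sample value in step 3) reports it as not being a GUID, which catches a configuration copied from the example without the values being replaced.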


