The above snapshot summarizes what “Azure AD: Tenant Restrictions” does: it prevents external parties from using your corporate network to access their own Office 365 services (through shared endpoints such as Exchange Online’s outlook.office.com, which every customer uses) and potentially leak data.
More specifically, tenant restrictions give customers enhanced control over access to SaaS cloud applications. Admins can now restrict employees on the corporate network to using only Azure AD identities in tenants the organization has approved.
Taken from the Enterprise Mobility and Security Blog:
Companies that want to move their employees to SaaS apps like Office 365 are sometimes worried about opening their networks to information leaks. If users can access Office 365 with their corporate identity, they can also access these same services with other identities.
Before cloud services, network admins could simply block access to unwanted apps or websites by blocking their URL or IP address. This is no longer an option with SaaS apps, where a single endpoint (like outlook.office.com) is used by all consumers of the SaaS app.
Our solution for this common IT challenge is Tenant Restrictions. This new feature enables organizations to control access based on the Azure AD tenant the applications use for single sign-on. For example, you can use Tenant Restrictions to allow access to your organization’s Office 365 applications, while preventing access to other organizations’ instances of these same applications.
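The mechanism behind the feature, as an added illustration that is not code from this post or from Microsoft: the corporate proxy inserts the Restrict-Access-To-Tenants and Restrict-Access-Context headers on every request to the Azure AD sign-in endpoints, and Azure AD then issues tokens only for tenants in that list (this header mechanism is documented, but is not described on this page). The tenant names, directory ID, log format and sample log lines are constructed placeholders.

```python
"""Proxy-side enforcement point for Azure AD Tenant Restrictions, plus an
audit over proxy logs for sign-in traffic that slipped through unrestricted."""
from dataclasses import dataclass, field

# Azure AD sign-in endpoints on which the proxy must set the headers (assumed list).
LOGIN_HOSTS = {"login.microsoftonline.com", "login.microsoft.com", "login.windows.net"}

ALLOWED_TENANTS = ["contoso.com", "contoso.onmicrosoft.com"]  # constructed
CONTEXT_TENANT_ID = "00000000-0000-0000-0000-000000000000"   # placeholder directory ID


@dataclass
class Request:
    host: str
    path: str
    headers: dict = field(default_factory=dict)


def apply_tenant_restrictions(req: Request) -> Request:
    """Proxy policy: set the restriction headers only on sign-in traffic.

    Any client-supplied copy of the headers is overwritten, so a user on the
    corporate network cannot widen the allow-list from their own machine."""
    if req.host.lower() in LOGIN_HOSTS:
        req.headers["Restrict-Access-To-Tenants"] = ",".join(ALLOWED_TENANTS)
        req.headers["Restrict-Access-Context"] = CONTEXT_TENANT_ID
    return req


# Constructed proxy log lines: "host path header=value;header=value".
SAMPLE_LOG = [
    "login.microsoftonline.com /common/oauth2/authorize "
    "Restrict-Access-To-Tenants=contoso.com;Restrict-Access-Context=" + CONTEXT_TENANT_ID,
    "login.microsoftonline.com /fabrikam.com/oauth2/authorize User-Agent=Mozilla",
    "outlook.office.com /owa/ User-Agent=Mozilla",
]


def unrestricted_signins(log_lines):
    """Return sign-in requests that reached Azure AD without the restriction
    header, e.g. from a path that bypassed the proxy or a misconfigured rule."""
    findings = []
    for line in log_lines:
        host, path, *rest = line.split(" ", 2)
        headers = {}
        for kv in (rest[0].split(";") if rest and rest[0] else []):
            name, _, value = kv.partition("=")
            headers[name] = value
        if host.lower() in LOGIN_HOSTS and "Restrict-Access-To-Tenants" not in headers:
            findings.append(host + path)
    return findings
```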
Visit the Enterprise Mobility & Security blog for more details:
- BLOG: New enhanced access controls in Azure AD: Tenant Restrictions is now Generally Available!