Posted by: kurtsh | February 1, 2020

INFO: Restricting access to SaaS apps through Azure Active Directory (instead of IP/Domain filtering)

Are you interested in moving to, say, Exchange Online, but have challenges due to your security organization wanting to “whitelist almost every IP Address” and causing problems with things like configuring ADConnect?

The primary concern is usually around data exfiltration risks. The addition of the Tenant Restrictions feature should provide confidence in following our published IP/URL guidance:

Large organizations that emphasize security want to move to cloud services like Office 365, but need to know that their users can only access approved resources. Traditionally, companies restrict domain names or IP addresses when they want to manage access. This approach fails in a world where software as a service (or SaaS) apps are hosted in a public cloud, running on shared domain names. Blocking those shared addresses would keep users from accessing Outlook on the web entirely, instead of merely restricting them to approved identities and resources.

The Azure Active Directory (Azure AD) solution to this challenge is a feature called tenant restrictions. With tenant restrictions, organizations can control access to SaaS cloud applications, based on the Azure AD tenant the applications use for single sign-on. For example, you may want to allow access to your organization’s Office 365 applications, while preventing access to other organizations’ instances of these same applications. 

With tenant restrictions, organizations can specify the list of tenants that their users are permitted to access. Azure AD then only grants access to these permitted tenants.

This article focuses on tenant restrictions for Office 365, but the feature should work with any SaaS cloud app that uses modern authentication protocols with Azure AD for single sign-on.

Tenant Restrictions has the interesting side effect of uncovering shadow IT applications that have been operating. It’s important to prepare to respond to unknown business applications potentially breaking: some applications might have been sanctioned but never went through the proper internal registration, so Tenant Restrictions can create some noise. But it’s all about shining sunlight on potential exposures and protecting the company.
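To make the allow-list idea above concrete, and to show what the "noise" looks like when it surfaces, here is an added example (not code from the original post or from Microsoft). It models a permitted-tenant list, builds the two HTTP headers that a tenant-restrictions proxy configuration injects on Azure AD sign-in traffic (`Restrict-Access-To-Tenants` and `Restrict-Access-Context`), and triages a handful of constructed proxy log lines to report which non-permitted tenants were attempted and by which client application. The tab-separated log format, the tenant names and the directory ID are all invented for the example; they are not any real proxy's format or any real organization's values.

```python
"""Model of an Azure AD tenant-restrictions allow list plus a triage helper.

Constructed example. The log format below is invented for illustration and
is not the format of any particular proxy product.
"""
from collections import Counter, defaultdict
from urllib.parse import urlparse

# Tenants the organization has sanctioned (constructed values).
PERMITTED_TENANTS = ["contoso.onmicrosoft.com", "contoso.com"]
PERMITTED_TENANT_LOOKUP = {t.lower() for t in PERMITTED_TENANTS}

# Azure AD sign-in endpoints whose traffic the proxy decorates with the headers.
LOGIN_HOSTS = {"login.microsoftonline.com", "login.microsoft.com", "login.windows.net"}

# Tenant-agnostic endpoints: Azure AD resolves the real tenant later in the
# flow, so a proxy log line alone cannot tell which tenant was targeted.
TENANT_AGNOSTIC = {"common", "organizations", "consumers"}


def tenant_restriction_headers(permitted_tenants, directory_id):
    """Build the two headers a proxy injects on Azure AD sign-in requests.

    directory_id is the tenant ID that Azure AD logs the blocked attempts
    against; the caller supplies its own (a placeholder is used below).
    """
    return {
        "Restrict-Access-To-Tenants": ",".join(permitted_tenants),
        "Restrict-Access-Context": directory_id,
    }


def tenant_from_login_url(url):
    """Return the tenant segment of an Azure AD sign-in URL, or None.

    None is returned for non-sign-in hosts and for tenant-agnostic endpoints.
    """
    parsed = urlparse(url)
    if parsed.hostname not in LOGIN_HOSTS:
        return None
    segments = [s for s in parsed.path.split("/") if s]
    if not segments or segments[0].lower() in TENANT_AGNOSTIC:
        return None
    return segments[0].lower()


def is_permitted(tenant, permitted=PERMITTED_TENANT_LOOKUP):
    """Allow-list decision: only explicitly listed tenants are permitted."""
    return tenant is not None and tenant.lower() in permitted


def triage_proxy_log(lines, permitted=PERMITTED_TENANT_LOOKUP):
    """Group sign-in attempts to non-permitted tenants by tenant and client app.

    Each line is: timestamp TAB user TAB client-app TAB url (constructed format).
    The result tells the responder which unsanctioned tenants are in use and
    which applications are about to break once restrictions are enforced.
    """
    blocked = defaultdict(Counter)
    for line in lines:
        fields = line.rstrip("\n").split("\t")
        if len(fields) != 4:
            continue  # malformed line, skip rather than crash the triage
        _timestamp, _user, app, url = fields
        tenant = tenant_from_login_url(url)
        if tenant is None or is_permitted(tenant, permitted):
            continue
        blocked[tenant][app] += 1
    return {tenant: dict(apps) for tenant, apps in blocked.items()}


# Constructed proxy log lines: one sanctioned sign-in, three to foreign
# tenants, one via the tenant-agnostic 'common' endpoint, one unrelated host.
SAMPLE_LOG = [
    "2020-02-01T09:00:01Z\talice\tOutlook\thttps://login.microsoftonline.com/contoso.onmicrosoft.com/oauth2/v2.0/authorize",
    "2020-02-01T09:00:05Z\tbob\tBrowser\thttps://login.microsoftonline.com/fabrikam.onmicrosoft.com/oauth2/v2.0/authorize",
    "2020-02-01T09:00:09Z\tcarol\tBrowser\thttps://login.microsoftonline.com/fabrikam.onmicrosoft.com/oauth2/v2.0/token",
    "2020-02-01T09:00:12Z\tdave\tExpenseTool\thttps://login.microsoftonline.com/adventure-works.onmicrosoft.com/oauth2/authorize",
    "2020-02-01T09:00:15Z\talice\tOutlook\thttps://login.microsoftonline.com/common/oauth2/authorize",
    "2020-02-01T09:00:20Z\teve\tBrowser\thttps://example.com/login",
]

if __name__ == "__main__":
    # Placeholder directory ID; substitute your own tenant ID.
    print(tenant_restriction_headers(PERMITTED_TENANTS, "00000000-0000-0000-0000-000000000000"))
    for tenant, apps in triage_proxy_log(SAMPLE_LOG).items():
        print(f"non-permitted tenant {tenant}: {apps}")
```

Running the triage over the sample lines reports two attempts by the browser against `fabrikam.onmicrosoft.com` and one by an expense tool against `adventure-works.onmicrosoft.com`; the sign-in through the `common` endpoint is deliberately left out because the proxy log cannot attribute it to a tenant, which is why the Azure AD sign-in logs, not only the proxy logs, should be reviewed when chasing down the noise.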

Read more about Tenant Restrictions here:

