Microsoft Entra ID Tenant Restrictions V2: Enhanced Security for External Access Control

Introduction

As organizations adopt Microsoft 365 and other cloud-based SaaS applications, securing user access to only approved resources becomes a critical challenge. Traditional methods, like blocking IPs or domain names, are ineffective in a cloud-first world where multiple tenants share public domains such as outlook.office.com and login.microsoftonline.com.

Microsoft Entra Tenant Restrictions V2 provides a powerful solution by allowing organizations to control access based on Entra tenants, ensuring users can only sign in to authorized environments. This feature enhances security by blocking unauthorized tenant access, preventing users from accessing external Microsoft 365 instances or consumer applications like OneDrive and Hotmail.

In this blog, we explore how Tenant Restrictions V2 strengthens security, supports compliance, and helps organizations enforce access policies across their cloud ecosystem.

Understanding Tenant Restrictions V2

Entra ID Tenant Restrictions V2
Image Source: Microsoft

Tenant Restrictions V2 allows organizations to limit what users can access when they sign in with an external account from corporate networks or managed devices. By enforcing a TRv2 policy, administrators can prevent unauthorized access to external tenants and mitigate risks such as data exfiltration, credential compromise, and the import of stolen tokens onto trusted devices.

How TRv2 Works

  1. Policy Configuration: Organizations define tenant restrictions in cross-tenant access settings and enforce them using TRv2 headers.
  2. Enforcement Mechanism: TRv2 policies can be enforced through Universal TRv2 (Global Secure Access), a corporate proxy, or directly on Windows devices.
  3. Authentication Plane Protection: Ensures that external sign-ins from unknown tenants are blocked.
  4. Data Plane Protection (Preview): Prevents anonymous access to SharePoint, Teams meetings, and unauthorized token-based access.

Key Security Features of TRv2

1. Authentication Plane Protection

TRv2 enforces policies at the authentication level to block users from signing into unauthorized external tenants. This is particularly useful for preventing:

  • Malicious insiders from signing into untrusted tenants to exfiltrate data.
  • Users from accessing external work accounts created outside organizational policies.

2. Data Plane Protection (Preview)

TRv2 extends security beyond authentication by preventing access attempts that bypass authentication, such as:

  • Anonymous Teams meeting joins.
  • SharePoint file access via anonymous links.
  • Importing stolen access tokens into a trusted device.

3. Multiple Enforcement Options

TRv2 offers flexible deployment options:

Universal Tenant Restrictions V2: Uses Global Secure Access to enforce policies across all platforms without requiring a corporate proxy.

Authentication Plane TRv2: Configured via a corporate proxy to enforce authentication controls.

Windows TRv2: Enforced directly on corporate-owned Windows devices, providing enhanced data protection.

Supported Scenarios

Tenant Restrictions v2 can be scoped to specific users, groups, organizations, or external apps, protecting apps built on the Windows networking stack. Supported scenarios include:

  • All Office apps (all versions/channels)
  • UWP (Universal Windows Platform) and .NET applications
  • Authentication protection for all apps using Microsoft Entra ID (Microsoft & third-party)
  • Data protection for SharePoint Online & Exchange Online
  • Anonymous access protection for SharePoint, OneDrive & Teams (with Federation Controls)
  • Authentication & data protection for Microsoft tenant/consumer accounts
  • Universal tenant restrictions in Global Secure Access: all browsers & platforms
  • Using Windows Group Policy: Microsoft Edge & all websites in Edge

Unsupported Scenarios

  • Blocking anonymous access to consumer OneDrive (can be blocked via proxy: https://onedrive.live.com/).
  • Accessing third-party apps (e.g., Slack) via anonymous links or non-Azure AD accounts.
  • Copying Entra ID tokens from a home to a work machine for third-party app access.
  • Per-user tenant restrictions for Microsoft Accounts.

Comparison: Tenant Restrictions V1 vs. V2

Policy Enforcement
  V1: The corporate proxy enforces the tenant restriction policy in the Microsoft Entra ID control plane.
  V2:
  • Universal tenant restrictions in Global Secure Access, which uses policy signaling to tag all traffic, providing both authentication and data plane support on all platforms.
  • Authentication plane-only protection, where the corporate proxy sets tenant restrictions v2 signals on all traffic.
  • Windows device management, where devices are configured to point Microsoft traffic to the tenant restriction policy, and the policy is enforced in the cloud.

Policy Enforcement Limitation
  V1: Manage corporate proxies by adding tenants to the Microsoft Entra traffic allowlist. The character limit of the header value in Restrict-Access-To-Tenants: <allowed-tenant-list> limits the number of tenants that can be added.
  V2: Managed by a cloud policy in the cross-tenant access policy. A default policy applies at the tenant level, and a partner policy is created for each external tenant.

Malicious Tenant Requests
  V1: Microsoft Entra ID blocks malicious tenant authentication requests to provide authentication plane protection.
  V2: Microsoft Entra ID blocks malicious tenant authentication requests to provide authentication plane protection.

Granularity
  V1: Limited to tenant and all Microsoft Accounts.
  V2: Tenant, user, group, and application granularity. (User-level granularity isn't supported with Microsoft Accounts.)

Anonymous Access
  V1: Anonymous access to Teams meetings and file sharing is allowed.
  V2: Anonymous access to Teams meetings is blocked. Access to anonymously shared resources ("Anyone with the link") is blocked.

Microsoft Accounts
  V1: Uses a Restrict-MSA header to block access to consumer accounts.
  V2: Allows control of Microsoft Accounts (MSA and Live ID) authentication on both the identity and data planes. For example, if you enforce tenant restrictions by default, you can create a Microsoft Accounts-specific policy that allows users to access specific apps with their Microsoft Accounts, such as:
  • Microsoft Learn (app ID 18fbca16-2224-45f6-85b0-f7bf2b39b3f3)
  • Microsoft Enterprise Skills Initiative (app ID 195e7f27-02f9-4045-9a91-cd2fa1c2af2f)

Proxy Management
  V1: Manage corporate proxies by adding tenants to the Microsoft Entra traffic allowlist.
  V2: For corporate proxy authentication plane protection, configure the proxy to set tenant restrictions v2 signals on all traffic.

Platform Support
  V1: Supported on all platforms. Provides only authentication plane protection.
  V2:
  • Universal tenant restrictions in Global Secure Access support any operating system, browser, or device form factor.
  • Corporate proxy authentication plane protection supports macOS, Chrome browser, and .NET applications.
  • Windows device management supports Windows operating systems and Microsoft Edge.

Portal Support
  V1: No user interface in the Microsoft Entra admin center for configuring the policy.
  V2: User interface available in the Microsoft Entra admin center for setting up the cloud policy.

Unsupported Apps
  V1: N/A
  V2: Block unsupported app use with Microsoft endpoints by using Windows Defender Application Control (WDAC) or Windows Firewall (for example, for Chrome, Firefox, etc.).

Table Source: Microsoft
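The "Policy Enforcement Limitation" and "Proxy Management" rows above are easiest to see side by side in code. The following is an added example (not Microsoft's code or this post's): it builds the v1 headers named in the table (Restrict-Access-To-Tenants carrying the whole allowlist, plus Restrict-MSA) and the documented v2 signal, sec-Restrict-Tenant-Access-Policy, whose value is only a tenant ID and policy ID pointer to the cloud policy. The table states that v1 is bounded by the header value's character limit without giving the size, so the limit is a parameter here rather than a hard-coded number; the tenant and policy IDs are constructed, and the set of sign-in hosts on which a proxy stamps the signal is reduced to the one host named in this post.

```python
"""Proxy signals for Tenant Restrictions v1 and v2 (added example, not Microsoft's code).

v1: the proxy carries the full allowlist in Restrict-Access-To-Tenants, so the
    number of tenants is bounded by the header length the proxy accepts.
v2: the proxy sends sec-Restrict-Tenant-Access-Policy: <tenantId>:<policyId>;
    the allowlist itself lives in the cross-tenant access cloud policy.
"""
import re
from typing import Dict, List, Optional, Tuple

GUID_RE = re.compile(
    r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I
)

# Sign-in host from the post; a real deployment covers every Entra sign-in
# endpoint (assumption: this example only lists the one host named above).
LOGIN_HOSTS = {"login.microsoftonline.com"}

V2_HEADER = "sec-Restrict-Tenant-Access-Policy"


class HeaderTooLong(ValueError):
    """Raised when the v1 allowlist no longer fits the proxy's header limit."""


def trv1_headers(allowed_tenants: List[str], max_header_len: int,
                 block_msa: bool = True) -> Dict[str, str]:
    """Build the v1 headers. max_header_len models the proxy's value limit
    (size not given in the post, so it is supplied by the caller)."""
    for tenant in allowed_tenants:
        # Entries are tenant IDs (GUIDs) or verified domain names.
        if not (GUID_RE.match(tenant) or "." in tenant):
            raise ValueError(f"not a tenant ID or domain: {tenant!r}")
    value = ",".join(allowed_tenants)
    if len(value) > max_header_len:
        raise HeaderTooLong(
            f"allowlist is {len(value)} chars, limit {max_header_len}: "
            "v1 cannot carry this many tenants in one header")
    headers = {"Restrict-Access-To-Tenants": value}
    if block_msa:
        headers["Restrict-MSA"] = "enabled"  # v1's separate consumer-account block
    return headers


def trv2_header(tenant_id: str, policy_id: str) -> Dict[str, str]:
    """Build the v2 signal: a fixed-size pointer, however many partners the
    cloud policy allows."""
    for name, value in (("tenant_id", tenant_id), ("policy_id", policy_id)):
        if not GUID_RE.match(value):
            raise ValueError(f"{name} must be a GUID, got {value!r}")
    return {V2_HEADER: f"{tenant_id}:{policy_id}"}


def apply_signal(host: str, request_headers: Dict[str, str],
                 signal: Dict[str, str]) -> Dict[str, str]:
    """Headers a proxy forwards for one request: the signal is stamped on
    sign-in traffic only, and any client-supplied copy of a signal header is
    dropped first so the proxy's policy pointer is the only one Entra sees."""
    signal_names = {k.lower() for k in signal}
    forwarded = {k: v for k, v in request_headers.items()
                 if k.lower() not in signal_names}
    if host.lower() in LOGIN_HOSTS:
        forwarded.update(signal)
    return forwarded


def parse_trv2(header_value: str) -> Optional[Tuple[str, str]]:
    """Split a v2 signal into (tenant_id, policy_id); None if malformed.
    Useful when auditing proxy logs for mis-stamped traffic."""
    parts = header_value.split(":")
    if len(parts) != 2 or not all(GUID_RE.match(p) for p in parts):
        return None
    return parts[0].lower(), parts[1].lower()


if __name__ == "__main__":
    # Constructed IDs, not real tenants or policies.
    tenant = "11111111-2222-3333-4444-555555555555"
    policy = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"
    print(trv1_headers(["contoso.example", tenant], max_header_len=200))
    print(apply_signal("login.microsoftonline.com", {"Host": "login.microsoftonline.com"},
                       trv2_header(tenant, policy)))
```

The HeaderTooLong path is the practical difference the table describes: with v1 the allowlist grows with every partner tenant until the proxy rejects the header, while the v2 value never changes size because partners are added to the cloud policy instead. Dropping client-supplied signal headers in apply_signal is a design choice for this example, so that the only policy pointer reaching Entra is the one the proxy inserted.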

Tenant Restrictions vs. Inbound and Outbound Access Controls

Although tenant restrictions are configured along with cross-tenant access settings, they operate separately from inbound and outbound access settings. Cross-tenant access settings give you control when users sign in with an account from your organization, whereas tenant restrictions give you control when users use an external account. Your inbound and outbound settings for B2B collaboration and B2B direct connect don’t affect (and are unaffected by) your tenant restrictions settings.

Key Differences in Cross-Tenant Access Settings

Inbound settings: Control external account access to your internal apps.
Outbound settings: Control internal account access to external apps.
Tenant restrictions: Control external account access to external apps.

Tenant Restrictions vs. B2B Collaboration Controls

When your users need access to external organizations and apps, enabling tenant restrictions to block external accounts while using B2B collaboration is recommended. B2B collaboration offers the ability to:

  • Use Conditional Access and enforce multi-factor authentication (MFA) for B2B users.
  • Manage inbound and outbound access effectively.
  • Terminate sessions and credentials when a B2B user's employment status changes or their credentials are compromised.
  • Use sign-in logs to view details about B2B collaboration users.

Prerequisites for Configuring Tenant Restrictions

To configure tenant restrictions, you need:
  1. Microsoft Entra ID P1 or P2 license
  2. An account with a Security Administrator role or higher
  3. Windows devices running Windows 10 or Windows 11 with the latest updates

Set Up Cloud Policy for Server-Side Tenant Restrictions v2

Step 1: Define Default Tenant Restrictions

Tenant restrictions v2 settings are managed in the Microsoft Entra admin center under Cross-tenant access settings. Start by configuring the default restrictions that apply to all users, groups, apps, and organizations. If specific partner configurations are needed, you can add partner organizations and customize settings accordingly.

To configure default tenant restrictions:
  1. Sign in to the Microsoft Entra admin center with Security Administrator privileges (the least-privileged role that can do this).
  2. Navigate to Identity > External Identities > Cross-tenant access settings.
  3. Open the Default settings tab.
  4. Scroll to the Tenant Restrictions section and click Edit Tenant Restrictions Defaults.

Entra ID Cross-tenant access settings

If no default policy exists in the tenant, a Create Policy link appears next to the Policy ID. Click this link.
Tenant Restrictions Create Policy Option

After creating the policy or if a default policy already exists, the Tenant Restrictions page displays your Tenant ID and Tenant Restrictions Policy ID. Use the copy icons to save these values for future Windows client configuration.

Tenant ID and Tenant Restrictions Policy ID


Select the External Users and Groups tab. Under Access Status, choose one of the following:

  • Allow Access: Permits all users with external accounts to access external apps (as specified on the External Applications tab).
  • Block Access: Denies all external users access to external apps.

Note: Default settings apply to all users and groups in the tenant. If blocking access for all users, ensure that external applications are also blocked under the External Applications tab.

TRv2 External Users and Groups

Select the External applications tab. Under Access status, choose one of the following:

  • Allow Access: Grants external users access to the specific apps listed in the Applies to section.
  • Block Access: Restricts external users from accessing the specific apps listed in the Applies to section.

Under Applies to, select one of the following:

  • All External Applications: Applies the selected Access Status action to all external applications. If blocking all external applications, you must also block access for all users and groups under the Users and Groups tab.
  • Select External Applications: Choose specific external applications for the Access Status action.

To add specific applications:
  1. Click Add Microsoft Applications or Add Other Applications.
  2. Search by application name or application ID (client or resource app ID).
  3. Select the application, and use Add to include more if needed (they appear in the Applications list).
  4. Click Submit to save the changes.
TRv2 Select External Applications

Step 2: Configure Tenant Restrictions v2 for Specific Partners

If tenant restrictions block access by default, you can still allow users to access specific apps with external accounts. For example, to allow Exchange Online access with an account from another (demo) Microsoft 365 tenant, follow these steps:

Example: Allow Demo M365 Tenant Account

  1. Sign in to the Microsoft Entra admin center as a Security Administrator or Conditional Access Administrator.
  2. Navigate to Identity > External Identities > Cross-tenant access settings.
  3. Select Organizational settings. If the organization is already listed, skip adding it and modify its settings instead.
  4. Click Add organization.

Cross-tenant access settings Add Organization

  5. In the Add Organization pane, enter the organization's full domain name or tenant ID.

Cross-tenant access settings Add Organization Tenant ID

Modifying Tenant Restrictions Settings

Locate the Organization

In the Organizational settings list, find the organization. Scroll to the Tenant Restrictions column.
TRv2 Organization Settings

Edit Restrictions

By default, settings are inherited from the default policy.
To modify, click Inherited from default under the Tenant Restrictions column.

Tenant Restrictions Page


Copy the Tenant ID and Policy ID for later use in Windows client configuration.

Customize Settings

Click Customize settings and go to the External Users and Groups tab. Under Access Status, choose one of the following:

  • Allow Access: Grants the specified users/groups access to external apps (listed under External Applications).
  • Block Access: Restricts the specified users/groups from accessing external apps.

For testing, we selected Allow Access applied to All Tenant Users and Groups.


Tenant restrictions external users and groups

Go to the External Applications tab and set Access Status to one of the following:

  • Allow Access: Grants users access to the specified external applications when using external accounts.
  • Block Access: Restricts users from accessing the specified external applications with external accounts.

Under Applies to, choose one of the following:

  • All External Applications: Applies the selected action to all external apps.
  • Select External Applications: Applies the action only to specific external apps.

In our example, we chose Allow Access for the Office 365 Exchange Online application only.

User granularity isn't supported for Microsoft Accounts, so Select <organization> users and groups isn't available for the MSA tenant. For other organizations, you can click Add external users and groups, add the users or groups by their object ID, and then click Submit.

The applications you selected are listed on the External applications tab. Select Save.

External Applications Allow Access
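Steps 1 and 2 together describe a layered policy: a tenant-level default, per-partner entries that are either "Inherited from default" or customized, and two tabs (External Users and Groups, External Applications) in each. The following is an added example, not Microsoft's evaluation engine or anything from this post, that models that layering so the configuration just built (default Block Access on everything; the demo partner allows all users but only the Exchange Online app) can be reasoned about before it is deployed. Two things are assumptions of this model: that an external-account sign-in is permitted only when both the users/groups scope and the applications scope allow it (drawn from the note that blocking all users requires also blocking all applications), and that "Block Access" with selected items leaves unselected items allowed, mirroring "Allow Access" with selected items. All tenant and app IDs are constructed placeholders.

```python
"""Model of tenant restrictions v2 policy layering (added example, not Microsoft's code)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Union

ALL = "all"

# Constructed placeholder IDs: not real tenant or application IDs.
DEMO_TENANT = "demo-m365-tenant-id"
EXO_APP = "exchange-online-app-id"
MSA_TENANT = "msa-tenant-id-placeholder"


@dataclass
class Scope:
    """One tab of the policy: Access Status plus its Applies to selection."""
    access: str                        # "allow" or "block"
    applies_to: Union[str, Set[str]]   # ALL, or the selected object/app IDs

    def permits(self, item_id: str) -> bool:
        covered = self.applies_to == ALL or item_id in self.applies_to
        # Assumption: items outside a "block" selection are allowed and
        # items outside an "allow" selection are blocked.
        return covered if self.access == "allow" else not covered


@dataclass
class TenantRestrictions:
    users: Scope   # External Users and Groups tab
    apps: Scope    # External Applications tab


@dataclass
class CrossTenantAccess:
    default: TenantRestrictions
    # Partner tenant ID -> customized settings; missing/None = "Inherited from default".
    partners: Dict[str, Optional[TenantRestrictions]] = field(default_factory=dict)

    def effective(self, external_tenant: str) -> TenantRestrictions:
        return self.partners.get(external_tenant) or self.default


def decide(policy: CrossTenantAccess, user_object_id: str,
           external_tenant: str, app_id: str) -> str:
    """Outcome for an internal user signing in to an external tenant's app
    with an external account: 'allow' or 'block'."""
    tr = policy.effective(external_tenant)
    if external_tenant == MSA_TENANT and tr.users.applies_to != ALL:
        # The post: user-level granularity isn't supported for Microsoft Accounts.
        raise ValueError("user-level granularity isn't supported for Microsoft Accounts")
    # Assumption: both scopes must allow the sign-in.
    ok = tr.users.permits(user_object_id) and tr.apps.permits(app_id)
    return "allow" if ok else "block"


def lint(policy: CrossTenantAccess) -> List[str]:
    """Flag the inconsistency the post warns about: blocking everything on one
    tab of the default policy while leaving the other tab open."""
    warnings = []
    d = policy.default
    users_block_all = d.users.access == "block" and d.users.applies_to == ALL
    apps_block_all = d.apps.access == "block" and d.apps.applies_to == ALL
    if users_block_all and not apps_block_all:
        warnings.append("default blocks all users but not all external applications")
    if apps_block_all and not users_block_all:
        warnings.append("default blocks all external applications but not all users")
    return warnings


def demo_policy() -> CrossTenantAccess:
    """The configuration walked through above: block by default, then allow the
    demo partner tenant for Exchange Online only."""
    default = TenantRestrictions(Scope("block", ALL), Scope("block", ALL))
    partner = TenantRestrictions(Scope("allow", ALL), Scope("allow", {EXO_APP}))
    return CrossTenantAccess(default, {DEMO_TENANT: partner})


if __name__ == "__main__":
    p = demo_policy()
    print(lint(p))                                              # []
    print(decide(p, "user-1", DEMO_TENANT, EXO_APP))            # allow
    print(decide(p, "user-1", DEMO_TENANT, "another-app-id"))   # block
    print(decide(p, "user-1", "unlisted-tenant-id", EXO_APP))   # block
```

Running lint before saving catches the case the note in Step 1 describes, and decide shows why the partner entry matters: an unlisted tenant inherits the default and is blocked even for Exchange Online, while the demo tenant is allowed only for the one selected app.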


Note: Blocking the MSA tenant does not prevent:
  • User-less device traffic, including Autopilot, Windows Update, and organizational telemetry.
  • B2B authentication for consumer accounts.
  • Passthrough authentication, used by Azure apps and Office.com to sign in consumer users via Microsoft Entra ID.

Conclusion

As organizations move to Microsoft 365, securing access to approved resources is crucial. Traditional IP or domain-based restrictions fail in a cloud-first world where SaaS apps share public domains.
Microsoft Entra Tenant Restrictions V2 ensures users can only access approved tenants, blocking unauthorized Microsoft 365 instances, external SaaS apps, and Microsoft consumer applications like OneDrive and Hotmail. By enforcing identity-based controls, organizations strengthen security, prevent unauthorized external tenant access, and protect corporate data across all Entra-authenticated apps.


For more details on configuring Tenant Restrictions V2 on client devices, stay tuned for my upcoming blogs covering:
  • Configuring client-side tenant restrictions V2 with Universal TRv2 as part of Microsoft Entra Global Secure Access.
  • Enabling tenant restrictions on Windows managed devices (preview).

