Securing External Access with Universal Tenant Restrictions & Global Secure Access in Microsoft Entra ID


Prevent Data Exfiltration with Microsoft Entra ID: Universal Tenant Restrictions & Global Secure Access

In my previous blog, Microsoft Entra ID Tenant Restrictions V2: Enhanced Security for External Access Control, I covered the fundamentals of Tenant Restrictions V2 (TRv2) and its role in securing external access.

This follow-up dives deeper into Universal Tenant Restrictions, focusing on client-side configurations and their impact on real-world scenarios.

Understanding Universal Tenant Restrictions

Universal Tenant Restrictions extend Tenant Restrictions V2 by using Microsoft Entra Global Secure Access to apply consistent security controls across all network traffic, regardless of:

  • The operating system (Windows, macOS, Linux, etc.)
  • The browser (Edge, Chrome, Firefox, etc.)
  • The device type (PCs, mobile devices, tablets)

This enhancement allows organizations to enforce tenant restrictions across both client and remote network connections without requiring complex proxy server configurations.

Key Benefits

  • Simplifies Policy Enforcement: Eliminates the need for manual proxy settings and network reconfigurations.
  • Extends Security Across Platforms: Works across any device and operating system with Global Secure Access client or Remote Networks.
  • Prevents Unauthorized Access: Ensures users can only authenticate to approved external tenants, reducing the risk of data exfiltration.

How Universal Tenant Restrictions Work

When enabled, Global Secure Access adds Tenant Restrictions V2 policy metadata to authentication-related network traffic, including:

  • Microsoft Entra ID authentication traffic
  • Microsoft Graph API requests

This ensures that only authorized external tenants can be accessed from within the organization, preventing unauthorized data access across all applications integrated with Microsoft Entra ID SSO.

Enforcement Scenarios

Universal Tenant Restrictions enforce security policies across browsers, devices, and networks through:

1. Microsoft Entra ID & Microsoft Account Authentication

  • Ensures authentication requests comply with Tenant Restrictions V2 policies.
  • Works across all Microsoft Entra-integrated third-party apps.

2. Microsoft Graph API Protection

  • Prevents unauthorized data access via imported authentication artifacts (e.g., stolen access tokens).
  • Ensures attackers cannot replay authentication tokens from another device to bypass security policies.

Enforcement Points: Authentication and Data Plane Protection

Universal Tenant Restrictions apply policy enforcement at two levels:

1. Authentication Plane (Microsoft Entra ID & Microsoft Accounts)

At the authentication plane, enforcement occurs when a user attempts to sign in with Microsoft Entra ID or a Microsoft Account:

If the user is connecting through Global Secure Access (client or remote network), Tenant Restrictions V2 policies determine whether authentication should proceed.

Scenario-based enforcement:

  • Allowed: The user signs in to their organization’s tenant (no restrictions applied).
  • Blocked: The user attempts to sign in to an unauthorized external tenant (policy enforcement applied).

Applies to all applications integrated with Microsoft Entra ID or Microsoft Accounts.

2. Data Plane (Microsoft Graph Protection)

At the data plane, Universal Tenant Restrictions protect Microsoft Graph API traffic:

  • Prevents unauthorized access tokens from being replayed across different devices.
  • Blocks unauthorized data exfiltration, ensuring security policies apply beyond authentication.
  • Applies across all devices and browsers, preventing cross-device security bypass attempts.

Prerequisites for Enabling Universal Tenant Restrictions

Before enabling Universal Tenant Restrictions, ensure that the following prerequisites are met:

1. Role & Licensing Requirements

  • Global Secure Access Administrator role is required to manage Global Secure Access features.
  • Global Secure Access License must be available in your tenant.

2. Network & Policy Configurations

  • Microsoft Traffic Profile must be enabled.
  • FQDNs/IP addresses of services requiring Universal Tenant Restrictions must be set to ‘Tunnel’ mode.
  • Global Secure Access clients must be deployed, or Remote Network connectivity must be configured.
  • Tenant Restrictions V2 policies must be configured, including:
    • Default tenant restrictions
    • Partner-specific restrictions (as covered in my previous blog)


Enabling Global Secure Access Signaling for Tenant Restrictions

Once Tenant Restrictions V2 policies are configured, administrators must enable Global Secure Access enforcement to activate Universal Tenant Restrictions.

Step-by-Step Configuration

  1. Sign in to the Microsoft Entra admin center as a Global Secure Access Administrator.
  2. Navigate to Global Secure Access > Settings > Session Management > Universal Tenant Restrictions.
  3. Toggle Enable Tenant Restrictions for Entra ID (applies to all cloud applications).

Entra ID Universal Tenant Restrictions

Setting Up Cloud Policy for Server-Side Tenant Restrictions V2

For a detailed guide on configuring Cloud Policy for Server-Side Tenant Restrictions V2, you can refer to my previous blog:
🔗 Microsoft Entra ID Tenant Restrictions V2: Enhanced Security for External Access Control.

As part of our testing phase, we have configured Tenant Restrictions V2 to block all external tenant logins from corporate-managed devices (with Global Secure Access). This setup ensures that only authorized Microsoft Entra tenants can be accessed, effectively preventing unauthorized external authentication and reducing the risk of data exfiltration.

Tenant restrictions - Tenant restriction settings

Tenant Restrictions V2 policies are not enforced when a user (including a guest user) accesses resources within the same tenant where the policies are configured. These policies are only evaluated when an identity from a different tenant attempts to sign in or access resources.
For example, if a Tenant Restrictions V2 policy is configured in the contoso.com tenant to block all organizations except fabrikam.com, the policy enforcement will follow these rules:

User                                | Type   | Tenant         | TRv2 Policy Processed? | Authenticated Access Allowed?     | Anonymous Access Allowed?
alice@contoso.com                   | Member | contoso.com    | No (Same Tenant)       | Yes                               | No
alice@fabrikam.com                  | Member | fabrikam.com   | Yes                    | Yes (Tenant Allowed by Policy)    | No
bob@northwinds.com                  | Member | northwinds.com | Yes                    | No (Tenant Not Allowed by Policy) | No
bob_northwinds.com#EXT#@contoso.com | Guest  | contoso.com    | No (Guest User)        | Yes                               | No
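The evaluation rules in the table, written out as a small simulator so any UPN can be checked against a policy tenant and its allow list. This is an added example, not code from the original post or from Microsoft; the policy tenant (contoso.com), the allow list and the user names are the constructed scenario above, and the guest-UPN detection relies on the "#EXT#" marker Entra puts in guest user principal names.

```python
from dataclasses import dataclass

GUEST_MARKER = "#EXT#"  # guest UPNs look like "bob_northwinds.com#EXT#@contoso.com"

@dataclass(frozen=True)
class Decision:
    policy_processed: bool       # "TRv2 Policy Processed?"
    authenticated_allowed: bool  # "Authenticated Access Allowed?"
    anonymous_allowed: bool      # "Anonymous Access Allowed?" (No in every row of the table)
    reason: str

def presented_tenant(upn: str) -> str:
    """Tenant of the identity that signs in. A guest presents the resource tenant
    it was invited into (the part after '@'), not its home tenant."""
    return upn.rsplit("@", 1)[1].lower()

def evaluate_trv2(upn: str, policy_tenant: str, allowed_tenants: set[str]) -> Decision:
    """Apply the rules in the table: identities of the policy tenant itself
    (members and guests) are never evaluated; identities from another tenant
    are evaluated and pass only if that tenant is on the allow list."""
    tenant = presented_tenant(upn)
    if tenant == policy_tenant.lower():
        why = "Guest User" if GUEST_MARKER in upn else "Same Tenant"
        return Decision(False, True, False, f"No ({why})")
    if tenant in {t.lower() for t in allowed_tenants}:
        return Decision(True, True, False, "Yes (Tenant Allowed by Policy)")
    return Decision(True, False, False, "No (Tenant Not Allowed by Policy)")

def evaluate_all(upns, policy_tenant, allowed_tenants):
    """Evaluate a batch of UPNs; returns {upn: Decision}."""
    return {u: evaluate_trv2(u, policy_tenant, allowed_tenants) for u in upns}

if __name__ == "__main__":
    # The scenario above: the policy lives in contoso.com and only fabrikam.com is allowed.
    rows = evaluate_all(["alice@contoso.com", "alice@fabrikam.com", "bob@northwinds.com",
                         "bob_northwinds.com#EXT#@contoso.com"], "contoso.com", {"fabrikam.com"})
    for upn, d in rows.items():
        print(f"{upn:36} processed={d.policy_processed!s:5} "
              f"authenticated={d.authenticated_allowed!s:5} {d.reason}")
```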

Validating User Access with Tenant Restrictions V2

My demo tenant is configured with a Tenant Restrictions V2 policy within its cross-tenant access settings to block all external accounts and external applications. This policy is enforced through Global Secure Access Universal Tenant Restrictions, ensuring strict access control across all authentication and data interactions.

Tenant restrictions v2 Access Flow

Scenario: Enforcing Universal Tenant Restrictions

1. User Access Attempt

A user on a managed device in my demo tenant attempts to access the Exchange Online application using an unauthorized external identity.

M365 Sign-in page

2. Authentication Plane Protection

Microsoft Entra ID blocks authentication attempts from unsanctioned external accounts, preventing unauthorized users from signing into external tenants.
If a Microsoft Graph access token is obtained on another device and later introduced into my Demo Tenant environment within its valid lifetime, it cannot be replayed on my Demo Tenant devices using Global Secure Access clients or Remote Networks.
Tenant Restrictions Access Block Page


3. Data Plane Protection

Even if an access token for Microsoft Graph is obtained from an external device and then used in my demo tenant, my tenant's enforcement prevents the token from being reused within its network.
Global Secure Access ensures that unauthorized tokens cannot be replayed from my demo tenant's devices or networks, mitigating potential security breaches.
By leveraging Universal Tenant Restrictions, my demo tenant strengthens security across both the authentication and data access layers, effectively preventing unauthorized external access and data exfiltration.

3.1 Testing Data Plane Protection in My Tenant

As part of my validation process, I am going to test Universal Tenant Restrictions (UTR) Data Plane Protection in my Microsoft Entra tenant. Below are the steps I will follow:

Step 1: Disable Universal Tenant Restrictions Signaling

  • Ensure that Universal Tenant Restrictions signaling is turned off in Global Secure Access settings.

Enable Tenant Restrictions for Entra ID (covering all cloud apps)

Step 2: Access Graph Explorer with an External Identity

  • Open Graph Explorer.
  • Sign in using an identity from a tenant that is different from my demo tenant, and ensure this tenant is not allow-listed in my Tenant Restrictions V2 policy.
  • To avoid session conflicts, I may need to use a private/incognito window, or log out of my primary Microsoft Entra account before signing in with the external identity.

Graph Explorer Login

Step 3: Capture Network Logs in Developer Tools

  • With Graph Explorer open, I will launch Developer Tools (press F12 in the browser).
  • Start capturing network logs while navigating SharePoint.
  • Ensure that the "Preserve log" option is checked before continuing.
  • If the setup is correct, I should see HTTP requests returning status 200, indicating that access is functioning normally.

Browser Network capture using Developer Tools

SharePoint Access Network capture

Step 4: Enable Universal Tenant Restrictions

  • Go to Microsoft Entra admin center → Global Secure Access → Session Management → Universal Tenant Restrictions.
  • Enable Universal Tenant Restrictions to enforce access policies.

Enable Tenant Restrictions for Entra ID (covering all cloud apps)

Step 5: Observe the Effect of Policy Enforcement

  • In the same browser window (where Graph Explorer is open), wait for a few minutes.
  • The browser may automatically refresh as new policies are applied in the background.
  • If the browser does not refresh within a couple of minutes, I will manually refresh the page or try to open a SharePoint site.
  • The external tenant user should now see an access blocked message, indicating enforcement of Universal Tenant Restrictions:

❌ Access is blocked

"The <Tenant name> IT department has restricted which organizations can be accessed. Contact the <Tenant name> IT department to gain access."

In Developer Tools (F12) → Network tab, look for a response with status 302, indicating that Universal Tenant Restrictions have been applied.

Universal Tenant Restrictions, Access is blocked


Known Limitations of Universal Tenant Restrictions

If Universal Tenant Restrictions is enabled and you attempt to access the Microsoft Entra admin center for a tenant that is on the allow list, you may encounter an "Access Denied" error.

How to Resolve the Access Denied Error

To work around this issue, add the following feature flag to the Microsoft Entra admin center URL:
?feature.msaljs=true&exp.msaljsexp=true

Example Scenario
  • Suppose you work for Contoso, and Fabrikam (a partner tenant) is on the allowlist.
  • When trying to access the Microsoft Entra admin center for Fabrikam, you may see the "Access Denied" message.
  • If you encounter the error when accessing https://entra.microsoft.com/, modify the URL as follows:
https://entra.microsoft.com/?feature.msaljs%253Dtrue%2526exp.msaljsexp%253Dtrue#home

Additional Known Limitations

Universal Tenant Restrictions may have other known issues affecting specific scenarios. For the most up-to-date information on these limitations, refer to:
🔗 Known Limitations for Global Secure Access 

Conclusion

Universal Tenant Restrictions enhance Microsoft Entra ID Tenant Restrictions V2 by simplifying enforcement across all platforms, eliminating the need for complex proxy configurations, and ensuring security policies apply consistently across authentication and data access points.

By leveraging Global Secure Access, organizations can:

  1. Prevent unauthorized external tenant access.
  2. Protect against cross-device data exfiltration.
  3. Enforce consistent authentication policies across any network, browser, or device.

For a deeper dive into configuring Tenant Restrictions V2, check out my previous blog:
🔗 Microsoft Entra ID Tenant Restrictions V2: Enhanced Security for External Access Control
