Enforcing Tenant Restrictions v2 on Windows Devices – Strengthening Microsoft Entra Security


How to Enable Tenant Restrictions v2 on Windows Managed Devices

Introduction

In previous blog posts (Microsoft Entra ID Tenant Restrictions V2: Enhanced Security for External Access Control, and Securing External Access with Universal Tenant Restrictions & Global Secure Access in Microsoft Entra ID) I demonstrated how to configure Universal Tenant Restrictions v2 as part of Microsoft Entra Global Secure Access. In this blog, I will show how to enforce Tenant Restrictions v2 policies on Windows-managed devices. While this approach offers several advantages, it has some limitations compared to Universal Tenant Restrictions v2.

Once a Tenant Restrictions v2 policy is created, it can be enforced on Windows 10 and Windows 11 devices by adding the Tenant ID and Policy ID to the device's Tenant Restrictions configuration. Unlike traditional methods, corporate proxies are not required for policy enforcement. Additionally, devices do not need to be Microsoft Entra ID-managed; domain-joined devices managed via Group Policy or Intune are also supported.


Key Considerations

Partial Protection: Tenant Restrictions v2 on Windows provides authentication and data plane protection for some scenarios. However, it does not cover .NET stack applications, Chrome, or Firefox.

Temporary Solution: This feature serves as a stopgap until you move to Universal Tenant Restrictions in Microsoft Entra Global Secure Access.

Group Policy Support: Deployment of the Tenant Restrictions configuration can be achieved using Group Policy.

Required Templates: Administrative Templates (.admx) for Windows 10 November 2021 Update (21H2) and relevant Group Policy settings are needed.

Testing Tenant Restrictions v2 on Windows

Ensure the device runs Windows 10 or Windows 11 with the latest updates.

Open the Group Policy Editor: Press the Windows key, type gpedit, and select Edit group policy.

Navigate to Computer Configuration > Administrative Templates > Windows Components > Tenant Restrictions.

In the right pane, right-click Cloud Policy Details and select Edit.
(Screenshot: Cloud Policy Details)

Enter the Microsoft Entra Directory ID and Policy GUID:

Tenant ID: Found in the Microsoft Entra admin center under Identity > Overview.

Policy GUID: The cross-tenant access policy ID.

Click OK to save the configuration.

(Screenshot: Cloud Policy Details GPO configuration)

The same policy can be deployed using either your domain GPO or Intune MDM; below is the Intune MDM policy configuration.

(Screenshot: Intune Cloud Policy configuration)
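For lab testing on a single machine, the PowerShell below writes the same two values the Cloud Policy Details setting takes (Tenant ID and Policy GUID) and reads them back so you can confirm what is actually configured. This is an added example, not code from the original post or from Microsoft. It assumes the Tenant Restrictions .admx template stores its values under HKLM\SOFTWARE\Policies\Microsoft\Windows\TenantRestrictions\Payload as cloudid, policyid and hostname; confirm those names against your copy of the template before relying on them. In production, deploy through GPO or Intune as described above, since a policy refresh will overwrite anything written by hand.

```powershell
# Added example (not from the original post): write and verify the Tenant Restrictions v2
# payload that the "Cloud Policy Details" Group Policy setting configures.
# ASSUMPTION: registry key and value names below match the Tenant Restrictions .admx template;
# verify against the template before using this outside a lab.
$script:TrPayloadKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\TenantRestrictions\Payload'

function Test-IsGuid {
    param([string]$Value)
    return $Value -match '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'
}

function Set-TenantRestrictionsV2Policy {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$TenantId,   # Microsoft Entra Directory ID
        [Parameter(Mandatory)][string]$PolicyId,   # cross-tenant access policy GUID
        [string]$Hostname = 'login.microsoftonline.com'
    )
    # Reject anything that is not a GUID before touching the registry; a typo here
    # silently leaves the device unprotected rather than producing an error.
    foreach ($g in @($TenantId, $PolicyId)) {
        if (-not (Test-IsGuid $g)) { throw "Not a GUID: $g" }
    }
    if ($PSCmdlet.ShouldProcess($script:TrPayloadKey, 'Write Tenant Restrictions v2 payload')) {
        if (-not (Test-Path $script:TrPayloadKey)) {
            New-Item -Path $script:TrPayloadKey -Force | Out-Null
        }
        Set-ItemProperty -Path $script:TrPayloadKey -Name 'cloudid'  -Value $TenantId -Type String
        Set-ItemProperty -Path $script:TrPayloadKey -Name 'policyid' -Value $PolicyId -Type String
        Set-ItemProperty -Path $script:TrPayloadKey -Name 'hostname' -Value $Hostname -Type String
    }
}

function Get-TenantRestrictionsV2Policy {
    # Returns $null when nothing is configured so a compliance check can report "not enforced".
    if (-not (Test-Path $script:TrPayloadKey)) { return $null }
    $p = Get-ItemProperty -Path $script:TrPayloadKey
    [pscustomobject]@{
        TenantId = $p.cloudid
        PolicyId = $p.policyid
        Hostname = $p.hostname
        Valid    = (Test-IsGuid $p.cloudid) -and (Test-IsGuid $p.policyid)
    }
}

# Usage (the GUIDs are the placeholder values from this post's proxy example; use your own):
# Set-TenantRestrictionsV2Policy -TenantId 'aaaabbbb-0000-cccc-1111-dddd2222eeee' `
#     -PolicyId '1aaaaaa1-2bb2-3cc3-4dd4-5eeeeeeeeee5' -WhatIf
# Get-TenantRestrictionsV2Policy
```

Run it from an elevated prompt; -WhatIf shows the write without performing it, and Get-TenantRestrictionsV2Policy is the check to run after a gpupdate to confirm the GPO or Intune values landed on the device.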

End User Experience

If you attempt to sign in with credentials from another tenant on this device, the following error screen will appear.
(Screenshot: Access Blocked page)
As you can see, the Global Secure Access client is not connected (it is currently in a disabled state), so the block is coming from our Group Policy configuration.

Blocking Chrome, Firefox, and .NET Applications (e.g., PowerShell)

The above policy will not block external tenant logins in Firefox, Chrome, or .NET applications. In such cases, firewall protection must be used in conjunction with Tenant Restrictions to prevent unprotected applications from accessing Microsoft resources:

Open the Group Policy Editor (gpedit.msc). Navigate to Computer Configuration > Administrative Templates > Windows Components > Tenant Restrictions.

Right-click Cloud Policy Details and select Edit. Tick Enable Firewall Protection for Microsoft Endpoints, then click OK.

(Screenshot: Cloud Policy Details with firewall protection enabled)


After enabling this setting, attempting to sign in using Chrome or other unprotected applications should fail with an Internet Access Blocked message.

(Screenshot: "Your Internet access is blocked" page)


Note: Before enabling firewall protection, ensure that an App Control for Business (WDAC) policy with the correct application tagging is applied to the target devices. Without this policy, enabling firewall protection will block all applications from accessing Microsoft endpoints. Additionally, this firewall setting is not supported on all Windows versions; refer to the Microsoft Documentation for the supported versions and for guidance on configuring WDAC with tenant restrictions.

Viewing Tenant Restrictions v2 Events

To monitor enforcement events:

Open Event Viewer. Navigate to Applications and Services Logs > Microsoft > Windows > Tenant Restrictions > Operational.
Review the logs for relevant events.
(Screenshot: Tenant Restrictions Operational log in Event Viewer)
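Clicking through Event Viewer works for one machine; for a fleet you want the same log queried from PowerShell. The following is an added example, not code from the original post or from Microsoft. It assumes the Operational log shown above has the internal name Microsoft-Windows-TenantRestrictions/Operational (the Event Viewer path is Microsoft > Windows > Tenant Restrictions > Operational); confirm the exact name with Get-WinEvent -ListLog '*TenantRestrictions*' before deploying.

```powershell
# Added example (not from the original post): pull Tenant Restrictions v2 enforcement events
# from the Operational log and summarize them by event ID.
# ASSUMPTION: the log name below is correct for your build; check with
#   Get-WinEvent -ListLog '*TenantRestrictions*'
function Get-TenantRestrictionsV2Events {
    param(
        [string]$LogName   = 'Microsoft-Windows-TenantRestrictions/Operational',
        [int]   $Hours     = 24,
        [int]   $MaxEvents = 500
    )
    $filter = @{ LogName = $LogName; StartTime = (Get-Date).AddHours(-$Hours) }
    try {
        $events = Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction Stop
    } catch {
        # Get-WinEvent throws both when the log does not exist and when it is simply empty;
        # an empty log after a test sign-in means the policy is not being applied.
        Write-Warning "No events read from ${LogName}: $($_.Exception.Message)"
        return @()
    }
    $events | ForEach-Object {
        [pscustomobject]@{
            Time    = $_.TimeCreated
            EventId = $_.Id
            Level   = $_.LevelDisplayName
            Message = ($_.Message -split "`r?`n")[0]   # first line only, for a compact table
        }
    }
}

function Get-TenantRestrictionsV2EventSummary {
    # Counts per event ID with one sample message each, a quick way to spot
    # whether blocks are firing and which event IDs to alert on centrally.
    param([int]$Hours = 24)
    Get-TenantRestrictionsV2Events -Hours $Hours |
        Group-Object EventId |
        Sort-Object Count -Descending |
        Select-Object @{ n = 'EventId'; e = { $_.Name } },
                      Count,
                      @{ n = 'Sample';  e = { $_.Group[0].Message } }
}

# Usage:
# Get-TenantRestrictionsV2EventSummary -Hours 48 | Format-Table -AutoSize
# Get-TenantRestrictionsV2Events -Hours 1 | Format-Table -AutoSize
```

Because Get-WinEvent accepts -ComputerName, the same functions can be pointed at a remote device once you add that parameter; forwarding this log to your SIEM is the longer-term answer if you want to alert on blocked sign-ins across the estate.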


Implementing Tenant Restrictions v2 via Corporate Proxy

Organizations can configure Tenant Restrictions v2 on corporate proxies to enforce sign-in restrictions across all devices and apps within the network. While this method does not provide data plane protection, it ensures authentication control.

Configuration Steps

If a previous Tenant Restrictions configuration is in place, stop sending restrict-msa to login.live.com to avoid conflicts.

Configure the following header in the proxy:

  • Header Name: sec-Restrict-Tenant-Access-Policy
  • Header Value Format: <TenantId>:<PolicyGuid>
  • Example: aaaabbbb-0000-cccc-1111-dddd2222eeee:1aaaaaa1-2bb2-3cc3-4dd4-5eeeeeeeeee5

Ensure the proxy forwards this header to:

  • login.live.com
  • login.microsoft.com
  • login.microsoftonline.com
  • login.windows.net

Important: Decrypting traffic to Microsoft authentication URLs (e.g., login.microsoftonline.com) is required for inserting the Tenant Restrictions header.
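Two details in the proxy setup are easy to get wrong: the header value has a strict TenantId:PolicyGuid shape, and the header should only be inserted for the four login hosts listed above, matched exactly rather than by suffix. The PowerShell below is an added example, not code from the original post or from any proxy vendor; it models the rule a proxy administrator would configure and is useful for checking your values before entering them in the proxy UI.

```powershell
# Added example (not from the original post): build the Tenant Restrictions v2 header
# and decide, per request host, whether a proxy rule should inject it.
$script:TrHeaderName = 'sec-Restrict-Tenant-Access-Policy'
$script:TrLoginHosts = @(
    'login.live.com',
    'login.microsoft.com',
    'login.microsoftonline.com',
    'login.windows.net'
)

function New-TenantRestrictionsHeader {
    param(
        [Parameter(Mandatory)][string]$TenantId,
        [Parameter(Mandatory)][string]$PolicyId
    )
    $guid = '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'
    if ($TenantId -notmatch $guid -or $PolicyId -notmatch $guid) {
        throw 'TenantId and PolicyId must both be GUIDs'
    }
    # Returns a hashtable in the shape most proxy/HTTP tooling expects for headers.
    return @{ $script:TrHeaderName = "${TenantId}:${PolicyId}" }
}

function Test-TenantRestrictionsTarget {
    # Exact, case-insensitive host match. A wildcard rule such as '*login.microsoftonline.com'
    # would also fire for a lookalike host like login.microsoftonline.com.example, so the
    # proxy rule should be written as an exact match, which this function mirrors.
    param([Parameter(Mandatory)][string]$RequestHost)
    $h = $RequestHost.Trim().ToLowerInvariant().TrimEnd('.')
    return [bool]($script:TrLoginHosts -contains $h)
}

# Usage (placeholder GUIDs from this post; replace with your own tenant and policy IDs):
# $hdr = New-TenantRestrictionsHeader -TenantId 'aaaabbbb-0000-cccc-1111-dddd2222eeee' `
#                                     -PolicyId '1aaaaaa1-2bb2-3cc3-4dd4-5eeeeeeeeee5'
# $hdr[$script:TrHeaderName]
# foreach ($host in 'login.microsoftonline.com', 'LOGIN.WINDOWS.NET', 'login.microsoftonline.com.example') {
#     '{0,-45} inject header: {1}' -f $host, (Test-TenantRestrictionsTarget $host)
# }
```

The third host in the usage loop returns False, which is the point: the proxy must inject the header only on the genuine Microsoft login hosts, and, as the note above says, it can only do so for traffic it decrypts.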

Tenant Restrictions v2 and Microsoft Teams (Preview)

By default, Microsoft Teams has open federation, meaning anyone can join an externally hosted meeting. Tenant Restrictions v2 helps enforce access control by preventing anonymous sign-ins and restricting externally issued identities.

Steps to Enforce Restrictions in Teams

  • Configure Tenant Restrictions v2 in Microsoft Entra cross-tenant access settings.
  • Set up Federation Controls in the Teams Admin portal.
  • Restart the Teams application to apply the changes.

Note: Tenant Restrictions v2 on a corporate proxy will not block anonymous access to Teams meetings, SharePoint files, or other unauthenticated resources.

Tenant Restrictions v2 and SharePoint Online (Preview)

Tenant Restrictions v2 applies protection on both authentication and data planes for SharePoint Online.

Authenticated Sessions: Unauthorized users are blocked at sign-in.

Anonymous Access: Users can access anonymous links if permitted under their tenant policy; otherwise, they are prompted for authentication.

Example: A user on a managed device with Tenant Restrictions v2 enabled for Tenant A can access anonymous links generated by Tenant A, but access to links from Tenant B will require authentication.

Tenant Restrictions v2 and OneDrive (Preview)

Similar to SharePoint Online, OneDrive enforces Tenant Restrictions v2 on both authentication and data planes.

Authenticated Sessions: Unauthorized access is blocked at sign-in.

Anonymous Access: Users with corporate identities can access shared files, while externally issued identities are blocked.

Not Supported

  • OneDrive for consumer accounts (onedrive.live.com) does not support Tenant Restrictions v2.
  • Legacy URLs (onedrive.live.com) may bypass policy enforcement.
  • As a workaround, block https://onedrive.live.com/ at the proxy level.

Conclusion

Tenant Restrictions v2 offers a robust method for controlling access to Microsoft services on Windows-managed devices. While it does not fully replace Universal Tenant Restrictions v2, it provides a temporary solution for organizations seeking immediate enforcement. By using Group Policy or a corporate proxy, administrators can configure access control based on their security requirements.
