I’m pleased to announce the public preview of tenant restrictions version 2 (TRv2) across our commercial clouds!
With TRv2, you can enable safe and productive cross-company collaboration while containing data exfiltration risk. Tenant restriction settings enable you to control what external tenants your users can access from your devices or network using externally issued identities and provide granular access control on a per org, user, group, and application basis.
Tenant restriction is a much-awaited expansion of the previously released cross-tenant access settings for external collaboration. Together these provide the most granular control over your cross-company security and collaboration policies.
To tell you more about the support for TRv2, I’ve invited Vimala Ranganathan, Product Manager on Microsoft Entra, to walk you through the details.
Robin Goldstein (Twitter: @RobinGo_MS)
Partner Director of Product Management
Microsoft Identity Division
I’m Vimala from the Identity PM team, and I’m excited to walk you through Tenant Restrictions V2 (TRv2).
We’ve been hearing that data exfiltration is a big concern for our customers moving to M365 cloud services, especially those with a need to collaborate across organizational boundaries. TRv2 addresses those concerns by preventing information leaks due to token infiltration, anonymous access of external SharePoint online data, or anonymous join of external Teams meetings, and enables secure external collaboration.
Trv2 improves on current Tenant Restrictions which uses an on-premises proxy server with enforcement happening only during cloud authentication with Azure Active Directory (Azure AD). Tenant restrictions V2 let an organization admin control whether your users can access external applications from your network or devices using externally issued identities, including accounts issued by external organizations and accounts created in unknown tenants.
TRv2 uses a cloud policy and offers both authentication and data plane protection. It enforces policies during user authentication, and on data plane access with Exchange Online, SharePoint Online, Teams, and MSGraph.
Tenant Restrictions V2 (TRv2)
Unlike TRv1, TRv2 allows tenant admins to control which external tenants their users can access on org-owned devices and while on the organization’s network using externally issued identities.
For example, Alice is an employee of Contoso and does consulting work with Fabrikam. Fabrikam issues a user account to Alice to access Fabrikam resources. Alice needs to access Fabrikam resources while using the Contoso-issued device on Contoso’s network. Contoso admin Cathy wants to contain data exfiltration risk by blocking access for all other external identities from her organization devices except for enabling access to Alice’s Fabrikam account. The TRv2 capabilities allow Alice to work across org boundaries while giving Contoso full control.
Benefits of Tenant Restrictions V2 (TRv2)
TRv2 provides the following capabilities:
- Default policy configuration that applies to all the external tenants.
- Create partner-specific collaboration policies for external tenants.
- Control how externally issued user identities access other organizations.
- Limit access to only allow specific users and groups from specific organizations.
- Specify all apps or specific apps in external organizations you want your users to be able to access using identities issued by the external organizations.
- Disallowed tenant authentication requests are blocked by AAD – Auth plane protection.
- MS cloud services enforce TR policy on resource access – Data plane protection to protect against token infiltration.
- Blocks anonymous access to Teams meetings and blocks access to anonymously shared resources (“Anyone with the link”).
- Blocks access to external tenants, even if they allow Exchange Online basic auth.
- No overhead of managing corpnet proxies to add tenants to allow list Azure Active Directory (AAD) traffic.
- Portal UX support to set up cloud policy.
Setting up Tenant Restriction Policy
1. Set default TRv2 policy:
Let’s say Contoso wants to restrict how its users work with partners while using Contoso’s network and devices. Contoso admin Cathy first sets up a default policy that will be applied for all partner tenants. In the default policy, the admin blocks access to all partner tenants and all external users and groups.
2. Set up tenant-specific TRv2 policy:
Contoso admin Cathy will set up a specific partner policy for Fabrikam and allow only Alice to access certain applications like Office365 using Fabrikam identity.
3. Setting client-side TRv2 enablement on devices:
Cathy, the tenant Admin can set the Tenant ID and Policy ID of the TRv2 cloud policy in the Windows GPO policy details, and OS will then inject a reference to the TRv2 policy into outgoing requests to Microsoft from all of Contoso devices.
With the above setup, Contoso admin has blocked all access to external tenants using external identity from Contoso devices or network, and with Fabrikam partner-specific policy has allowed access only to Alice to Office365 apps on Fabrikam using Alice’s Fabrikam identity.
Know who is accessing external organizations’ resources from your device/network
Through the sign-in logs, Cathy the Contoso admin can see which external tenant the Contoso org users are using to access external organizations and getting blocked.
Please read the documentation to learn more about tenant restrictions v2 under cross-tenant access settings.
Learn more about Microsoft identity: