Can Tenant Outbound Settings be used for enforcing tenant restrictions for internal accounts in unauthorized B2B tenants?

JeffJerousek 1 Reputation point
2023-12-20T23:30:24.72+00:00

We need to prevent internal users from joining or creating unauthorized B2B tenants that bypass internal security and compliance requirements. We are concerned about unauthorized usage of Microsoft 365 apps or Azure in such B2B tenants. We want to avoid supporting different secure client endpoints and creating remote networks as they are too complex for our needs. Is it possible to use Tenant Outbound Settings to enforce tenant restrictions instead of using global secure clients or remote networks?

1 answer

  1. JamesTran-MSFT 36,476 Reputation points Microsoft Employee
    2023-12-21T00:26:40.73+00:00

    @JeffJerousek

    Thank you for your post!

    To hopefully help point you in the right direction, it's possible to use Tenant Outbound Settings to enforce tenant restrictions instead of using global secure clients or remote networks.

    • Note: If you're looking to use Universal tenant restrictions, this feature leverages Global Secure Access (preview). For more info.

    Tenant restrictions v2:

    • When it comes to configuring your outbound cross-tenant access settings, you should be able to leverage the Tenant restrictions (Preview) feature, to control whether your users can access external applications from your network, or devices using external accounts. This includes accounts issued to them by external organizations and accounts they've created in unknown tenants.

    There are three ways to apply the policy in your organization:

    • Universal tenant restrictions v2 - Using Global Secure Access (preview).
    • Authentication plane tenant restrictions v2 - Deploying a corporate proxy in your organization.
    • Windows tenant restrictions v2 - For your corporate-owned Windows devices.

    Allow or block invitations to B2B users from specific organizations:

    Please note that along with your cross-tenant access settings, you should consider implementing conditional access policies to ensure the correct MFA steps are taken, to prevent unauthorized usage of your applications.

    Additional Links:

    I hope this helps!

    If you have any other questions, please let me know. Thank you for your time and patience throughout this issue.


    If the information helped address your question, please Accept the answer. This will help us and also improve searchability for others in the community who might be researching similar information.
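The "authentication plane" option in the answer above relies on a TLS-inspecting corporate proxy adding the `sec-Restrict-Tenant-Access-Policy: <tenant ID>:<policy GUID>` header to sign-in traffic. The following is an added example of that injection rule, not code from the answer or from Microsoft. The host list is an assumption to confirm against Microsoft's current documentation, and both IDs are placeholders.

```python
# Added example: header rule for authentication plane tenant restrictions v2.
TRV2_HEADER = "sec-Restrict-Tenant-Access-Policy"

# Assumption: sign-in hosts that must carry the header (verify before use).
AUTH_PLANE_HOSTS = (
    "login.live.com",
    "login.microsoft.com",
    "login.microsoftonline.com",
    "login.windows.net",
)

# Placeholders, not real values: your tenant ID and the policy GUID from
# your cross-tenant access settings.
TENANT_ID = "00000000-0000-0000-0000-000000000000"
POLICY_ID = "11111111-1111-1111-1111-111111111111"


def is_auth_plane_host(host: str) -> bool:
    """True for a listed sign-in host or a subdomain of one."""
    name = host.strip().lower()
    if ":" in name:  # drop an explicit port such as ":443"
        name = name.rsplit(":", 1)[0]
    name = name.rstrip(".")
    # Match on a label boundary so look-alike names do not qualify.
    return any(name == h or name.endswith("." + h) for h in AUTH_PLANE_HOSTS)


def apply_trv2(host: str, headers: list) -> list:
    """Return the outbound header list for a request to `host`.

    On sign-in hosts, any client-supplied copy of the header is dropped
    (header names are case-insensitive) and the corporate value is set,
    so a client cannot pre-set its own policy. Other hosts are untouched.
    """
    if not is_auth_plane_host(host):
        return list(headers)
    kept = [(k, v) for k, v in headers if k.lower() != TRV2_HEADER.lower()]
    kept.append((TRV2_HEADER, f"{TENANT_ID}:{POLICY_ID}"))
    return kept
```

The same host-matching function can be run over proxy logs to confirm that every request to a sign-in host left the network with exactly one copy of the header.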
