Cross-tenant inbound and outbound restrictions (preview)

[This article is pre-release documentation and is subject to change.]

Microsoft Power Platform has a rich ecosystem of connectors based on Azure Active Directory (Azure AD) that allow authorized Azure AD users to build compelling apps and flows establishing connections to the business data available through these data stores. Tenant isolation makes it easy for administrators to ensure that these connectors can be harnessed in a safe and secure way within the tenant while minimizing the risk of data exfiltration outside the tenant. Tenant isolation allows admins to effectively govern the movement of tenant data from Azure AD authorized data sources to and from their tenant.

Important

  • This is a preview feature.
  • Preview features aren’t meant for production use and may have restricted functionality. These features are available before an official release so that customers can get early access and provide feedback.
  • This feature is being gradually rolled out across regions and might not be available yet in your region.

Note that Power Platform tenant isolation is different from Azure AD-wide tenant restriction. It doesn't impact Azure AD-based access outside of Power Platform. Power Platform tenant isolation only works for connectors using Azure AD-based authentication such as Office 365 Outlook or SharePoint.

The default configuration in Power Platform with tenant isolation Off is to allow cross-tenant connections to be established seamlessly, if the user from tenant A establishing the connection to tenant B presents appropriate Azure AD credentials. If admins want to allow only a select set of tenants to establish connections to or from their tenant, they can turn tenant isolation On.

With tenant isolation On, all tenants are restricted. Inbound (connections to the tenant from external tenants) and outbound (connections from the tenant to external tenants) cross-tenant connections are blocked by Power Platform even if the user presents valid credentials to the Azure AD-secured data source. You can use rules to add exceptions.

Admins can specify an explicit allowlist of tenants that they want to enable inbound, outbound, or both, which will bypass tenant isolation controls when configured. Admins can use a special pattern “*” to allow all tenants in a specific direction when tenant isolation is turned on. All other cross-tenant connections except the ones in the allowlist are rejected by Power Platform.

Tenant isolation can be configured in the Power Platform admin center. It affects Power Platform canvas apps and Power Automate flows. To set up tenant isolation, you need to be a tenant admin.

Power Platform tenant isolation ability is available with two options: one-way or two-way restriction.

Two-way tenant isolation (inbound and outbound connection restriction)

Two-way tenant isolation will block connection establishment attempts to your tenant from other tenants. Additionally, two-way tenant isolation will also block connection establishment attempts from your tenant to other tenants.

In this scenario, the tenant admin has enabled two-way tenant isolation on the Contoso tenant while the external Fabrikam tenant hasn't been added to the allowlist.

Users signed in to Power Platform in the Contoso tenant can’t establish outbound Azure AD-based connections to data sources in the Fabrikam tenant despite presenting appropriate Azure AD credentials to establish the connection. This is outbound tenant isolation for the Contoso tenant.

Similarly, users signed in to Power Platform in the Fabrikam tenant can’t establish inbound Azure AD-based connections to data sources in the Contoso tenant despite presenting appropriate Azure AD credentials to establish the connection. This is inbound tenant isolation for the Contoso tenant.

Connection creator tenant Connection sign-in tenant Access allowed?
Contoso Contoso Yes
Contoso (tenant isolation On) Fabrikam No (outbound)
Fabrikam Contoso (tenant isolation On) No (inbound)
Fabrikam Fabrikam Yes

Restrict outbound and inbound cross-tenant access.

Tenant isolation with allowlists

One-way tenant isolation or inbound isolation will block connection establishment attempts to your tenant from other tenants.

Scenario: Outbound allowlist – Fabrikam is added to the outbound allowlist of the Contoso tenant

In this scenario, the admin adds the Fabrikam tenant in the outbound allowlist while tenant isolation is On.

Users signed in to Power Platform in the Contoso tenant can establish outbound Azure AD-based connections to data sources in the Fabrikam tenant if they present appropriate Azure AD credentials to establish the connection. Outbound connection establishment to the Fabrikam tenant is permitted by virtue of the configured allowlist entry.

However, users signed in to Power Platform in the Fabrikam tenant still can't establish inbound Azure AD-based connections to data sources in the Contoso tenant despite presenting appropriate Azure AD credentials to establish the connection. Inbound connection establishment from the Fabrikam tenant is still disallowed even as the allowlist entry is configured and permits outbound connections.

Connection creator tenant Connection sign-in tenant Access allowed?
Contoso Contoso Yes
Contoso (tenant isolation On)
Fabrikam added to outbound allowlist
Fabrikam Yes
Fabrikam Contoso (tenant isolation On)
Fabrikam added to outbound allowlist
No (inbound)
Fabrikam Fabrikam Yes

Restrict inbound connection.

Scenario: Bidirectional allowlist – Fabrikam is added to the inbound and outbound allowlists of the Contoso tenant

In this scenario, the admin adds the Fabrikam tenant to both the inbound and outbound allowlists while tenant isolation is On.

Connection creator tenant Connection sign-in tenant Access allowed?
Contoso Contoso Yes
Contoso (tenant isolation On)
Fabrikam added to both allowlists
Fabrikam Yes
Fabrikam Contoso (tenant isolation On)
Fabrikam added to both allowlists
Yes
Fabrikam Fabrikam Yes

Bidirectional allow lists.

Enable tenant isolation and configure allowlist

In the Power Platform admin center, tenant isolation is set with Policies > Tenant isolation.

Enable tenant isolation.

The tenant isolation allowlist can be configured by using New tenant rule on the Tenant Isolation page. If tenant isolation is Off, you can add or edit the rules in the list. However, these rules won't be enforced until you turn tenant isolation On.

New tenant rule to add rule to the allow list.

From the New tenant rule Direction dropdown list, choose the direction of the allowlist entry.

Select the direction for the new tenant rule.

You can also enter the value of the allowed tenant as either tenant domain or tenant ID. Once saved, the entry gets added to the rule list along with other allowed tenants. If you use the tenant domain to add the allowlist entry, the Power Platform admin center automatically calculates the tenant ID.

Select tenant domain or tenant ID for the new tenant rule.

Once the entry appears in the list, Tenant ID and Azure AD tenant name fields are displayed. Note that in Azure AD, tenant name is different from the tenant domain. The tenant name is unique for the tenant, but a tenant may have more than one domain name.

New tenant rule appears in allowlist.

You can use "*" as a special character to signify all tenants are allowed in the designated direction when tenant isolation is turned On.

All tenants are allowed in the designated direction when tenant isolation is turned on.

You can edit the direction of the tenant allowlist entry based on business requirements. Note that the Tenant Domain or ID field can't be edited in the Edit tenant rule page.

Edit a tenant rule.

You can perform all the allowlist operations like add, edit, and delete while tenant isolation is turned On or Off. Allowlist entries do have an effect on the connection behavior when tenant isolation is turned Off since all cross-tenant connections are allowed.

Design time impact on apps and flows

Users who create or edit a resource affected by the tenant isolation policy will see a related error message. For example, Power Apps makers will see the following error when they use cross-tenant connections in an app that is blocked by tenant isolation policies. The app won't add the connection.

Error: The data didn't load correctly. Please try again.

Similarly, Power Automate makers will see the following error when they try to save a flow that uses connections in a flow that is blocked by tenant isolation policies. The flow itself will be saved, but it will be marked as "Suspended" and won't be executed unless the maker resolves the data loss prevention policy (DLP) violation.

Error: Couldn't retrieve values. The dynamic invocation request failed with error - error text.

Runtime impact on apps and flows

As an admin, you can decide to modify the tenant isolation policies for your tenant at any point. If apps and flows were created and executed in compliance with earlier tenant isolation policies, some of them might be negatively affected by any policy changes you make. Apps or flows that are in violation of the tenant isolation policy won't run successfully. For example, run history within Power Automate indicates that the flow run failed. Further, selecting the failed run will show details of the error.

For existing flows that don’t run successfully because of the latest tenant isolation policy, run history within Power Automate indicates that the flow run failed.

Flow run history list.

Selecting the failed run will show details of the failed flow run.

Flow run failure details.

Note

It takes about an hour for the latest tenant isolation policy changes to be assessed against active apps and flows. This change isn't instantaneous.