on 01-Jun-2020 12:50
This use case allows you to access Company Office 365 resources while blocking access to personal/non-company Office 365 resources.
In this scenario, SSL Orchestrator injects Microsoft "Tenant-Restriction" HTTP headers into outbound HTTP flows. The concept of Tenant Restrictions provides a mechanism to allow or deny access to Office 365 resources based on organizational requirements. For example, you may wish to allow access to Company Office 365 Outlook mail but deny access to the same resource when using a personal account.
Detailed information from Microsoft on Tenant Restrictions is available here[1]. In order to configure Tenant Restrictions, you need your company's ‘Restrict-Access-To-Tenants’ and ‘Restrict-Access-Context’ values. You can obtain these from the Microsoft Azure portal by signing in as the Administrator here[2].
After logging in, select View under Azure Active Directory.
Your Tenant Domain and Tenant ID are shown as in the image below.
Restrict-Access-To-Tenants – the permitted tenant list: a comma-separated list of tenant domains that users are allowed to access. Any domain that is registered with a tenant can be used to identify the tenant in this list. For example, to permit access to both the Contoso and Fabrikam tenants, the name/value pair would look like this:
Restrict-Access-To-Tenants: contoso.onmicrosoft.com,fabrikam.onmicrosoft.com
Restrict-Access-Context - a single directory ID, declaring which tenant is setting the Tenant Restrictions. For example, to declare Contoso as the tenant that sets the Tenant Restrictions policy, the name/value pair would look like this:
Restrict-Access-Context: 456ff232-35l2-5h23-b3b3-3236w0826f3d
This article assumes you have a working SSL Orchestrator Deployment configured and wish to add Office 365 Outlook Tenant Restrictions.
Steps
1. Create a Custom URL category – this will hold the Microsoft login URLs that require the Tenant Restrictions headers.
2. Create the ICAP service - the ICAP service is a flexible, transactional service type. We’ll use this as the framework for injecting Tenant Restrictions headers.
3. Create a security policy - the SSL Orchestrator security policy is the engine that maps traffic flows to actions (allow/block, decrypt/bypass, service chain). We’ll create a Security Policy that looks for the Microsoft login URLs (from the custom category) and assigns this traffic to the modified ICAP service.
4. Create an iRule - this iRule actually does the work of injecting the HTTP headers and will be applied to the modified ICAP service.
5. Test the Tenant Restrictions
From the SSL Orchestrator Configuration screen select Policies > URL Categories
Click Create
Give it a Name, Office365 in this example
Uncheck the box for Global Pattern Match. Add all of the following:
https://login.microsoftonline.com/
https://login.microsoftonline.com
https://login.microsoft.com/
https://login.microsoft.com
https://login.windows.net/
https://login.windows.net
Click Finished when done
From the SSL Orchestrator Configuration screen select Services then click Add
Scroll to the bottom, select Generic ICAP Service and click Add
Give the ICAP Service a name, Office365_Tenant in this example. For ICAP Devices click Add.
Enter an IP Address, 198.19.97.1 in this example and click Done.
The addresses 198.19.97.0 to 198.19.97.255 fall in the block reserved for network benchmark testing, which is not routed on the public Internet, so this placeholder address will not collide with a real host.
Scroll to the bottom and click Save & Next.
On the next screen click Add to create a new Service Chain
Give it a name, O365_Service_Chain in this example. Select your existing Services and click the right arrow to move them to Selected. Add the ICAP Service last.
It should look like the following. Click Save.
Click Save & Next
Click Deploy
You should receive a Success message.
From the SSL Orchestrator Configuration screen select Security Policies, then click on the name of the Policy to edit, ssloP_Secure_Outbound in this example.
Click the Add button to add a new rule
Name the Rule, O365_Tenant_Restrict in this example. Under Conditions click Select and choose Category Lookup (All).
Choose the Custom Category created previously, Office365 in this example. Type the name into the field and it will filter the results.
Set the Action to Allow. For SSL Forward Proxy Action select Intercept. Set the Service Chain to the one created previously, O365_Service_Chain in this example.
Scroll down and click Deploy at the bottom
The changes should be successfully deployed
From Local Traffic select iRules > iRule list
Click Create on the Right
Give the new iRule a name, TenantRestrictions in this example
Enter the following for the Definition:
when HTTP_REQUEST {
    HTTP::header replace Restrict-Access-To-Tenants "f5labs.com"
    HTTP::header replace Restrict-Access-Context "ee3dfd2f-6a3b-40d1-9be0-bf8327d81d90"
}
The Restrict-Access-Context header must contain the Tenant ID as shown in the Azure Portal.
Click Finished
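As an added example (not the article's iRule and not F5's own code), the following iRule performs the same header injection but only for the Microsoft sign-in hostnames, overwrites any copy of the headers a client may have sent, and strips them from requests to any other host. The tenant domains and Tenant ID in RULE_INIT are placeholders and are assumed to be replaced with your own values.

```tcl
when RULE_INIT {
    # Placeholder values: substitute your own permitted tenant domain(s) and Tenant ID
    set static::tr_tenants "contoso.onmicrosoft.com,fabrikam.onmicrosoft.com"
    set static::tr_context "00000000-0000-0000-0000-000000000000"
}

when HTTP_REQUEST {
    # Only the Microsoft sign-in endpoints act on Tenant Restrictions headers;
    # the policy headers are set there and nowhere else.
    switch -glob -- [string tolower [HTTP::host]] {
        "login.microsoftonline.com" -
        "login.microsoft.com" -
        "login.windows.net" {
            # replace overwrites an existing header of the same name (insert would add a
            # second one), so a client cannot supply its own permitted-tenant list
            HTTP::header replace Restrict-Access-To-Tenants $static::tr_tenants
            HTTP::header replace Restrict-Access-Context $static::tr_context
            log local0.info "Tenant Restrictions set for [IP::client_addr] -> [HTTP::host][HTTP::uri]"
        }
        default {
            # Nothing other than the sign-in hosts should ever carry these headers;
            # drop any client-supplied copies rather than forwarding them
            if { [HTTP::header exists Restrict-Access-To-Tenants] || [HTTP::header exists Restrict-Access-Context] } {
                HTTP::header remove Restrict-Access-To-Tenants
                HTTP::header remove Restrict-Access-Context
                log local0.warn "Dropped client-supplied Tenant Restrictions headers from [IP::client_addr] -> [HTTP::host]"
            }
        }
    }
}
```

The log lines land in /var/log/ltm and give a quick way to confirm during testing that the headers are applied only on the sign-in hosts.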
From the SSL Orchestrator Configuration screen select Services. Click the padlock to Unprotect Configuration.
Click OK to Unprotect the Configuration
From Local Traffic select Pools > Pool List
Select the Office365_Tenant Pool
Under Active Health Monitors select tcp and click >> to move it to Available
Click Update
From Local Traffic select Virtual Servers > Virtual Server List
Locate the virtual server for the Office 365 ICAP service whose name ends in “-t-4” and select it
Set the Request Adapt Profile and Response Adapt Profile to None to disable the default ICAP Profiles
Click Update at the bottom
Click the Resources tab, then click Manage
Select the iRule created previously, TenantRestrictions in this example and move it to the left under Enabled
Click Finished
Attempt to log in to https://outlook.office.com with your Tenant Restrictions domain.
[1] Detailed information from Microsoft on Tenant Restrictions
https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/tenant-restrictions
[2] Microsoft Azure portal
Nice! Is there a similar option for Dropbox being restricted if it is private or company dropbox?
I think it's possible but don't have the details just yet. I will ask around and report back.
Late to the party, but yes, doing the same for Dropbox would be pretty straightforward.
For all *.dropbox.com HTTP requests, insert the following header:
X-Dropbox-allowed-Team-Ids = (dropbox team ID)
Note, of course, that for tenant restrictions to work you must decrypt this HTTPS request, as that'd be the only way to insert an HTTP header.