KevinGallaugher
F5 Employee

Introduction

This use case lets users reach your company's Office 365 resources while blocking access to personal or other non-company Office 365 tenants.

In this scenario, SSL Orchestrator injects the Microsoft "Tenant Restrictions" HTTP headers into outbound HTTP flows. Tenant Restrictions give you a mechanism to allow or deny access to Office 365 resources based on which tenant the user signs in to. For example, you may wish to allow access to your company's Office 365 Outlook mail but deny access to the same service when a user signs in with a personal account.

Detailed information from Microsoft on Tenant Restrictions is available here[1]. To configure Tenant Restrictions you need your company's Restrict-Access-To-Tenants and Restrict-Access-Context values. You can obtain these from the Microsoft Azure portal by signing in as an administrator here[2].

After logging in, select View under Azure Active Directory. Your Tenant Domain and Tenant ID are shown on the resulting page.

Restrict-Access-To-Tenants – the permitted tenant list, a comma-separated list of tenant domains that users are allowed to access. Any domain that is registered with a tenant can be used to identify the tenant in this list. For example, to permit access to both the Contoso and Fabrikam tenants, the name/value pair would look like this:

Restrict-Access-To-Tenants: contoso.onmicrosoft.com,fabrikam.onmicrosoft.com

Restrict-Access-Context – a single directory ID (the Tenant ID), declaring which tenant is setting the Tenant Restrictions. For example, to declare Contoso as the tenant that sets the Tenant Restrictions policy, the name/value pair would look like this:

Restrict-Access-Context: 456ff232-35l2-5h23-b3b3-3236w0826f3d

This article assumes you have a working SSL Orchestrator Deployment configured and wish to add Office 365 Outlook Tenant Restrictions.

Steps

1.    Create a Custom URL category – this will hold the Microsoft login URLs that require the Tenant Restrictions headers.

2.    Create the ICAP service - the ICAP service is a flexible, transactional service type. We’ll use this as the framework for injecting Tenant Restrictions headers.

3.    Create a security policy - the SSL Orchestrator security policy is the engine that maps traffic flows to actions (allow/block, decrypt/bypass, service chain). We’ll create a Security Policy that looks for the Microsoft login URLs (from the custom category) and assigns this traffic to the modified ICAP service.

4.    Create an iRule - this iRule actually does the work of injecting the HTTP headers and will be applied to the modified ICAP service.

5.    Test the Tenant Restrictions

Step #1 Create a custom URL category

From the SSL Orchestrator Configuration screen select Policies > URL Categories


Click Create


Give it a Name, Office365 in this example


Uncheck the box for Global Pattern Match. Add all of the following:

https://login.microsoftonline.com/
https://login.microsoftonline.com
https://login.microsoft.com/
https://login.microsoft.com
https://login.windows.net/
https://login.windows.net

Click Finished when done


Step #2 Create an ICAP Service in existing Topology

From the SSL Orchestrator Configuration screen select Services then click Add


Note: if you do not have a Topology created you can still use this guide and create the ICAP Service at the time the Topology is created. The order of events will be slightly different.

Scroll to the bottom, select Generic ICAP Service and click Add


Give the ICAP Service a name, Office365_Tenant in this example. For ICAP Devices click Add.


Enter an IP Address, 198.19.97.1 in this example and click Done.


Note: the IP address you use does not have to be the one above. It is only a placeholder in the service definition; no connection is ever made to it, because the ICAP profiles are removed from this service later in this guide. 198.19.97.0/24 lies inside 198.18.0.0/15, the range RFC 2544 reserves for benchmarking network interconnect devices, so it will not collide with a real host on your network and is not routed on the Internet.

Scroll to the bottom and click Save & Next.


On the next screen click Add to create a new Service Chain


Give it a name, O365_Service_Chain in this example. Select your existing Services and click the right arrow to move them to Selected. Add the ICAP Service last.


Note: It’s important to know why you’re creating a new Service Chain. The custom category will be applied to a Security Policy rule to match on requests for specific Office 365 login URLs. If that condition matches, the traffic must be intercepted (decrypted), and sent to a Service Chain with the Office 365 Service. Multiple Services can be in this Service Chain. However, if you put the Office 365 Service in any other service chain, the tenant restrictions headers will be sent to other sites incorrectly.

Click Save.

Note: the new Service Chain should look like your previous Service Chain with the addition of the Office365 ICAP Service at the end. It is important to do it this way to ensure Login activity to Office 365 is still inspected.

Click Save & Next


Click Deploy


You should receive a Success message.


Step #3 Create a security policy

From the SSL Orchestrator Configuration screen select Security Policies, then click the name of the Policy to edit, ssloP_Secure_Outbound in this example.


Click the Add button to add a new rule


Name the Rule, O365_Tenant_Restrict in this example. Under Conditions click Select and choose Category Lookup (All).


Choose the Custom Category created previously, Office365 in this example. Type the name into the field and it will filter the results. 


Set the Action to Allow. For SSL Forward Proxy Action select Intercept. Set the Service Chain to the one created previously, O365_Service_Chain in this example.

Note: it is critical that the SSL Forward Proxy Action be set to Intercept. The headers can only be inserted into a decrypted HTTP request, so if this rule bypasses decryption the Tenant Restrictions are silently not applied.


Scroll down and click Deploy at the bottom


The changes should be successfully deployed

Step #4 Create an iRule

From Local Traffic select iRules > iRule list


Click Create on the right

Give the new iRule a name, TenantRestrictions in this example

Enter the following for the Definition:

when HTTP_REQUEST {
	# Set the two Tenant Restrictions headers on every request that reaches this
	# ICAP service. "replace" overwrites an existing header of the same name
	# (one the client may have supplied) instead of adding a second copy, and
	# inserts the header when none is present.
	HTTP::header replace Restrict-Access-To-Tenants "f5labs.com"
	HTTP::header replace Restrict-Access-Context "ee3dfd2f-6a3b-40d1-9be0-bf8327d81d90"
}

Note: The Restrict-Access-To-Tenants header should contain your tenant's domain(s), comma-separated if more than one. Example: "contoso.onmicrosoft.com,fabrikam.onmicrosoft.com"

The Restrict-Access-Context header must contain the Tenant ID as shown in the Azure Portal.
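A hardened variant of the definition above, added here as an example and not part of the original article: it only inserts the headers when the request's Host is one of the three Microsoft login hostnames from the custom category, and it removes any copies of the headers the client itself sent before inserting the proxy's values. The tenant domains and the all-zero directory ID are placeholders; replace them with your own Tenant Domain(s) and Tenant ID from the Azure portal.

```tcl
# Added example, not the article's iRule. Host-scoped Tenant Restrictions header
# insertion with removal of client-supplied copies.
# Placeholders: replace the tenant list and the all-zero Tenant ID with your own values.
when HTTP_REQUEST {
    # Normalise the Host header: lower-case and drop an explicit ":port" so a
    # request to "login.microsoftonline.com:443" still matches (otherwise the
    # headers would be skipped and the restriction would fail open).
    set host [string tolower [lindex [split [HTTP::host] ":"] 0]]

    # The SSL Orchestrator security policy already limits which flows reach this
    # service; matching the host here is defence in depth in case the service is
    # ever added to another service chain (see the service-chain note above).
    switch -- $host {
        "login.microsoftonline.com" -
        "login.microsoft.com" -
        "login.windows.net" {
            # HTTP::header remove deletes every instance of the named header, so a
            # user cannot smuggle in their own permitted-tenant list alongside ours.
            # (HTTP::header replace only rewrites the last instance.)
            HTTP::header remove "Restrict-Access-To-Tenants"
            HTTP::header remove "Restrict-Access-Context"

            # Placeholder values: your tenant domain(s), comma-separated, and your Tenant ID.
            HTTP::header insert "Restrict-Access-To-Tenants" "contoso.onmicrosoft.com,fabrikam.onmicrosoft.com"
            HTTP::header insert "Restrict-Access-Context" "00000000-0000-0000-0000-000000000000"

            # Audit trail in /var/log/ltm; remove or rate-limit this in production.
            log local0. "Tenant Restrictions headers inserted for [IP::client_addr] -> ${host}[HTTP::uri]"
        }
    }
}
```

The log line is useful during Step 5: after a test sign-in, `tail /var/log/ltm` on the BIG-IP should show one entry per request to the login hosts, which confirms the traffic is being decrypted and is reaching this service even before you see the error page in the browser.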

Click Finished


From the SSL Orchestrator Configuration screen select Services. Click the padlock to Unprotect Configuration.


Note: Disabling Strictness on the ICAP Service is needed to modify it for Tenant Restrictions header insertion. Strictness must remain disabled on this service, and disabling strictness on the service has no effect on any other part of the SSL Orchestrator configuration.

Click OK to Unprotect the Configuration


From Local Traffic select Pools > Pool List


Select the Office365_Tenant Pool


Under Active Health Monitors select tcp and click >> to move it to Available

Click Update


Note: The Health Monitor needs to be removed because there is no actual ICAP service to monitor.

From Local Traffic select Virtual Servers > Virtual Server List


Locate the virtual server belonging to the Office 365 ICAP service (its name ends in "-t-4") and select it


Set the Request Adapt Profile and Response Adapt Profile to None to disable the default ICAP Profiles


Click Update at the bottom

Click the Resources tab, then click Manage

Select the iRule created previously, TenantRestrictions in this example and move it to the left under Enabled

Click Finished


Step #5 Test the Tenant Restrictions

Attempt to log in to https://outlook.office.com from a client behind SSL Orchestrator using an account from a tenant that is not in your Restrict-Access-To-Tenants list (for example a personal account). The sign-in should be rejected with a Microsoft error page. Then confirm that an account from a permitted tenant still signs in normally.

Note: you must actually submit an email address and password; the restriction is applied at sign-in, so the error page only appears after the credentials are entered.

Footnotes:

[1] Detailed information from Microsoft on Tenant Restrictions: https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/tenant-restrictions

[2] Microsoft Azure portal: https://portal.azure.com/

Comments

Nice! Is there a similar option for Dropbox being restricted if it is private or company dropbox?

LiefZimmerman
Community Manager

 - can you answer  ?

KevinGallaugher
F5 Employee

I think it's possible but don't have the details just yet. I will ask around and report back.

Kevin_Stewart
F5 Employee

Late to the party, but yes, doing the same for Dropbox would be pretty straight forward.

For all *.dropbox.com HTTP requests, insert the following header:

X-Dropbox-allowed-Team-Ids = (dropbox team ID)

Note of course for tenant restrictions to work, you must decrypt this HTTPS request, as that'd be the only way to insert an HTTP header.

Version history: last update 01-Jun-2020 12:50