Edge version: Microsoft Edge Add-ons
Chrome version: Google Chrome Webstore
This is a browser extension that leverages Microsoft EntraID Tenant Restrictions V2. It uses the declarativeNetRequest API, which is more privacy friendly than the webRequest API.
The extension has been updated to leverage tenant restrictions v2.
What does this extension do?
It injects a header into requests to the following URLs, just like a TLS break-and-inspect proxy would, except that it does so from within the browser via an extension.
- login.microsoftonline.com, login.microsoft.com, login.windows.net, login.live.com
- sec-Restrict-Tenant-Access-Policy: [tenant-id]:[policy-guid]
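As an added example (not the extension's own source code), this is how such a declarativeNetRequest rule can be built and applied from an extension service worker; it refuses to build a rule when either value is missing, which is the undefined:undefined failure fixed in v0.27. The manifest is assumed to declare the `declarativeNetRequest` permission and host permissions for the four login hosts, and the GUIDs used for testing are constructed.

```javascript
// Added example, not the extension's own source. Builds the declarativeNetRequest
// rule that injects the tenant restrictions v2 header on the EntraID login hosts.
const LOGIN_HOSTS = [
  "login.microsoftonline.com",
  "login.microsoft.com",
  "login.windows.net",
  "login.live.com",
];
const HEADER_NAME = "sec-Restrict-Tenant-Access-Policy";
const GUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;

// Returns the rule object, or null when either value is missing or malformed, so a
// half-configured extension never sends "undefined:undefined" as the policy value.
function buildTenantRestrictionRule(tenantId, policyGuid, ruleId = 1) {
  if (!GUID_RE.test(tenantId ?? "") || !GUID_RE.test(policyGuid ?? "")) {
    return null;
  }
  return {
    id: ruleId,
    priority: 1,
    action: {
      type: "modifyHeaders",
      requestHeaders: [
        { header: HEADER_NAME, operation: "set", value: `${tenantId}:${policyGuid}` },
      ],
    },
    condition: {
      requestDomains: LOGIN_HOSTS,
      resourceTypes: ["main_frame", "sub_frame", "xmlhttprequest", "other"],
    },
  };
}

// Replaces any previously installed rule with the freshly built one. When the
// configuration is incomplete the old rule is removed and nothing is added, so the
// browser falls back to sending no policy header rather than a broken one.
// Outside an extension context (no `chrome` global) it only returns the rule.
async function applyTenantRestrictionRule(tenantId, policyGuid) {
  const rule = buildTenantRestrictionRule(tenantId, policyGuid);
  if (typeof chrome === "undefined" || !chrome.declarativeNetRequest) return rule;
  await chrome.declarativeNetRequest.updateDynamicRules({
    removeRuleIds: [rule ? rule.id : 1],
    addRules: rule ? [rule] : [],
  });
  return rule;
}
```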
This header controls which tenants users are allowed to authenticate to. Cross-Tenant Access Settings offers three types of configuration:
- inbound access: users coming into your tenant (guest users in your tenant)
- outbound access: users taking the corporate identity to other tenants (guest users in the other tenants)
- tenant restrictions: users signing in to other tenants with non-corporate credentials. This extension targets this option, as the other two settings are already controlled natively via EntraID.
More information regarding azuread tenant restriction v2
Please note that this only resolves the issue for the Edge/Chrome browser. To control this for applications (without a proxy), please use the relevant GPO/policy settings available for Teams, OneDrive, Outlook etc. This extension is not enabled by default for InPrivate/Incognito sessions. Block InPrivate/Incognito if you want to enforce this.
V0.27
- Fixed a bug where, if no options were set, the header was injected with the value undefined:undefined.
- Added the options screen when clicking on the extension, for easier access.
- Updated the ADMX to support both Edge & Chrome.
- Added plist files to enforce policies on macOS.
To set up Tenant Restrictions V2:
- Go to EntraID (https://entra.microsoft.com), select External Identities, Cross-tenant access settings, Default settings, and select Tenant restrictions (preview). Edit tenant restrictions (preview) – tenant restrictions settings, or use this direct link. Take note of the tenantID and policyGUID displayed, as they are needed to set up the policy.
- Go to intune.microsoft.com and then to Devices. There, select Configuration under Managed devices and select Import ADMX.
- Import windows.admx (with windows.adml). If you don't have it available, download it here.
- It installs in C:\Program Files (x86)\Microsoft Group Policy\Windows 11 September 2022 Update (22H2)\PolicyDefinitions
- This is a prerequisite for SandersEntraID.admx. The upload will take a while. After this, do the same for SandersEntraID.admx & .adml.
- Now create a new policy under Configuration, Policies, Create profile, Win10 and later, Templates, Imported Administrative templates (preview).
- Set the policyGUID and tenantID policies,
- and it will be configured and enforced.
To set it up on macOS:
- Go to Intune, macOS, Templates, Preference file.
- Download edge.plist & chrome.plist and modify them:
- Modify the entries under string to reflect the tenantID & policyGUID. Save the file and upload it.
- The preference domain name for Edge is: com.microsoft.Edge.extensions.gccmeeiieginkomhjdjaecdfnheadigo (case sensitive). For Chrome it is: com.microsoft.Chrome.extensions.pdhbkciflmjaidfjlanomanbimnbpimj (case sensitive). After the upload, please assign it to users.
- Does this work in InPrivate? No, it does not, due to the way Chromium handles extensions. So make sure to disable InPrivate and Incognito for the browsers if you want it to be enforced.
- Will it work outside the browser? As it is a browser extension, it only works from within the browser. Policies can be set to auto-install and enforce this extension. To have similar protection outside of the browser, please refer to the Tenant Restrictions proxy TLS break-and-inspect methods, which open the EntraID authentication traffic and inject the header there. The Windows-based injection option is currently possible, but will be discontinued as it causes issues with .NET applications.
- Will this work on macOS? Yes, it does work on macOS; please follow the instructions for the plist files, so that the browser can enforce these.
- Do you collect any data? I'm not collecting any data from this add-on; the source code is openly available on GitHub.
- I don't want to block my users, will this still add value? Yes, once you have enabled this extension, your EntraID audit logs will also show other M365 tenants for sign-ins. It will be available in the EntraID workbooks, specifically the Tenant restriction insights, as you can see in the screenshot above.
- I'm using this extension, however my users can still log on with their corporate accounts to external tenants. This is expected behaviour, as this is configured in the outbound access settings under the cross-tenant settings. This extension addresses authentication towards M365 environments with credentials other than your own corporate credentials.
- Why not just use the Windows integration that is native to tenant restrictions v2? Microsoft has discontinued this, and it does not work on other operating systems.
Just upload the ADMX & ADML into the PolicyDefinitions folder and configure accordingly.