Sanders-EntraID-Tenant-Restrictions

Chrome version: Google Chrome Webstore

This is a browser extension that leverages Microsoft EntraID Tenant Restrictions V2. It uses the declarativeNetRequest API, which is more privacy-friendly than the webRequest API because the extension declares header rules instead of observing every request.

The extension has been updated to use Tenant Restrictions V2.

What does this extension do?

It injects a header into requests to the following URLs, just as a TLS break-and-inspect proxy would, except that it does so from a browser extension:

  • login.microsoftonline.com, login.microsoft.com, login.windows.net, login.live.com
    • sec-Restrict-Tenant-Access-Policy: [tenant-id]:[policy-guid]
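As an added example (not the extension's own source code), the header injection described above expressed as a declarativeNetRequest dynamic rule, including the guard that the V0.27 changelog describes: when tenantID or policyGUID is missing or is not a GUID, no rule is produced and the previously registered rule is removed rather than injecting undefined:undefined. The rule id, the resource types and the function names are assumptions; in the extension the two values would come from managed storage, populated by the Intune/GPO policies described below.

```javascript
// Added example, not the extension's own code. Builds the declarativeNetRequest
// rule that sets sec-Restrict-Tenant-Access-Policy on the four login hosts.
const LOGIN_HOSTS = [
  "login.microsoftonline.com",
  "login.microsoft.com",
  "login.windows.net",
  "login.live.com",
];
const HEADER_NAME = "sec-Restrict-Tenant-Access-Policy";
const RULE_ID = 1; // assumed: a single dynamic rule owned by the extension
const GUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;

// Header value is "<tenant-id>:<policy-guid>". Returns null when either value
// is absent or not a GUID, so "undefined:undefined" is never injected.
function buildHeaderValue(tenantId, policyGuid) {
  if (typeof tenantId !== "string" || typeof policyGuid !== "string") return null;
  const t = tenantId.trim();
  const p = policyGuid.trim();
  if (!GUID_RE.test(t) || !GUID_RE.test(p)) return null;
  return `${t}:${p}`;
}

// The modifyHeaders rule scoped to the login hosts; null for invalid options.
function buildTenantRestrictionRule(tenantId, policyGuid) {
  const value = buildHeaderValue(tenantId, policyGuid);
  if (value === null) return null;
  return {
    id: RULE_ID,
    priority: 1,
    action: {
      type: "modifyHeaders",
      requestHeaders: [{ header: HEADER_NAME, operation: "set", value }],
    },
    condition: {
      requestDomains: LOGIN_HOSTS,
      resourceTypes: ["main_frame", "sub_frame", "xmlhttprequest", "other"],
    },
  };
}

// Payload for chrome.declarativeNetRequest.updateDynamicRules: always drop the
// old rule first, then add a fresh one only if the options were valid.
function buildUpdatePayload(tenantId, policyGuid) {
  const rule = buildTenantRestrictionRule(tenantId, policyGuid);
  return { removeRuleIds: [RULE_ID], addRules: rule ? [rule] : [] };
}
```

In a service worker this payload would be passed to chrome.declarativeNetRequest.updateDynamicRules after reading the options with chrome.storage.managed.get.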

This header controls which tenants users are allowed to authenticate to. Cross-Tenant Access Settings offers three types of configuration:

  • inbound access: users coming into your tenant (guest users in your tenant)

  • outbound access: users taking their corporate identity to other tenants (guest users in those tenants)

  • tenant restrictions: users signing in to other tenants with non-corporate credentials. This extension targets this option, as the other two settings are already enforced natively by EntraID.

    More information regarding Azure AD tenant restrictions v2

    Please note that this only resolves the issue for the Edge/Chrome browser. To control this for applications (without a proxy), use the relevant GPO/policy settings available for Teams, OneDrive, Outlook, etc. This extension is not enabled by default for InPrivate/Incognito sessions. Block InPrivate/Incognito if you want to enforce this.

ChangeLog

V0.27

  • Fixed a bug where, if no options were set, the header was injected with the value undefined:undefined.
  • Added the options screen when clicking on the extension icon, for easier access.
  • Updated the ADMX to support both Edge and Chrome.
  • Added plist files to enforce policies on macOS.

Instructions

Setting up EntraID

To set up Tenant Restrictions V2:

  • Go to EntraID (https://entra.microsoft.com), select External Identities, Cross-tenant access settings, Default settings, and select Tenant restrictions (preview). Edit the tenant restrictions settings, or use this direct link. Take note of the tenantID and policyGUID displayed, as they are needed to set up the policy.

Setting up Intune

Windows

Go to intune.microsoft.com, then Devices. Under Managed devices, select Configuration and then Import ADMX.

Import windows.admx (with windows.adml). If you don't have it available, download it here:

It installs in C:\Program Files (x86)\Microsoft Group Policy\Windows 11 September 2022 Update (22H2)\PolicyDefinitions

This is a prerequisite for SandersEntraID.admx. The upload will take a while. After this, do the same for SandersEntraID.admx and its .adml.

Now create a new policy under Configuration, Policies, Create profile, Windows 10 and later, Templates, Imported Administrative templates (preview).

Go to User configuration.

Set the policyGUID and tenantID policies.

Assign it to users.

It will then be configured and enforced.

MacOS

Go to Intune, macOS, Templates, Preference file.

Download edge.plist and chrome.plist and modify them.

Modify the <string> entries to reflect the tenantID and policyGUID. Save the file and upload it.

The preference domain name for Edge is com.microsoft.Edge.extensions.gccmeeiieginkomhjdjaecdfnheadigo (case sensitive). For Chrome it is com.microsoft.Chrome.extensions.pdhbkciflmjaidfjlanomanbimnbpimj (case sensitive). After the upload, assign it to users.

FAQ

  1. Does this work in InPrivate? No, it does not, due to the way Chromium handles extensions. So make sure to disable InPrivate and Incognito for the browsers if you want it to be enforced.

  2. Will it work outside the browser? As it is a browser extension, it only works from within the browser. Policies can be set to auto-install and enforce this extension. To have similar protection outside of the browser, refer to the Tenant Restrictions proxy TLS break-and-inspect methods, which open the EntraID authentication traffic and inject the header there. The Windows-based injection option is currently possible, but will be discontinued as it causes issues with .NET applications.

  3. Will this work on macOS? Yes, it works on macOS; follow the instructions for the plist files so that the browser can enforce these settings.

  4. Do you collect any data? I'm not collecting any data from this add-on; the source code is openly available on GitHub.

  5. I don't want to block my users, will this still add value? Yes. Once you have enabled this extension, your EntraID audit logs will also show sign-ins to other M365 tenants.

It will be available in the EntraID workbooks, specifically the Tenant restriction insights, as you can see in the screenshot above.

  6. I'm using this extension, but my users can still log on with their corporate accounts to external tenants. This is expected behaviour, as that is configured in the outbound access settings under the cross-tenant settings. This extension addresses authentication towards M365 environments with credentials other than your own corporate ones.

  7. Why not just use the Windows integration that is native to tenant restrictions v2? Microsoft has discontinued it, and it does not work on other operating systems.

Setting up GPO

Just upload the ADMX and ADML into the PolicyDefinitions folder and configure accordingly.