azure-docs

Missing information to set up tenantrestrictions policies

Open sanderdewit opened this issue 2 years ago • 3 comments

The tenantrestrictions.admx that is delivered as part of Windows mentions the following: "This setting enables and configures the device-based tenant restrictions feature for Azure Active Directory.

When you enable this setting, compliant applications will be prevented from accessing disallowed tenants, according to a policy set in your Azure AD tenant.

Note: Creation of a policy in your home tenant is required, and additional security measures for managed devices are recommended for best protection. Refer to Azure AD Tenant Restrictions for more details.

https://go.microsoft.com/fwlink/?linkid=2148762 "

The information on how to set up a home tenant policy is not provided.

Configuring these settings basically injects a header in the request, such as: Sec-Restrict-Tenant-Access-Policy: <tenantid>:<policyid>

I would like to know how to configure this further. The WDAC application ID policy has been set up correctly (otherwise the injected header wouldn't be visible).



sanderdewit avatar Sep 05 '22 18:09 sanderdewit
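
An added example, not part of the issue or of Microsoft's documentation: one way to check captured requests from a managed device for the injected `Sec-Restrict-Tenant-Access-Policy: <tenantid>:<policyid>` header described above. The GUID format of both IDs, the `login.microsoftonline.com` host, the function names and the sample values are assumptions made for illustration.

```python
import re

HEADER = "sec-restrict-tenant-access-policy"
# Assumption: both IDs are GUIDs; the issue only gives the <tenantid>:<policyid> shape.
GUID = r"[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}"
VALUE_RE = re.compile(rf"({GUID}):({GUID})", re.IGNORECASE)

def parse_headers(raw):
    """Return (lowercased name, value) pairs from a raw HTTP/1.1 request head."""
    head = raw.split("\r\n\r\n", 1)[0]
    pairs = []
    for line in head.split("\r\n")[1:]:          # skip the request line
        name, sep, value = line.partition(":")   # value keeps its own ':' separator
        if sep:
            pairs.append((name.strip().lower(), value.strip()))
    return pairs

def audit_request(raw, tenant_id, policy_id, auth_hosts):
    """Classify one captured request against the expected tenant/policy pair."""
    headers = parse_headers(raw)
    host = next((v for n, v in headers if n == "host"), "").lower().split(":")[0]
    if host not in auth_hosts:
        return "out-of-scope"
    values = [v for n, v in headers if n == HEADER]
    if not values:
        return "missing"        # policy not applied to this client or process
    if len(values) > 1:
        return "duplicate"      # ambiguous: more than one policy header
    match = VALUE_RE.fullmatch(values[0])
    if not match:
        return "malformed"
    if tuple(g.lower() for g in match.groups()) != (tenant_id.lower(), policy_id.lower()):
        return "mismatch"       # header present but points at another tenant/policy
    return "ok"

# Constructed sample values, not real identifiers.
TENANT = "11111111-1111-1111-1111-111111111111"
POLICY = "22222222-2222-2222-2222-222222222222"
AUTH_HOSTS = {"login.microsoftonline.com"}  # assumption: host where the header is expected

def make_request(host, extra=""):
    """Build a constructed request head for the checks above."""
    return f"GET /common/oauth2/v2.0/authorize HTTP/1.1\r\nHost: {host}\r\n{extra}\r\n"

if __name__ == "__main__":
    good = make_request("login.microsoftonline.com",
                        f"Sec-Restrict-Tenant-Access-Policy: {TENANT}:{POLICY}\r\n")
    print(audit_request(good, TENANT, POLICY, AUTH_HOSTS))
```
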

@sanderdewit Thanks for your feedback! We will investigate and update as appropriate.

YashikaTyagii avatar Sep 06 '22 04:09 YashikaTyagii

I did find this link, but it's still access denied: https://aka.ms/tenant-restrictions-enforcement. Also, the page seems to be available under https://aad.portal.azure.com/#view/Microsoft_AAD_IAM/CompanyRelationshipsMenuBlade/~/CrossTenantAccessSettings and the tenant restrictions (preview) category.

sanderdewit avatar Sep 06 '22 13:09 sanderdewit

The UX was enabled in preparation for public preview but unfortunately, we had to stall public preview due to blocking bugs. We have disabled the UX and it will be hidden once deployment is complete. We will enable the UX and docs as soon as the bugs are fixed.

vimrang avatar Oct 17 '22 15:10 vimrang

#please-close

omondiatieno avatar Oct 28 '22 08:10 omondiatieno

@sanderdewit the tenant restrictions API is still available, so I wrote a quick guide here: https://tplant.com.au/blog/tenant-restrictions-v2/part-1/. I'll post more details on the optional WDAC component soon.

pl4nty avatar Jan 25 '23 00:01 pl4nty

@vimrang TRv2 appears to have entered public preview; will the docs be available soon? That aka.ms link is shown in the UI, but it currently redirects to the internal docs preview environment.

pl4nty avatar May 19 '23 03:05 pl4nty