
When the Azure portal reports that a tenant is restricted, the cause is the Azure Active Directory (now Entra ID) tenant restrictions feature, not a fault in the account itself. Tenant restrictions let an organization force its users' login traffic through an outbound proxy that adds the Restrict-Access-To-Tenants and Restrict-Access-Context HTTP headers, so that users on its network can sign in only to the tenants the organization has listed.
The message therefore means that some organization's proxy is adding those headers and the tenant you are signing in to is not on its permitted list. A locked-down Azure subscription (Azure resource locks) is a different mechanism and does not produce this message.
To resolve it, identify which organization's proxy adds the headers and whether your tenant should be on its list. The Azure AD sign-in logs, covered below, record every blocked attempt with a dedicated error code, which is the quickest way to confirm the cause.
Understanding Tenant Restrictions
Tenant restrictions do not affect sign-ins to the organization's own tenant, because the organization lists that tenant as permitted. They take effect when someone on the restricted network signs in to, or requests a token for, a tenant that is not listed.
Here's a breakdown of how tenant restrictions work:
The organization routes all traffic to the Azure AD login endpoints through a proxy that adds two headers: Restrict-Access-To-Tenants, a comma-separated list of permitted tenant IDs or verified domain names, and Restrict-Access-Context, the directory ID of the tenant that is setting the restriction. Azure AD then allows a sign-in only if the target tenant appears in the Restrict-Access-To-Tenants list; otherwise the user receives an error.
Internal Users
Typically, organizations allow access to apps/resources in the AAD tenants they own and manage.
This means users can access resources integrated with their own tenant without any issues.
Users will receive an error if they try to access resources in a different AAD tenant.
The error occurs because the proxy's Restrict-Access-To-Tenants header contains no entry for that tenant.
The error page shows the blocked sign-in together with a correlation ID and a timestamp; keep both, since they are what you need to find the event in the sign-in logs.
B2B Guest Users
If you invite a guest user from another Azure AD tenant through B2B collaboration and the guest gets an error when signing in, the guest's own organization is most likely using tenant restrictions as well.
The guest is blocked because their organization's proxy adds a Restrict-Access-To-Tenants header that has no entry for your tenant: from their network they can sign in only to the tenants their organization has listed, and yours is not one of them.
You cannot fix this from your side. The guest user's organization must add your tenant ID or verified domain to the permitted list in its proxy configuration (or, if it uses Tenant Restrictions v2, to its tenant restrictions policy). Once that entry exists, the guest can sign in to your tenant and reach the app or resource.
Azure AD Sign-in Logs Troubleshooting
The Azure AD sign-in logs are the first place to look when troubleshooting tenant restrictions.
Every sign-in attempt is recorded with the user, the application, the target resource and, for failures, an error code and failure reason.
Tenant restriction failures are recorded with error code 500021 (AADSTS500021). The correlation ID shown on the error page identifies the exact attempt, so you can search the logs for it instead of scanning by user and time.
The matching entry shows the application, the resource and the error, which confirms that the block came from tenant restrictions rather than from a disabled account, a wrong password or a Conditional Access policy.
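The following is an added example, not code from the original article: it filters an export of sign-in log records down to tenant restriction failures (error code 500021), optionally narrowed to the correlation ID copied from the error page, and counts blocked attempts per user. The sample records are constructed; their field names follow the Microsoft Graph signIn resource (correlationId, userPrincipalName, appDisplayName, resourceDisplayName, status.errorCode, status.failureReason), but the values, including the failure reason text, are made up.

```python
"""Find tenant restriction failures in an export of Entra sign-in logs.

Added example, not Microsoft code. SAMPLE_SIGN_IN_LOGS is constructed
test data shaped like the Microsoft Graph signIn resource.
"""
import json

TENANT_RESTRICTED = 500021  # error code for "tenant is restricted"

# Constructed sample export: two blocked sign-ins and one successful one.
SAMPLE_SIGN_IN_LOGS = json.dumps([
    {
        "id": "sign-in-1",
        "createdDateTime": "2024-05-01T08:12:03Z",
        "correlationId": "aaaaaaaa-0000-4000-8000-000000000001",
        "userPrincipalName": "alice@contoso.com",
        "appDisplayName": "Azure Portal",
        "resourceDisplayName": "Windows Azure Service Management API",
        "status": {"errorCode": TENANT_RESTRICTED,
                   "failureReason": "Tenant is restricted by company proxy."},
    },
    {
        "id": "sign-in-2",
        "createdDateTime": "2024-05-01T08:15:44Z",
        "correlationId": "aaaaaaaa-0000-4000-8000-000000000002",
        "userPrincipalName": "alice@contoso.com",
        "appDisplayName": "Azure Portal",
        "resourceDisplayName": "Windows Azure Service Management API",
        "status": {"errorCode": 0, "failureReason": "Other."},
    },
    {
        "id": "sign-in-3",
        "createdDateTime": "2024-05-01T09:02:17Z",
        "correlationId": "aaaaaaaa-0000-4000-8000-000000000003",
        "userPrincipalName": "bob_fabrikam.com#EXT#@contoso.onmicrosoft.com",
        "appDisplayName": "Microsoft Teams",
        "resourceDisplayName": "Microsoft Graph",
        "status": {"errorCode": TENANT_RESTRICTED,
                   "failureReason": "Tenant is restricted by company proxy."},
    },
])


def tenant_restriction_failures(records_json, correlation_id=None):
    """Return the sign-ins that failed with error 500021, optionally narrowed
    to the correlation ID from the error page (compared case-insensitively).
    Each hit keeps the fields needed to see who was blocked, from which app
    and resource, and when."""
    hits = []
    for rec in json.loads(records_json):
        status = rec.get("status") or {}
        if status.get("errorCode") != TENANT_RESTRICTED:
            continue
        if correlation_id and rec.get("correlationId", "").lower() != correlation_id.lower():
            continue
        hits.append({
            "time": rec.get("createdDateTime"),
            "correlationId": rec.get("correlationId"),
            "user": rec.get("userPrincipalName"),
            "app": rec.get("appDisplayName"),
            "resource": rec.get("resourceDisplayName"),
            "failureReason": status.get("failureReason"),
        })
    return hits


def summarize_by_user(hits):
    """Count blocked attempts per user; one user points at that user's
    network, many users point at your own proxy configuration."""
    counts = {}
    for hit in hits:
        counts[hit["user"]] = counts.get(hit["user"], 0) + 1
    return counts


if __name__ == "__main__":
    blocked = tenant_restriction_failures(SAMPLE_SIGN_IN_LOGS)
    for hit in blocked:
        print(hit["time"], hit["user"], hit["app"], hit["resource"], hit["correlationId"])
    print(summarize_by_user(blocked))
```

When the logs are in a Log Analytics workspace, the same filter is `SigninLogs | where ResultType == "500021"` in KQL; the script above is for an exported JSON file or the output of a Graph query.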
Scenario Example
Let's go back to a common scenario. You've deployed the tenant restrictions feature in your environment, which means all end users must reach Azure AD through a proxy server, either configured directly on the client or selected by a PAC file.
The proxy intercepts TLS and adds the Restrict-Access-To-Tenants and Restrict-Access-Context headers to every request sent to these endpoints:
- login.microsoftonline.com
- login.microsoft.com
- login.windows.net
As a result, users on that network can sign in only to the tenants listed in the header, in practice your own AAD tenant; a sign-in to any other tenant fails with error 500021. The proxy service configuration is where that list lives.
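The following is an added example, not code from the original article or from Microsoft. It models the two halves of the Tenant Restrictions v1 mechanism described in the Understanding Tenant Restrictions section and in this scenario: the proxy rule that adds the two headers only on requests to the three login endpoints, and a simplified model of how the login service evaluates those headers for a sign-in to a given tenant. The header names and the 500021 error code are the real ones; the tenant IDs and URLs are constructed, and the treatment of a missing Restrict-Access-Context header as a failure is an assumption of the model, not verified behaviour.

```python
"""Tenant Restrictions v1: proxy header injection plus a model of the
login service's decision. Added example, not Microsoft code."""
from urllib.parse import urlsplit

# Login endpoints listed in the scenario; the proxy injects headers only here.
LOGIN_HOSTS = {
    "login.microsoftonline.com",
    "login.microsoft.com",
    "login.windows.net",
}

# Error code recorded in the sign-in logs for a blocked tenant.
ERROR_TENANT_RESTRICTED = 500021


def inject_tenant_restriction_headers(url, headers, permitted_tenants, context_tenant_id):
    """Return a copy of `headers` with the two tenant restriction headers added
    when `url` targets one of the login endpoints; other traffic is untouched."""
    out = dict(headers)
    host = (urlsplit(url).hostname or "").lower()
    if host not in LOGIN_HOSTS:
        return out
    # Comma-separated list of tenant IDs and/or verified domain names.
    out["Restrict-Access-To-Tenants"] = ",".join(permitted_tenants)
    # Directory ID of the tenant that is setting the restriction.
    out["Restrict-Access-Context"] = context_tenant_id
    return out


def evaluate_sign_in(headers, target_tenant):
    """Simplified model of the login service's decision for a sign-in to
    `target_tenant` (a tenant ID or domain name) given the request headers.

    No restriction header: no restriction applies. With the header, only the
    listed tenants may be signed in to; anything else fails with 500021.
    Failing on a missing Restrict-Access-Context is an assumption of this
    model (v1 requires both headers); it is not verified service behaviour.
    """
    lookup = {k.lower(): v for k, v in headers.items()}
    restriction = lookup.get("restrict-access-to-tenants")
    if restriction is None:
        return {"allowed": True, "errorCode": 0, "reason": "no tenant restriction header"}
    if not lookup.get("restrict-access-context"):
        return {"allowed": False, "errorCode": ERROR_TENANT_RESTRICTED,
                "reason": "Restrict-Access-Context header missing"}
    permitted = {t.strip().lower() for t in restriction.split(",") if t.strip()}
    if target_tenant.lower() in permitted:
        return {"allowed": True, "errorCode": 0, "reason": "tenant is in the permitted list"}
    return {"allowed": False, "errorCode": ERROR_TENANT_RESTRICTED,
            "reason": f"tenant {target_tenant} is not in Restrict-Access-To-Tenants"}


def simulate(url, permitted_tenants, context_tenant_id, target_tenant):
    """Run one request through the proxy rule and then through the evaluation."""
    headers = inject_tenant_restriction_headers(
        url, {"Host": urlsplit(url).hostname}, permitted_tenants, context_tenant_id)
    return evaluate_sign_in(headers, target_tenant)


if __name__ == "__main__":
    # Constructed values: contoso's proxy permits only contoso.com.
    ctx = "11111111-1111-1111-1111-111111111111"  # hypothetical contoso directory ID
    authorize = "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
    print(simulate(authorize, ["contoso.com", ctx], ctx, "contoso.com"))   # allowed
    print(simulate(authorize, ["contoso.com", ctx], ctx, "fabrikam.com"))  # blocked, 500021
```

The `simulate` call with `fabrikam.com` is exactly the Internal Users case above: the header is present, the target tenant is missing from it, and the result is the 500021 failure that the sign-in logs record.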
Authentication Plane
The authentication plane is where Tenant Restrictions v2 is enforced for sign-ins: enforcement happens at the time of Entra ID or Microsoft account authentication.
If you're connected through the Global Secure Access client or via remote network connectivity, your organization's Tenant Restrictions v2 policy is checked to determine whether the authentication should be allowed. The policy is not applied when you sign in to your own organization's tenant.
When you sign in to a different tenant with an identity from that tenant, the policy is enforced, and the sign-in succeeds only if the policy allows that tenant (and, where the policy is scoped further, that user and that application). Any application that authenticates with Entra ID or with a Microsoft account is covered at the authentication plane; no per-application integration is needed.
Universal Tenant Restrictions
Universal Tenant Restrictions are not enforced when a member or a guest user accesses resources in the tenant where the policy is configured.
This is because a Tenant Restrictions v2 policy is processed only when an identity from a different tenant attempts to sign in to, or access resources in, a tenant other than the one that configured the policy. For example, suppose the tenant contoso.com configures a Tenant Restrictions v2 policy that blocks all organizations except fabrikam.com.
The outcomes for that example are:
- Users signing in to contoso.com with their contoso.com identity: allowed; the policy is not processed.
- Guest users signing in to contoso.com: allowed; the policy is not processed.
- Identities from fabrikam.com signing in to fabrikam.com: allowed by the policy exception.
- Identities from northwinds.com signing in to northwinds.com: blocked by the default action.
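The following is an added example, not code from the original article or from Microsoft, serving both the Authentication Plane section and this one. It models a Tenant Restrictions v2 decision as a small policy evaluator: the policy is skipped for any sign-in to the policy tenant itself (members and guests alike), and for external identities it applies a default action plus per-tenant exceptions that can be narrowed to specific users and applications. Treating the policy tenant's own identities as out of scope when they are used elsewhere is a modelling assumption; the tenant names come from the example in the text, and the user and app names are constructed.

```python
"""Model of Tenant Restrictions v2 (universal tenant restrictions) decisions.

Added example, not Microsoft code. Encodes the rules stated in the text:
not processed for sign-ins to the policy tenant; for external identities,
a default action plus per-tenant exceptions. The user/application scoping
of exceptions is simplified for illustration.
"""
from dataclasses import dataclass, field


@dataclass
class PartnerException:
    """Exception for one external tenant. An empty allowed_users or
    allowed_apps set means every user, or every application, in that tenant."""
    tenant: str
    allowed_users: set = field(default_factory=set)
    allowed_apps: set = field(default_factory=set)


@dataclass
class TenantRestrictionsV2:
    policy_tenant: str                          # tenant that configured the policy
    default_action: str = "block"               # 'block' or 'allow' for unlisted tenants
    exceptions: dict = field(default_factory=dict)  # tenant -> PartnerException

    def allow_tenant(self, tenant, users=(), apps=()):
        """Add an exception for `tenant`, optionally limited to users/apps."""
        self.exceptions[tenant.lower()] = PartnerException(
            tenant.lower(), {u.lower() for u in users}, set(apps))
        return self


def evaluate(policy, identity_tenant, target_tenant, user=None, app=None):
    """Decide a sign-in made from the policy tenant's network or GSA client.

    identity_tenant: home tenant of the account being used
    target_tenant:   tenant the account is signing in to
    Returns (decision, reason) with decision 'allow' or 'block'.
    """
    p = policy.policy_tenant.lower()
    identity_tenant, target_tenant = identity_tenant.lower(), target_tenant.lower()

    # Rule 1: a sign-in to the policy tenant itself, by a member or a guest,
    # is never subject to tenant restrictions.
    if target_tenant == p:
        return "allow", "policy not processed: sign-in to the policy tenant"

    # Rule 2 (modelling assumption): the policy governs external identities;
    # the tenant's own identities used elsewhere fall under cross-tenant
    # access settings rather than tenant restrictions.
    if identity_tenant == p:
        return "allow", "policy not processed: home-tenant identity"

    # Rule 3: external identity, external tenant: apply the policy.
    exc = policy.exceptions.get(identity_tenant)
    if exc is None:
        if policy.default_action == "allow":
            return "allow", "default action allows unlisted tenants"
        return "block", f"{identity_tenant} is not allowed by the policy (default block)"
    if exc.allowed_users and (user or "").lower() not in exc.allowed_users:
        return "block", f"user is not in the allowed users for {identity_tenant}"
    if exc.allowed_apps and app not in exc.allowed_apps:
        return "block", f"application is not in the allowed applications for {identity_tenant}"
    return "allow", f"{identity_tenant} is allowed by a policy exception"


if __name__ == "__main__":
    # The example from the text: contoso.com blocks everything except fabrikam.com.
    contoso = TenantRestrictionsV2("contoso.com").allow_tenant("fabrikam.com")
    for identity, target in [("contoso.com", "contoso.com"),
                             ("northwinds.com", "contoso.com"),   # B2B guest in contoso
                             ("fabrikam.com", "fabrikam.com"),
                             ("northwinds.com", "northwinds.com")]:
        print(identity, "->", target, evaluate(contoso, identity, target))
```

Running the block prints allow, allow, allow, block for the four rows, matching the outcomes listed above; the `allow_tenant(..., users=..., apps=...)` form shows how an exception can be narrowed to named users and applications in the partner tenant.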
Frequently Asked Questions
How do I unlock my Azure portal account?
First check whether the account is actually locked. A tenant restrictions failure (error 500021 in the sign-in logs) is not an account lock, and nothing you change on the user object will clear it; the permitted-tenant list on the proxy, or the Tenant Restrictions v2 policy, has to change. If the account itself is blocked, sign in to the Azure portal with administrator credentials, open Azure Active Directory (Entra ID), locate the user, confirm that sign-in is not blocked for the account, and reset the password if needed.