Azure-docs: Not working for personal (Live) Microsoft accounts.

Created on 19 Jul 2018 · 17 comments · Source: MicrosoftDocs/azure-docs

Tenant restrictions mechanism is not working for personal (Live) Microsoft accounts.
This defeats the whole purpose of the mechanism.
Users in companies that want to restrict O365 exclusively to the corporate tenant can still access their uncontrolled personal mailboxes and OneDrives.



All 17 comments

@BartJocque Thanks for your feedback! We will investigate and update as appropriate.

@BartJocque Please note that Tenant Restriction is an Azure Active Directory feature for SaaS applications for which the authentication request is coming to Azure AD URLs to authenticate: login.microsoftonline.com, login.microsoft.com, and login.windows.net. As stated in the document, for each incoming request to login.microsoftonline.com, login.microsoft.com, and login.windows.net, insert two HTTP headers: Restrict-Access-To-Tenants and Restrict-Access-Context. Hence, if the request is coming for any tenant other than one that is part of Restrict-Access-To-Tenants, the login request will fail. So allowing access to the corporate tenant will help in that regard. If the request is coming for a personal mailbox, where the user account authentication attempt goes to some other tenant, then it will be blocked from login.

Further, you can look for the option to restrict Office 365 to our corporate devices using Active Directory conditional access device policies for Office 365 services.

I fully understand that it has been designed like that, but the personal live logins are a real backdoor for Tenant Restrictions.
You can supersecure the Corporate Tenant, but users can bypass all of this just by using their private accounts.

Also, I don't understand how conditional access would be applied to personal accounts? Would that not be the same limitation as above?

@BartJocque Sorry, but can you please further elaborate on it. If a personal login request through login.microsoft.com and login.microsoftonline.com goes to a different tenant, which is restricted, then it will not be authenticated. So I still need to understand in which scenario personal account authentication can still pass even though tenant restriction is in place.

One scenario is where a user logs in from the PowerPoint 2016 or Word 2016 app; the tenant restrictions feature is defeated (-> the user can access his personal OneDrive).

@BartJocque When a user logs in through the PowerPoint 2016 or Word 2016 app, the login request will go through login.microsoftonline.com and the HTTP headers Restrict-Access-To-Tenants and Restrict-Access-Context will be inserted. This will take care that if the login request is going to some other tenant it will fail. So if the user is using a personal login, then its authentication will fail, as the personal login account exists in another tenant which is not part of the Restrict Tenant Access list.

Thanks for the feedback.
But that's not the behaviour we are currently perceiving.
Will double check our setup and configurations and update you later.
tx.

I made a trace while reproducing the issue: logging in to my personal O365 from within PowerPoint 2016.
First there was a connection to auth.gfx.com and then a redirect to login.live.com.
I think that the problem is that login.live.com does not enforce tenant restrictions ?

@BartJocque Thanks for added information. I see your point.

@barbkess Please let me know if you can provide more information related to the above query. Even with Tenant restriction the user will be able to open Office apps using their personal Microsoft Account, as the authentication request will go through login.live.com.

@BartJocque I am still trying to get more information from our service team in this regard. I will update you on this issue as soon as I have more information to share.

@BartJocque As per the update from our Service Team, below is the information we got:

The tenant restriction feature's focus has been on corporate accounts only; those who intend to block consumer services typically use firewall policies to achieve the same. This is particularly important to block the user's access to non-Microsoft consumer services. You can typically have these consumer services firewall policies in place and may need a comprehensive solution for corporate accounts, since a simple firewall policy doesn't suffice there. For example, all O365 services use login.microsoftonline.com for authentication; blocking this URL in the firewall would block access to all tenants.

The tenant restriction feature is intended to solve this specific problem, and not to supplant firewall policies already in use to block consumer services.

Hence, please use a combination of Tenant Restriction and firewall policies in your scenario.

Hi,

Thanks for your answer.

I do understand that firewall and proxy policies are the primary means to block access to consumer services.

However, we have opened O365 access as per the MS recommendation ( https://support.content.office.net/en-us/static/O365IPAddresses.xml ), and there is no distinction in that list between corporate and consumer services.
How can we know what services are needed for consumers and what services are needed for corporate access?
We would expect you to publish that information (e.g. one XML for corporate access and one XML for consumer access).

Kind regards
Bart

@BartJocque Please confirm if you already have a support case open on this issue. If yes, that will be the best place to further discuss this issue. We can also involve the relevant service team contact in the support case.

Also do check this article, which may be of help:
https://support.office.com/en-us/article/managing-office-365-endpoints-99cab9d4-ef59-4207-9f2b-3728eb46bf9a

Hi @MohitGargMSFT,

Thanks for the link, a useful article indeed, although not fully satisfying.

Of course we have a support case open for this (but in the initial case I was referred to this feedback form, since it was something for the product group, they said).

@BartJocque Please continue to work with the support case to further help you out on your scenario. This platform is to help customers ask queries as they use the Azure published documentation and provide their valuable inputs to improve it. We try our level best to help out; however, there are some feature limitations which could be surfaced through Product Feedback forums as well. Apart from creating document feedback, you can also use the "Give Product Feedback" button in our documents now, which will take you directly to the appropriate product feedback page.

We will now move ahead and close this documentation feedback request.

@MohitGargMSFT @barbkess
The solution is to block storage.live.com and d.docs.live.net.

@BartJocque Great that you figured out the solution, and many thanks for sharing it with us. This will help us if another customer faces a similar situation.
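Added example (not code from the thread, from Microsoft, or from the azure-docs project): a small model of the egress proxy policy the thread discusses. The documented mechanism is that the proxy inserts the two headers Restrict-Access-To-Tenants and Restrict-Access-Context only on requests to the three Azure AD sign-in hosts; the trace reported above shows a consumer (Live) sign-in going to login.live.com instead, so those headers never apply, which is why the thread ends with a separate firewall block on storage.live.com and d.docs.live.net. The header value formats follow the Azure AD documentation; the tenant names, directory ID and trace URLs below are constructed, and `find_uncovered_signins` is a hypothetical audit helper that flags login-looking hosts a proxy policy neither tagged nor blocked.

```python
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Hosts the tenant restrictions documentation says must receive the two headers.
TENANT_RESTRICTION_HOSTS = frozenset({
    "login.microsoftonline.com",
    "login.microsoft.com",
    "login.windows.net",
})

# Consumer storage endpoints named in the final comment of the thread.
CONSUMER_BLOCK_HOSTS = frozenset({"storage.live.com", "d.docs.live.net"})


@dataclass
class Decision:
    host: str
    action: str                          # "allow" or "block"
    headers: dict = field(default_factory=dict)
    reason: str = ""


def apply_egress_policy(url, allowed_tenants, context_tenant_id):
    """Decide what the egress proxy does with one outbound request.

    allowed_tenants: tenant domains or IDs permitted via Restrict-Access-To-Tenants
                     (comma-separated in the header).
    context_tenant_id: directory ID reported in Restrict-Access-Context.
    """
    host = (urlsplit(url).hostname or "").lower()
    if host in CONSUMER_BLOCK_HOSTS:
        return Decision(host, "block", reason="consumer storage endpoint blocked by firewall policy")
    if host in TENANT_RESTRICTION_HOSTS:
        headers = {
            "Restrict-Access-To-Tenants": ",".join(allowed_tenants),
            "Restrict-Access-Context": context_tenant_id,
        }
        return Decision(host, "allow", headers, "tenant restriction headers inserted")
    # Anything else passes through untouched: this is the gap for login.live.com,
    # which is not an Azure AD host and so never sees the headers.
    return Decision(host, "allow", reason="no tenant restriction applies")


def find_uncovered_signins(trace_urls, allowed_tenants, context_tenant_id):
    """Hypothetical audit helper: run a captured sign-in flow through the policy
    and return hosts that look like a login endpoint (heuristic: 'login' in the
    hostname) but were neither tagged with the headers nor blocked."""
    uncovered = []
    for url in trace_urls:
        d = apply_egress_policy(url, allowed_tenants, context_tenant_id)
        if d.action == "allow" and not d.headers and "login" in d.host:
            uncovered.append(d.host)
    return uncovered


if __name__ == "__main__":
    # Constructed values, modelled on the trace reported in the thread.
    tenants = ["contoso.com"]
    directory_id = "00000000-0000-0000-0000-000000000000"  # placeholder
    trace = [
        "https://auth.gfx.com/",
        "https://login.live.com/",
        "https://login.microsoftonline.com/common/oauth2/authorize",
        "https://d.docs.live.net/",
    ]
    for u in trace:
        d = apply_egress_policy(u, tenants, directory_id)
        print(f"{d.host:28} {d.action:5} {d.headers or ''} {d.reason}")
    print("uncovered sign-in hosts:", find_uncovered_signins(trace, tenants, directory_id))
```

Running the script shows the corporate sign-in host receiving both headers, the consumer storage host being blocked, and login.live.com passing through with no headers at all, which is the behaviour the trace in this thread reported.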
