How to block users from logging in to their Microsoft Personal Accounts using Header Insertion
17013
Created On 04/04/23 15:07 PM - Last Modified 01/23/24 22:23 PM
Objective
To block users from logging in to their MS personal accounts, such as Outlook.com or OneDrive, using the header insertion feature by applying a custom header to the "login.live.com" domain.
Environment
- Palo Alto Firewalls
- Supported PAN-OS
- URL Filtering Profile
Procedure
- Under the URL Filtering profile, create a new header insertion entry:
  - Name: give the new entry a name; in our test it is "Block-MS-Personal-Accounts".
  - Under Type, choose "custom".
  - Under Domains, add the wildcard domain "login.live.com".
  - Under Headers, add the header "sec-Restrict-Tenant-Access-Policy" with the value "restrict-msa".
  - Click OK.
- Attach the URL Filtering profile to the desired security policy.
- When the user tries to authenticate, after providing their credentials, the following error message is displayed.
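The following is an added Python model of the entry configured above, not PAN-OS code or Palo Alto's: it reproduces the per-request decision (Host matches an entry domain, so the configured header is added) and includes an audit helper for confirming, from captured decrypted requests, that the header is actually being inserted; it also generalizes to "*" wildcard domains. The domain list, header name and value are taken from the procedure; the replace-on-collision behaviour and the sample requests are assumptions and constructed data.

```python
"""Model of the "Block-MS-Personal-Accounts" header-insertion entry.

Constructed example, not PAN-OS code. It mimics the firewall's per-request decision
(does the Host match an entry domain? if so, add the configured headers) and adds an
audit helper for checking requests captured on the internet side of the firewall.
"""
from fnmatch import fnmatchcase

# The entry created in the procedure.  Domains may be exact names or '*' wildcards.
BLOCK_MSA_ENTRY = {
    "name": "Block-MS-Personal-Accounts",
    "domains": ["login.live.com"],
    "headers": {"sec-Restrict-Tenant-Access-Policy": "restrict-msa"},
}

def domain_matches(host: str, pattern: str) -> bool:
    """Case-insensitive match of a Host value against an entry domain or wildcard."""
    return fnmatchcase(host.lower().rstrip("."), pattern.lower())

def apply_header_insertion(entry: dict, host: str, headers: dict) -> dict:
    """Return the request headers as they would leave the firewall.

    Assumption (not stated in the article): a firewall-configured header replaces any
    header of the same name the client sent, so a client cannot pre-set another value.
    """
    if not any(domain_matches(host, d) for d in entry["domains"]):
        return dict(headers)                      # no match: request passes untouched
    inserted = {k.lower() for k in entry["headers"]}
    out = {k: v for k, v in headers.items() if k.lower() not in inserted}
    out.update(entry["headers"])
    return out

def find_unenforced(entry: dict, requests: list) -> list:
    """Audit helper: hosts matched by the entry whose captured headers lack the insertion.

    `requests` is a list of (host, headers) pairs captured after the firewall (for
    example from a decryption mirror); a non-empty result means the policy is not
    taking effect for those requests.
    """
    missing = []
    for host, headers in requests:
        if not any(domain_matches(host, d) for d in entry["domains"]):
            continue
        seen = {k.lower(): v for k, v in headers.items()}
        if any(seen.get(n.lower()) != v for n, v in entry["headers"].items()):
            missing.append(host)
    return missing

if __name__ == "__main__":
    # Constructed sample requests as they might be captured after the firewall.
    sample = [("login.live.com", {"sec-Restrict-Tenant-Access-Policy": "restrict-msa"}),
              ("login.live.com", {"Host": "login.live.com"}),   # header not inserted
              ("login.microsoftonline.com", {})]                # entry does not apply
    print("Requests missing the MSA restriction header:",
          find_unenforced(BLOCK_MSA_ENTRY, sample))
```

Header insertion can only act on traffic the firewall sees in clear text, so HTTPS sessions to login.live.com must be decrypted for the header to be added.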
Additional Information
- Sanctioned Access for Office365 using HTTP header Insertion
- The pre-defined "Microsoft Office365 Tenant Restrictions" entry in the header insertion feature only blocks users from authenticating with another corporate account; it does not apply to Microsoft Personal accounts.