Using HTTP Header Insertion For Sanctioned Access To Office365 Enterprise

Created On 02/28/23 23:46 PM - Last Modified 03/25/24 19:46 PM


Objective


Previously, allowing sanctioned instances of Office365 enterprise accounts while blocking unsanctioned enterprise and consumer accounts was done by creating a custom application based on the sanctioned domain. This is no longer an option: changes made by Microsoft now cause any traffic matching the custom application to be identified as Palo Alto’s predefined application office-365-base. The KB article for the old configuration is linked below:

MICROSOFT OFFICE 365 ACCESS CONTROL FIELD SUPPORT GUIDE
 

The HTTP Header Insertion feature solves this problem. It modifies the HTTP GET request header by adding a list of the Office365 tenants that users on your organization's network are permitted to access. When Microsoft receives the request, it determines whether the Office365 account the user is logging into belongs to one of the permitted tenants. If the account does not belong to a permitted tenant, Microsoft blocks it.

Learn more about Office365 Tenant Restrictions in the below Microsoft articles:

  1. Restrict access to a tenant
  2. Office 365 URLs and IP address ranges
  3. Set up tenant restrictions V2 (Preview) - Microsoft released Tenant Restrictions V2 in June 2023.

This article will help you configure HTTP Header Insertion on your Palo Alto firewall for Office365 based on Microsoft’s Tenant Restrictions V1.

If additional assistance is needed with locating tenant IDs, directory IDs, or Microsoft’s Tenant Restrictions V2 configuration, please contact Microsoft support.

 



Environment


  • Palo Alto firewall running PAN-OS 8.1 or later.

  • HTTP Header Insertion feature.



Procedure


The 3 basic configuration requirements for HTTP Header Insertion to work with Office365 are:

  1. Traffic to the Office365 login domains must be decrypted.

  2. A URL Filtering Profile with an HTTP Header Insertion entry.

  3. A Security Policy that allows access to the Office365 login domains with the URL Filtering Profile from #2 applied.

Configurations:

1) (Optional, but best practice) Create a custom URL Category for the Microsoft login domains you want to allow access to.
(Not needed if you have a Security Policy that allows traffic to the Microsoft login domains AND a Decryption Policy that is decrypting traffic to the Microsoft login domains.)

 
1a) Microsoft login domains to allow in order to block outside enterprise accounts:
  • login.microsoftonline.com

  • login.windows.net

  • login.microsoft.com

1b) Microsoft login domains to allow in order to block consumer accounts:

  • login.live.com

 

Example Custom URL Category

 

2) Create a URL Filtering Profile. If you created a custom URL Category, verify under the Categories tab of the URL Filtering Profile that the Site Access and User Credential Submission fields are set to Allow.

Example URL Filtering Profile


 

3) In the HTTP Header Insertion tab of the URL Filtering Profile, create a new entry. You will need to make separate entries for blocking outside enterprise accounts and blocking consumer accounts:

 
Example of HTTP Header Insertion entries



3a) To block access for outside enterprise accounts use the following values:

  • Name: <Create a custom name for the entry>

  • Type: Microsoft Office365 Tenant Restrictions

  • Domain (will be filled automatically):

    • login.microsoftonline.com

    • login.windows.net

    • login.microsoft.com

  • Headers:

    • Restrict-Access-To-Tenants: A comma-separated list of tenants you want to allow users to access.

    • Restrict-Access-Context: A single directory ID used to declare which tenant is setting the tenant restrictions.

    • (Optional) You can select the Log checkbox to enable logging of this header insertion entry.

Note: If additional assistance is needed with locating tenant IDs or directory IDs, please contact Microsoft support.

 


3b) To block access for consumer accounts use the following values:

  • Name: <Create a custom name for the entry>

  • Type: Custom

  • Domain: login.live.com

  • Headers:

    • sec-Restrict-Tenant-Access-Policy: restrict-msa

    • (Optional) You can select the Log checkbox to enable logging of this header insertion entry.

 

4) Create a Decryption Policy that is set to "Decrypt" and has the Type set to "SSL Forward Proxy" under the Options tab. If you created a custom URL Category, you can add it under the Service/URL Category tab to narrow the scope of the policy.

 
Example Decryption Policy


 

5) Create a Security Policy that allows traffic from your users to the Microsoft login domains and has the URL Filtering Profile from step 2 applied to it. If you created a custom URL Category, you can add it under the Service/URL Category tab to narrow the scope of the policy.

 
Example Security Policy


 

6) Verify HTTP Header Insertion is working.

You should see the following response page from Microsoft when a user on your network attempts to sign in to an outside enterprise account or a consumer account:
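The following Python is an added illustration, not PAN-OS code and not part of this KB article. It models what the firewall does with a decrypted request to the login domains from steps 1a and 1b: the headers from step 3a are added for the enterprise login domains, the header from step 3b for login.live.com, and nothing is added when the session is not decrypted (which is why step 4 is required). The tenant name and directory ID are constructed placeholders; the host matching, header names and values follow the entries described in step 3.

```python
"""Model of the HTTP Header Insertion behaviour configured in steps 1-5.

Constructed example for illustration; this is not PAN-OS code and not
part of the KB article. Tenant names and directory IDs are placeholders.
"""
import re
from typing import Dict, List

# Step 1a: login domains used to block outside enterprise accounts.
ENTERPRISE_LOGIN_DOMAINS = {
    "login.microsoftonline.com",
    "login.windows.net",
    "login.microsoft.com",
}
# Step 1b: login domain used to block consumer accounts.
CONSUMER_LOGIN_DOMAINS = {"login.live.com"}

# Directory IDs are GUIDs.
_GUID = re.compile(r"^[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")


def validate_tenant_restrictions(allowed_tenants: List[str], context_directory_id: str) -> None:
    """Catch configurations that would not enforce the intended restriction.

    Restrict-Access-To-Tenants needs at least one tenant and no blank entries;
    Restrict-Access-Context must be exactly one directory ID (step 3a).
    """
    if not allowed_tenants or any(not t.strip() or "," in t for t in allowed_tenants):
        raise ValueError("Restrict-Access-To-Tenants must be a non-empty list of tenants")
    if not _GUID.match(context_directory_id):
        raise ValueError("Restrict-Access-Context must be a single directory ID (GUID)")


def insert_tenant_restriction_headers(host: str, headers: Dict[str, str],
                                      allowed_tenants: List[str],
                                      context_directory_id: str,
                                      decrypted: bool = True) -> Dict[str, str]:
    """Return the headers the firewall forwards to Microsoft for one request.

    Insertion only happens on a decrypted session (SSL Forward Proxy, step 4).
    On an undecrypted session the firewall cannot see the HTTP request, so the
    headers come back unchanged and no restriction is enforced.
    """
    validate_tenant_restrictions(allowed_tenants, context_directory_id)
    out = dict(headers)
    if not decrypted:
        return out
    host = host.lower()
    if host in ENTERPRISE_LOGIN_DOMAINS:
        # Step 3a: predefined "Microsoft Office365 Tenant Restrictions" entry.
        out["Restrict-Access-To-Tenants"] = ",".join(allowed_tenants)
        out["Restrict-Access-Context"] = context_directory_id
    elif host in CONSUMER_LOGIN_DOMAINS:
        # Step 3b: custom entry that blocks consumer (MSA) accounts.
        out["sec-Restrict-Tenant-Access-Policy"] = "restrict-msa"
    return out


def render_get_request(host: str, path: str, headers: Dict[str, str]) -> str:
    """Serialise the HTTP/1.1 GET request as Microsoft would receive it."""
    lines = [f"GET {path} HTTP/1.1", f"Host: {host}"]
    lines += [f"{k}: {v}" for k, v in headers.items() if k.lower() != "host"]
    return "\r\n".join(lines) + "\r\n\r\n"


if __name__ == "__main__":
    # Constructed placeholder values; substitute your own tenant and directory ID.
    allowed = ["contoso.onmicrosoft.com"]
    context = "00000000-0000-0000-0000-000000000000"
    client_headers = {"Host": "login.microsoftonline.com", "User-Agent": "example-browser/1.0"}
    fwd = insert_tenant_restriction_headers("login.microsoftonline.com", client_headers, allowed, context)
    print(render_get_request("login.microsoftonline.com", "/common/oauth2/authorize", fwd))
    fwd = insert_tenant_restriction_headers("login.live.com", {"Host": "login.live.com"}, allowed, context)
    print(render_get_request("login.live.com", "/login.srf", fwd))
```

Running the script prints the two request headers exactly as they leave the firewall, which is the view you do not get from the client side (the browser never sees the inserted headers). The model only renders HTTP/1.1 request text; for HTTP/2.0 traffic see the workaround article listed under Other Related Articles.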

  



Additional Information


Palo Alto Admin Guide Articles for HTTP Header Insertion:

  1. HTTP Header Insertion
  2. Create HTTP Header Insertion Entries using Predefined Types
  3. Create Custom HTTP Header Insertion Entries

Other Helpful Palo Alto Admin Guide Articles:

  1. Create a Custom URL Category
  2. Configure URL Filtering
  3. Configure SSL Forward Proxy
  4. Create a Security Policy Rule

Other Related Articles:

  1. HTTP HEADER INSERTION WORKAROUND FOR HTTP/2.0 SAAS APPLICATIONS


https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000sayjCAA&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail