Microsoft Tightens Azure AD's Access Controls for SaaS Apps

The new Tenant Restrictions feature in Azure Active Directory helps highly-regulated businesses prevent data leaks when using cloud applications.

The Tenant Restrictions feature in Azure Active Directory is now generally available, allowing organizations to exert more control over their users' interactions with software-as-a-service applications to prevent leaks of sensitive information.

Alex Simons, director of Program Management at Microsoft's Identity Division, explained in a Jan. 31 blog post that Tenant Restrictions "enables organizations to control access based on the Azure AD tenant the applications use for single sign-on."

In addition to serving as the cloud-based version of the software giant's user identity management platform, Azure AD also can be used to provide single sign-on and access services for a variety of third-party SaaS apps, and, of course, Microsoft's own Office 365 business software suite.

Essentially, the feature lets businesses ensure that their users can sign in only to the organization's own SaaS subscriptions, not to other tenants' instances of the same services. "For example, you can use Tenant Restrictions to allow access to your organization's Office 365 applications, while preventing access to other organizations' instances of these same applications," continued Simons.

In the past, administrators blocked IP addresses or domains to restrict access to web applications, added Yossi Banai, a Microsoft Azure Active Directory program manager. However, the increased adoption of the public cloud and SaaS applications in enterprise environments, where every customer of a SaaS provider is served from the same shared domain name, has made that tactic impractical: blocking the domain blocks the sanctioned tenant along with everyone else's.

The potential for data leakage exists when users enjoy unfettered access to cloud applications, said Banai. "If users can access Office 365 with their corporate identity, they can also access these same services with other identities."

Microsoft's solution restricts access based on the Azure AD tenant an organization uses to provide single sign-on to its users, and blocks sign-in to any tenant not on the permitted list. It requires an on-premises proxy server with TLS (SSL) inspection capability that inserts two headers into requests bound for the Azure AD login endpoints: Restrict-Access-To-Tenants, carrying the comma-separated list of permitted tenants, and Restrict-Access-Context, carrying the directory ID of the tenant that sets the restriction. Because the control lives in the proxy, it is only effective if all client traffic to those login endpoints is forced through it; a client that can reach login.microsoftonline.com directly is not restricted. Setup instructions are available in this online support document.
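The header-injection rule a proxy applies, shown here as an added example that is not Microsoft's code or the code of any particular proxy product. The three login hostnames and the two header names are the ones Tenant Restrictions uses; the tenant names, the directory ID and the sample requests are constructed placeholders. The example also overwrites any client-supplied copy of the restriction headers, which is this example's own hardening choice, so a user cannot smuggle a broader tenant list past the proxy.

```python
"""Tenant Restrictions header injection as a TLS-inspecting proxy would perform it.

Added example, not Microsoft's code. The proxy is assumed to have already
terminated TLS and to see every request to the Azure AD login endpoints.
"""
from typing import Dict, Iterable, Mapping

# Azure AD login endpoints that honour the Tenant Restrictions headers.
AAD_LOGIN_HOSTS = frozenset({
    "login.microsoftonline.com",
    "login.microsoft.com",
    "login.windows.net",
})

HEADER_TENANTS = "Restrict-Access-To-Tenants"   # comma-separated permitted tenants
HEADER_CONTEXT = "Restrict-Access-Context"      # directory ID of the restricting tenant


def is_aad_login_host(host: str) -> bool:
    """Case-insensitive match on the login endpoints, ignoring a trailing dot."""
    return host.strip().lower().rstrip(".") in AAD_LOGIN_HOSTS


def build_tenant_restriction_headers(permitted_tenants: Iterable[str],
                                     context_directory_id: str) -> Dict[str, str]:
    """Build the two headers; refuses an empty tenant list rather than emitting one."""
    tenants = [t.strip() for t in permitted_tenants if t and t.strip()]
    if not tenants:
        raise ValueError("at least one permitted tenant is required")
    if not context_directory_id.strip():
        raise ValueError("context directory ID is required")
    return {
        HEADER_TENANTS: ",".join(tenants),
        HEADER_CONTEXT: context_directory_id.strip(),
    }


def inject_tenant_restrictions(host: str,
                               headers: Mapping[str, str],
                               permitted_tenants: Iterable[str],
                               context_directory_id: str) -> Dict[str, str]:
    """Return a copy of the request headers with the restriction headers added.

    Requests to hosts other than the Azure AD login endpoints pass through
    untouched. For login endpoints, any pre-existing header with either name
    (in any letter case) is dropped before the proxy's own values are set.
    """
    out = dict(headers)
    if not is_aad_login_host(host):
        return out
    lowered = {HEADER_TENANTS.lower(), HEADER_CONTEXT.lower()}
    for name in list(out):
        if name.lower() in lowered:
            del out[name]
    out.update(build_tenant_restriction_headers(permitted_tenants, context_directory_id))
    return out


if __name__ == "__main__":
    # Constructed sample configuration for the restricting organization.
    permitted = ["contoso.com", "fabrikam.onmicrosoft.com"]
    context_id = "00000000-0000-0000-0000-000000000001"

    # Constructed sample requests: one to the login endpoint, one to a service host.
    for host in ("login.microsoftonline.com", "outlook.office.com"):
        result = inject_tenant_restrictions(host, {"Host": host}, permitted, context_id)
        print(host, "->", {k: v for k, v in result.items() if k.startswith("Restrict-")})
```

Only the login endpoints receive the headers; requests to the service hosts themselves (outlook.office.com, for example) are forwarded unchanged, because Azure AD enforces the restriction at sign-in time, not on the application traffic.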

The company also has rolled out several new features to its Azure AD's business-to-business (B2B) collaboration toolkit.

As its name suggests, Azure AD B2B encompasses a set of technologies and management capabilities that enables enterprises and their partner organizations to collaborate securely. "The goal of Azure AD B2B is to enable organizations of all sizes and industries—even those with complex compliance and governance requirements—to work easily and securely with collaborators around the world," said Simons in a separate Feb. 1 announcement.

New features include self-service capabilities that allow workers to invite other B2B users to applications or groups they manage. Users also gain the ability to send invitations to any email address. A new custom branding feature lends a professional look to email invitations.

Other updates include multi-factor authentication on B2B guest accounts, new auditing and reporting options, along with PowerShell support. The full list is available in this support documentation.

Pedro Hernandez

Pedro Hernandez is a contributor to eWEEK and the IT Business Edge Network, the network for technology professionals. Previously, he served as a managing editor for the network of...