Tenant Restrictions

Tenant Restrictions allow administrators to control which Microsoft Office 365 and Google Workspace tenants users can access. They help prevent unauthorized access to personal or unapproved corporate tenants, ensuring that users only connect to organization-approved environments. This reduces the risk of data leaks and unauthorized third-party collaboration.

To view the Tenant Restrictions page, access the SASE Administrator Portal and click Internet Access > Tenant Restrictions.

| Column | Description |
| --- | --- |
| Cloud Service | Displays the cloud service for which the restriction is applied: Microsoft Office 365 or Google Workspace. This column is auto-populated and cannot be edited. |
| Source | Defines the groups or members the restriction applies to. Any (default) applies to all users; Groups or Members applies to selected groups or users from your identity provider. |
| Allowed Values | Specifies the identifiers that users in the selected source groups or users are allowed to access. The accepted identifier type depends on the cloud service. See Allowed Identifiers by Cloud Service below. |

Avoid setting the Allowed Identifiers value to Any, as this configuration has no effect on domain restrictions and does not limit access. Specify one or more domains explicitly to ensure the restriction is applied as intended.

Allowed Identifiers by Cloud Service

This table is the authoritative reference for identifier types, validation, and limits.

| Vendor | Modal title | Identifier (format, example, notes) | Max entries |
| --- | --- | --- | --- |
| Microsoft Office 365 | Manage Tenant IDs & Domains | Domain or Tenant ID (UUID). Accepted formats: standard domain (contoso.com), Microsoft domain (fabrikam.onmicrosoft.com), tenant GUID (aaaabbbb-0000-cccc-1111-dddd2222eeee). | Multiple |
| Google Workspace | Manage Domains | Domain only. Tenant ID GUIDs are not accepted. Example: contoso.com | Multiple |
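The rules in the table above, applied to a proposed Allowed Values list before it is entered in the portal. This is an added example, not Check Point code: the function names, the domain syntax check and the treatment of a literal "Any" entry (rejected, because the note above says it does not restrict access) are assumptions of the example.

```python
import re
import uuid

# Added example (not Check Point's code). Validates identifiers against the
# rules in the table above: Microsoft Office 365 accepts a standard domain,
# a *.onmicrosoft.com domain or a tenant GUID; Google Workspace accepts
# domains only. The domain syntax check below is the example's own assumption.
DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$"
)


def is_domain(value: str) -> bool:
    """True if value looks like a DNS domain (labels, dots, alphabetic TLD)."""
    return bool(DOMAIN_RE.match(value.strip().lower()))


def is_tenant_guid(value: str) -> bool:
    """True only for a canonical hyphenated GUID such as the tenant GUID example."""
    v = value.strip()
    try:
        return str(uuid.UUID(v)) == v.lower()
    except ValueError:
        return False


def identifier_kind(cloud_service: str, value: str):
    """Return the accepted identifier kind for this service, or None if rejected."""
    if cloud_service == "Microsoft Office 365":
        if is_tenant_guid(value):
            return "tenant_guid"
        if is_domain(value):
            if value.strip().lower().endswith(".onmicrosoft.com"):
                return "microsoft_domain"
            return "domain"
        return None
    if cloud_service == "Google Workspace":
        # Tenant ID GUIDs are not accepted for Google Workspace.
        return "domain" if is_domain(value) else None
    raise ValueError(f"unsupported cloud service: {cloud_service}")


def validate_allowed_values(cloud_service: str, values):
    """Split a proposed Allowed Values list into (accepted, rejected) entries.

    A literal 'Any' is rejected: per the note above it does not limit access.
    """
    accepted, rejected = [], []
    for v in values:
        if v.strip().lower() == "any" or identifier_kind(cloud_service, v) is None:
            rejected.append(v)
        else:
            accepted.append(v)
    return accepted, rejected
```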

Configuration Requirements for Tenant Restrictions

To enable tenant restrictions enforcement:

  • Ensure that traffic to Microsoft Office 365 and Google Workspace is inspected. The following domains must be inspected and not bypassed:

  • Do not bypass these applications in the Bypass policy. For more information, see Certificate Pinning.

  • Do not block these applications in the Access policy.

This configuration allows SASE to apply tenant restriction rules and validate user access to authorized tenants.

Supported Applications

Tenant Restrictions supports these applications:

  • Microsoft Office 365

  • Google Workspace

Creating a Tenant Restriction

  1. Access the SASE Administrator Portal and click Internet Access.

  2. Go to Tenant Restrictions.

  3. For the cloud service to which you want to add a restriction, do the following:

    1. In the Source field, add the groups or users to which you want to apply the rule. The default is Any.

    2. Click Any > Add Source > Groups or Members.

      The Manage Groups or Members window appears.

    3. Select group(s) or member(s) from the list.

    4. Click Apply.

    5. In the Allowed Domains field, select the domain(s) or tenant ID(s) that users are allowed to access.

    6. Click None > Add Allowed Domain > Domains or Tenant IDs.

      The Manage Domains window appears.

    7. Select the domain(s) or tenant ID(s).

    8. Click Apply.

    9. To activate the rule, turn on the Status toggle button.

    10. Click Apply at the bottom of the page.

    11. Click Apply.

    Notes:

    • Each application supports a single configuration. Rules are not prioritized or matched in order.

    • All changes to the Tenant Restrictions configuration (for example, domain updates, enabling or disabling rules) are recorded in the administrator audit log.

    • Restriction enforcement occurs on the end user side within the SaaS application. For more information, see Microsoft 365 documentation.

    • Changes are applied as part of the Internet Access policy and are enforced by the Internet Access engine once you click Apply.

End User Behavior

When Tenant Restrictions are enabled, users experience these behaviors based on their actions:

| Scenario | User Experience |
| --- | --- |
| User accesses an allowed tenant | Access proceeds normally. |
| User accesses a disallowed tenant | A block page is displayed by the SaaS application (for example, Microsoft Office 365 or Google Workspace), indicating that access is not permitted. |
| User accesses another SaaS application (for example, Salesforce or Atlassian) | No restriction is enforced, and access is allowed. |
| User accesses a GitHub enterprise not in the allowed Enterprise IDs list | GitHub displays: "Your network administrator has blocked access to GitHub except for the [enterprise name]." Access is denied across all supported channels. |

Tenant Restriction Logs

When a user attempts to sign in to a SaaS application using an account that does not belong to an allowed tenant, Check Point SASE blocks the login and generates a log entry. These logs help you identify unauthorized access attempts and policy gaps.

Logs are generated automatically. No additional configuration is required.

Prerequisite

Check Point SASE Agent version 12.7 or later.

What gets logged

  • Log for Microsoft Office 365

  • Log for Google Services

  • A single log entry is created for each blocked login attempt. Each entry includes:

    • User - The identity that attempted to sign in

    • Application - The SaaS application where the login was attempted

    • Restricted Domain - The domain the user tried to access

    • Category - The URL category of the login endpoint

    • Policy Rule - The tenant restriction rule that blocked the attempt

    • Action - Blocked
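A triage pass over the block logs described above, added here as an example and not part of the product or its documentation. The page does not show the on-disk log layout, so the entries are constructed as dicts keyed by the field names listed above; the thresholds and the "repeat user" and "policy gap candidate" heuristics are the example's own assumptions.

```python
from collections import Counter, defaultdict

# Added example (not Check Point's code). Constructed entries that mirror the
# fields listed above; the dict layout is an assumption, not the real format.
SAMPLE_LOGS = [
    {"User": "alice@corp.example", "Application": "Microsoft Office 365",
     "Restricted Domain": "personal-tenant.onmicrosoft.com", "Category": "Business",
     "Policy Rule": "O365 tenant restriction", "Action": "Blocked"},
    {"User": "alice@corp.example", "Application": "Microsoft Office 365",
     "Restricted Domain": "personal-tenant.onmicrosoft.com", "Category": "Business",
     "Policy Rule": "O365 tenant restriction", "Action": "Blocked"},
    {"User": "bob@corp.example", "Application": "Google Workspace",
     "Restricted Domain": "partner.example", "Category": "Business",
     "Policy Rule": "Google tenant restriction", "Action": "Blocked"},
    {"User": "carol@corp.example", "Application": "Google Workspace",
     "Restricted Domain": "partner.example", "Category": "Business",
     "Policy Rule": "Google tenant restriction", "Action": "Blocked"},
    {"User": "dave@corp.example", "Application": "Google Workspace",
     "Restricted Domain": "partner.example", "Category": "Business",
     "Policy Rule": "Google tenant restriction", "Action": "Blocked"},
]


def triage_blocked_logins(entries, repeat_threshold=2, gap_threshold=3):
    """Summarize tenant-restriction block logs for review.

    repeat_users: users with >= repeat_threshold blocked attempts, i.e. repeated
    use of a personal or unapproved tenant that merits a follow-up.
    gap_candidates: (application, restricted domain) pairs blocked for
    >= gap_threshold distinct users; a possible legitimate partner tenant that
    is missing from Allowed Values and should be reviewed (not auto-allowed).
    """
    blocked = [e for e in entries if e.get("Action") == "Blocked"]
    by_user = Counter(e["User"] for e in blocked)
    users_per_domain = defaultdict(set)
    for e in blocked:
        users_per_domain[(e["Application"], e["Restricted Domain"])].add(e["User"])
    return {
        "blocked_total": len(blocked),
        "by_user": dict(by_user),
        "repeat_users": sorted(u for u, n in by_user.items() if n >= repeat_threshold),
        "gap_candidates": sorted(key for key, users in users_per_domain.items()
                                 if len(users) >= gap_threshold),
    }
```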

Limitations

  • Logs are generated only for failed login attempts.

  • Successful logins to allowed tenants are not logged.