Tenant Restrictions

Tenant Restrictions allow administrators to control which Microsoft Office 365 and Google Workspace tenants users can access. It helps prevent unauthorized access to personal or unapproved corporate tenants, ensuring users only connect to organization approved environments. This reduces the risk of data leaks and unauthorized third-party collaborations.

To view the Tenant Restrictions page, access the Harmony SASE Administrator Portal and click Internet Access > Tenant Restrictions.

Column	Description
Cloud Service	Displays the cloud service for which the restriction is applied: Microsoft Office 365 Google Workspace This column is auto-populated and cannot be edited.
Source	Defines the groups or members the restriction applies to: Any (default)- Applies to all users. Groups or Members - Applies to selected groups or users from your identity provider.
Allowed Domains	Specifies the domains that users in the selected source groups and users are allowed to access. You can add domains and tenant IDs in various formats: Standard domain, for example, `contso.com` Microsoft domain, for example, `fabrikam.onmicrosoft.com` Tenant identifier, for example, `aaaabbbb-0000-cccc-1111-dddd2222eeee`

Column

Description

Cloud Service

Displays the cloud service for which the restriction is applied:

Microsoft Office 365
Google Workspace

This column is auto-populated and cannot be edited.

Source

Defines the groups or members the restriction applies to:

Any (default)- Applies to all users.
Groups or Members - Applies to selected groups or users from your identity provider.

Allowed Domains

Specifies the domains that users in the selected source groups and users are allowed to access. You can add domains and tenant IDs in various formats:

Standard domain, for example, contso.com
Microsoft domain, for example, fabrikam.onmicrosoft.com
Tenant identifier, for example, aaaabbbb-0000-cccc-1111-dddd2222eeee

Supported Applications

Tenant Restrictions supports these applications:

Microsoft Office 365
Google Workspace

Creating a Tenant Restriction

Access the Harmony SASE Administrator Portal and click Internet Access.
Go to Tenant Restrictions.

For the cloud service you want to add a restriction, do these:

In the Source field, add groups or users list to which you want to apply the rule. Default is Any.
Click Any > Add Source > Groups or Members.

The Manage Groups or Members window appears.
Select group(s) or member(s) from the list.
Click Apply.
In the Allowed Domains field, select the domain(s) or tenant ID(s) that you want to allow or restrict for access.
Click None > Add Allowed Domain > Domains or Tenant IDs.

The Manage Domains window appears.
Select the domain(s) or tenant ID(s).
Click Apply.
To activate the rule, turn on the Status toggle button.
Click Apply in the bottom of the page.
Click Apply.

Notes:

Each application support a single configuration. Rules are not prioritized or matched in order.
All changes to the Tenant Restrictions configuration (for example, domain updates, enabling or disabling rules) are recorded in the administrator audit log.
Restriction enforcement occurs on the end user side within the SaaS application. For more information, see Microsoft 365 documentation.
Changes are applied as part of the Internet Access policy and are enforced by the Internet Access engine once you click Apply.

End User Behavior

When Tenant Restrictions are enabled, users experience these behaviors based on their actions:

Scenario	User Experience
User accesses an allowed tenant	Access proceeds normally.
User accesses a disallowed tenant	A block page is displayed by the SaaS application (for example, Microsoft Office 365 and Google Workspace), indicating that access is not permitted.
User accesses another SaaS application	No restriction is enforced, and access is allowed (for example, Salesforce and Atlassian).