Administration Guide

Restricted SaaS access

Large organizations may want to restrict SaaS access to resources like Microsoft Office 365, Google Workspace, and Dropbox by tenant, to block non-company login attempts and prevent users from accessing non-approved cloud resources. Many cloud vendors support this by applying tenant restrictions for access control. For example, users who access Microsoft 365 applications through a corporate proxy that applies tenant restrictions can only sign in to the company's tenant and access the organization's applications.

To implement this, access requests from the clients pass through the company's web proxy, which inserts headers that tell the SaaS service to apply tenant restrictions with the permitted tenant list. Users are redirected to the SaaS service login page and are only allowed to log in if they belong to a permitted tenant.

For more information, refer to the vendor-specific documentation.

Basic configuration

A web proxy profile can specify access permissions for Microsoft Office 365, Google Workspace, and Dropbox by inserting vendor-defined headers that restrict access to specific accounts. Custom headers can also be inserted for any destination. The web proxy profile is then applied to a firewall policy, which determines the traffic in which the headers are inserted.

To implement Office 365 tenant restriction, Google Workspace account access control, and Dropbox network access control:
  1. Configure a web proxy profile according to the vendors' specifications:

    1. Set the header name (defined by the service provider).

    2. Set the traffic destination (the service provider).

    3. Set the HTTP header content to be inserted into the traffic (defined by your settings).

    config web-proxy profile
        edit <name>
            config headers
                edit <id>
                    set name <string>
                    set dstaddr <address> 
                    set action add-to-request
                    set base64-encoding disable
                    set add-option new
                    set protocol https http
                    set content <string>
                next
            end
        next
    end
  2. Apply the web proxy profile to a firewall policy. The policy must use proxy inspection mode with SSL deep inspection, because headers can only be inserted into requests that the FortiGate decrypts.

The following table lists the vendor-specific settings that must be configured under config headers in the web proxy profile (config web-proxy profile):

Setting: name <string>

  • Microsoft Office 365: Restrict-Access-To-Tenants and Restrict-Access-Context (two header entries)
  • Google Workspace: X-GoogApps-Allowed-Domains
  • Dropbox: X-Dropbox-allowed-Team-Ids

Setting: dstaddr <address>

  • Microsoft Office 365: use the built-in Microsoft Office 365 address.
  • Google Workspace: use the built-in G Suite address.
  • Dropbox: use the built-in wildcard.dropbox.com address.

Setting: content <string>

  • Microsoft Office 365: enter the tenant domain for Restrict-Access-To-Tenants and the directory ID for Restrict-Access-Context.
  • Google Workspace: enter the allowed domain.
  • Dropbox: enter the Dropbox team ID.

Due to vendors' changing requirements, these settings may no longer comply with the vendors' official guidelines. See the vendor documentation for more details.
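The following Python model is added here as an example; it is not FortiOS code and not part of this guide. It walks the decision the proxy makes for each request that the config headers entries above express: match the Host against the entry's dstaddr, check the protocol, then add the header according to add-option. The tenant domain, directory ID, Dropbox team ID and the stand-in address used for Google are placeholders, the built-in wildcard.dropbox.com address is assumed to mean *.dropbox.com, and the add-option and remove-from-request semantics are modelled from the option names rather than taken from FortiOS internals. It also shows what happens when a client sends its own copy of a restriction header, which is the case a practitioner should think about when choosing add-option.

```python
"""Model of FortiOS web-proxy header insertion for SaaS tenant restriction.

Added example, not Fortinet code: it reproduces the per-request decision that
the `config headers` entries of a web proxy profile express, so the vendor
header table can be exercised offline. Tenant domain, directory ID and team ID
are placeholders. The add-option semantics modelled here ("new" always adds a
header line, "new-on-not-found" adds one only when the header is absent,
"append" extends an existing value) and the treatment of a built-in
"wildcard.<domain>" address as *.<domain> are assumptions made for this example.
"""
from dataclasses import dataclass, replace
from fnmatch import fnmatch
from typing import Dict, List, Sequence, Tuple

Header = Tuple[str, str]


@dataclass
class HeaderRule:
    """One `edit <id>` entry under `config headers` in a web-proxy profile."""
    name: str
    dstaddr: List[str]
    content: str
    add_option: str = "new"                    # new | new-on-not-found | append
    protocol: Tuple[str, ...] = ("https", "http")
    action: str = "add-to-request"             # or remove-from-request


def host_matches(host: str, dstaddr: Sequence[str]) -> bool:
    """Match a request Host against the rule's destination addresses (case-insensitive)."""
    host = host.lower().split(":")[0]
    for addr in (a.lower() for a in dstaddr):
        if addr.startswith("wildcard."):
            suffix = addr[len("wildcard."):]
            if host == suffix or fnmatch(host, "*." + suffix):
                return True
        elif host == addr:
            return True
    return False


def apply_header_rules(host: str, scheme: str, headers: Sequence[Header],
                       rules: Sequence[HeaderRule]) -> List[Header]:
    """Return the request headers the proxy forwards, after applying the rules in id order."""
    out = list(headers)
    for rule in rules:
        if scheme not in rule.protocol or not host_matches(host, rule.dstaddr):
            continue
        same = [i for i, (n, _) in enumerate(out) if n.lower() == rule.name.lower()]
        if rule.action == "remove-from-request":
            out = [h for i, h in enumerate(out) if i not in same]
        elif rule.action != "add-to-request":
            continue                           # response-side actions do not touch requests
        elif rule.add_option == "new" or (rule.add_option == "new-on-not-found" and not same):
            out.append((rule.name, rule.content))
        elif rule.add_option == "append":
            if same:
                i = same[0]
                out[i] = (out[i][0], out[i][1] + ", " + rule.content)
            else:
                out.append((rule.name, rule.content))
    return out


MS_LOGIN = ["login.microsoftonline.com", "login.microsoft.com", "login.windows.net"]

# Mirrors the vendor header table; all content values are placeholders for this example.
PROFILE = [
    HeaderRule("Restrict-Access-To-Tenants", MS_LOGIN, "example.com"),
    HeaderRule("Restrict-Access-Context", MS_LOGIN, "00000000-0000-0000-0000-000000000000"),
    HeaderRule("sec-Restrict-Tenant-Access-Policy", ["login.live.com"], "restrict-msa"),
    # Stand-in for the built-in G Suite address, whose member FQDNs are not listed here.
    HeaderRule("X-GoogApps-Allowed-Domains", ["wildcard.google.com"], "example.com"),
    HeaderRule("X-Dropbox-allowed-Team-Ids", ["wildcard.dropbox.com"], "dbtid:AAAAexample"),
]

# Hardened variant: strip any client-supplied copy of each header first, then insert
# the proxy's own value, so exactly one value reaches the SaaS vendor.
HARDENED_PROFILE = [replace(r, action="remove-from-request") for r in PROFILE] + PROFILE


def inserted_values(host: str, scheme: str = "https", client_headers: Sequence[Header] = (),
                    rules: Sequence[HeaderRule] = PROFILE) -> Dict[str, List[str]]:
    """Group the forwarded headers by lower-cased name, for inspection or assertions."""
    grouped: Dict[str, List[str]] = {}
    for name, value in apply_header_rules(host, scheme, client_headers, rules):
        grouped.setdefault(name.lower(), []).append(value)
    return grouped


if __name__ == "__main__":
    for h in ("login.microsoftonline.com", "login.live.com", "www.dropbox.com", "outlook.office.com"):
        print(h, inserted_values(h))
    spoof = [("Restrict-Access-To-Tenants", "attacker.example")]
    print("spoofed, add-option new:", inserted_values(MS_LOGIN[0], client_headers=spoof))
    print("spoofed, hardened:", inserted_values(MS_LOGIN[0], client_headers=spoof, rules=HARDENED_PROFILE))
```

With add-option new, as used on this page, the proxy's own value is always present even when the client sent its own copy; how a vendor treats two values of the same header is vendor-defined, which is why the hardened variant removes the client's copy before inserting. With new-on-not-found, a client-supplied value would be forwarded unchanged and the proxy's value would never be added, so that option is not suitable for enforcing tenant restrictions.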

Microsoft Office 365 example

In this example, a web proxy profile is created to control permissions for Microsoft Office 365: corporate tenant domains are allowed, and personal Microsoft accounts, such as Hotmail and Outlook.com accounts, which authenticate through login.live.com, are denied.

  1. When a user attempts to access login.microsoftonline.com, login.microsoft.com, or login.windows.net, the traffic matches a proxy inspection mode firewall policy with the assigned web proxy profile.
  2. The web proxy profile adds the tenant-restriction headers: the allowed domain and directory ID of the customer tenant, and, for requests to login.live.com, the restriction on personal accounts. The FortiGate then opens a new connection to the Microsoft login service and forwards the request with the added headers.
  3. The Microsoft login service evaluates the headers, allows or denies the sign-in, and sends its reply to the FortiGate.
  4. The FortiGate relays the reply to the client.

The FortiGate only tells Microsoft, through the headers, which tenants are allowed; the allow or deny decision and the sign-in page shown in the browser are generated by Microsoft.

Configuration summary

The following must be configured in FortiOS:

  • An FQDN address for login.live.com
  • An SSL inspection profile that uses deep inspection, with the default exemption for live.com removed so that requests to login.live.com are decrypted and can receive the inserted header

    Note

    Ensure that the CA certificate used for SSL deep inspection is installed and trusted on the client machines. A company certificate signed by an internal CA is recommended. Any destination that remains in the profile's SSL exemption list is passed through without decryption, and no headers are inserted into its requests.

  • A web filter profile in proxy mode with static URL filter entries for the login FQDNs
  • A web proxy profile that adds the tenant-restriction headers for the customer tenant
  • A firewall policy using proxy mode inspection that applies the configured SSL inspection, web filter, and web proxy profiles

The Restrict-Access-To-Tenants and Restrict-Access-Context headers are inserted for incoming requests to: login.microsoftonline.com, login.microsoft.com, and login.windows.net, which are part of the Microsoft Office 365 address group.

To restrict access to personal accounts using the login.live.com domain, the sec-Restrict-Tenant-Access-Policy header is inserted and uses restrict-msa as the header content.

Before configuring the FortiGate, collect the tenant information for the company's Office 365 subscription:

  • Restrict-Access-To-Tenants: your <domain.com>
  • Restrict-Access-Context: Directory ID
Note

To find the Directory ID related to the domain, locate it in the Azure portal, or use the whatismytenantid.com open tool.

To configure the FortiGate:
  1. Add the FQDN address for login.live.com:
    config firewall address
        edit "login.live.com"
            set type fqdn
            set fqdn "login.live.com"
        next
    end
  2. Configure the SSL inspection profile. In this example, the deep-inspection profile is cloned, and the live.com FQDN is removed from the exemption list.
    1. Clone the deep-inspection profile:
      config firewall ssl-ssh-profile
          clone "deep-inspection" to "Tenant"
      end
    2. Edit the Tenant profile and remove live.com from the config ssl-exempt list.
  3. Configure the URL filter list:
    config webfilter urlfilter
        edit 1
            set name "Auto-webfilter-urlfilter"
            config entries
                edit 1
                    set url "login.microsoftonline.com"
                    set action allow
                next
                edit 2
                    set url "login.microsoft.com"
                    set action allow
                next
                edit 3
                    set url "login.windows.net"
                    set action allow
                next
                edit 4
                    set url "login.live.com"
                    set action allow
                next
            end
        next
    end
  4. Configure the web filter profile:
    config webfilter profile
        edit "Tenant"
            set comment "Office 365"
            set feature-set proxy
            config web
                set urlfilter-table 1
            end
        next
    end
  5. Configure the web proxy profile (enter the header names exactly as shown):
    config web-proxy profile
        edit "SaaS-Tenant-Restriction"
            set header-client-ip pass
            set header-via-request pass
            set header-via-response pass
            set header-x-forwarded-for pass
            set header-x-forwarded-client-cert pass
            set header-front-end-https pass
            set header-x-authenticated-user pass
            set header-x-authenticated-groups pass
            set strip-encoding disable
            set log-header-change disable
            config headers
                edit 1
                    set name "Restrict-Access-To-Tenants"
                    set dstaddr "login.microsoft.com" "login.microsoftonline.com" "login.windows.net"
                    set action add-to-request
                    set base64-encoding disable
                    set add-option new
                    set protocol https http
                    set content <domain>
                next
                edit 2
                    set name "Restrict-Access-Context" 
                    set dstaddr "login.microsoftonline.com" "login.microsoft.com" "login.windows.net"
                    set action add-to-request
                    set base64-encoding disable
                    set add-option new
                    set protocol https http
                    set content <directory_ID>
                next
                edit 3
                    set name "sec-Restrict-Tenant-Access-Policy"
                    set dstaddr "login.live.com"
                    set action add-to-request
                    set base64-encoding disable
                    set add-option new
                    set protocol https http
                    set content "restrict-msa"
                next
            end
        next
    end
  6. Configure the firewall policy:
    config firewall policy
        edit 10
            set name "Tenant"
            set srcintf "port2"
            set dstintf "port1"
            set action accept
            set srcaddr "users-lan"
            set dstaddr "login.microsoft.com" "login.microsoftonline.com" "login.windows.net" "login.live.com"
            set schedule "always"
            set service "HTTP" "HTTPS"
            set utm-status enable
            set inspection-mode proxy
            set webproxy-profile "SaaS-Tenant-Restriction"
            set ssl-ssh-profile "Tenant"
            set webfilter-profile "Tenant" 
            set logtraffic all
            set nat enable
        next
    end

Testing the access

To test the access to corporate domains and personal accounts:
  1. Get a client to log in with their corporate email using the login.microsoftonline.com domain.

  2. The client is able to enter their credentials and log in successfully.
  3. Get a client to log in to their personal Outlook account.

  4. After the client enters their credentials, a message appears that they cannot access this resource because it is restricted by the cross-tenant access policy.

Verifying the header insertion

To verify the header insertion for corporate domains and personal accounts:
  1. On the FortiGate, start running the WAD debugs:
    # diagnose wad debug enable category http
    # diagnose wad debug enable level info
    # diagnose debug enable
  2. After a client attempts to access corporate domains, verify that the headers are present in the request forwarded to the Microsoft login service:
    [I][p:234][s:2481][r:33] wad_dump_fwd_http_req             :2567  hreq=0x7fc75f0cd468 Forward request to server:
    POST /common/GetCredentialType?mkt=en-US HTTP/1.1
    Host: login.microsoftonline.com
    Connection: keep-alive
    Content-Length: 1961
    sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="101", "Google Chrome";v="101"
    hpgrequestid: d7f706a8-1143-4cdd-ad52-1cc69dc7bb00
    sec-ch-ua-mobile: ?0
    User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.54 Safari/537.36
    client-request-id: 5c3d196d-5939-45cc-a45b-232b9ed13fce
    ...
    Restrict-Access-To-Tenants: fortinet-us.com
    Restrict-Access-Context: ********-****-452f-8535-************
  3. After a client attempts to access a personal account, verify that the header is present in the request forwarded to the Microsoft login service:
    [I][p:234][s:2519][r:34] wad_dump_fwd_http_req             :2567  hreq=0x7fc75f0ce6a8 Forward request to server:
    GET /oauth20_authorize.srf?client_id=4765445b-32c6-49b0-83e6-1d93765276ca&scope=openid+profile+https%3a%2f%2fwww.office.com%2fv2%2fOfficeHome.All&redirect_uri=https%3a%2f%2fwww.office.com%2flandingv2&response_type=code+id_token&state=7tAtndYhcA3132S--UOTyLVEtyIZs8FgndTpeYM9mJ1EeA-X5nfqrSalnnPH41cHxfHGug6N5cbliK676v6xZgszgH_JARVKrptZwBvjI2cbnZ4mttYNNdK1FTlbEtu5VBjgtBOX2u6v3F_9g7UikCpGTnBRGhvO2pyTndT3EEIyAHvhg9LsKRtY3kxce8dQkfk1iDjLcc3q-01r4rpxSx2xZSbwg_KkAN3kCRQ9uLfE0ziHAcpvunuKmzGBWKnBhC4sJJkXrMEfXwCg4nsOjg&response_mode=form_post&nonce=637877163655610380.MjNjZmM4NzQtOTU5My00OGZlLTk0NTItZTE5NDU2YjVlODdjNjViOTQwYmUtOTZlMS00M2Y5LTkyN2MtN2QyMjgwNjcxY2Uz&x-client-SKU=ID_NETSTANDARD2_0&x-client-Ver=6.12.1.0&uaid=5c3d196d593945cca45b232b9ed13fce&msproxy=1&issuer=mso&tenant=common&ui_locales=en-US&epct=AQABAAAAAAD--DLA3VO7QrddgJg7WevrfA6SLaDsJUcjb1Bg9OKonF3d_lfNJsdDAIH5hlJdUSGejEBIqsko-A7JX67PzaGdEJgOIGa37VhJzGTYBZ-KgATe9FHssnNmLjM_dojr0dAT83xDhiqQTN2-UcYdcP2s3vPainF7Nqes5ecXRaEoE9Vw9-sN7jfASOkPRWW03aI6buz0niABvA860YOWDb98vdJWPGkWE-euDr6n8_zI5iAA&jshs=0&username=****************%40outlook.com&login_hint=***************%40outlook.com HTTP/1.1
    Host: login.live.com
    Connection: keep-alive
    ...
    Referer: https://login.microsoftonline.com/
    Accept-Encoding: gzip, deflate, br
    Accept-Language: en-US,en;q=0.9
    sec-Restrict-Tenant-Access-Policy: restrict-msa
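Reading the WAD dump by eye does not scale once several clients are being tested. The following Python script is added here as an example and is not a Fortinet tool: it parses the Forward request to server blocks that the WAD debug prints and reports, for each request to a login endpoint, which expected headers are missing or carry an unexpected value. The embedded dump is constructed for this example in the shape of the excerpt above, with values masked, and includes a request to login.windows.net that deliberately lacks the headers; the expected-header table assumes the Office 365 example configuration, and accepts any non-empty tenant domain and directory ID because those are deployment-specific.

```python
"""Check WAD debug output for the inserted tenant-restriction headers.

Added example, not Fortinet code: it parses the "Forward request to server"
blocks that `diagnose wad debug enable category http` prints and reports, for
each request to a login endpoint, which expected headers are missing or carry
an unexpected value. SAMPLE_DUMP is constructed for this example in the shape
of the guide's excerpt (values masked); the third request is a deliberately
bad case with no inserted headers.
"""
import re
from typing import Dict, List, Optional

# Expected headers per Host, lower-cased. None means any non-empty value is accepted
# (the tenant domain and directory ID are deployment-specific).
MS_LOGIN_HEADERS: Dict[str, Optional[str]] = {
    "restrict-access-to-tenants": None,
    "restrict-access-context": None,
}
EXPECTED: Dict[str, Dict[str, Optional[str]]] = {
    "login.microsoftonline.com": MS_LOGIN_HEADERS,
    "login.microsoft.com": MS_LOGIN_HEADERS,
    "login.windows.net": MS_LOGIN_HEADERS,
    "login.live.com": {"sec-restrict-tenant-access-policy": "restrict-msa"},
}

RECORD_RE = re.compile(r"^\[[A-Z]\]\[p:\d+\]\[s:\d+\]\[r:\d+\]")   # start of a WAD log record
FORWARD_MARK = "Forward request to server:"


def parse_forwarded_requests(dump: str) -> List[dict]:
    """Split a WAD debug dump into forwarded requests: request line plus a header map."""
    requests: List[dict] = []
    current: Optional[dict] = None
    for raw in dump.splitlines():
        line = raw.strip()
        if RECORD_RE.match(line):
            current = {"request_line": None, "headers": {}} if FORWARD_MARK in line else None
            if current is not None:
                requests.append(current)
            continue
        if current is None or line == "...":       # "..." marks elided headers in excerpts
            continue
        if not line:                               # blank line ends the header block
            current = None
            continue
        if current["request_line"] is None:
            current["request_line"] = line
        elif ":" in line:
            name, _, value = line.partition(":")
            current["headers"][name.strip().lower()] = value.strip()
    return requests


def check_headers(dump: str, expected=EXPECTED) -> List[dict]:
    """Compare each forwarded login request against the expected header set for its Host."""
    findings = []
    for req in parse_forwarded_requests(dump):
        host = req["headers"].get("host", "").split(":")[0].lower()
        wanted = expected.get(host)
        if wanted is None:
            continue                               # not a tenant-restriction destination
        got = req["headers"]
        missing = [h for h in wanted if not got.get(h)]
        wrong = [h for h, v in wanted.items() if v is not None and got.get(h) not in (None, "", v)]
        findings.append({"host": host, "request_line": req["request_line"],
                         "missing": missing, "wrong": wrong, "ok": not missing and not wrong})
    return findings


# Constructed sample dump (masked, shaped like the guide's excerpt); not real device output.
SAMPLE_DUMP = """\
[I][p:234][s:2481][r:33] wad_dump_fwd_http_req             :2567  hreq=0x7fc75f0cd468 Forward request to server:
POST /common/GetCredentialType?mkt=en-US HTTP/1.1
Host: login.microsoftonline.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36
...
Restrict-Access-To-Tenants: example.com
Restrict-Access-Context: ********-****-452f-8535-************

[I][p:234][s:2519][r:34] wad_dump_fwd_http_req             :2567  hreq=0x7fc75f0ce6a8 Forward request to server:
GET /oauth20_authorize.srf?tenant=common&login_hint=****%40outlook.com HTTP/1.1
Host: login.live.com
Connection: keep-alive
Referer: https://login.microsoftonline.com/
sec-Restrict-Tenant-Access-Policy: restrict-msa

[I][p:234][s:2530][r:35] wad_dump_fwd_http_req             :2567  hreq=0x7fc75f0cf0c8 Forward request to server:
GET /common/oauth2/authorize?client_id=****&response_type=code HTTP/1.1
Host: login.windows.net
Connection: keep-alive
"""

if __name__ == "__main__":
    for f in check_headers(SAMPLE_DUMP):
        status = "OK " if f["ok"] else "BAD"
        print(f"{status} {f['host']:<28} missing={f['missing']} wrong={f['wrong']}")
```

Run it against a saved debug capture by replacing SAMPLE_DUMP with the file contents; a request to a login endpoint that reports missing headers means the traffic did not pass through a policy with the web proxy profile, or the destination was still SSL-exempted and never decrypted.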
