
AzureAD Tenant Restriction Support for Teams Devices

1/27/2023

Large organizations that prioritize security want to migrate to cloud services such as Microsoft 365, but they must ensure that their users can only access approved resources. Companies have traditionally restricted access by blocking domain names or IP addresses. That strategy fails in a world where software-as-a-service (SaaS) applications are hosted in the public cloud and share domain names such as outlook.office.com and login.microsoftonline.com: blocking those addresses would prevent users from accessing Outlook on the web entirely, instead of restricting them to approved identities and resources. Tenant restrictions are an Azure Active Directory (Azure AD) feature that addresses this problem. In this blog post, we look at how Microsoft Teams Rooms (MTR) devices can potentially implement this capability.
Organizations can use tenant restrictions to specify which tenants users on their network can access. Azure AD then grants access only to those permitted tenants; all other tenants, including ones in which your users may be guests, are blocked. More information can be found in the official Microsoft Docs page: Restrict access to a tenant.

Essentially, the implementation requires the organization to deploy a web proxy capable of TLS Deep Packet Inspection and HTTP header insertion, so that it can insert a header into outgoing HTTPS requests. This header is Restrict-Access-To-Tenants: <permitted tenant list>. To support tenant restrictions, client software must request tokens directly from Azure AD so that the proxy infrastructure can intercept the traffic. Fortunately, browser-based Microsoft 365 applications currently support tenant restrictions, as do Office clients that use modern authentication (such as OAuth 2.0). But what exactly is TLS Deep Packet Inspection (DPI)? Below is a diagram (courtesy of Palo Alto Networks) that explains the difference between a regular web proxy and a DPI web proxy:
[Diagram: regular web proxy compared with a DPI web proxy]
As shown in the diagram, as HTTPS data passes back and forth between a client and a web server, all of the traffic must first go through the inspection appliance, where it is decrypted and checked for potentially harmful content. Once inspection is finished, the appliance re-encrypts the content on a separate SSL session it has established with the end client. This kind of interception is also known as a "man-in-the-middle attack", a term usually used in a negative sense, but the concept is the same for DPI. Because the web proxy pretends to be the actual server that each HTTPS request is trying to reach, it needs to be able to issue its own certificates for each and every domain. The proxy does not decrypt a connection that is already established between the client and the server; rather, it maintains two distinct connections, acting as a client toward the server and as a server toward the client.

The SSL inspection appliance needs to be able to generate SSL certificates on the fly so that it can decrypt and re-encrypt the content before passing it on to the end users. This means it requires a CA certificate, sometimes referred to as an intermediate or issuing CA certificate, to be installed on it. Overall, the flow looks something like the diagram below.
[Diagram: overall SSL inspection flow]
So the big question is: can we support this on MTR devices such as Teams Rooms and Teams Phones? For the clients to trust the certificates issued by the SSL inspection appliance, its root CA certificate must be installed in the clients' trusted root certificate store. For MTR on Windows (MTRW) devices running Windows 10, this is possible. However, at the time of this writing there is no way to install the SSL inspection appliance's root CA certificate on Android-based devices. Hence, by default, tenant restrictions can be implemented for MTR on Windows devices but not for Teams Phones, Displays or Panels, which run on the Android OS. On a separate note, ADFS and ADFS Proxy servers that use an internally issued CA certificate cannot be supported on Teams Android devices for the same reason; these servers must always use a certificate issued by a public CA provider.
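To make the header-insertion step from the proxy discussion above concrete, here is an added Python example of what the inspection proxy does to a decrypted sign-in request; it is not code from this post, Microsoft, or any proxy vendor. The three login hostnames and the companion Restrict-Access-Context header follow Microsoft's tenant-restrictions documentation; the tenant IDs, policy values and sample request are constructed.

```python
"""Header insertion a TLS-inspecting proxy performs on decrypted Azure AD sign-in traffic (added illustration)."""
from typing import List, Tuple

Header = Tuple[str, str]

# Azure AD sign-in hosts the proxy must decrypt and tag (per Microsoft docs).
LOGIN_ENDPOINTS = {"login.microsoftonline.com", "login.microsoft.com", "login.windows.net"}

# Constructed sample policy: tenants users may sign in to, plus the directory ID
# of the tenant that owns the policy (sent in Restrict-Access-Context).
PERMITTED_TENANTS = ["00000000-0000-0000-0000-000000000001", "contoso.onmicrosoft.com"]
CONTEXT_TENANT_ID = "00000000-0000-0000-0000-000000000001"
RESTRICT_HEADERS = ("restrict-access-to-tenants", "restrict-access-context")


def insert_tenant_restriction_headers(host: str, headers: List[Header]) -> List[Header]:
    """Headers the proxy forwards upstream. Non-login hosts pass unchanged; for
    login hosts any client-supplied Restrict-Access-* header is dropped first,
    so a device cannot loosen the policy, then the proxy's own values go in."""
    if host.split(":")[0].lower() not in LOGIN_ENDPOINTS:
        return list(headers)
    forwarded = [(n, v) for n, v in headers if n.lower() not in RESTRICT_HEADERS]
    forwarded.append(("Restrict-Access-To-Tenants", ",".join(PERMITTED_TENANTS)))
    forwarded.append(("Restrict-Access-Context", CONTEXT_TENANT_ID))
    return forwarded


def rewrite_request(raw: bytes) -> bytes:
    """Apply the insertion to a decrypted HTTP/1.1 request (head plus body)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    request_line, *header_lines = head.decode("latin-1").split("\r\n")
    headers = [(n.strip(), v.strip()) for n, _, v in
               (line.partition(":") for line in header_lines)]
    host = next((v for n, v in headers if n.lower() == "host"), "")
    out = insert_tenant_restriction_headers(host, headers)
    new_head = "\r\n".join([request_line] + [f"{n}: {v}" for n, v in out])
    return new_head.encode("latin-1") + sep + body


# Constructed token request. The client-supplied restriction header is exactly
# what the proxy must not trust, so the rewrite replaces it rather than appending.
SAMPLE_REQUEST = (
    b"POST /common/oauth2/v2.0/token HTTP/1.1\r\n"
    b"Host: login.microsoftonline.com\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Restrict-Access-To-Tenants: other-tenant.onmicrosoft.com\r\n"
    b"\r\n"
    b"grant_type=client_credentials"
)
```

Traffic to shared hosts such as outlook.office.com is left untouched, which is exactly why the proxy must be able to decrypt the login hostnames: without TLS inspection it could neither see the Host header nor add the tenant header.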