Protect M365: Implement Universal Tenant Restrictions to protect Auth and Data Plane for M365
Implementation Effort: Medium
User Impact: High
Overview
Universal tenant restrictions enhance the functionality of tenant restriction v2 using Global Secure Access to tag all traffic no matter the operating system, browser, or device form factor. It allows support for both client and remote network connectivity. Administrators no longer have to manage proxy server configurations or complex network configurations and can apply TRv2 on any platform with the Global Secure Access client or via the Remote Networks feature.
When enabled, Global Secure Access adds Tenant Restrictions v2 policy information to the authentication plane network traffic, which includes Microsoft Entra ID traffic and Microsoft Graph. As the result, users using devices and networks in your organization must only use authorized external tenants, which helps prevent data exfiltration for any application integrated with SSO with your Microsoft Entra ID tenant.
With Microsoft Entra Global Secure Access and Universal Tenant Restrictions, organizations can:
- Enforce Identity Boundaries: Restrict authentication so that users can only sign in to your organization’s approved Microsoft 365 tenant, blocking attempts to use corporate credentials with untrusted or external tenants.
- Control Data Flow: Prevent the movement of data from your protected environment to unmanaged Microsoft 365 tenants, reducing the risk of accidental or intentional data leaks.
- Strengthen Zero Trust: UTR supports Zero Trust principles by continuously validating both the user and device context before granting access, and by applying consistent controls regardless of user location.
- Enhance Compliance: By limiting access to only sanctioned tenants, organizations can better meet regulatory and compliance requirements for data residency and sovereignty.