
Blocking Microsoft consumer apps with Cloudflare Gateway


With Cloudflare Gateway's Tenant Control, you can implement the following two controls for Microsoft applications:

  1. Allow access only to your organization's Entra tenant
  2. Prevent connection to consumer applications

The Cloudflare developer docs (Devdoc) provide a sample policy for the first control, but I couldn't find one for the second, so I am documenting it here.

The official Microsoft documentation shows how to inject the required headers with Fiddler; you can achieve the same result with Cloudflare Gateway policies created through the Cloudflare API as follows:

  1. Allow access only to your organization's Entra tenant
{
    "name": "MS: Allows access to the listed tenants",
    "description": "https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/tenant-restrictions#set-up-tenant-restrictions",
    "action": "allow",
    "filters": [
        "http"
    ],
    "traffic": "http.request.host in {\"login.microsoft.com\" \"login.microsoftonline.com\" \"login.windows.net\"}",
    "rule_settings": {
        "add_headers": {
            "Restrict-Access-Context": [
                "<Your directory ID>"
            ],
            "Restrict-Access-To-Tenants": [
                "<List of tenant identifiers>"
            ]
        }
    }
}
  2. Prevent connection to consumer applications
{
    "name": "MS: Blocks access to consumer apps",
    "description": "https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/tenant-restrictions#blocking-consumer-applications",
    "action": "allow",
    "filters": [
        "http"
    ],
    "traffic": "http.request.host in {\"login.live.com\"}",
    "rule_settings": {
        "add_headers": {
            "Sec-Restrict-Tenant-Access-Policy": [
                "restrict-msa"
            ]
        }
    }
}
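As an added example (my own code, not from the original article), the following Python script builds both policies from a tenant list and posts them to the Cloudflare Gateway rules endpoint. The account ID, API token, directory ID and tenant list are placeholders; the comma-separated format of the Restrict-Access-To-Tenants value follows Microsoft's tenant-restrictions documentation, and the rule-creation call assumes an API token with Zero Trust write permission.

```python
"""Build and deploy the two Microsoft tenant-control Gateway policies."""
import json
import urllib.request

API = "https://api.cloudflare.com/client/v4"
LOGIN_HOSTS = ["login.microsoft.com", "login.microsoftonline.com", "login.windows.net"]


def host_filter(hosts):
    """Render a Gateway 'traffic' expression: http.request.host in {"a" "b"}."""
    quoted = " ".join(json.dumps(h) for h in hosts)
    return f"http.request.host in {{{quoted}}}"


def tenant_allow_policy(directory_id, tenant_ids):
    """Policy 1: allow sign-in only to the listed Entra tenants.
    Microsoft expects Restrict-Access-To-Tenants as one comma-separated value."""
    return {
        "name": "MS: Allows access to the listed tenants",
        "action": "allow",
        "filters": ["http"],
        "traffic": host_filter(LOGIN_HOSTS),
        "rule_settings": {"add_headers": {
            "Restrict-Access-Context": [directory_id],
            "Restrict-Access-To-Tenants": [",".join(tenant_ids)],
        }},
    }


def consumer_block_policy():
    """Policy 2: tell login.live.com to refuse consumer (MSA) sign-ins."""
    return {
        "name": "MS: Blocks access to consumer apps",
        "action": "allow",
        "filters": ["http"],
        "traffic": host_filter(["login.live.com"]),
        "rule_settings": {"add_headers": {
            "Sec-Restrict-Tenant-Access-Policy": ["restrict-msa"]}},
    }


def create_rule(account_id, api_token, policy):
    """POST one policy to the Gateway rules endpoint and return the parsed reply."""
    req = urllib.request.Request(
        f"{API}/accounts/{account_id}/gateway/rules",
        data=json.dumps(policy).encode(),
        headers={"Authorization": f"Bearer {api_token}",
                 "Content-Type": "application/json"},
        method="POST")
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)
```

Call `create_rule("<account id>", "<api token>", policy)` once per policy; to inspect the generated JSON first, print `json.dumps(policy, indent=2)`.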

Here is how it looks in the Dashboard GUI.

