What Are Tenant Restrictions?

Stanley 11.07.2025

Tenant Restrictions are security policies that limit user access to external tenants or organizations in cloud environments, preventing unauthorized data sharing, cross-tenant collaboration, and compliance violations.

Why Are Tenant Restrictions Important?

The traditional approach to securing resource access was to identify which IP addresses or domain names should be accessible – and block those that shouldn’t be. However, because Software as a Service (SaaS) applications rely on public cloud infrastructure, they are hosted on shared domains. Take Outlook or Office: blocking these at the domain level would prevent an employee from accessing their email account or workspace entirely.

At the same time, attackers are all too happy to take advantage of lax permission settings. SaaS and cloud-based workspaces rely heavily on cross-authorization – where the authentication issued by one app or workspace remains valid across all of its connected ones. The default settings on many cloud-based productivity suites are wide open: Outlook, amongst others, allows cross-tenant collaboration (i.e. inviting a guest to access your resources, and being invited to others’) by default.

How Tenant Restrictions Improve Security

Cloud access controls provide more precise security by granting access to specific employee accounts rather than relying on broad IP restrictions. Since public cloud infrastructure is identity-based, a role-based security approach is more effective than IP blocks. Tenant restrictions enforce security by defining internal, trusted resources and ensuring employees cannot access external, potentially risky tenants.

However, tenant restriction comes with its own demands: organizations used to install an on-premises proxy server between their Identity Provider and the cloud services they wanted to protect or block. This is where they would implement their access policies. Now, however, cloud providers are increasingly offering inbuilt tenant restriction capabilities. Understanding how this works is key to securing employees and the data that is stored on your organization’s own cloud workspaces.

Authentication Plane vs. Data Plane Protection

Since Microsoft announced its release of tenant restrictions version 2, interest in the security potential of tenant restrictions has been piqued. Microsoft’s tenant restriction builds on Azure’s previous cross-tenant access settings, finally allowing admins to natively control how employees can interact with other organizations’ resources and accounts.

Version 1 worked by giving admins an allow list that linked specific endpoints with the corresponding tenant IDs they were allowed access to. Microsoft’s v2 provides a useful framework for cloud provider tenant restrictions – it allows tenant restrictions across both the authentication plane and data plane.

Authentication Plane Protection

Authentication plane restrictions are the more traditional form of tenancy protection. They look at which sign-ins are being used to access cloud resources; if a sign-in originates from another organization, or from an employee’s own personal account, it is blocked (unless explicitly allowed by the security admin team).

Data Plane Protection

The data plane is deeper – data-focused tenant restrictions allow policies to be put in place around the data that is stored within a cloud resource. Should a data access request not align with the endpoint details expected, further security checks can be triggered, like an authentication request.
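
The version 1 allow-list mechanism and the authentication-plane check described above can be modelled in a few lines. This is an added example, not code from the original page or from Microsoft or Check Point; the header names and sign-in hostnames follow Microsoft's documented v1 mechanism rather than anything stated on this page, and the tenant IDs and function names are constructed for illustration.

```python
# Added example: v1-style tenant restriction modelled as proxy header injection.
# Header names and sign-in hosts follow Microsoft's documented v1 mechanism
# (an assumption here, not stated on this page); tenant IDs are constructed.
AUTH_HOSTS = {"login.microsoftonline.com", "login.microsoft.com", "login.windows.net"}
H_TENANTS = "Restrict-Access-To-Tenants"   # comma-separated permitted tenants
H_CONTEXT = "Restrict-Access-Context"      # tenant that owns the policy
_MANAGED = {H_TENANTS.lower(), H_CONTEXT.lower()}


def proxy_headers(host, client_headers, allowed_tenants, policy_tenant):
    """Headers the egress proxy forwards upstream for one request."""
    # Strip client-supplied copies first (header names are case-insensitive),
    # so an endpoint cannot present its own allow list.
    out = {k: v for k, v in client_headers.items() if k.lower() not in _MANAGED}
    if host.lower().rstrip(".") in AUTH_HOSTS:
        out[H_TENANTS] = ",".join(sorted(allowed_tenants))
        out[H_CONTEXT] = policy_tenant
    return out


def sign_in_decision(upstream_headers, target_tenant):
    """Simplified model of the authentication-plane check at the identity provider."""
    raw = upstream_headers.get(H_TENANTS)
    if raw is None:
        # No header means the request never crossed the proxy: nothing is
        # enforced, which is why every egress path must go through it.
        return "unrestricted"
    permitted = {t.strip().lower() for t in raw.split(",") if t.strip()}
    return "allow" if target_tenant.lower() in permitted else "block"


# Constructed sample data.
CORP = "11111111-1111-1111-1111-111111111111"
PARTNER = "22222222-2222-2222-2222-222222222222"
OTHER = "33333333-3333-3333-3333-333333333333"

if __name__ == "__main__":
    client = {"restrict-access-to-tenants": OTHER, "User-Agent": "demo"}
    up = proxy_headers("login.microsoftonline.com", client, {CORP, PARTNER}, CORP)
    for tenant in (CORP, PARTNER, OTHER):
        print(tenant, sign_in_decision(up, tenant))
    print("no proxy:", sign_in_decision({"User-Agent": "demo"}, OTHER))
```

The "unrestricted" result is the operational caveat of the proxy approach: the allow list only applies to sign-in traffic that actually passes through the proxy.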

Data-focused tenant restriction prevents attacks that otherwise bypass authentication, like:

- Access token theft
- Illicit file sharing

Together, these two types of tenant access settings provide cloud customers with a secure approach to external collaboration. While Microsoft has paved the way as one of the first cloud providers to offer this natively, it’s rare that organizations rely solely on one cloud provider.

Implement Universal Tenant Protection with Check Point Harmony SaaS

Implementing tenant restrictions across the entirety of an organization’s cloud resources and accounts doesn’t have to be an administrative nightmare – nor does it need endless proxy servers. Check Point Harmony SaaS allows the admin team to create tenant profiles for each cloud application and define which resource each account can pull from. Anything outside of this – like personal OneDrive accounts and outsiders’ Google Workspaces – is denied access.

Push cloud protection further than policy-based access control with Check Point’s behavioral monitoring across all tenants. This logs and relays all SaaS-based tenant activity to an analysis engine, which in turn identifies deviations in behavior from both human users and non-human entities. This cross-functional approach also allows Check Point to secure APIs and service accounts, automatically alerting the admin center to potentially malicious access requests.

That’s not the only way Check Point Harmony brings automation to tenant restriction: playbook responses allow security teams to contain and instantly prevent data exfiltration attacks.

Keep cohesive oversight of how tenant restrictions are put in place with detailed reporting. This lends critical visibility into user activities, integrations, and access tokens, ensuring your organization maintains pace with its own regulatory standards. To see how Check Point brings new visibility to your tenant protection, schedule a demo with us today.

FAQ

Can tenant restrictions prevent access to personal cloud accounts on corporate devices?
Yes. Tenant restrictions can block users from logging into personal cloud accounts (like personal Gmail or OneDrive) on managed devices, reducing the risk of shadow IT and accidental data exfiltration.

How do tenant restrictions impact third-party contractor or partner collaboration?
Tenant restrictions require admins to explicitly allow access to external tenants. This means collaboration with contractors or partners must be planned and configured in advance—otherwise, their access requests may be automatically blocked.

Are tenant restrictions effective against insider threats?
Partially. While they can prevent users from sharing data outside the organization or accessing unauthorized tenants, tenant restrictions don’t prevent all forms of insider misuse. Behavioral monitoring and audit logging are needed for full coverage.

How do tenant restrictions interact with bring-your-own-device (BYOD) policies?
Tenant restrictions can still be enforced on unmanaged devices if users are required to authenticate through secure access gateways or endpoint posture checks. However, enforcement is strongest when used alongside device management tools.

Do all cloud providers offer native tenant restriction controls?
No. While Microsoft has advanced built-in tenant restriction features, many other providers lag behind or rely on third-party solutions. For full cross-cloud protection, organizations often need a centralized SaaS security solution like Check Point Harmony.