Versa Networks

Configure SaaS Tenant Control Profiles

For supported software information, click here.

You use SaaS tenant control profiles to block users from directly accessing select services, such as web-based Office365, without going through a Versa gateway. When you configure a SaaS tenant control profile, the profile inserts fields and values in the HTTP header when traffic goes through the gateway. The headers come from the SaaS application vendors, such as YouTube or Office365. The profile is automatically inserted into all of a tenant's TLS decryption profiles.

For a SaaS tenant control configuration to take effect, you must configure a TLS decryption profile that refers to the SaaS tenant control profile, and you must configure policy rules. For more information, see Configure SASE TLS Decryption.

You can configure only one SaaS tenant control profile for each tenant.

To configure a SaaS tenant control profile:

  1. Go to Configure > Secure Services Edge > Real-Time Protection > Profiles.

     
  2. Select the Cloud Access Security Broker (CASB - Inline) tab, and then select the SaaS Tenant Control subtab.

    Note: In Release 12.2.2, the SaaS Tenant Control screens were moved under the Cloud Access Security Broker (CASB - Inline) tab. In prior releases, SaaS Tenant Control was under the Secure Web Gateway (SWG) tab.
     
  3. To customize which columns display, click Select Columns, and then click the columns to select or deselect the ones you want to display. Click Reset to return to the default column display settings.

     
  4. Click the Add icon to create a profile. The Create SaaS Tenant Control Profile screen displays.

  5. In step 1, Application Rules, click the Add icon. In the Add Application Rule screen, enter information for the following fields.

     
    Field and description:

    • Name (Required)—Enter a name for the application rule.
    • Action Type—Click to choose the action to use for the application:
        • Delete
        • Insert
    • Application—Select an application:
        • Dropbox network control—Restricts Dropbox access to specific team IDs. Controls which Dropbox teams can be accessed from the network.
        • Google apps access control—Limits access to Google Workspace applications to users with email addresses from specified domains and prevents access from personal or unauthorized Google accounts.
        • Microsoft Office365 tenant restrictions—Limits Office365 access to specified organizational tenants, preventing data access across different organizations even when users have valid credentials.
        • Microsoft Office365 block consumer account—Prevents users from accessing Office365 resources using personal Microsoft accounts, ensuring that only corporate-managed accounts within the organization can access the Office365 environment.
        • Slack—Restricts access to specific Slack workspaces or organization IDs, controlling which workspaces or organizations users can access within the organization.
        • YouTube safe search—Enforces YouTube's safe search functionality across the network, filtering out mature or inappropriate content from search results and recommended videos.

    For applications that have predefined headers, enter information for the following fields. For more information, see Predefined Application Headers and Values.


    • Header—Select a header for the application.
    • Value—Enter a name for the rule.

    To delete the header, click Delete Existing.

  6. Click Add. The Add Application Rules screen displays the rules created for applications.

     
  7. Click Next to go to step 2, Review & Submit.
  8. Review the information, and then click Save to save the SaaS tenant control profile. To make changes, click the Edit icon.

    The Real-Time Protection Profile List screen displays the SaaS tenant control profile created.

Predefined Application Headers and Values

The following table shows the applications and their predefined headers and values for an application rule in a SaaS tenant control profile.

| Application | Header | Value |
|---|---|---|
| Dropbox network control | X-Dropbox-allowed-Team-Ids | Enter multiple values, each one separated by a comma. For example, X-Dropbox-allowed-Team-Ids = 7282011, 27812910 allows access to teams with the specified IDs. |
| Google apps access control | X-GoogApps-Allowed-Domains | Enter the domains to permit user access to Google apps. For example, <my_company>.com. Replace the variable <my_company> with the domain name. |
| Microsoft Office365 tenant restrictions | Restrict-Access-To-Tenants | Enter the list of allowed Microsoft tenant domain names. For example, <tenant1>.onmicrosoft.com, <tenant2>.onmicrosoft.com. Replace the variables with the tenant domain names. |
| | Restrict-Access-Context | Enter the allowed tenant IDs. For example, <TenantId>. Replace the variable <TenantId> with the tenant ID. |
| Microsoft Office365 block consumer account | sec-Restrict-Tenant-Access-Policy | Enter "restrict-msa" as the header value. |
| Slack | X-Slack-Allowed-Workspaces-Requester | This header is the primary identifier for the request. You must configure this header first for the X-Slack-Allowed-Workspaces header to work. Enter the workspace or organization ID. For example, T12345. |
| | X-Slack-Allowed-Workspaces | Enter the list of allowed Slack workspaces or organizations, each one separated by a comma. For example, <workspace1>.slack.com, <workspace2>.slack.com, <team-dev>.slack.com. Replace the variables with the workspace or organization domain names. |
| YouTube safe search | X-YouTube-Restrict | Enter any of the following values: • Strict—Sets strict restricted access, limiting the content available to users. • Moderate—Sets moderate restricted access, allowing a wider range of content than Strict, but still filtering some content. • Restricted mode—Administrators or viewers can enable this mode, which limits the YouTube experience by filtering content and potentially hiding comments. |
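One way to confirm that a saved profile takes effect is to capture a decrypted request on the server side of the gateway and compare its headers with the configured values. The following is an added example, not Versa code; the capture text, the host name, and all header values are constructed, and the function names are hypothetical.

```python
# Added example (not Versa code): audit captured request headers against a profile.
# Header names come from the table above; every value here is a constructed sample.
LIST_HEADERS = {"x-dropbox-allowed-team-ids", "restrict-access-to-tenants",
                "x-slack-allowed-workspaces"}  # comma-separated list values

def parse_headers(raw):
    """Parse a raw request's header block into {lowercased name: [values]}."""
    headers = {}
    for line in raw.strip().splitlines()[1:]:   # skip the request line
        if not line.strip():
            break                               # blank line ends the headers
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers

def normalize(name, value):
    """Compare list headers as sets so item order and spacing do not matter."""
    if name in LIST_HEADERS:
        return frozenset(v.strip() for v in value.split(",") if v.strip())
    return value.strip()

def audit(raw_request, expected):
    """Return findings; an empty list means the request matches the profile."""
    seen, findings = parse_headers(raw_request), []
    for name, want in expected.items():
        key = name.lower()                      # header names are case-insensitive
        values = seen.get(key, [])
        if not values:
            findings.append(f"missing: {name}")
        elif len(values) > 1:                   # two copies: which one wins is unclear
            findings.append(f"duplicate: {name}")
        elif normalize(key, values[0]) != normalize(key, want):
            findings.append(f"mismatch: {name}")
    # Per the table, X-Slack-Allowed-Workspaces depends on the -Requester header.
    slack = "missing: X-Slack-Allowed-Workspaces-Requester"
    if ("x-slack-allowed-workspaces" in seen and slack not in findings
            and "x-slack-allowed-workspaces-requester" not in seen):
        findings.append(slack)
    return findings

EXPECTED = {  # constructed profile values for the Slack application rule
    "X-Slack-Allowed-Workspaces-Requester": "T12345",
    "X-Slack-Allowed-Workspaces": "workspace1.slack.com, workspace2.slack.com",
}
CAPTURED_OK = ("GET / HTTP/1.1\nHost: app.example.test\n"
               "x-slack-allowed-workspaces-requester: T12345\n"
               "X-Slack-Allowed-Workspaces: workspace2.slack.com,workspace1.slack.com\n\n")
CAPTURED_BAD = ("GET / HTTP/1.1\nHost: app.example.test\n"
                "X-Slack-Allowed-Workspaces: workspace1.slack.com\n\n")
```

`audit(CAPTURED_OK, EXPECTED)` returns an empty list, while `audit(CAPTURED_BAD, EXPECTED)` reports the missing requester header and the mismatched workspace list.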

Supported Software Information

Releases 11.4.1 and later support all content described in this article, except:

  • In Release 12.2.2, the SaaS Tenant Control screens were moved under the Cloud Access Security Broker (CASB - Inline) tab. 

Additional Information

Configure SASE TLS Decryption