We need to configure Tenant Lock Perimeter Headers at the network edge

Patel Krishna 0 Reputation points
2026-07-03T03:43:15.4733333+00:00

We’re looking to strengthen our Tenant Restrictions v2 policy by enforcing it twice. Besides configuring it at the Windows OS level, we also want our corporate firewall at the network perimeter to inject our tenant directory headers into all outbound identity traffic. Could you clarify the exact header names that Microsoft Entra ID requires in order to validate this filter?

Windows for business | Windows 365 Enterprise

1 answer

  1. Domic Vo 25,675 Reputation points Independent Advisor
    2026-07-03T04:14:54.23+00:00

    Hello,

    In Tenant Restrictions v2, Microsoft Entra ID validates enforcement through two specific HTTP headers that must be injected into outbound identity traffic. The headers are Restrict-Access-To-Tenants and Restrict-Access-Context.

    Restrict-Access-To-Tenants carries the tenant IDs that are permitted. This is how Entra ID knows which directories the client is allowed to authenticate against. Restrict-Access-Context carries the enforcement context identifier, which ties the request back to the configured policy in your tenant. Both headers must be present and correctly formatted; if either is missing, Entra ID will not apply the restriction.

    When you configure Tenant Restrictions v2 at the Windows OS level, the client stack automatically injects these headers. Extending enforcement to your perimeter firewall or proxy means you need to configure it to add the same headers into all outbound requests to Microsoft identity endpoints such as login.microsoftonline.com. This ensures unmanaged devices or non‑Windows clients are also subject to the same restrictions.

    The important distinction from Tenant Restrictions v1 is that v2 is centrally managed in Entra ID through cross‑tenant access settings. Your firewall does not need to maintain tenant lists itself; it only needs to inject the headers so that Entra ID can enforce the policy.

    I hope you've found something useful here. If it helps you get more insight into the issue, it's appreciated to accept the answer. Should you have more questions, feel free to leave a message. Have a nice day!

    Domic Vo
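
An added example, not part of the answer above and not Microsoft code: a Python check that audits captured outbound requests and reports any request to the identity endpoint that lacks the headers named in the answer. The record layout, function names and placeholder header values are assumptions; the header names and hostname are taken from the answer and are parameters so they can be matched to Microsoft's documentation for the policy in use.

```python
# Header names as given in the answer above (assumed correct for the policy in use).
REQUIRED_HEADERS = ("Restrict-Access-To-Tenants", "Restrict-Access-Context")
# The answer names this host as one identity endpoint; extend the set as needed.
IDENTITY_HOSTS = frozenset({"login.microsoftonline.com"})


def audit_request(host, headers, required=REQUIRED_HEADERS, hosts=IDENTITY_HOSTS):
    """Return findings for one outbound request; an empty list means compliant.

    `headers` is a list of (name, value) pairs as the proxy sent them upstream.
    """
    # Drop an optional port and trailing dot; hostnames compare case-insensitively.
    hostname = host.rsplit(":", 1)[0].rstrip(".").lower()
    if hostname not in hosts:
        return []  # not identity traffic, out of scope for this check
    seen = {}
    for name, value in headers:
        # HTTP header names are case-insensitive.
        seen.setdefault(name.lower(), []).append(value.strip())
    findings = []
    for name in required:
        values = seen.get(name.lower())
        if not values:
            findings.append(f"missing {name}")
        elif len(values) > 1:
            # More than one copy went upstream, e.g. a client-supplied header
            # that the proxy appended to instead of replacing.
            findings.append(f"duplicate {name}")
        elif not values[0]:
            findings.append(f"empty {name}")
    return findings


def audit_all(records):
    """Map record index -> findings, for non-compliant records only."""
    return {i: f for i, (h, hd) in enumerate(records) if (f := audit_request(h, hd))}


# Constructed sample records; the header values are placeholders, not real IDs.
SAMPLE_RECORDS = [
    ("login.microsoftonline.com:443", [("restrict-access-to-tenants", "<permitted-tenants>"),
                                       ("Restrict-Access-Context", "<context-id>")]),
    ("login.microsoftonline.com", [("Restrict-Access-To-Tenants", "<permitted-tenants>")]),
    ("login.microsoftonline.com", [("Restrict-Access-To-Tenants", " "),
                                   ("Restrict-Access-Context", "<context-id>")]),
    ("example.com", []),
]

if __name__ == "__main__":
    for index, findings in audit_all(SAMPLE_RECORDS).items():
        print(index, findings)
```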
