Hello,
In Tenant Restrictions v2, Microsoft Entra ID validates enforcement through two specific HTTP headers that must be injected into outbound identity traffic. The headers are Restrict-Access-To-Tenants and Restrict-Access-Context.
Restrict-Access-To-Tenants carries the tenant IDs that are permitted. This is how Entra ID knows which directories the client is allowed to authenticate against. Restrict-Access-Context carries the enforcement context identifier, which ties the request back to the configured policy in your tenant. Both headers must be present and correctly formatted; if either is missing, Entra ID will not apply the restriction.
When you configure Tenant Restrictions v2 at the Windows OS level, the client stack automatically injects these headers. Extending enforcement to your perimeter firewall or proxy means you need to configure it to add the same headers into all outbound requests to Microsoft identity endpoints such as login.microsoftonline.com. This ensures unmanaged devices or non‑Windows clients are also subject to the same restrictions.
The important distinction from Tenant Restrictions v1 is that v2 is centrally managed in Entra ID through cross‑tenant access settings. Your firewall does not need to maintain tenant lists itself; it only needs to inject the headers so that Entra ID can enforce the policy.
I hope you've found something useful here. If it helps you get more insight into the issue, it would be appreciated if you accepted the answer. Should you have more questions, feel free to leave a message. Have a nice day!
Domic Vo
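As an added illustration of the proxy-side behaviour the answer describes (example code, not from the original answer or from Microsoft): a helper that injects the two headers named above into outbound requests for Microsoft identity endpoints, plus a verification function a defender can run over captured request headers to confirm the injection is actually in place. The header names and the comma-separated tenant-ID format follow the answer; the host list, the GUID-shaped tenant-ID check and all sample values are assumptions constructed for the example.

```python
"""Proxy-side header injection and verification for the restriction headers
named in the answer above. Host list, GUID check and sample values are
constructed assumptions for this example."""
import re
from typing import Dict, List

# Identity endpoints treated as in scope (constructed list; the answer names
# login.microsoftonline.com, the others are assumed here).
IDENTITY_HOSTS = {"login.microsoftonline.com", "login.microsoft.com", "login.windows.net"}
# Assumption: permitted tenants are given as directory (tenant) ID GUIDs.
GUID_RE = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I)

def is_identity_host(host: str) -> bool:
    """True for an in-scope identity host or any subdomain of one (case-insensitive)."""
    host = host.lower().rstrip(".")
    return host in IDENTITY_HOSTS or any(host.endswith("." + h) for h in IDENTITY_HOSTS)

def inject_headers(host: str, headers: Dict[str, str],
                   allowed_tenants: List[str], context_id: str) -> Dict[str, str]:
    """Return a copy of headers with both restriction headers set for identity hosts only."""
    out = dict(headers)
    if not is_identity_host(host):
        return out
    # Overwrite any client-supplied value so the proxy, not the client, decides the tenant list.
    out["Restrict-Access-To-Tenants"] = ",".join(allowed_tenants)
    out["Restrict-Access-Context"] = context_id
    return out

def verify_headers(host: str, headers: Dict[str, str], expected_context: str) -> List[str]:
    """Return findings for a captured request; an empty list means it is correctly tagged."""
    findings: List[str] = []
    if not is_identity_host(host):
        return findings
    h = {k.lower(): v for k, v in headers.items()}
    tenants = h.get("restrict-access-to-tenants")
    ctx = h.get("restrict-access-context")
    if tenants is None:
        findings.append("missing Restrict-Access-To-Tenants")
    else:
        for t in tenants.split(","):
            if not GUID_RE.match(t.strip()):
                findings.append(f"malformed tenant id: {t.strip()!r}")
    if ctx is None:
        findings.append("missing Restrict-Access-Context")
    elif ctx != expected_context:
        findings.append("Restrict-Access-Context does not match the configured policy tenant")
    return findings
```

Running `verify_headers` over proxy access logs or a packet capture of traffic to the identity endpoints is a quick way to confirm that unmanaged or non-Windows clients really are being tagged before Entra ID sees the request.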