| 1 | +--- |
| 2 | +title: Block access from other tenants |
| 3 | +description: Block connections shared from other tenants in Azure Logic Apps. |
| 4 | +services: logic-apps |
| 5 | +ms.suite: integration |
| 6 | +ms.reviewer: estfan, azla |
| 7 | +ms.topic: how-to |
| 8 | +ms.date: 08/01/2022 |
| 9 | +--- |
| 10 | + |
| 11 | +# Block shared connections from other tenants in Azure Logic Apps (Preview) |
| 12 | + |
| 13 | +> [!NOTE] |
| 14 | +> This capability is in preview and is subject to the |
| 15 | +> [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/). |
| 16 | +
|
| 17 | +Azure Logic Apps includes many connectors for you to build integration apps and workflows and to access various data, apps, services, systems, and other resources. These connectors authorize your access to these resources by using Azure Active Directory (Azure AD) to authenticate your credentials. |
| 18 | + |
| 19 | +When you create a connection from your workflow to access a resource, you can share that connection with others in the same Azure AD tenant or different tenant by sending a consent link. This shared connection provides access to same resource. However, this capability creates a security vulnerability. Anyone in other Azure AD tenants can create a logic app workflow with a connection and share that connection's consent link with anyone else in a different tenant, for example, by sending a phishing email. If the receiver signs in using the shared connection, the sender can now access the resources in recipient's tenant. |
| 20 | + |
| 21 | +To prevent this scenario, you can block access to and from your own Azure AD tenant through shared connections. By setting up a tenant isolation policy, you can better control data movement between your tenant and resources that require Azure AD authorized access. |
| 22 | + |
| 23 | +## Prerequisites |
| 24 | + |
| 25 | +- An Azure subscription and account with owner permissions to set up a new policy or make changes to existing tenant policies. |
| 26 | + |
| 27 | + > [!NOTE] |
| 28 | + > |
| 29 | + > You can apply policies that affect only your own tenant, not other tenants. |
| 30 | +
|
| 31 | +- Collect the following information: |
| 32 | + |
| 33 | + - The tenant ID for your Azure AD tenant. |
| 34 | + |
| 35 | + - The choice whether to enforce two-way tenant isolation for connections that don't have a client tenant ID. |
| 36 | + |
| 37 | + For example, some legacy connections might not have am associated tenant ID. So, you have to choose whether to block or allow such connections. |
| 38 | + |
| 39 | + - The choice whether to initially enable or disable the isolation policy. |
| 40 | + |
| 41 | + - The tenant IDs for any tenants where you want to allow connections to or from your tenant. |
| 42 | + |
| 43 | + - The choice whether to allow inbound connections to your tenant from each allowed tenant. |
| 44 | + |
| 45 | + - The choice whether to allow inbound connections from your tenant to each allowed tenant. |
| 46 | + |
| 47 | +- To test the tenant isolation policy, you need a different Azure AD tenant from where you can try connecting to the isolated tenant and vice versa after the isolation policy takes effect. |
| 48 | + |
| 49 | +## Request an isolation policy for your tenant |
| 50 | + |
| 51 | +To start this process, you'll request a new isolation policy or update your existing isolation policy for your tenant. Only Azure subscription owners can request new policies or changes to existing policies. |
| 52 | + |
| 53 | +1. Open a Customer Support ticket to request a new isolation policy or update your existing isolation policy for your tenant. |
| 54 | + |
| 55 | +1. Wait for the request to finish verification and processing by the person who handles the support ticket. |
| 56 | + |
| 57 | + > [!NOTE] |
| 58 | + > |
| 59 | + > Policies take effect immediately in the West Central US region. However, these changes |
| 60 | + > might take up to four hours to replicate in all other regions. |
| 61 | +
|
| 62 | +## Test the isolation policy |
| 63 | + |
| 64 | +After the policy takes effect in a region, test the policy. You can try immediately in the West Central US region. |
| 65 | + |
| 66 | +### Test inbound connections to your tenant |
| 67 | + |
| 68 | +1. Sign in to your "other" Azure AD tenant. |
| 69 | + |
| 70 | +1. Create logic app workflow with a connection, such as Office 365 Outlook. |
| 71 | + |
| 72 | +1. Try to sign in to your isolated tenant. |
| 73 | + |
| 74 | + You get a message that the connection to the isolated tenant has failed authorization due to a tenant isolation configuration. |
| 75 | + |
| 76 | +### Test outbound connections from your tenant |
| 77 | + |
| 78 | +1. Sign in to your isolated tenant. |
| 79 | + |
| 80 | +1. Create a logic app workflow with a connection, such as Office 365 Outlook. |
| 81 | + |
| 82 | +1. Try to sign in to your other tenant. |
| 83 | + |
| 84 | + You get a message that the connection to your other tenant has failed authorization due to a tenant isolation configuration. |
| 85 | + |
| 86 | +## Next steps |
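Review bot: line 45 of the new file ("The choice whether to allow inbound connections from your tenant to each allowed tenant") repeats the inbound bullet on line 43 and mislabels the direction; a connection that originates in your tenant and targets another tenant is outbound, so it should read "The choice whether to allow outbound connections from your tenant to each allowed tenant." While in that list, fix the typo on line 37 ("am associated tenant ID" should be "an associated tenant ID"). Line 19 is also missing an article ("in the recipient's tenant"), and line 70 should say "Create a logic app workflow" to match line 80. Finally, the "## Next steps" heading on line 86 closes the file with no content beneath it; either add the links it is meant to hold or drop the heading until they exist.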