Restrict Microsoft 365 Sign-ins to Your Corporate Tenant using SonicWall DPI-SSL (Header Insertion)

Description

This article describes the steps to allow only corporate Microsoft 365 (Entra ID/Azure AD) sign-ins and block personal/other-tenant accounts by inserting Microsoft's tenant-restriction headers into HTTPS requests.

Applies to:

SonicOS 7.x/8.x (GEN7/GEN8)

Features: Client DPI-SSL (TLS decryption) and Content Filtering Service (CFS) “Custom Header Insertion”

Managed endpoints that can trust the DPI-SSL certificate

Overview
Microsoft supports enforcing tenant access by using two HTTP headers on its login endpoints. When the SonicWall firewall decrypts the client's HTTPS session and inserts these headers, Microsoft restricts authentication to the specified tenant(s), effectively blocking personal Microsoft accounts (MSA) and other tenants.

Prerequisites

CFS license and Client DPI-SSL enabled on the inside/user zones (LAN/WLAN).

The DPI-SSL CA certificate is deployed/trusted on client devices (so browsers/apps accept the SonicWall MITM proxy).

No DPI-SSL bypass rules for the Microsoft login endpoints below.

Know your Entra ID (Azure AD) Tenant ID (GUID) and, optionally, your verified tenant domain(s).

Find your Tenant ID

Microsoft Entra admin center → Identity → Overview → Tenant ID (GUID).
(Older UI path: Microsoft 365 Admin Center → Admin centers → Identity → Tenant ID.)

Configuration Steps

  1. Enable Client DPI-SSL (if not already)

    Turn on Client DPI-SSL and deploy the SonicWall DPI-SSL CA certificate to all client devices that will be inspected (machines must trust the firewall’s re-signing CA).

    Docs for reference:

    SonicOS 8.0 DPI-SSL: https://www.sonicwall.com/support/technical-documentation/docs/sonicos-8-0-dpi_ssl/Content/client-ssl-config.htm

    SonicOS 7.1 DPI-SSL: https://www.sonicwall.com/support/technical-documentation/docs/sonicos-7-1-dpi_ssl/Content/dpi-ssl-client-ssl-config.htm

  2. Create/Update a CFS Profile with Header Insertion

    Go to OBJECT → Profile Objects and Add/Edit your CFS profile.

    (Refer: https://www.sonicwall.com/support/technical-documentation/docs/sonicos-8-0-content_filtering/Content/Profile_Objects/profile-custom-header.htm)

    Go to the Custom Header tab and toggle Enable Custom Header Insertion.
    Add the following rows:

    Domain                       Key                          Value
    login.microsoftonline.com    Restrict-Access-To-Tenants   <your-tenant-domain>
    login.windows.net            Restrict-Access-To-Tenants   <your-tenant-domain>
    login.microsoft.com          Restrict-Access-To-Tenants   <your-tenant-domain>
    login.microsoftonline.com    Restrict-Access-Context      <Azure AD Tenant ID>
    login.windows.net            Restrict-Access-Context      <Azure AD Tenant ID>
    login.microsoft.com          Restrict-Access-Context      <Azure AD Tenant ID>

    Note: Microsoft also accepts a comma-separated list of tenant domains in this header, for example: Restrict-Access-To-Tenants: your-tenant-domain1,your-tenant-domain2,your-tenant-domain3 . Configure the value according to your organization's requirements.

  3. Bind the CFS Profile to policy

    Attach the CFS profile to the relevant CFS policies (Policies → Rules and Policies → Security Policies → ensure Content Filter Profile uses your header-inserting profile on egress to WAN).

    Doc for reference: https://www.sonicwall.com/support/technical-documentation/docs/sonicos-8-0-content_filtering/Content/Policies/policy-add-edit.htm

  4. Commit and Test
    • Corporate account -> should succeed.
    • Personal/other-tenant account -> should be denied with a Microsoft message indicating that access is restricted by your organization.
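The following Python script is an added example for the test step; it is not SonicWall or Microsoft code. It models what the firewall does after DPI-SSL decryption (append the two tenant-restriction headers to requests whose Host is one of the three login endpoints in the table above), validates the values you are about to type into the CFS profile (tenant domains must be real DNS names, Restrict-Access-Context must be the tenant GUID), and checks a captured plaintext request for the expected headers. The sample request, the tenant domains and the GUID are constructed placeholders, and the choice to overwrite a header the client already sent is an assumption, not documented firewall behaviour.

```python
import re
import uuid

# Microsoft sign-in hosts from the CFS header-insertion table in this article.
LOGIN_HOSTS = {"login.microsoftonline.com", "login.windows.net", "login.microsoft.com"}
TENANT_HEADER = "Restrict-Access-To-Tenants"   # comma-separated list of verified tenant domains
CONTEXT_HEADER = "Restrict-Access-Context"     # the Entra ID tenant GUID

# Loose DNS-name check: labels of letters/digits/hyphens, at least one dot, alphabetic TLD.
DOMAIN_RE = re.compile(r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I)

# Constructed placeholder values; replace with your verified domain(s) and tenant ID.
EXAMPLE_DOMAINS = ["contoso.com", "fabrikam.com"]
EXAMPLE_TENANT_ID = "11111111-2222-3333-4444-555555555555"

# Constructed client request as it looks after the firewall has decrypted it.
SAMPLE_REQUEST = (
    "GET /common/oauth2/v2.0/authorize HTTP/1.1\r\n"
    "Host: login.microsoftonline.com\r\n"
    "User-Agent: example-browser\r\n"
    "\r\n"
)


def validate_policy(tenant_domains, tenant_id):
    """Return problems with the values destined for the CFS profile (empty list = OK)."""
    problems = []
    if not tenant_domains:
        problems.append(f"{TENANT_HEADER} needs at least one tenant domain")
    for domain in tenant_domains:
        if not DOMAIN_RE.match(domain):
            problems.append(f"not a valid tenant domain: {domain!r}")
    try:
        uuid.UUID(str(tenant_id))
    except ValueError:
        problems.append(f"{CONTEXT_HEADER} must be the tenant GUID, got {tenant_id!r}")
    return problems


def build_rows(tenant_domains, tenant_id):
    """Expand both headers across every login host: the six (domain, key, value) rows of the table."""
    rows = [(host, TENANT_HEADER, ",".join(tenant_domains)) for host in sorted(LOGIN_HOSTS)]
    rows += [(host, CONTEXT_HEADER, tenant_id) for host in sorted(LOGIN_HOSTS)]
    return rows


def parse_request(raw):
    """Split a plaintext HTTP/1.1 request into (request line, [(name, value)], body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        if not line:
            continue
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return lines[0], headers, body


def insert_headers(raw, rows):
    """Model of the firewall's insertion: if the Host matches a row, the row's header is added."""
    request_line, headers, body = parse_request(raw)
    host = next((v for k, v in headers if k.lower() == "host"), "").lower()
    for row_host, key, value in rows:
        if host == row_host:
            # Assumption: a client-supplied copy of the header is dropped so the policy value wins.
            headers = [(k, v) for k, v in headers if k.lower() != key.lower()]
            headers.append((key, value))
    head = "\r\n".join([request_line] + [f"{k}: {v}" for k, v in headers])
    return head + "\r\n\r\n" + body


def check_request(raw, tenant_domains, tenant_id):
    """Verify a captured request to a login host carries both headers with the expected values."""
    _, headers, _ = parse_request(raw)
    hdr = {k.lower(): v for k, v in headers}
    host = hdr.get("host", "").lower()
    if host not in LOGIN_HOSTS:
        return ["Host is not a Microsoft login endpoint; nothing to check"]
    expected = {TENANT_HEADER: ",".join(tenant_domains), CONTEXT_HEADER: tenant_id}
    problems = []
    for key, want in expected.items():
        got = hdr.get(key.lower())
        if got is None:
            problems.append(f"{key} missing")
        elif got != want:
            problems.append(f"{key} is {got!r}, expected {want!r}")
    return problems


if __name__ == "__main__":
    print("policy problems:", validate_policy(EXAMPLE_DOMAINS, EXAMPLE_TENANT_ID))
    rows = build_rows(EXAMPLE_DOMAINS, EXAMPLE_TENANT_ID)
    print("before insertion:", check_request(SAMPLE_REQUEST, EXAMPLE_DOMAINS, EXAMPLE_TENANT_ID))
    rewritten = insert_headers(SAMPLE_REQUEST, rows)
    print(rewritten)
    print("after insertion:", check_request(rewritten, EXAMPLE_DOMAINS, EXAMPLE_TENANT_ID))
```

To use check_request against real traffic, feed it a request captured on the WAN side of the firewall (after decryption, so the headers are visible); a non-empty result for a login host means the CFS profile is not bound to the policy that carries that traffic, or a DPI-SSL bypass rule is excluding the host.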
