Browse Docs

SaaS Application Restrictions

You can use SaaS Application Restrictions with vendors including Google GSuite, Microsoft O365 which provide methods to limit access to their services by Domain or Tenant ID values.

How it works?

You can configure Saas Restrictions in the backend, from SettingsSaaS Restrictions menu.

When you have enabled a SaaS Restriction, according to the type of the application installed, DefensX extensions append a specific HTTP header to every request sent to the related cloud application.

For example, if you enabled GSuite restrictions and only provided to example.com as allowed domains, DefensX extensions append X-GooGApps-Allowed-Domains: example.com in every request to *.google.com and gmail.com. When Google GSuite receives a request from a client that is using this header, it stops working for domains other than the included ones in the received header (https://groups.google.com/g/k12appstech/c/B1fsGYePm34).

Similarly, Microsoft also has a feature to restrict access by Tenant ID or the domain itself (https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/tenant-restrictions).

Tip
 Configuration changes will be populated to the clients in a maximum of 5 minutes period. If you want to speed up the process of testing it, we recommend left-clicking on the top-right DefensX extension icon in the browser and clicking on the Policy Refresh icon.

Enabling Google GSuite Restrictions

gsuite

In order to enable Google GSuite restrictions, first toggle the checkbox on the right-hand side and enter your allowed domains into the list. You can enter as many domains as you want.

Enabling Microsoft O365 Restrictions

ofis

In order to enable Microsoft O365 restrictions, first toggle the checkbox on the right-hand side and enter your allowed domains or Azure Tenant ID values into the list. You can enter as many domains/tenant id as you want.