Documentation Index

Fetch the complete documentation index at: https://support.perimeter81.com/llms.txt

Use this file to discover all available pages before exploring further.

Tenant Restrictions

  • Updated on May 26, 2026
  • Published on Jul 24, 2025
  • 3 minute(s) read
  • R
  • m
 Prev Next

Tenant Restrictions allow administrators to control which Microsoft Office 365 and Google Workspace tenants users can access. It helps prevent unauthorized access to personal or unapproved corporate tenants, ensuring users only connect to organization approved environments. This reduces the risk of data leaks and unauthorized third-party collaborations. 

To view the Tenant Restrictions page, access the Check Point SASE Administrator Portal and click Internet Access > Tenant Restrictions.

ColumnDescription
Cloud ServiceDisplays the cloud service for which the restriction is applied:
  • Microsoft Office 365
  • Google Workspace
 This column is auto-populated and cannot be edited.
SourceDefines the groups or members the restriction applies to:
  • Any (default)- Applies to all users.
  • Groups or Members - Applies to selected groups or users from your identity provider.
Allowed Domains1Specifies the domains that users in the selected source groups and users are allowed to access. You can add domains and tenant IDs in various formats:
  • Standard domain, for example, contso.com
  • Microsoft domain, for example, fabrikam.onmicrosoft.com
  • Tenant identifier, for example, aaaabbbb-0000-cccc-1111-dddd2222eeee

1 Avoid setting the Allowed Domains value to Any, as this configuration has no effect on domain restrictions and does not limit access. Specify one or more domains explicitly to ensure the restriction is applied as intended. 

Configuration Requirements for Tenant Restrictions

To enable tenant restrictions enforcement:

  • Ensure that traffic to Microsoft 365 and Google Workspace is inspected. The following domains must be inspected and not bypassed:
  • Do not bypass these applications in the Bypass policy. For more information, see Certificate Pinning.
  • Do not block these applications in the Access policy.

This configuration allows Check Point SASE to apply tenant restriction rules and validate user access to authorized tenants.

Supported Applications

Tenant Restrictions supports these applications:

  • Microsoft Office 365
  • Google Workspace

Creating a Tenant Restriction

  1. Access the Check Point SASE Administrator Portal and click Internet Access.
  2. Go to Tenant Restrictions.
  3. For the cloud service you want to add a restriction, do these:
    1. In the Source field, add groups or users list to which you want to apply the rule. Default is Any.
    2. Click Any > Add Source > Groups or Members.
      The Manage Groups or Members window appears.
    3. Select group(s) or member(s) from the list.
    4. Click Apply.
    5. In the Allowed Domains field, select the domain(s) or tenant ID(s) that you want to allow or restrict for access.
    6. Click None > Add Allowed Domain > Domains or Tenant IDs.
      The Manage Domains window appears.
    7. Select the domain(s) or tenant ID(s).
    8. Click Apply.
    9. To activate the rule, turn on the Status toggle button.
    10. Click Apply in the bottom of the page.
    11. Click Apply.
Notes:
  • Each application support a single configuration. Rules are not prioritized or matched in order.
  • All changes to the Tenant Restrictions configuration (for example, domain updates, enabling or disabling rules) are recorded in the administrator audit log.
  • Restriction enforcement occurs on the end user side within the SaaS application. For more information, see Microsoft 365 documentation.
  • Changes are applied as part of the Internet Access policy and are enforced by the Internet Access engine once you click Apply.

End User Behavior

When Tenant Restrictions are enabled, users experience these behaviors based on their actions:

ScenarioUser Experience
User accesses an allowed tenantAccess proceeds normally.
User accesses a disallowed tenant

A block page is displayed by the SaaS application (for example, Microsoft Office 365 and Google Workspace), indicating that access is not permitted. 

User accesses another SaaS applicationNo restriction is enforced, and access is allowed (for example, Salesforce and Atlassian).

Tenant Restriction Logs

When a user attempts to sign in to a SaaS application using an account that does not belong to an allowed tenant, Check Point SASE blocks the login and generates a log entry. These logs help you identify unauthorized access attempts and policy gaps.

Logs are generated automatically. No additional configuration is required.

Prerequisite

Check Point SASE Agent version 12.7 or later.

What gets logged

  • Log for Microsoft Office 365
  • Log for Google Services
  • A single log entry is created for each blocked login attempt. Each entry includes:
    • User - The identity that attempted to sign in
    • Application - The SaaS application where the login was attempted
    • Restricted Domain - The domain the user tried to access
    • Category - The URL category of the login endpoint
    • Policy Rule - The tenant restriction rule that blocked the attempt
    • Action - Blocked

Limitations

  • Logs are generated only for failed login attempts.
  • Successful logins to allowed tenants are not logged.