Description
Article URL
On what page did you find the problem?
https://learn.microsoft.com/en-us/azure/azure-portal/azure-portal-safelist-urls?tabs=public-cloud&source=docs
Describe the problem
The document does not provide a way for admins to allow add-ins to communicate with login.microsoftonline.com. So imagine a case where an admin whitelists login.microsoftonline.com in the proxy server, which effectively means that anybody within the organization will now be allowed to access the said URL. One of our cases has the following issue:
We are against whitelisting this domain because doing so would lessen our security controls. For example, we have one policy on the proxy that prevents users from being able to log in to other O365 tenants that they may be guests of. For this control to be in place, we must perform SSL inspection on domains like login.microsoft.com, which cannot be done if we are whitelisting (bypassing) the domains.
Does Microsoft have any recommendation/documentation that can help us allow add-ins to access login.microsoftonline.com without having to whitelist the URL? Moreover, if whitelisting is the only way, how can an admin limit users from being able to log in to other O365 tenants that they may be guests of? Can whitelisting be done based on the app/client ID of the add-in?
I don't know if this is the right venue for this question, but I raised it here anyway. Thank you very much for your support and understanding.
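The control described in the issue (an SSL-inspecting proxy that keeps users from signing in to other tenants) is what Microsoft Entra ID calls tenant restrictions: the proxy adds the headers Restrict-Access-To-Tenants and Restrict-Access-Context to requests bound for the Microsoft login endpoints, and the login service then rejects sign-ins to tenants not on the list. The following is an added example, not code from the issue or from Microsoft, showing the proxy-side policy logic in plain Python so the dependency on inspection is visible: the headers can only be inserted on traffic the proxy decrypts, so a bypass (whitelist) rule for the login hosts disables the control. The tenant name and directory ID are constructed placeholders, and the Request class and function names are assumptions made for this illustration, not a real proxy's API.

```python
"""Proxy-side sketch of Microsoft Entra ID tenant restrictions (header-based).

Added illustration, not part of the GitHub issue or Microsoft documentation.
Real header names (documented by Microsoft):
  Restrict-Access-To-Tenants  comma-separated list of tenants users may sign in to
  Restrict-Access-Context     directory (tenant) ID that owns the policy
"""
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Login endpoints that must be TLS-inspected for the headers to be injected.
LOGIN_HOSTS = {
    "login.microsoftonline.com",
    "login.microsoft.com",
    "login.windows.net",
}

# Constructed placeholder values; replace with the organization's own tenant.
PERMITTED_TENANTS = ["contoso.onmicrosoft.com"]
POLICY_TENANT_ID = "00000000-0000-0000-0000-000000000000"  # placeholder


@dataclass
class Request:
    """Hypothetical minimal HTTP request as seen by an inspecting proxy."""
    url: str
    headers: dict = field(default_factory=dict)


def needs_inspection(url: str) -> bool:
    """True when the request targets a login host and therefore must NOT be
    bypassed: without decryption the proxy cannot add the restriction headers."""
    host = urlsplit(url).hostname
    return host is not None and host.lower() in LOGIN_HOSTS


def apply_tenant_restrictions(req: Request,
                              permitted=PERMITTED_TENANTS,
                              context=POLICY_TENANT_ID):
    """Return (new_request, changed). Injects the tenant-restriction headers on
    login-host traffic and leaves every other request untouched."""
    if not needs_inspection(req.url):
        return req, False
    # HTTP header names are case-insensitive: drop any client-supplied variant
    # first so a user cannot smuggle a wider tenant list past the policy.
    managed = {"restrict-access-to-tenants", "restrict-access-context"}
    headers = {k: v for k, v in req.headers.items() if k.lower() not in managed}
    headers["Restrict-Access-To-Tenants"] = ",".join(permitted)
    headers["Restrict-Access-Context"] = context
    return Request(req.url, headers), True


if __name__ == "__main__":
    # Constructed sample: a client trying to pre-set a permissive tenant list.
    sample = Request(
        "https://login.microsoftonline.com/common/oauth2/v2.0/authorize",
        {"restrict-access-to-tenants": "othertenant.example"},
    )
    out, changed = apply_tenant_restrictions(sample)
    print(changed, out.headers)
```

Allowing an add-in's client ID through while still applying this policy is a matter of which login requests get the headers, not of bypassing the hosts; in the sketch above, any request to a login host is inspected and rewritten, regardless of which application initiated it.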