Cloud Policy Details

This setting enables and configures the device-based tenant restrictions feature for Azure Active Directory.

When you enable this setting, compliant applications will be prevented from accessing disallowed tenants, according to a policy set in your Azure AD tenant.

Note: Creation of a policy in your home tenant is required, and additional security measures for managed devices are recommended for best protection. Refer to Azure AD Tenant Restrictions for more details.

https://go.microsoft.com/fwlink/?linkid=2148762

Before enabling firewall protection, ensure that a Windows Defender Application Control (WDAC) policy that correctly tags applications has been applied to the target devices. Enabling firewall protection without a corresponding WDAC policy will prevent all applications from reaching Microsoft endpoints. This firewall setting is not supported on all versions of Windows - see the following link for more information.
For details about setting up WDAC with tenant restrictions, see https://go.microsoft.com/fwlink/?linkid=2155230

Supported on: At least Windows 10 Version 1909

Cloud ID (optional):

Registry HiveHKEY_LOCAL_MACHINE
Registry PathSOFTWARE\Policies\Microsoft\Windows\TenantRestrictions\Payload
Value Namecloudid
Value TypeREG_SZ
Default Value
Azure AD Directory ID:

Registry HiveHKEY_LOCAL_MACHINE
Registry PathSOFTWARE\Policies\Microsoft\Windows\TenantRestrictions\Payload
Value Nametenantid
Value TypeREG_SZ
Default Value
Policy GUID:

Registry HiveHKEY_LOCAL_MACHINE
Registry PathSOFTWARE\Policies\Microsoft\Windows\TenantRestrictions\Payload
Value Namepolicyid
Value TypeREG_SZ
Default Value
Enable firewall protection of Microsoft endpoints
Registry HiveHKEY_LOCAL_MACHINE
Registry PathSOFTWARE\Policies\Microsoft\Windows\TenantRestrictions\Payload
Value NameenforceFirewall
Value TypeREG_DWORD
Default Value
True Value1
False Value


Registry HiveHKEY_LOCAL_MACHINE
Registry PathSOFTWARE\Policies\Microsoft\Windows\TenantRestrictions\Payload
Value Namehostnames
Value TypeREG_MULTI_SZ
Default Value


Registry HiveHKEY_LOCAL_MACHINE
Registry PathSOFTWARE\Policies\Microsoft\Windows\TenantRestrictions\Payload
Value NamesubdomainSupportedHostnames
Value TypeREG_MULTI_SZ
Default Value


Registry HiveHKEY_LOCAL_MACHINE
Registry PathSOFTWARE\Policies\Microsoft\Windows\TenantRestrictions\Payload
Value NameipRanges
Value TypeREG_MULTI_SZ
Default Value

tenantrestrictions.admx

Administrative Templates (Computers)

Administrative Templates (Users)