Configuring contextual login controls

Forcepoint ONE SSE can restrict tenant access based on HTTP request headers, either by domains applied to all users in Microsoft 365 or by domains applied through contextual policies.

To apply login controls contextually, follow the steps below:


  1. Start on the Policies > Policies page and either add a new policy line or edit the Action column of an already configured policy line.

  2. Scroll to the bottom of the Action dialog window, where there are three check boxes you can enable for login controls:

    1. Restrict access to approved domains: Only allows users to access domains configured within your Microsoft 365 instance in Forcepoint ONE SSE, as well as any domains that you add to the list.
    2. Restrict managed device login to approved username domains: Only allows users with the specific domains within your Microsoft 365 instance that match their username domain.
       Attention: The Restrict access to approved domains and Restrict managed device login to approved username domains options are deprecated and do not function. Instead, use HTTP Header based tenant restrictions or Field Programmable SASE Logic to implement tenant-based restrictions.
    3. HTTP Header Restrictions: Configure HTTP headers that are sent with the SAML request to apply login controls enforced by M365.
  3. To configure, check the box to display the table. Add one or more rows to the table, enter the domains you wish to allow users to connect to, and save your settings. You can add as many domains as needed, one per row.
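
To confirm that an HTTP Header Restrictions policy is taking effect, captured login requests can be checked for the expected headers. The following is an added example, not Forcepoint code: it assumes the policy produces Microsoft's documented tenant-restriction headers (`Restrict-Access-To-Tenants` and `Restrict-Access-Context`), which this page does not name, and it runs on constructed sample requests, domains and a placeholder tenant ID.

```python
# Added example (not Forcepoint code). Assumption: the policy emits Microsoft's
# documented tenant-restriction headers; the names are not given on this page.
LOGIN_HOSTS = {"login.microsoftonline.com", "login.microsoft.com", "login.windows.net"}

def audit_request(host, headers, approved_domains, context_tenant_id):
    """Return findings for one captured request; an empty list means compliant."""
    if host.lower() not in LOGIN_HOSTS:
        return []  # the headers are only expected on Microsoft login endpoints
    hdrs = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    findings = []
    raw = hdrs.get("restrict-access-to-tenants")
    if raw is None:
        findings.append("missing Restrict-Access-To-Tenants")
    else:
        sent = {d.strip().lower() for d in raw.split(",") if d.strip()}
        approved = {d.lower() for d in approved_domains}
        if sent - approved:
            findings.append(f"unapproved tenants permitted: {sorted(sent - approved)}")
        if approved - sent:
            findings.append(f"approved tenants absent: {sorted(approved - sent)}")
    ctx = hdrs.get("restrict-access-context")
    if ctx is None:
        findings.append("missing Restrict-Access-Context")
    elif ctx.strip().lower() != context_tenant_id.lower():
        findings.append("Restrict-Access-Context does not match the expected tenant ID")
    return findings

# Constructed sample data: domains, tenant ID and requests are placeholders.
APPROVED = ["contoso.com", "fabrikam.com"]
TENANT_ID = "00000000-0000-0000-0000-000000000000"
SAMPLES = [
    ("login.microsoftonline.com", {"Restrict-Access-To-Tenants": "contoso.com, fabrikam.com",
                                   "Restrict-Access-Context": TENANT_ID}),
    ("login.microsoftonline.com", {"restrict-access-to-tenants": "contoso.com,example.org",
                                   "Restrict-Access-Context": TENANT_ID}),
    ("login.windows.net", {"User-Agent": "constructed"}),
    ("www.example.com", {}),
]

def audit_all(samples=SAMPLES):
    """Audit every sample request against the approved list and tenant ID."""
    return [audit_request(h, hd, APPROVED, TENANT_ID) for h, hd in samples]

if __name__ == "__main__":
    for (host, _), findings in zip(SAMPLES, audit_all()):
        print(host, "OK" if not findings else findings)
```

Replace `APPROVED` and `TENANT_ID` with the domains entered in the policy table and your own directory ID before running it against real proxy captures.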