Skip to content
Cloudflare for Teams
Visit Cloudflare for Teams on GitHub
Set theme to dark (⇧+D)

Tenant control

Cloudflare for Teams offers IT administrators a way to ensure users have access to SaaS applications for corporate use, while at the same time blocking access to their personal accounts. This helps prevent the loss of sensitive or confidential data from a corporate network.

You can create Gateway HTTP policies to control access to your corporate SaaS applications. When creating an HTTP policy with an Allow action, you will have the option to configure custom headers. The policy will use these headers to grant access to an application if a user’s request is headed to your organization’s account for the SaaS application, and to deny access if the request is headed to an account that does not match the information in the header.

Not all SaaS applications support tenant control. Examples of common applications that do support tenant control through the injection of HTTP headers are:

  • Microsoft 365
  • Slack
  • GSuite
  • Dropbox
  • YouTube

Add custom headers for a SaaS application (Microsoft 365 example)

This is a walkthrough of how to add custom headers for Microsoft 365. The procedure is the same for other SaaS applications, except for the values you will add for Custom Header Name. Values for Custom Header Value are specific to your organization; consult the documentation for your SaaS application for more information on where to find them.

  1. On the Teams Dashboard, navigate to Gateway > Policies > HTTP.

  2. Create a policy with the following values:

    • Action: Allow
    • Selector: Application
    • Operator: In
    • Value: select the application you would like to inject custom headers for.
  3. Under Policy Settings, add a custom header. You can add as many custom headers as needed.

    • Custom Header Name: Restrict-Access-To-Tenants
    • Custom Header Value: contoso.com,fabrikam.onmicrosoft.com,72f988bf-86f1-41af-91ab-2d7cd011db4
  4. Click Create policy.

Your Allow policy is now displayed in the list of HTTP rules. When an end user attempts to authenticate to an Office 365 application with a personal account, authentication will fail.

Common policy configurations

This section covers policy configurations for common SaaS applications.

Microsoft 365

SelectorOperatorValueActionHeader name
ApplicationInMicrosoft Office365AllowRestrict-Access-To-Tenants, Restrict-Access-Context

Slack

SelectorOperatorValueActionHeader name
ApplicationInSlackAllowX-Slack-Allowed-Workspaces-Requester, X-Slack-Allowed-Workspaces

G Suite

SelectorOperatorValueActionHeader name
ApplicationInGoogle WorkspaceAllowX-GooGApps-Allowed-Domains

Dropbox

SelectorOperatorValueActionHeader name
ApplicationInDropboxAllowX-Dropbox-allowed-Team-Ids

YouTube

SelectorOperatorValueActionHeader name
ApplicationInYouTubeAllowYouTube-Restrict