Skyhigh Security

Prevent Users from Accessing Services through Personal Accounts

The tenant restriction rules block users from accessing sanctioned cloud services through their personal accounts, while allowing access to these services through the accounts that you configure.

Before you begin

The tenant restriction rules support these sanctioned cloud services. To configure each tenant restriction rule, you need these application-specific details.

  • Amazon Web Services (AWS) — Allowed AWS Account IDs
  • Box — Allowed Box subdomains and allowed user email address domains
  • Dropbox — Allowed Dropbox Team IDs
  • Google — Allowed user email address domains
  • Microsoft Office 365 — Directory ID of your Azure Active Directory instance and allowed user email address domains
  • Slack — Allowed Slack Team IDs

To block access to personal accounts, you configure the accounts which users are allowed to access. Web requests sent to these accounts are allowed. All other requests are blocked.

  1. In Skyhigh CASB, select Policy > Web Policy > Policy.
  2. In the policy tree, select Application Control > Tenant Restriction.
  3. Optionally configure criteria to limit the scope of this rule set.
  4. Select each tenant restriction rule that you want to apply. For each selection, configure the accounts that are not blocked by entering a string of one or more comma-separated values. Spaces are not allowed. Then click Save.
    • Block personal instances of Amazon Web Services — Enter the AWS account IDs that are not blocked.
    • Block personal instances of Box
      1. Enter the Box subdomains that are not blocked. If your domain name is forestry.box.com, enter the subdomain: forestry.
      2. Enter the user email address domains that are not blocked.
    • Block personal instances of Google — Enter the user email address domains that are not blocked.
    • Block personal instances of Microsoft Office 365
      1. Enter the Directory ID of your Azure Active Directory instance.
      2. Enter the user email address domains that are not blocked.
    • Block personal instances of Dropbox — Enter the Dropbox Team IDs that are not blocked.
    • Block personal instances of Slack — Enter the Slack Team IDs that are not blocked.

Changes to the policy tree, rule sets, or rules are automatically saved. You can publish them to the cloud now or keep working and publish later.
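
A pre-flight check for the values entered in step 4, as an added example that is not part of the Skyhigh documentation: it builds the comma-separated, space-free string each rule expects and reduces a full Box domain such as forestry.box.com to its subdomain. The field keys, function names and format checks (12-digit AWS account IDs, GUID-shaped Directory IDs) are assumptions for illustration; Dropbox and Slack Team IDs are only checked for spaces and commas.

```python
import re

# Hypothetical field keys. The patterns are assumptions based on each provider's
# public ID format, not on anything the Skyhigh documentation specifies.
CHECKS = {
    "aws_account_ids": re.compile(r"\d{12}"),
    "box_subdomains": re.compile(r"[a-z0-9](?:[a-z0-9-]*[a-z0-9])?"),
    "email_domains": re.compile(r"(?:[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\.)+[a-z]{2,}"),
    "o365_directory_id": re.compile(r"[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}"),
    "team_ids": re.compile(r"[^\s,]+"),  # Dropbox / Slack: reject spaces and commas only
}


def normalize(kind, value):
    """Return one cleaned value for the given rule field, or raise ValueError."""
    v = value.strip()
    if kind == "aws_account_ids":
        v = v.replace("-", "")            # IDs are sometimes shown as 1234-5678-9012
    elif kind == "box_subdomains":
        v = re.sub(r"^https?://", "", v.lower()).split("/")[0]
        if v.endswith(".box.com"):        # forestry.box.com -> forestry
            v = v[: -len(".box.com")]
    elif kind == "email_domains":
        v = v.lower().rsplit("@", 1)[-1]  # accept user@domain, @domain or domain
    elif kind == "o365_directory_id":
        v = v.lower()
    if not CHECKS[kind].fullmatch(v):
        raise ValueError(f"{kind}: {value!r} is not a valid entry")
    return v


def build_field(kind, values):
    """Join cleaned, de-duplicated values into a comma-separated string without spaces."""
    cleaned = list(dict.fromkeys(normalize(kind, v) for v in values))
    if not cleaned:
        raise ValueError(f"{kind}: at least one value is required")
    return ",".join(cleaned)


if __name__ == "__main__":
    # Constructed sample values, not real accounts.
    print(build_field("box_subdomains", ["forestry.box.com"]))
    print(build_field("email_domains", ["user@example.com", "example.org "]))
```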
