Add tenant name to AzureAD tenant restrictions error log
Azure AD tenant restrictions work great, however they rely on you being told the 3rd party tenant name, e.g. contoso.onmicrosoft.com. Many orgs' users simply have no idea what their tenant name is as they use the org domain name instead.
In the AAD sign-in logs you clearly see the target tenant id code, but there is no way to map that onto a tenant name to use in your proxy configuration. This would make life soooo much simpler for organisations that restrict access to tenants and need to manage the config.
In my case this is for a large central government organisation who are really struggling with managing tenant restrictions.
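As an added illustration, not part of the original request or of any Microsoft tooling: a small Python helper that builds the two headers a forward proxy injects for tenant restrictions and then triages sign-in records against the allow-list, showing why an ID seen in the log cannot be matched to an entry given only by name. Tenant IDs, user names and the log field names (resourceTenantId, userPrincipalName) are constructed or assumed, not taken from the page.

```python
import re
from collections import defaultdict
from uuid import UUID

# Constructed values: the page names no real tenant IDs, users or proxy product.
HOME_TENANT_ID = "11111111-1111-1111-1111-111111111111"  # our own directory ID
ALLOWED_TENANTS = [
    "contoso.onmicrosoft.com",               # named, as the request describes
    "22222222-2222-2222-2222-222222222222",  # by ID, as the comment below reports also works
]
DOMAIN = re.compile(r"^([a-z0-9-]+\.)+[a-z]{2,}$", re.IGNORECASE)
SAMPLE_SIGNINS = [  # constructed log records; field names assumed from the Graph signIn resource
    {"userPrincipalName": "alice@example.org", "resourceTenantId": HOME_TENANT_ID},
    {"userPrincipalName": "bob@example.org", "resourceTenantId": ALLOWED_TENANTS[1]},
    {"userPrincipalName": "carol@example.org", "resourceTenantId": "33333333-3333-3333-3333-333333333333"},
]

def is_tenant_id(value: str) -> bool:
    """A directory (tenant) ID is a GUID."""
    try:
        UUID(value)
    except ValueError:
        return False
    return True

def build_tenant_restriction_headers(home_tenant_id: str, allowed: list[str]) -> dict[str, str]:
    """Headers the forward proxy injects on traffic to the Azure AD login endpoints.
    Allow-list entries may be tenant IDs or tenant domain names; anything else is rejected."""
    if not is_tenant_id(home_tenant_id):
        raise ValueError(f"Restrict-Access-Context must be a tenant ID, got {home_tenant_id!r}")
    bad = [a for a in allowed if not (is_tenant_id(a) or DOMAIN.match(a))]
    if bad:
        raise ValueError(f"invalid Restrict-Access-To-Tenants entries: {bad}")
    return {"Restrict-Access-To-Tenants": ",".join(allowed),
            "Restrict-Access-Context": home_tenant_id}

def unmatched_target_tenants(signins, allowed, home_tenant_id) -> dict[str, list[str]]:
    """Map each target tenant ID seen in the sign-in log to the users who hit it,
    dropping the home tenant and any allow-list entry given as an ID. A name entry
    such as contoso.onmicrosoft.com cannot be matched against an ID from the log,
    which is exactly the mapping gap the feature request describes."""
    known = {a.lower() for a in allowed if is_tenant_id(a)} | {home_tenant_id.lower()}
    unmatched = defaultdict(list)
    for s in signins:
        target = s["resourceTenantId"].lower()
        if target not in known:
            unmatched[target].append(s["userPrincipalName"])
    return dict(unmatched)
```

Any tenant ID left in the returned dict is one the proxy allow-list cannot account for without a name-to-ID mapping, so it is the list to take to the business owner or to convert to ID-based entries.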
Thomas B commented
Hi Ben, do the logs really show the target tenant ID though?
I've found that the ID that is shown is only what is injected by the proxy (the restrict-access-context header), so for me the logs only show my own Tenant ID, which makes them useless.
MS support have stated to me that using this ID instead of TenantName.onmicrosoft.com on the proxy works in allowing access also, which would be fine, however for me the logs only show my tenant ID for both failed and successful logins.