Add an AAD Tenant Restrictions logging option to log all external tenant usage
Currently with AAD Tenant Restrictions, we can get AAD log records of blocked sign-ins by having our proxy insert the request header "Restrict-Access-Context". This is good as far as it goes (and I upvoted another user's suggestion to include the external tenant's name and not just the ID).
I'm asking that there be an additional option to log all use of external AAD tenants (both sign-ins, and the URIs of resources for which tokens are issued). The use case is analytics for risks of data leakage and malicious data exfiltration as well as for potential legal liability scenarios. If we don't know what external tenants our users are using and what they are using them for, then we are left to guess whether we need to begin enforcing tenant restrictions in the first place, and in the dark about whether our device users are accessing external tenants that don't reasonably correspond to their work.
Monitoring via AAD is increasingly needed, as we see more and more cases in which interception and inspection of outgoing data is discouraged (e.g. with Microsoft Office 365) or prevented (e.g. with certificate-pinned applications, TLS Token Binding, which Microsoft is supporting in Edge, and Public Key Pinning on web sites).
I understand the desire to protect session content from malicious Man-In-The-Middle (MITM) threats, but enterprises that are obligated to prevent data leakage need visibility into the use of external tenants so they can evaluate data loss risk, identify malicious insider threats, and make informed decisions about which tenant restrictions policies to enforce.