Have you managed to resolve this issue yet, DAVAADEMBEREL PU? Please don't hesitate to leave a message or ask any questions! I will always do my best to support you.
Header Insertion for restrict-msa (KB kA14u000000g1E2CAI) not blocking personal accounts
Hi Community,
I am a cybersecurity admin currently testing the implementation of Microsoft Personal Account (MSA) blocking using Palo Alto Networks Header Insertion, as described in KB kA14u000000g1E2CAI.
My Environment:
- Hardware: Palo Alto NGFW
- Decryption: [Insert if you have SSL Forward Proxy enabled or not]
The Problem: I have configured a URL Filtering Profile with the custom header entry for login.live.com using the header sec-Restrict-Tenant-Access-Policy and value restrict-msa. However, I can still successfully log in to personal @outlook.com accounts.
Questions for the experts:
Domain Coverage: Does Microsoft now require this header on additional domains like login.microsoftonline.com, login.microsoft.com, or login.windows.net for the restriction to take effect in 2026?
SSL Decryption: The KB article doesn't explicitly mention it, but is it correct that SSL Forward Proxy is mandatory for the firewall to insert this header into the HTTPS session?
Modern Auth: Does this method still work for "Modern Authentication" flows, or is there a newer standard (like Tenant Restrictions v2) that we should be moving toward?
I would appreciate any insights or if anyone has a working "Decryption + Header Insertion" lab export they could share!
3 answers
-
Tracy Le 3,555 Reputation points Independent Advisor
2026-03-05T04:26:02.53+00:00
-
Tracy Le 3,555 Reputation points Independent Advisor
2026-03-04T12:14:30.97+00:00
Hi DAVAADEMBEREL PU,
To permanently resolve the issue you are experiencing in your lab, here are the core details and the optimal solution:
You must turn on SSL Decryption (SSL Forward Proxy). This is the primary reason your configuration isn't working yet. The Palo Alto firewall cannot inspect or inject HTTP Headers (sec-Restrict-Tenant-Access-Policy) into an encrypted HTTPS session. You must enable SSL Forward Proxy for traffic destined for login.live.com.
About Domain coverage: For the method you are currently testing (using the restrict-msa value, which is part of Tenant Restrictions v1), you only need to apply the policy to the login.live.com domain to block personal Microsoft accounts.
While your current setup will work once SSL decryption is enabled, the best practice and Microsoft-recommended approach for "Modern Authentication" flows is Tenant Restrictions v2.
- TRv2 offers more flexible policy management through Microsoft Entra cross-tenant access policies in the cloud, rather than relying solely on the proxy.
- To use TRv2, you will inject the header using a new format (<DirectoryID>:<policyGUID>) and it must be applied across all four domains: login.live.com, login.microsoftonline.com, login.microsoft.com, and login.windows.net.
Go into your Palo Alto NGFW configuration and enable SSL Decryption for the login.live.com destination. Once applied, try logging in with an @outlook.com account again—the system should successfully block it.
I hope this information is helpful. If this answer clarifies your issue, please click "Accept answer" so that other community members facing similar issues can find the solution.
Best regards,
Tracy Le.
-
Q&A Assist 2026-03-04T06:53:15.2866667+00:00 AI generated content. This question contains an answer created with AI from Q&A Assist.
Domain coverage:
- For the legacy MSA-blocking method (tenant restrictions v1), only login.live.com is used for consumer Microsoft accounts. The restrict-msa value on the sec-Restrict-Tenant-Access-Policy header is specifically documented as being injected only for traffic to login.live.com.
- The other sign-in domains (login.microsoftonline.com, login.microsoft.com, login.windows.net) are used for Microsoft Entra ID (work/school) authentication and for tenant restrictions (v1 and v2) on organizational tenants, not for the MSA-only restrict-msa signal.
- In tenant restrictions v2, the same header name (sec-Restrict-Tenant-Access-Policy) is reused with a different value format (<TenantId>:<policyGuid>) and must be sent to all four sign-in domains (including login.live.com). When moving to v2, the restrict-msa value must be removed to avoid conflicts.
SSL decryption requirement:
- The proxy/firewall must be able to perform TLS interception and HTTP header insertion to enforce tenant restrictions. This is explicitly listed as a prerequisite for tenant restrictions on a corporate proxy.
- Practically, this means SSL Forward Proxy (or equivalent TLS break-and-inspect) is required on the Palo Alto NGFW for HTTPS traffic to login.live.com (and the other sign-in endpoints when using v2). Without decryption, the firewall cannot see or modify HTTP headers inside the TLS session, so the sec-Restrict-Tenant-Access-Policy header will not be inserted and MSA blocking will not work.
Modern auth and tenant restrictions v2:
- The original restrict-msa header is part of tenant restrictions v1 and still blocks consumer applications when correctly injected to login.live.com. It is described as a deny signal to the Microsoft account platform for consumer apps.
- Tenant restrictions v2 moves configuration from the proxy into Microsoft Entra cross-tenant access policies and uses the same header name with a new value format (<DirectoryID>:<policyGUID>). The proxy simply tags traffic; the actual allow/deny logic is enforced in the cloud policy.
- When migrating from v1 to v2:
  - Remove the v1 headers from the proxy, including sec-Restrict-Tenant-Access-Policy: restrict-msa.
  - Configure partner tenant policies (including for the Microsoft account tenant) in Entra.
  - Re-enable header insertion with the v2 value (<DirectoryID>:<policyGUID>) and send it to login.live.com, login.microsoft.com, login.microsoftonline.com, and login.windows.net.
- Tenant restrictions v2 is the current model and is designed to work with modern authentication flows, including both authentication-plane protection via the proxy and optional data-plane protection via client-side signaling on Windows-managed devices.
Why personal accounts may still be working in the lab:
- SSL Forward Proxy/TLS interception is not enabled or not applied to login.live.com, so the header is never actually inserted.
- The header name or value is misconfigured (must be exactly sec-Restrict-Tenant-Access-Policy: restrict-msa for v1 MSA blocking).
- There is a coexistence/migration scenario where tenant restrictions v2 has been enabled and the proxy is still sending restrict-msa, which is explicitly called out as a conflict that must be removed.
For a forward-looking design and modern auth support, tenant restrictions v2 with proxy header tagging (sec-Restrict-Tenant-Access-Policy: <TenantId>:<policyGuid>) and Entra cross-tenant access policies should be preferred over the legacy restrict-msa approach.
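The header rules that both answers above spell out (v1: restrict-msa on login.live.com only; v2: <TenantId>:<policyGuid> on all four sign-in hosts; a leftover restrict-msa conflicting once v2 is on) can be checked mechanically against a decrypted request, for example one pulled from a post-decryption packet capture on the firewall. The Python below is an added example written for this thread; it is not code from the thread, from Microsoft, or from Palo Alto Networks. It assumes both parts of a v2 value are UUIDs, the tenant ID and policy GUID are placeholders, and the sample requests are constructed.

```python
"""Added example for this thread (not code from the thread, Microsoft or
Palo Alto Networks): model the header-insertion rules the answers describe
and check a decrypted HTTP request against them.

Assumptions (mine): a v2 value is "<tenantId>:<policyGuid>" with both parts
as UUIDs; the four sign-in hosts are the ones named in the answers; the
tenant/policy GUIDs and sample requests below are constructed placeholders.
"""
import re
from typing import Dict, List, Tuple

HEADER = "sec-Restrict-Tenant-Access-Policy"
MSA_HOST = "login.live.com"
V2_HOSTS = {"login.live.com", "login.microsoftonline.com",
            "login.microsoft.com", "login.windows.net"}
UUID_RE = re.compile(
    r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I)


def expected_headers(host: str, mode: str,
                     tenant_id: str = "", policy_guid: str = "") -> Dict[str, str]:
    """Header(s) the proxy must insert into a request for `host`.

    mode "v1": the restrict-msa deny signal, on login.live.com only.
    mode "v2": the <tenantId>:<policyGuid> tag, on all four sign-in hosts.
    Any other host gets nothing in either mode.
    """
    host = host.lower().rstrip(".")
    if mode == "v1":
        return {HEADER: "restrict-msa"} if host == MSA_HOST else {}
    if mode == "v2":
        if not (UUID_RE.match(tenant_id) and UUID_RE.match(policy_guid)):
            raise ValueError("v2 needs a tenant ID and a policy GUID, both UUIDs")
        return {HEADER: f"{tenant_id}:{policy_guid}"} if host in V2_HOSTS else {}
    raise ValueError(f"unknown mode {mode!r}")


def parse_request(raw: bytes) -> Tuple[str, Dict[str, str]]:
    """Return (host, headers) from a decrypted HTTP/1.1 request head.
    Header names are case-insensitive, so they are folded to lower case."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    headers: Dict[str, str] = {}
    for line in head.split("\r\n")[1:]:        # skip the request line
        name, _, value = line.partition(":")
        if name:
            headers[name.strip().lower()] = value.strip()
    return headers.get("host", ""), headers


def check_request(raw: bytes, mode: str,
                  tenant_id: str = "", policy_guid: str = "") -> List[str]:
    """Findings explaining why this request would not enforce the policy.
    An empty list means the request carries exactly what `mode` requires."""
    host, headers = parse_request(raw)
    seen = headers.get(HEADER.lower())
    want = expected_headers(host, mode, tenant_id, policy_guid).get(HEADER)
    findings: List[str] = []
    if mode == "v2" and seen == "restrict-msa":
        findings.append(f"{host}: stale v1 restrict-msa value conflicts with v2; remove it")
    elif want and seen is None:
        findings.append(f"{host}: header missing; decryption or the insertion rule is not applied")
    elif want and seen != want:
        findings.append(f"{host}: header value {seen!r}, expected {want!r}")
    if mode == "v1" and host != MSA_HOST and seen == "restrict-msa":
        findings.append(f"{host}: restrict-msa only has effect on {MSA_HOST}")
    return findings


# Constructed sample requests as they would look after SSL Forward Proxy
# decryption, i.e. what the firewall forwards toward Microsoft.
REQ_NO_HEADER = (b"GET /login.srf HTTP/1.1\r\nHost: login.live.com\r\n"
                 b"User-Agent: lab-client\r\n\r\n")
REQ_V1_OK = (b"GET /login.srf HTTP/1.1\r\nHost: login.live.com\r\n"
             b"sec-Restrict-Tenant-Access-Policy: restrict-msa\r\n\r\n")
REQ_STALE_V1_UNDER_V2 = (b"GET /common/oauth2/v2.0/authorize HTTP/1.1\r\n"
                         b"Host: login.microsoftonline.com\r\n"
                         b"sec-Restrict-Tenant-Access-Policy: restrict-msa\r\n\r\n")

TENANT_ID = "aaaaaaaa-1111-2222-3333-bbbbbbbbbbbb"    # placeholder, not a real tenant
POLICY_GUID = "cccccccc-4444-5555-6666-dddddddddddd"  # placeholder, not a real policy

if __name__ == "__main__":
    for label, raw, mode in [("no header under v1", REQ_NO_HEADER, "v1"),
                             ("correct v1", REQ_V1_OK, "v1"),
                             ("stale v1 under v2", REQ_STALE_V1_UNDER_V2, "v2")]:
        print(label, "->", check_request(raw, mode, TENANT_ID, POLICY_GUID) or ["ok"])
```

Feed `check_request` the request bytes from a capture taken on the firewall after decryption, not from the client machine: the firewall adds the header on the server-facing side of the decrypted session, so a client-side capture will never show it even when insertion is working.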