Policy overview

Key metadata and intent for this policy.

Class: Computer
Category: Windows Components > Tenant Restrictions
Supported on: At least Windows 10 Version 1909

Supported OS tags: Windows10, Windows10RT

This setting enables and configures the device-based tenant restrictions feature for Azure Active Directory. When you enable this setting, compliant applications will be prevented from accessing disallowed tenants, according to a policy set in your Azure AD tenant.

Note: Creation of a policy in your home tenant is required, and additional security measures for managed devices are recommended for best protection. Refer to Azure AD Tenant Restrictions for more details: https://go.microsoft.com/fwlink/?linkid=2148762

Before enabling firewall protection, ensure that an App Control for Business policy that correctly tags applications has been applied to the target devices. Enabling firewall protection without a corresponding App Control for Business policy will prevent all applications from reaching Microsoft endpoints. This firewall setting is not supported on all versions of Windows - see the following link for more information.

For details about setting up WDAC with tenant restrictions, see https://go.microsoft.com/fwlink/?linkid=2155230

Internal name: trv2_payload
Policy ID: 602ce7dc9b8f
Elements: 7

Registry values

How enabled and disabled states update the registry.

No explicit registry values are set for enabled or disabled states.

Policy elements

Inputs and configuration options exposed by this policy.

| Element | Type | Registry mapping | Constraints & behavior |
| --- | --- | --- | --- |
| Cloud ID (optional) (ID: PayloadCloudId) | text | HKLM\SOFTWARE\Policies\Microsoft\Windows\TenantRestrictions\Payload\cloudid (Type: REG_SZ) | None |
| Azure AD Directory ID (ID: PayloadTenantId) | text | HKLM\SOFTWARE\Policies\Microsoft\Windows\TenantRestrictions\Payload\tenantid (Type: REG_SZ) | None |
| Policy GUID (ID: PayloadPolicyId) | text | HKLM\SOFTWARE\Policies\Microsoft\Windows\TenantRestrictions\Payload\policyid (Type: REG_SZ) | None |
| Hostnames (optional) (ID: PayloadHostnamesId) | list | HKLM\SOFTWARE\Policies\Microsoft\Windows\TenantRestrictions\Payload\hostnames (Type: REG_MULTI_SZ) | None |
| Subdomain Supported Hostnames (optional) (ID: PayloadSubdomainSupportedHostnamesId) | list | HKLM\SOFTWARE\Policies\Microsoft\Windows\TenantRestrictions\Payload\subdomainSupportedHostnames (Type: REG_MULTI_SZ) | None |
| IP Ranges (optional) (ID: PayloadIpRangesId) | list | HKLM\SOFTWARE\Policies\Microsoft\Windows\TenantRestrictions\Payload\ipRanges (Type: REG_MULTI_SZ) | None |
| Enable firewall protection of Microsoft endpoints (ID: EnforceFirewall) | boolean | HKLM\SOFTWARE\Policies\Microsoft\Windows\TenantRestrictions\Payload\enforceFirewall (Type: REG_DWORD) | Options: true (1), false (). True: Set value = 1 · False: None |