Azure Firewall
An Azure network security service that is used to protect Azure Virtual Network resources.
Unable to insert HTTP header via an application rule configure in Azure Firewall policy
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(160, 17%, 25%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EBD%3C/text%3E%3C/svg%3E)
Beatrice DUPAS
0
Reputation points
Following this link, it's possible to insert a header: https://learn.microsoft.com/en-us/rest/api/firewall/firewall-policy-rule-collection-groups/create-or-update?view=rest-firewall-2025-05-01&tabs=HTTP
Unfortunately, it does not work in my environment (Firewall with Sku Premium) TLS enabled in Policy (child policy) with certificate configured in a Key vault, I configured the rule :
{
"rules": [
{
"ruleType": "ApplicationRule",
"name": "tenant-restriction-application",
"description": "Insert trusted tenants header",
"protocols": [
{
"protocolType": "Https",
"port": 443
},
{
"protocolType": "Http",
"port": 80
}
],
"fqdnTags": [],
"webCategories": [],
"targetFqdns": [
"login.microsoft.com",
"login.microsoftonline.com",
"login.windows.net"
],
"targetUrls": [],
"terminateTLS": true,
"sourceAddresses": [
"10.0.10.0/24"
],
"destinationAddresses": [],
"sourceIpGroups": [],
"httpHeadersToInsert": [
{
"headerName": "Restrict-Access-To-Tenants",
"headerValue": “mytenant.onmicrosoft.com"
}
]
}
]
}
What is the issue ?
Azure Firewall
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(83.2, 52%, 18%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EVS%3C/text%3E%3C/svg%3E)
Venkatesan S 6,350 Reputation points Microsoft External Staff Moderator2026-03-17T17:44:09.34+00:00 Hi Beatrice DUPAS,
Thanks for reaching out in Microsoft Q&A forum,
Azure Firewall Premium header insertion doesn't work reliably for tenant restrictions on Microsoft Entra ID endpoints like
login.microsoftonline.com. These services ignore proxy-inserted headers likeRestrict-Access-To-Tenantsbecause they prioritize authentication flows (redirects, tokens, cookies) over firewall modifications.First fix the JSON syntax your smart quotes
("headerValue": “mytenant.onmicrosoft.com")break parsing. Use straight double quotes:"headerValue": "mytenant.onmicrosoft.com". Even with perfect config, Premium SKU, TLS inspection, andterminateTLS: true, Microsoft login endpoints bypass this mechanism.Official Microsoft Recommendations:
Tenant Restrictions v1 (Server-side headers)
Configure via Entra ID > Enterprise applications > Tenant restrictions:
Restrict-Access-To-Tenants: mytenant.onmicrosoft.com Restrict-Access-Context: [your-tenant-guid]Designed for proxies Microsoft recognizes, not Azure Firewall.
Tenant Restrictions v2 (Modern approach)
Entra admin center → Cross-tenant access settings → Block all external tenants, allow specific partners. Client-side enforcement via Conditional Access.
Test & Verify
- Fix quotes > Redeploy rule collection
- Validate header insertion > Test against
httpbin.org/headers - Check logs >
AzureFirewallApplicationRuletable confirms rule hits
Accept limitation → Microsoft endpoints require native tenant restrictions
Official docs:
Kindly let us know if the above helps or you need further assistance on this issue.
Please “up-vote” if the information helped you. This will help us and others in the community as well.
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(153.6, 51%, 24%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAN%3C/text%3E%3C/svg%3E)
Aditya N 2,455 Reputation points Microsoft External Staff Moderator2026-03-20T17:23:51.9633333+00:00 Hello @Beatrice DUPAS
Please could you let us know if you had a chance to look into the information provided. Please feel free to reach out to us in case of any queries.
-
Beatrice DUPAS 0 Reputation points
2026-03-23T23:22:03.68+00:00 Thank you for your help.
BTW, Header insertion still not work.. I did the test using httpbin.org/headers (for HTTP & HTTPS) without success.
We really need a solution to apply Tenant Restriction. Any chance with explicit proxy feature ? (still in public preview ..)
-
Aditya N 2,455 Reputation points Microsoft External Staff Moderator
2026-03-27T03:58:30.76+00:00 Hello @Beatrice DUPAS
Have you tried inserting these. Please let us know if you're facing any error message.
httpHeadersToInsert": [
{
"headerName": "Restrict-Access-To-Tenants",
"headerValue": "mytenant.onmicrosoft.com"
},
{
"headerName": "Restrict-Access-Context",
"headerValue": "<YOUR_TENANT_ID_GUID>"
}
]
-
Aditya N 2,455 Reputation points Microsoft External Staff Moderator
2026-03-30T17:10:12.5766667+00:00 Hello @Beatrice DUPAS
Please could you let us know if the information provided was helpful. Please comment if you have any queries.
-
Beatrice DUPAS 0 Reputation points
2026-04-03T21:16:06.1266667+00:00 Hello, Unfortunately, not .. It seems that Header injection for Tenant Restriction is still under development ..
Thank you for your help.
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(144, 36%, 23%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESH%3C/text%3E%3C/svg%3E)
Shree Hima Bindu Maganti 6,880 Reputation points Microsoft External Staff Moderator2026-04-06T12:33:32.3933333+00:00 Hi @Beatrice DUPAS
Apology for your inconvenience
Thank you for the update. If header insertion is not working even when testing againsthttpbin.org/headersfor both HTTP and HTTPS, it indicates that the issue is not specific to Microsoft Entra ID endpoints but rather a current limitation or instability in the header injection capability of Azure Firewall Premium itself. As of now, the explicit proxy feature (currently in public preview) does not provide a reliable or supported method to enforce Tenant Restrictions using header insertion either, and Microsoft has not confirmed this as a valid approach for production use. Azure Firewall is not considered a trusted forward proxy for enforcing Tenant Restrictions, which is why these headers may not be injected or honored correctly.The recommended and supported solution is to use Microsoft Entra ID Tenant Restrictions v2, which does not rely on network-level header injection but instead uses identity-based controls through cross-tenant access settings and Conditional Access policies.
https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/tenant-restrictions
https://learn.microsoft.com/en-us/entra/external-id/tenant-restrictions-v2
Let me know if you have any further assistance needed.
Sign in to comment
Sign in to answer