Supported Applications for Tenant-Based Policy Enforcement
A reference of all applications that support tenant-based policy enforcement in Prisma Browser, including their available tenant identifiers.
| Where Can I Use This? | What Do I Need? |
| Strata Cloud Manager; Prisma Browser standalone | Prisma Access with Prisma Browser bundle license or Prisma Browser standalone license; Superuser or Prisma Browser role |
Tenant-Based Policy Enforcement enables you to apply granular, instance-level
security policies to supported multi-tenant applications. Instead of applying a uniform
policy to an entire application, you can target specific tenants within an application —
for example, allowing full capabilities in a corporate Google Workspace tenant while
enforcing read-only access in a personal account.
- All Tenants - The rule applies to all instances of the
application (default).
- Specific Tenant - The rule applies only to sessions matching
the configured tenant identifier.
Each supported application uses one or more identifier types to distinguish between
tenants.
Supported Applications and Identifiers
The following table lists all applications that support tenant-based policy
enforcement and their available identifier types.
| Application | Identifier Type | Description | Example |
| Google Workspace | Domain | The user's Google Workspace domain | acme.com |
| Microsoft 365 | Domain | The user's Microsoft 365 tenant domain | contoso.com |
| Microsoft 365 | Resource Host | The SharePoint or OneDrive host where content is hosted | partner-org (from partner-org.sharepoint.com) |
| AWS | Account ID | The 12-digit AWS account identifier | 123456789012 |
| AWS | Region | The AWS region where the session operates | us-east-1 |
| Slack | Workspace Name | The name of the Slack workspace | acme-workspace |
| OpenAI (ChatGPT) | Domain | The user's email domain associated with the ChatGPT account | acme.com |
| OpenAI (ChatGPT) | Account ID | The ChatGPT organization or workspace identifier | org-abc123 |
| GitHub | Account ID | The GitHub organization or account identifier | my-org-id |
Google Workspace
You can target Google Workspace tenants by domain. The domain corresponds to the
Google Workspace organization's primary or secondary domain.
- Identifier - Domain
- Validation - Must be a valid domain format (e.g.,
company.com, sub.company.com)
- Scope - Applies to all Google Workspace applications (Gmail, Drive, Docs,
Calendar)
Microsoft 365
You can target Microsoft 365 tenants using two identifier types. These identifiers
can be combined using AND logic for precise, multi-dimensional enforcement.
- Domain - The user's Microsoft 365 tenant domain. Distinguishes between corporate, personal, and partner tenants based on user identity.
  - Validation: Must be a valid domain format
  - Scope: Applies to all Microsoft 365 applications
- Resource Host - The SharePoint or OneDrive host where content resides. Distinguishes between internally-hosted and externally-hosted content.
  - Scope: Applies to OneDrive and SharePoint only; all other Microsoft 365 applications continue to be scoped by domain
  - Automatic extraction: Prisma Browser automatically identifies the resource host from SharePoint and OneDrive URLs
When both Domain and Resource Host are configured, both
conditions must match (AND logic). This enables policies such as "allow full access
when a corporate user accesses internally-hosted SharePoint content" while
restricting access to externally-hosted partner content.
AWS
You can target AWS tenants using Account ID, Region, or both.
- Account ID - The 12-digit AWS account identifier.
  - Validation: Must be exactly 12 digits, containing only numbers (0–9)
- Region - The AWS region where the session operates.
  - Selection: Choose from the list of all available AWS regions (e.g., us-east-1, eu-west-2, ap-southeast-1)
When both Account ID and Region are configured, both
conditions must match (AND logic).
Slack
You can target Slack tenants by workspace name.
- Identifier - Workspace Name
- Scope - Applies to the specified Slack workspace
OpenAI (ChatGPT)
You can target ChatGPT tenants using Domain, Account ID, or both.
- Domain - The user's email domain associated with the ChatGPT account. Distinguishes between corporate and personal accounts.
  - Validation: Must be a valid domain format
- Account ID - The ChatGPT organization or workspace identifier. Targets specific ChatGPT enterprise environments.
When both Domain and Account ID are configured,
both conditions must match (AND logic).
GitHub
You can target GitHub tenants by account ID.
- Identifier - Account ID
- Description - The GitHub organization or enterprise account
identifier
- Scope - Applies to all GitHub activity within the specified account
Configuration Notes
- Migration behavior - Existing policies for supported applications
automatically default to "All Tenants." No disruption to current security
posture occurs during upgrade.
- Tenant configuration availability - The tenant scope control appears in
the rule wizard only when a supported application is selected in the rule's
application scope.
- Pre-login behavior - Access to login pages matches the Specific Tenant
rule even before the tenant identity is known, allowing users to reach the
sign-in screen. Data controls apply only after tenant identification is
confirmed.
- Draft Mode - Modifying the tenant scope of an active policy moves the
rule into Draft state. Changes do not take effect until the policy is
published.
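
The identifier validation rules and the AND matching described in the per-application sections above, modeled as an added Python example for checking planned tenant identifiers before entering them in a rule; this is not Prisma Browser code or its API. The function names, dictionary keys, the case-insensitive comparison and the leftmost-label extraction for sharepoint.com hosts are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# Added illustration of the rules stated on this page; not Prisma Browser code.
# re.A keeps re.I from accepting non-ASCII look-alike letters in a domain.
DOMAIN_RE = re.compile(
    r"(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}", re.I | re.A)
# [0-9] rather than \d: \d also accepts non-ASCII digits, the page says 0-9 only.
AWS_ACCOUNT_RE = re.compile(r"[0-9]{12}")

# Identifier types per application, taken from the table above.
SUPPORTED = {
    "Google Workspace": {"domain"},
    "Microsoft 365": {"domain", "resource_host"},
    "AWS": {"account_id", "region"},
    "Slack": {"workspace_name"},
    "OpenAI (ChatGPT)": {"domain", "account_id"},
    "GitHub": {"account_id"},
}

def validate(app, identifiers):
    """Return a list of problems with a planned Specific Tenant configuration."""
    problems = []
    for kind, value in identifiers.items():
        if kind not in SUPPORTED.get(app, set()):
            problems.append(f"{app} does not support identifier type {kind!r}")
        elif kind == "domain" and not DOMAIN_RE.fullmatch(value):
            problems.append(f"{value!r} is not a valid domain format")
        elif app == "AWS" and kind == "account_id" and not AWS_ACCOUNT_RE.fullmatch(value):
            problems.append(f"{value!r} is not exactly 12 digits (0-9)")
    return problems

def resource_host(url):
    """Leftmost label of a *.sharepoint.com host (assumed extraction rule)."""
    host = (urlsplit(url).hostname or "").lower()
    return host.split(".")[0] if host.endswith(".sharepoint.com") else None

def rule_matches(identifiers, session):
    """No identifiers = All Tenants; otherwise every configured one must match (AND)."""
    return all((session.get(k) or "").lower() == v.lower() for k, v in identifiers.items())

if __name__ == "__main__":
    # Constructed sample session: corporate user opening partner-hosted SharePoint content.
    url = "https://partner-org.sharepoint.com/sites/shared"
    session = {"domain": "contoso.com", "resource_host": resource_host(url)}
    internal_rule = {"domain": "contoso.com", "resource_host": "contoso"}
    print(validate("Microsoft 365", internal_rule), rule_matches(internal_rule, session))
```
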