Supported Applications for Tenant-Based Policy Enforcement

A reference of all applications that support tenant-based policy enforcement in Prisma Browser, including their available tenant identifiers.
Where Can I Use This?
  • Strata Cloud Manager
  • Prisma Browser standalone
What Do I Need?
  • Prisma Access with Prisma Browser bundle license or Prisma Browser standalone license
  • Superuser or Prisma Browser role
Tenant-Based Policy Enforcement enables you to apply granular, instance-level security policies to supported multi-tenant applications. Instead of applying a uniform policy to an entire application, you can target specific tenants within an application — for example, allowing full capabilities in a corporate Google Workspace tenant while enforcing read-only access in a personal account.
When configuring an Access & Data Control rule for a supported application, the rule wizard displays a tenant scope control with two options:
  • All Tenants - The rule applies to all instances of the application (default).
  • Specific Tenant - The rule applies only to sessions matching the configured tenant identifier.
Each supported application uses one or more identifier types to distinguish between tenants.

Supported Applications and Identifiers

The following table lists all applications that support tenant-based policy enforcement and their available identifier types.
| Application | Identifier Type | Description | Example |
|---|---|---|---|
| Google Workspace | Domain | The user's Google Workspace domain | acme.com |
| Microsoft 365 | Domain | The user's Microsoft 365 tenant domain | contoso.com |
| Microsoft 365 | Resource Host | The SharePoint or OneDrive host where content is hosted | partner-org (from partner-org.sharepoint.com) |
| AWS | Account ID | The 12-digit AWS account identifier | 123456789012 |
| AWS | Region | The AWS region where the session operates | us-east-1 |
| Slack | Workspace Name | The name of the Slack workspace | acme-workspace |
| OpenAI (ChatGPT) | Domain | The user's email domain associated with the ChatGPT account | acme.com |
| OpenAI (ChatGPT) | Account ID | The ChatGPT organization or workspace identifier | org-abc123 |
| GitHub | Account ID | The GitHub organization or account identifier | my-org-id |

Google Workspace

You can target Google Workspace tenants by domain. The domain corresponds to the Google Workspace organization's primary or secondary domain.
  • Identifier - Domain
  • Validation - Must be a valid domain format (e.g., company.com, sub.company.com)
  • Scope - Applies to all Google Workspace applications (Gmail, Drive, Docs, Calendar)

Microsoft 365

You can target Microsoft 365 tenants using two identifier types. These identifiers can be combined using AND logic for precise, multi-dimensional enforcement.
  • Domain - The user's Microsoft 365 tenant domain. Distinguishes between corporate, personal, and partner tenants based on user identity.
    • Validation: Must be a valid domain format
    • Scope: Applies to all Microsoft 365 applications
  • Resource Host - The SharePoint or OneDrive host where content resides. Distinguishes between internally-hosted and externally-hosted content.
    • Scope: Applies to OneDrive and SharePoint only; all other Microsoft 365 applications continue to be scoped by domain
    • Automatic extraction: Prisma Browser automatically identifies the resource host from SharePoint and OneDrive URLs
When both Domain and Resource Host are configured, both conditions must match (AND logic). This enables policies such as "allow full access when a corporate user accesses internally-hosted SharePoint content" while restricting access to externally-hosted partner content.

AWS

You can target AWS tenants using Account ID, Region, or both.
  • Account ID - The 12-digit AWS account identifier.
    • Validation: Must be exactly 12 digits, containing only numbers (0–9)
  • Region - The AWS region where the session operates.
    • Selection: Choose from the list of all available AWS regions (e.g., us-east-1, eu-west-2, ap-southeast-1)
When both Account ID and Region are configured, both conditions must match (AND logic).

Slack

You can target Slack tenants by workspace name.
  • Identifier - Workspace Name
  • Scope - Applies to the specified Slack workspace

OpenAI (ChatGPT)

You can target ChatGPT tenants using Domain, Account ID, or both.
  • Domain - The user's email domain associated with the ChatGPT account. Distinguishes between corporate and personal accounts.
    • Validation: Must be a valid domain format
  • Account ID - The ChatGPT organization or workspace identifier. Targets specific ChatGPT enterprise environments.
When both Domain and Account ID are configured, both conditions must match (AND logic).

GitHub

You can target GitHub tenants by account ID.
  • Identifier - Account ID
  • Description - The GitHub organization or enterprise account identifier
  • Scope - Applies to all GitHub activity within the specified account
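
The identifier rules and AND logic from the per-application sections above, as an added example (not Prisma Browser code): a pre-check for planned Specific Tenant rules before they are entered in the rule wizard. The dictionary keys, the domain regex, the resource-host parsing and the sample contoso values are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# Added illustration, not Prisma Browser code. Key names and the domain regex are assumptions.
DOMAIN_RE = re.compile(r"(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}")
AWS_ACCOUNT_RE = re.compile(r"[0-9]{12}")  # exactly 12 ASCII digits when used with fullmatch

# Identifier types available per application, taken from the table on this page.
ALLOWED = {
    "Google Workspace": {"domain"},
    "Microsoft 365": {"domain", "resource_host"},
    "AWS": {"account_id", "region"},
    "Slack": {"workspace_name"},
    "OpenAI (ChatGPT)": {"domain", "account_id"},
    "GitHub": {"account_id"},
}

def validate_rule(app, identifiers):
    """Return a list of problems found in a planned Specific Tenant rule."""
    if app not in ALLOWED:
        return [f"{app}: not a supported application"]
    problems = []
    for key, value in identifiers.items():
        if key not in ALLOWED[app]:
            problems.append(f"{app}: identifier type {key!r} is not available")
        elif key == "domain" and not DOMAIN_RE.fullmatch(value.lower()):
            problems.append(f"{app}: {value!r} is not a valid domain format")
        elif app == "AWS" and key == "account_id" and not AWS_ACCOUNT_RE.fullmatch(value):
            problems.append(f"AWS: account ID {value!r} must be exactly 12 digits")
    return problems

def resource_host(url):
    """Host prefix of a *.sharepoint.com URL, following the table's partner-org example."""
    host = (urlsplit(url).hostname or "").lower()
    suffix = ".sharepoint.com"
    return host[: -len(suffix)] if host.endswith(suffix) else None

def matches(identifiers, session):
    """AND logic: every configured identifier must equal the session's value."""
    return all((session.get(k) or "").lower() == v.lower() for k, v in identifiers.items())

# Constructed sample: one corporate user, internally hosted vs partner-hosted content.
RULE = {"domain": "contoso.com", "resource_host": "contoso"}
INTERNAL = {"domain": "contoso.com", "resource_host": resource_host("https://contoso.sharepoint.com/sites/hr")}
PARTNER = {"domain": "contoso.com", "resource_host": resource_host("https://partner-org.sharepoint.com/sites/x")}
```

With these samples the rule matches `INTERNAL` but not `PARTNER`, because the Domain condition alone does not satisfy a rule that also configures Resource Host.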

Configuration Notes

  • Migration behavior - Existing policies for supported applications automatically default to "All Tenants." No disruption to current security posture occurs during upgrade.
  • Tenant configuration availability - The tenant scope control appears in the rule wizard only when a supported application is selected in the rule's application scope.
  • Pre-login behavior - Access to login pages matches the Specific Tenant rule even before the tenant identity is known, allowing users to reach the sign-in screen. Data controls apply only after tenant identification is confirmed.
  • Draft Mode - Modifying the tenant scope of an active policy moves the rule into Draft state. Changes do not take effect until the policy is published.

Platform Support

| Prisma Browser Desktop | Prisma Browser Extension | Prisma Browser for Mobile |
|---|---|---|
| Full support | Full support | No support |
Tenant-Based Policy Enforcement is not enforced within native mobile applications (iOS or Android).