Set up a custom header
In SIA, you can configure custom headers to control access to your enterprise SaaS applications. For example, you can use custom headers to restrict user access to only your organization's application account.
You configure custom headers in a policy configuration. As part of this configuration, you provide the domain of the application or the website that users access. You then enter the header name and value. The header name is inserted into the request and used to control access. The header name is usually defined by the provider of the application, while the header value is specific to your enterprise. For example, the header value may be an ID associated with your organization's application account.
To use this feature, your organization needs to be licensed for SIA Advanced Threat and configure SIA Proxy as a full web proxy.
After custom headers are used to grant user access to an application, you can use other SIA features to scan content that is downloaded or uploaded. These features include:
- Data loss prevention. You can use DLP to scan uploaded files. For more information about DLP, see Data loss prevention.
- Inline payload analysis. You can use inline payload analysis to scan downloaded content with SIA Proxy. For more information about inline payload analysis, see Inline payload analysis.
You can add a maximum of 1,000 headers.
Add a custom header
You can use custom headers to control access to your SaaS application and limit access to only the corporate account of the application.
To add a custom header to a policy:
1. In the Threat Protection menu of Enterprise Center, select Policies > Policies.
2. To edit a policy, click the name of the policy that you want to edit.
   If you are creating a policy, see Create a policy.
3. Click the Custom Header tab, and click the plus sign icon.
4. In the Domains field, enter the domain or domains that users request to access the application.
5. In the Header Name field, enter the header that's inserted into the request.
6. In the Header Value field, enter the header value.
7. Click Save. If you want to save and deploy the policy, click Save and Deploy.
Next steps
If you haven’t deployed the policy, make sure you deploy it to the SIA network. For instructions, see Deploy configuration changes.
Headers for common SaaS applications
This table lists domains and headers for some common applications. For instructions on configuring custom headers for any of these applications, see the provided link:
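Application | Domains | Header | Header Configuration Steps |
---|---|---|---|
Dropbox | dropbox.com | X-Dropbox-allowed-Team-Ids | See Set up a custom header for Dropbox |
Google G Suite | drive.google.com, google.com, googleusercontent.com, gstatic.com | X-GooGApps-Allowed-Domains | See Set up a custom header for Google G Suite |
Microsoft 365 | login.microsoftonline.com, login.microsoft.com, login.windows.net | Restrict-Access-To-Tenants, Restrict-Access-Context | See Set up custom headers for Microsoft 365 |
YouTube | www.youtube.com, m.youtube.com, youtubei.googleapis.com, youtube.googleapis.com, www.youtube-nocookie.com | YouTube-Restrict | See Set up custom headers for YouTube |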
Set up a custom header for Dropbox
Before you begin
Make sure Network Control is enabled in the Dropbox Admin Console. For instructions, see Network Control in the Dropbox help. Take note of the Team ID that is associated with your organization's account.
To set up a custom header for Dropbox, your organization needs to be on a Dropbox Enterprise plan and have access to the Network Control feature in the Dropbox Admin Console. Network Control allows an administrator to identify the user accounts that can access Dropbox in the corporate network.
To create a custom header that blocks users from accessing personal Dropbox accounts:
1. In the Threat Protection menu of Enterprise Center, select Policies > Policies.
2. To edit a policy, click the name of the policy that you want to edit.
   If you are creating a policy, see Create a policy.
3. Click the Custom Header tab, and click the plus sign icon.
4. In the domain field, enter dropbox.com.
5. In the Header Name field, enter X-Dropbox-allowed-Team-Ids.
6. In the Header Value field, enter the team ID that is associated with your organization's Dropbox account.
7. Click Save. If you want to save and deploy the policy, click Save and Deploy.
Next steps
If you haven’t deployed the policy, make sure you deploy it to the SIA network. For instructions, see Deploy configuration changes.
Set up a custom header for Google G Suite
Before you begin
In the Google Admin Console, make sure you block access to personal accounts and allow access to your corporate G Suite account. For instructions, see Block access to consumer accounts in the Google Admin Help.
This procedure describes how to create a custom header in SIA and block users from accessing personal accounts to G Suite applications such as Gmail, Google Drive, Google Docs, Google Calendar, and more.
To create a custom header that blocks users from accessing personal accounts to G Suite applications:
1. In the Threat Protection menu of Enterprise Center, select Policies > Policies.
2. To edit a policy, click the name of the policy that you want to edit.
   If you are creating a policy, see Create a policy.
3. Click the Custom Header tab, and click the plus sign icon.
4. In the domain field, enter:
   - drive.google.com
   - google.com
   - googleusercontent.com
   - gstatic.com
5. In the Header Name field, enter X-GooGApps-Allowed-Domains.
6. In the Header Value field, enter the domains for your organization that you want to allow.
   This would be the domains and subdomains that your organization registered with Google.
7. Click Save. If you want to save and deploy the policy, click Save and Deploy.
Next steps
If you haven’t deployed the policy, make sure you deploy it to the SIA network. For instructions, see Deploy configuration changes.
Set up custom headers for Microsoft 365
Before you begin
You can use a tenant restriction in Azure AD to control application access based on the Azure AD tenant that's used for single sign-on (SSO). For more information on tenant restrictions, see Use tenant restrictions to manage access to SaaS cloud applications in the Microsoft Azure documentation.
This procedure describes how to create a custom header in SIA and block users from accessing personal accounts to Microsoft 365 apps.
To create a custom header that blocks users from accessing personal accounts to Microsoft 365 apps:
1. In the Threat Protection menu of Enterprise Center, select Policies > Policies.
2. To edit a policy, click the name of the policy that you want to edit.
   If you are creating a policy, see Create a policy.
3. Click the Custom Header tab, and click the plus sign icon.
4. In the domain field, enter:
   - login.microsoftonline.com
   - login.microsoft.com
   - login.windows.net
5. In the Header Name field, enter Restrict-Access-To-Tenants.
6. In the Header Value field, enter the domains that are registered with your tenant. This would be the domains that are specific to your organization's account.
7. Click the plus sign icon to add another header.
8. Repeat step 4.
9. In the Header Name field, enter Restrict-Access-Context.
10. In the Header Value field, enter the directory ID that is associated with your organization's AD.
    You can find this ID in the Azure Active Directory portal. Log in as an administrator and from the navigation menu, select Azure Active Directory and then click Properties.
11. Click Save. If you want to save and deploy the policy, click Save and Deploy.
Next steps
If you haven’t deployed the policy, make sure you deploy it to the SIA network. For instructions, see Deploy configuration changes.
Set up custom headers for YouTube
You can use custom headers to control the video content that users can access while on the corporate network. You can restrict access through DNS with the YouTube menu that is available in a policy, while custom headers allow you to restrict access through HTTP. To restrict access through DNS, see SafeSearch and YouTube restricted mode.
For more information, see Restrict YouTube content available to users in the Google documentation. You need to be a G Suite administrator to access these instructions from Google.
To set up custom headers for YouTube:
1. In the Threat Protection menu of Enterprise Center, select Policies > Policies.
2. To edit a policy, click the name of the policy that you want to edit.
   If you are creating a policy, see Create a policy.
3. Click the Custom Header tab, and click the plus sign icon.
4. In the domain field, enter:
   - www.youtube.com
   - m.youtube.com
   - youtubei.googleapis.com
   - youtube.googleapis.com
   - www.youtube-nocookie.com
5. In the Header Name field, enter YouTube-Restrict.
6. In the Header Value field, enter one of these values depending on the type of restriction you want to configure:
   - Strict. Provides access to a limited collection of video content. This is the most restricted mode.
   - Moderate. Provides some restricted access but is less strict than Strict mode. Moderate mode allows users to access a larger collection of video content.
7. Click Save. If you want to save and deploy the policy, click Save and Deploy.
Next steps
If you haven’t deployed the policy, make sure you deploy it to the SIA network. For instructions, see Deploy configuration changes.
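A pre-deployment check for the header entries described on this page, as an added example that is not part of SIA or its documentation: it confirms that each application's header is applied to every domain listed in its procedure (a gap that is easy to introduce at the "Repeat step 4" step for Microsoft 365) and that YouTube-Restrict carries one of the two listed values. The entry layout (`domains`, `name`, `value`), the name `lint_policy` and the sample values are assumptions constructed for illustration.

```python
# Added example: lint custom-header entries against the domains/headers on this page.
# The entry layout (domains/name/value) is an assumption, not SIA's export format.
MAX_HEADERS = 1000  # limit stated on this page
YOUTUBE_VALUES = {"Strict", "Moderate"}  # values listed on this page
REQUIRED = {  # application -> (domains, header names), as listed on this page
    "Dropbox": (["dropbox.com"], ["X-Dropbox-allowed-Team-Ids"]),
    "Google G Suite": (["drive.google.com", "google.com", "googleusercontent.com",
                        "gstatic.com"], ["X-GooGApps-Allowed-Domains"]),
    "Microsoft 365": (["login.microsoftonline.com", "login.microsoft.com",
                       "login.windows.net"],
                      ["Restrict-Access-To-Tenants", "Restrict-Access-Context"]),
    "YouTube": (["www.youtube.com", "m.youtube.com", "youtubei.googleapis.com",
                 "youtube.googleapis.com", "www.youtube-nocookie.com"],
                ["YouTube-Restrict"]),
}

def lint_policy(entries, apps):
    """Return a list of findings for the applications the policy should cover."""
    findings = []
    if len(entries) > MAX_HEADERS:
        findings.append(f"{len(entries)} headers exceed the {MAX_HEADERS} limit")
    applied = {}  # (domain, lower-cased header name) -> value
    for e in entries:
        if not e["value"].strip():
            findings.append(f"{e['name']}: empty header value")
        for d in e["domains"]:
            # Host names and HTTP header names are case-insensitive.
            applied[(d.strip().lower(), e["name"].strip().lower())] = e["value"]
    for app in apps:
        domains, headers = REQUIRED[app]
        for h in headers:
            for d in domains:
                if (d, h.lower()) not in applied:
                    findings.append(f"{app}: {h} not set for {d}")
    for (d, h), v in applied.items():
        if h == "youtube-restrict" and v not in YOUTUBE_VALUES:
            findings.append(f"YouTube: value {v!r} for {d} is not Strict or Moderate")
    return findings

# Constructed sample policy; IDs and domains are placeholders.
M365 = REQUIRED["Microsoft 365"][0]
SAMPLE = [
    {"domains": ["dropbox.com"], "name": "X-Dropbox-allowed-Team-Ids", "value": "TEAM-ID-PLACEHOLDER"},
    {"domains": M365, "name": "Restrict-Access-To-Tenants", "value": "corp.example"},
    {"domains": M365[:2], "name": "restrict-access-context", "value": "DIRECTORY-ID-PLACEHOLDER"},
    {"domains": ["www.youtube.com"], "name": "YouTube-Restrict", "value": "Relaxed"},
]
print("\n".join(lint_policy(SAMPLE, ["Dropbox", "Microsoft 365"])))
```

The sample omits Restrict-Access-Context on login.windows.net and uses an unlisted YouTube-Restrict value, so both are reported.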