How to block personal Gmail but allow Work Gmail (Tenant restrictions)


I’m trying to block personal Gmail access without blocking access to the work Gmail tenant. I’ve read the docs about setting up tenant restrictions, but I am still able to access my personal Gmail account. The docs are so brief it suggests this should be a simple thing to set up, but in testing it doesn’t work. I am wondering if anyone has successfully set this up before, and has any suggestions on how to get this working.

Current Configuration:

  1. I have enabled TLS decryption
  2. The Root CA is installed via the WARP agent
  3. I created a policy to block my user-email from accessing application “Gmail” and put the policy at the top of the list (so it takes precedence over other policies)
  4. I created an HTTP Policy to Allow Gmail and Google Workspace with a custom header (X-Googapps-Allowed-Domains) using my company’s domain

Expected (desired) Result:
Either block Gmail outright unless the connection is established via corp SSO, or allow access to Gmail and block any attempted sign-ins that do not come from my work domain.

Actual result:
I am only able to either outright block Gmail entirely, or I have to allow it entirely.

Have you checked the rule processing order?

