Palo Alto Networks Exam NetSec-Generalist Topic 6 Question 13 Discussion

A company using Prisma Access to secure Google Workspace access while blocking unsanctioned Google tenants must implement Tenant Restrictions.

Why are Tenant Restrictions the Right Choice?

Restricts Google Workspace Access to Approved Tenants

Tenant restrictions allow only authorized Google Workspace tenants (e.g., the company's official domain) and block access to personal or unauthorized instances.

Prevents Data Exfiltration & Shadow IT Risks

Without tenant restrictions, users could log into personal Google accounts and transfer corporate data to external environments.

Works with Prisma Access Security Policies

Prisma Access enforces tenant restrictions at the cloud level, ensuring compliance without requiring local device policies.

Other Answer Choices Analysis

(A) Dynamic Address Groups

Used to group IPs dynamically based on tags but does not control SaaS tenant access.

(C) Dynamic User Groups

Used for role-based access control (RBAC), not for restricting Google Workspace tenants.

(D) URL Category

Can filter web categories, but cannot differentiate between different Google Workspace tenants.

Reference and Justification:

Firewall Deployment & Security Policies -- Tenant restrictions enforce Google Workspace access policies.

Threat Prevention & WildFire -- Prevents data exfiltration via unauthorized Google accounts.

Zero Trust Architectures -- Ensures only authorized cloud tenants are accessible.

Thus, Tenant Restrictions (B) is the correct answer, as it effectively blocks access to unsanctioned Google Workspace environments while allowing corporate-approved tenants.