
Re: How to restrict personal account access in O365 using Ironport

How to restrict personal account access in O365 in tools such as OWA sticky note, OneDrive. Access should be restricted to business accounts only, not for personal accounts. How to implement OMT solution for this.


shgrover
Cisco Employee

Hello Krishna Chandrashekar,

 

You can use the custom header option on the WSA. Here is the process:-

 

WSA> advancedproxyconfig

 

Choose a parameter group:
- AUTHENTICATION - Authentication related parameters
- CACHING - Proxy Caching related parameters
- DNS - DNS related parameters
- EUN - EUN related parameters
- NATIVEFTP - Native FTP related parameters
- FTPOVERHTTP - FTP Over HTTP related parameters
- HTTPS - HTTPS related parameters
- SCANNING - Scanning related parameters
- PROXYCONN - Proxy connection header related parameters
- CUSTOMHEADERS - Manage custom request headers for specific domains
- MISCELLANEOUS - Miscellaneous proxy related parameters
- SOCKS - SOCKS Proxy parameters

 

[]> customheaders

Currently defined custom headers:

Choose the operation you want to perform:
- DELETE - Delete entries
- NEW - Add new entries
- EDIT - Edit entries


[]> new

Please enter the custom HTTP header (in the form field: value):
[]> Restrict-Access-To-Tenants: xyz.onmicrosoft.com, abc.onmicrosoft.com

 

Please enter the list of suffix of domains which will be sent this header, separated by commas:
[]> login.microsoft.com, login.microsoftonline.com, login.windows.net

[NOTE: you can enter any number of domains, there is no restriction on this]

 

 

2. Steps to be performed on the WSA GUI for this setting to work

 

a. Create a new Custom URL category and enter the following domains (login.microsoft.com, login.microsoftonline.com, login.windows.net)

b. Under the decryption policy please set the Custom URL category to 'DECRYPT'

 

 

Once this setting is enabled on the WSA, any request to O365-related sites coming from a user who does not belong to the corporate domains mentioned under Restrict-Access-To-Tenants will not be able to access those sites.

 

Please check https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/tenant-restrictions for more information.

 

Regards

Shikha Grover

PS: Please don't forget to rate and select as validated answer if this answered your question.
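
The two settings in the reply above depend on each other: the header is only added for hosts in the CLI domain list, and for HTTPS only when the same host is also decrypted. The following is an added example (not Cisco code and not part of the original post) that models this with constructed traffic; the matching rule in `suffix_match` is an assumption about how the WSA applies the domain suffix list.

```python
# Added example: models the WSA settings from the reply above; not Cisco code.
HEADER_LINE = "Restrict-Access-To-Tenants: xyz.onmicrosoft.com, abc.onmicrosoft.com"
HEADER_DOMAINS = "login.microsoft.com, login.microsoftonline.com, login.windows.net"
# Custom URL category that step 2 sets to DECRYPT in the decryption policy.
DECRYPT_CATEGORY = "login.microsoft.com, login.microsoftonline.com, login.windows.net"

def split_list(text):
    return [item.strip().lower() for item in text.split(",") if item.strip()]

def parse_header(line):
    """Split the CLI's 'field: value' form into (name, [tenants])."""
    name, sep, value = line.partition(":")
    if not sep or not name.strip() or not value.strip():
        raise ValueError("expected 'field: value'")
    return name.strip(), split_list(value)

def suffix_match(host, suffixes):
    # Assumption: a suffix matches the exact host or any subdomain of it.
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in suffixes)

def header_for(host, scheme, header_domains=HEADER_DOMAINS, decrypt=DECRYPT_CATEGORY):
    """Return ((name, value) or None, reason) for one proxied request."""
    name, tenants = parse_header(HEADER_LINE)
    if not suffix_match(host, split_list(header_domains)):
        return None, "host not in header domain list"
    if scheme == "https" and not suffix_match(host, split_list(decrypt)):
        # A tunnelled TLS session is opaque, so the proxy cannot edit the request.
        return None, "HTTPS not decrypted, header cannot be inserted"
    return (name, ", ".join(tenants)), "header added"

def audit(requests, **settings):
    return {f"{scheme}://{host}": header_for(host, scheme, **settings)[1]
            for host, scheme in requests}

# Constructed sample traffic (host, scheme).
SAMPLE = [("login.microsoftonline.com", "https"), ("login.windows.net", "https"),
          ("login.microsoft.com", "https"), ("www.example.com", "https")]

if __name__ == "__main__":
    for url, verdict in audit(SAMPLE).items():
        print(url, "->", verdict)
    # Same traffic with login.windows.net left out of the DECRYPT category.
    partial = "login.microsoft.com, login.microsoftonline.com"
    for url, verdict in audit(SAMPLE, decrypt=partial).items():
        print("[partial decrypt]", url, "->", verdict)
```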