azure-active-directory microsoft-teams microsoft-graph-teams microsoft-teams-js

Build a Teams tab with SSO: Restrict Access to specified Tenant


I'm following the Build a Teams tab with SSO tutorial and I would like to restrict access to only a few tenants.

I have followed this tenant-restrictions walkthrough on restricting access using 2 HTTP headers:

  • Restrict-Access-To-Tenants
  • Restrict-Access-Context

However, I'm not sure where to place those headers in the process.


Solution

  • When you create the Azure AD Application, there is an option to only allow users from the same tenant - using this is probably sufficient for your needs, as Azure AD wouldn't issue tokens to users from other tenants. Your API must then be sure that only requests with valid tokens can proceed (which it should do anyway).
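
For the case in the question where a few tenants rather than one must be allowed, the API can enforce the restriction itself when it validates the token. The following is an added example, not code from the answer or the tutorial: it verifies the signature, then checks `exp`, `aud`, the `tid` claim against an allowlist, and that `iss` belongs to the same tenant. It assumes v2.0 tokens; the tenant IDs, the audience value and the names `validateToken` and `makeToken` are placeholders.

```javascript
const crypto = require('node:crypto');

// Assumptions: placeholder tenant IDs and API client ID; replace with your own values.
const ALLOWED_TENANTS = new Set([
  '11111111-1111-1111-1111-111111111111',
  '22222222-2222-2222-2222-222222222222',
]);
const EXPECTED_AUDIENCE = '00000000-0000-0000-0000-000000000000';

// Returns { ok, reason, claims }. publicKey stands in for the signing key a real API
// would select by the token's `kid` from the Azure AD signing-key (JWKS) document.
function validateToken(token, publicKey, now = Math.floor(Date.now() / 1000)) {
  const parts = String(token).split('.');
  if (parts.length !== 3) return { ok: false, reason: 'malformed' };
  let header, claims;
  try {
    header = JSON.parse(Buffer.from(parts[0], 'base64url').toString('utf8'));
    claims = JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'));
  } catch { return { ok: false, reason: 'malformed' }; }
  if (!header || !claims) return { ok: false, reason: 'malformed' };
  // Pin the algorithm instead of trusting whatever the token header requests.
  if (header.alg !== 'RS256') return { ok: false, reason: 'bad-alg' };
  const signed = Buffer.from(`${parts[0]}.${parts[1]}`);
  const sig = Buffer.from(parts[2], 'base64url');
  if (!crypto.verify('RSA-SHA256', signed, publicKey, sig)) return { ok: false, reason: 'bad-signature' };
  if (typeof claims.exp !== 'number' || claims.exp <= now) return { ok: false, reason: 'expired' };
  if (claims.aud !== EXPECTED_AUDIENCE) return { ok: false, reason: 'wrong-audience' };
  // Tenant restriction: `tid` must be allowlisted and the issuer must be that same tenant.
  if (!ALLOWED_TENANTS.has(claims.tid)) return { ok: false, reason: 'tenant-not-allowed' };
  const expectedIss = `https://login.microsoftonline.com/${claims.tid}/v2.0`;
  if (claims.iss !== expectedIss) return { ok: false, reason: 'issuer-mismatch' };
  return { ok: true, claims };
}

// Constructed test tokens, signed with a throwaway local key (not real Azure AD tokens).
const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
const b64url = (v) => Buffer.from(v).toString('base64url');
function makeToken(claims, key = privateKey) {
  const input = `${b64url(JSON.stringify({ alg: 'RS256', typ: 'JWT' }))}.${b64url(JSON.stringify(claims))}`;
  return `${input}.${crypto.sign('RSA-SHA256', Buffer.from(input), key).toString('base64url')}`;
}
```

In production, use a maintained JWT library for the signature and key-rollover handling and keep the `tid` and `iss` checks as an explicit step after it.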