Zscaler tenant restriction and allow non-tenant traffic

We have recently deployed ZIA with ZPA. We are a ZCC shop only. We have tenant restrictions for Google, Microsoft and Slack. We are trying to allow read-only access to any tenant and allow upload/download to our tenant on both platforms.

We cannot get Microsoft to work at all.

We can get Gmail to work as intended, but not Drive. We asked Zscaler and they said it is not feasible currently.

Has anyone been successful in making this work?