MicrosoftDocs / azure-docs

Open source documentation of Microsoft Azure
https://docs.microsoft.com/azure
Creative Commons Attribution 4.0 International

Guidance for multiple tenants #107596

Open DeanGross opened 1 year ago

DeanGross commented 1 year ago

What is the guidance for organizations that have multiple Azure tenants? Should there be accounts that are used for multiple tenants, or should each tenant have its own dedicated accounts? Please provide some explicit guidance.



AjayBathini-MSFT commented 1 year ago

@DeanGross Thanks for your feedback! We will investigate and update as appropriate.

ManoharLakkoju-MSFT commented 1 year ago

@DeanGross For organizations that have multiple Azure tenants, it is recommended to use corporate identities through Azure AD B2B collaboration. Organizations can also implement Azure Lighthouse for cross-tenant management of Azure resources so that non-production Azure subscriptions can be managed by identities in the production counterpart. Azure Lighthouse can't be used to manage services outside of Azure, such as Intune or Microsoft Endpoint Manager. For Managed Service Providers (MSPs), Microsoft 365 Lighthouse is an admin portal that helps secure and manage devices, data, and users at scale for small- and medium-sized business (SMB) customers who are using Microsoft 365 Business Premium, Microsoft 365 E3, or Windows 365 Business.

It is important to note that multi-tenant architectures with external identity access enabled provide only resource isolation, but don't enable identity isolation. Resource isolation using Azure AD B2B collaboration and Azure Lighthouse doesn't mitigate risks related to identities.

Regarding the use of accounts, it is recommended to use a separate set of administrators for each tenant. Organizations can choose to use corporate identities through Azure AD B2B collaboration. Similarly, organizations can implement Azure Lighthouse for cross-tenant management of Azure resources so that non-production Azure subscriptions can be managed by identities in the production counterpart. Azure Lighthouse can't be used to manage services outside of Azure, such as Intune or Microsoft Endpoint Manager. For Managed Service Providers (MSPs), Microsoft 365 Lighthouse is an admin portal that helps secure and manage devices, data, and users at scale for small- and medium-sized business (SMB) customers who are using Microsoft 365 Business Premium, Microsoft 365 E3, or Windows 365 Business.

For more information, please refer to the following document https://learn.microsoft.com/en-us/azure/active-directory/fundamentals/secure-with-azure-ad-multiple-tenants

DeanGross commented 1 year ago

Thanks, but I am specifically asking about emergency access accounts, which is the topic of this page (multi-tenant management during normal operations is a separate issue). I will rephrase my question: For an organization that has multiple Azure tenants, should each tenant have its own emergency access accounts, OR should emergency access accounts be shared across tenants? There are risks and operational/management issues with both approaches. Does MSFT have a recommendation, and if so, what is the basis for this recommendation?

ManoharLakkoju-MSFT commented 1 year ago

Hi @DeanGross According to Microsoft's documentation on emergency access accounts, it is recommended to have emergency access accounts for each tenant. This is because emergency access accounts are highly privileged and should be limited to scenarios where normal administrative accounts can't be used. Having separate emergency access accounts for each tenant can help to ensure that access is limited to only the necessary amount of time and that the accounts are used only when necessary.

DeanGross commented 1 year ago

Thanks, but where in the documentation is this stated? I don't see this recommendation on this page, which is all about managing emergency access accounts.

ManoharLakkoju-MSFT commented 1 year ago

@DeanGross I'm going to assign this to the document author so they can take a look at it accordingly.

ManoharLakkoju-MSFT commented 1 year ago

@markwahl-msft Could you please review this and update as appropriate?