Entra ID & Azure AD Tenant Management: Best Practices for MSPs Managing Multiple Tenants

Entra ID & Azure AD Tenant Management: Best Practices for MSPs Managing Multiple Tenants

August 8, 2023

Azure Active Directory (Azure AD) tenant management is the process of managing your organization's identity and access management (IAM) needs using Azure AD.

A tenant in Azure AD is a dedicated instance of Azure AD that's created automatically when your organization signs up for a Microsoft cloud service subscription, such as Microsoft 365, Office 365, or Azure. Depending on the needs of your organization, you may have one or multiple tenants set up in Azure AD.

The task of managing your tenant architecture in Azure AD is usually handled by your organization's IT team. A few key responsibilities associated with this task include:

  • User and Group Management: Azure AD allows you to manage users and groups, assign roles, and enforce rules. You can add or remove users, assign them to groups, and manage their access to your organization's resources.
  • Access and Authentication Management: Azure AD provides a variety of features for managing access and authentication, such as multi-factor authentication, conditional access policies, and identity protection.
  • Application Management: You can manage your organization's cloud and on-premises apps with Azure AD. This includes adding applications, managing access to them, and setting up single sign-on.
  • Directory Synchronization: If your organization has an on-premises Active Directory, you can synchronize it with Azure AD to manage your users and groups in one place.
  • Security and Compliance: Azure AD includes features for managing security and compliance, such as auditing, reporting, and threat detection.
  • B2B and B2C Functions: Azure AD B2B (Business-to-Business) allows you to share your organization's applications and services with external users, while Azure AD B2C (Business-to-Customer) is a customer identity access management solution that allows you to customize and control how customers sign up, sign in, and manage their profiles when using your applications.

In this article, we want to walk you through a step-by-step list of best practices for setting up, configuring, managing, securing, and monitoring your Azure AD tenant architecture in Microsoft 365. We'll talk about things like tenant heirarchy, user access control, licensing requirements, security configurations, auditing, and more. We'll also share some tips for achieving long-term cost efficiency, using specific tools to automate mundane tasks, and more.

Let's dive in!

How to Set Up Your Azure AD Tenant Architecture

A "tenant architecture" in Azure AD doesn't exist in the way you might think. Azure AD doesn't inherently support a hierarchical architecture for tenants, like a tree or nested structure where tenants can be parents or children of other tenants. Each tenant is a standalone entity, and there's no built-in concept of a tenant being superior or subordinate to another tenant.

However, the term "tenant architecture" is used informally to describe how an organization chooses to structure its multiple Azure AD tenants. For example, a large multinational corporation might choose to have separate tenants for each of its subsidiaries or regions. In this case, the "tenant architecture" would reflect the organizational structure of the company.

If you're setting up Azure AD within your organization for the first time, you will need to decide on a tenant hierarchy that works for your company, assign permissions to different users based on their roles, and create access policies so that everyone can view and manage the resources they need.

Deciding on Tenant Hierarchy

Start by understanding your organization's structure and needs. Consider factors such as the size of your organization, the number of departments or subsidiaries, and the level of autonomy and separation needed between them.

  • Single-Tenant: If your organization is small to medium-sized or if there's a high degree of collaboration and shared resources across all departments, a single-tenant setup might be more suitable.
  • Multi-Tenant: If your organization is large, or if there are distinct departments or subsidiaries that require a high level of autonomy and separation, a multi-tenant setup might be more appropriate.

Remember, the decision you make at this stage is crucial as it's difficult to change the tenant hierarchy later.

Assigning Permissions to Different Users

The goal here is to ensure that users have the necessary permissions to perform their roles without having excessive permissions that could pose a security risk. This is often referred to as the principle of least privilege.

  • Role-Based Access Control (RBAC): Understand the different roles within your organization and the permissions each role requires. Azure AD provides a range of built-in roles that you can assign to users. If these don't meet your needs, you can create custom roles.
  • User Groups: Consider creating user groups based on roles, departments, or other factors. This allows you to manage permissions for multiple users at once, rather than managing permissions for each user individually.

Setting Up Access Policies

This enables you to control who has access to what resources and under what conditions. This involves balancing the need for security with the need for usability.

  • Conditional Access Policies: These allow you to enforce controls based on specific conditions. Think about the conditions under which you'd want to enforce additional controls. For example, you might require additional verification for sign-ins from unfamiliar locations or outside of normal working hours.
  • Multi-Factor Authentication (MFA): Consider where MFA might be necessary for added security. While MFA can provide a significant boost to security, it can also add friction for users, so it's important to strike the right balance.
  • Identity Protection: Consider how you'll monitor and respond to potential security threats. Azure AD provides features for detecting potential security risks and responding to them.

Best Practices for Managing Licensing and User Access

Azure Active Directory (Azure AD) is a comprehensive identity and access management service that offers a variety of features for managing user access and licenses. The management process is crucial in both single-tenant and multi-tenant architectures.

Purchasing and Managing Licenses

The first step in this process is understanding the licensing options available in Azure AD. These options range from the free tier, which provides basic features, to the premium tiers, P1 and P2, offering advanced features like conditional access and identity protection. The choice of a licensing option should align with your organization's needs and budget.

Once a licensing option is chosen, setting up licensing permissions becomes the next task. Azure AD allows the delegation of license assignment to specific users or groups by assigning the "License Administrator" role. This role-based approach ensures that only authorized personnel can assign or remove licenses.

User Access and Authentication

Managing group-based access is a key aspect of Azure AD. This feature allows you to manage access to resources based on group membership. Groups can be created based on roles, departments, or any other criteria that suit your organization. Assigning access permissions to a group means any user who is a member of the group will inherit those permissions.

Assigning roles and permissions is achieved using Azure AD's Role-Based Access Control (RBAC) feature. RBAC allows you to define what actions a user can perform and what resources they can access. You can assign built-in roles like User Administrator or Global Administrator, or create custom roles that fit your organization's needs.

A Framework for Addressing Security and Compliance

Managing security and compliance in Azure AD involves a combination of proactive measures, regular monitoring, and responsive actions. Let's dig into each topic to understand how to implement a comprehensive and well-rounded solution for your tenants in Azure AD.


You need to develop a comprehensive approach to protect your organization's data and resources. This may involve implementing measures to prevent unauthorized access, ensuring the integrity and confidentiality of data, and maintaining the availability of services. Here are some key practices:

  • Enabling Access and Identity Protection: Implement features like Multi-Factor Authentication (MFA) and Conditional Access to add an extra layer of security to user sign-ins. Use Azure AD's Identity Protection feature to detect and respond to potential security risks.
  • Configuring Security Settings: Regularly review and adjust settings related to password policies, user sign-in, and device management to meet your organization's security needs.
  • Setting Up Alerts and Notifications: Stay informed about potential security issues by setting up alerts for events such as suspicious sign-in activity or changes to important settings.
  • Setting Up a Backup and Restore Process: Protect your data in the event of accidental deletion or a security incident by establishing a robust backup and restore process.
  • Automating Back-ups: Ensure that backups are performed regularly and consistently by automating the process.
  • Monitoring Back-up Updates: Regularly monitor your backups to ensure they are successful and up-to-date.


Compliance is all about ensuring your organization meets the necessary regulatory and policy requirements in your area of operation. It involves understanding these requirements, setting up processes to meet them, and responding effectively when issues arise. Here are some key practices:

  • Understanding Auditing Requirements: Know what data you need to collect, how long you need to retain it, and who needs access to it.
  • Setting Up Audit Reports: Use Azure AD's detailed audit logs to track user activity, changes to settings, and other important events. Export these logs to create comprehensive audit reports.
  • Responding to Audits and Compliance Violations: Investigate any potential violations, take corrective action, and document your response. Use features like access reviews and compliance reports to aid in this process.

Ways to Simplify Large-Scale Tenant Management in Azure AD

Managing large-scale tenant environments in Azure Active Directory (Azure AD) presents a unique set of challenges. With thousands of users, a multitude of groups, complex permissions, and myriad policies to manage, administrators can quickly find themselves overwhelmed. However, the task becomes more manageable with the right strategies and tools:

PowerShell Scripts

PowerShell scripts offer a way to automate repetitive tasks, making them a valuable tool for managing large-scale Azure AD environments. Administrators can write scripts to perform tasks such as creating users in bulk, assigning licenses, and configuring settings. While this approach requires a solid understanding of PowerShell and Microsoft Graph API, it can save significant time and reduce the risk of manual errors.

Native Azure AD Features

Azure AD itself comes equipped with several features designed to aid in large-scale tenant management. Administrative units, for instance, allow for the delegation of administrative tasks to specific users for specific groups of users. Role-Based Access Control (RBAC) provides the ability to control what actions different administrators can perform. Additionally, Azure AD's reporting and auditing features offer a way to monitor activity and maintain compliance, providing crucial insights into user behavior and security incidents.

Third-Party Platforms

Third-party platforms can provide a more user-friendly interface and advanced features for managing users, groups, permissions, and policies. These platforms often integrate with Azure AD and offer additional features like single sign-on, identity governance, and privileged access management. They can provide a more streamlined and efficient way to manage large-scale tenant environments.

Simeon: The Best Way to Automate Tenant Management in Azure AD

Simeon Cloud is a comprehensive tool designed to automate and streamline the management of Microsoft 365 configurations, including Azure AD. It offers a range of features that focus on enhancing efficiency, maintaining compliance, and ensuring consistency across multiple tenants.

  • Audit & Backup: Simeon Cloud provides detailed audit trails of your Microsoft 365 environments, all viewable in a single pane of glass. This feature allows administrators to keep track of all changes and activities. In case of any configuration errors or accidental changes, Simeon Cloud allows you to restore configurations to a desired state, enhancing the security and reliability of your Azure AD environment.
  • Baselines & Compliance: With Simeon Cloud, you can establish baselines for best practices, track drift, and align configurations to the desired state. This feature is particularly useful for maintaining compliance in Azure AD, as it ensures that your configurations adhere to established standards and policies.
  • Monitoring & Reporting: Simeon Cloud provides holistic reporting on your Microsoft 365 environments, including Azure AD, in a single pane of glass. It also alerts you to changes before they become problems, enabling proactive management and quick resolution of potential issues.
  • Multi-Tenant Management: For organizations with multiple Azure AD tenants, Simeon Cloud offers a single set of policies for improved scale and standardization. This feature simplifies the management of multiple tenants, ensuring consistency across all environments.
  • Automated Provisioning: Simeon Cloud allows you to deploy Microsoft 365 environments, including Azure AD, from customizable templates with a single click. This feature enhances scale, automation, and consistency, making it easier to manage large-scale tenant environments.