Managing Multiple Tenants in Azure AD: A Handbook for Enterprise IT Managers & System Administrators

Managing Multiple Tenants in Azure AD: A Handbook for Enterprise IT Managers & System Administrators

By
June 30, 2023

If you're an enterprise organization or service provider with multiple tenants in Azure AD, you're already familiar with the challenges that come with maintaining organizational consistency, ensuring proper collaboration, and isolating security vulnerabilities across different subsidiaries and clients.

A few years ago, the lack of automated solutions made it very difficult for organizations to set up and maintain multi-tenant architectures, requiring engineers to swap back and forth between tenants to sync configuration files, access resources, and manage users.

Luckily, with specialized native and third-party platforms like Azure AD Connect, Azure Lighthouse, Microsoft Graph, and Simeon Cloud, it has become a lot easier to manage configurations across several tenants at once. In this detailed guide to multi-tenant management in Azure AD, we'll work through the different challenges, solutions, and best practices for creating and maintaining a multi-tenant architecture in Microsoft 365. Let's dive in.

What's the Point of Having Multiple Azure AD Tenants?

The primary purpose of having multiple tenants in Azure Active Directory is to create separate environments for different business units or subsidiaries within a larger organization. By creating a separate instance of Azure AD for every unit within your organization, you're effectively isolating each environment from the resources, applications, and users included in all other environments.

Multi-tenant architectures carry a number of benefits for large organizations and service providers, from isolating security vulnerabilities between clients to creating separate environments for development and production to helping each unit stay separate during a merger or acquisition. Here are a few examples:

For Enterprises:

  • Business Unit Separation: Distinct business units within an organization can each have their own tenant, allowing for separate management of resources, applications, and identities.
  • Mergers and Acquisitions: In the event of a merger or acquisition, the acquired company's Azure AD tenant can be kept separate, easing the integration process.
  • Development and Testing: Separate tenants can be used for development and testing, allowing developers to test changes without affecting the production environment.
  • External Collaboration: For enterprises that collaborate with external partners, a separate tenant can be used to manage access and permissions for external users separately from internal users.
  • Regulatory Compliance: In industries with strict regulatory requirements, separate tenants can be used to ensure compliance by isolating data and resources.
  • Geographical Separation: For multinational corporations, separate tenants can be used to manage resources and users in different geographical locations.
  • Disaster Recovery: A separate tenant can be used as a failover environment in case of a disaster, ensuring business continuity.

For Managed Service Providers (MSPs):

  • Client Isolation: Each client's resources, identities, and data are kept separate and secure in their own tenant.
  • Customized Service Delivery: Each tenant can be configured according to the specific needs and preferences of each client.
  • Scalable Service Model: As MSPs acquire more clients, they can easily add new tenants, allowing for scalable growth.
  • Broad Service Offerings: MSPs can use multiple tenants to offer a wider range of services, including Azure AD management as a standalone service or as part of a larger package.

Considerations When Setting Up Multiple Tenants in Azure AD

Despite the benefits, there are some serious considerations that need to be given due thought when you move to a multi-tenant architecture with Microsoft 365. Aside from the expected overhead that comes with setup and maintenance, you may also have to deal with separate licensing costs, compliance issues, and staffing shortages as a by-product of having multiple tenants up and running.

  • Business Requirements: Do you have distinct business units, subsidiaries, or client projects that require isolation from each other? Understanding your business needs will help you decide whether a multi-tenant architecture is the right approach.
  • Security and Compliance: Each tenant can have its own security settings and compliance policies. Consider whether your organization has security or compliance requirements that might be easier to meet with a multi-tenant architecture.
  • Collaboration and Communication: If users need to collaborate and communicate across different tenants, consider how you will facilitate this. Some features, like calendar sharing and file sharing, can be more difficult to manage across tenants.
  • Licensing and Cost: Licenses are managed at the tenant level, and each tenant may incur its own costs. You need to consider how you will manage licenses and costs across multiple tenants.
  • Data Migration and Integration: If you need to move data or users between tenants, or if you need to integrate data across tenants, this can be a complex process. You need to consider whether you have the necessary tools to manage these tasks.
  • Administration and Management: Managing multiple tenants can be more complex and time-consuming than managing a single tenant. You need to consider whether you have the administrative resources to manage multiple tenants properly.

How to Set Up Multiple Tenants in Azure Active Directory

Creating multiple tenants in Azure AD is a repetitive process. For each new tenant you wish to create, you'll need to set up a new resource and configure it to match your needs. Here's an overview of what that looks like, without any third-party tools or platforms to guide the process:

Step 1: Sign into the Azure Portal

Step 2: Create a New Azure AD Tenant

  • In the left-hand menu, click on "Create a resource".
  • In the "New" window, search for "Azure Active Directory" in the search box.
  • In the search results, select "Azure Active Directory".
  • On the Azure Active Directory page, click "Create".
  • You will now be asked to fill in some details about your organization and your new directory.

Step 3: Fill in Organization Details

  • In the "Organization name" field, enter the name of your organization.
  • In the "Initial domain name" field, enter a domain name for your organization. This will form part of your default *.onmicrosoft.com domain.
  • From the "Country or region" dropdown, select the country or region where your organization is based.
  • After filling in these details, click "Next".

Step 4: Review and Create

  • Review the details you've entered. If everything is correct, click "Create".
  • Azure will now create your new Azure AD tenant. This may take a few minutes.

Step 5: Switch to the New Tenant

  • Once your new tenant has been created, you'll need to switch to it.
  • Click on your account in the top-right corner of the Azure portal, then click "Switch directory".
  • In the "All directories" list, click on the new tenant you just created.

Step 6: Configure your New Tenant

  • Now that you've switched to your new tenant, you can start configuring it.
  • You can add users, assign roles, configure settings, and more. Each of these tasks can be done from the Azure AD section of the Azure portal.

Useful Tools for Managing a Multi Tenant Azure AD Setup

However, there's no reason why you should take on the cumbersome task of managing a large-scale multi-tenant operation all by yourself. There's a number of tools, platforms, and workarounds to help you in the process of setting up and managing multiple tenants in Azure AD — both native and third-party. Here's a detailed look at each solution:

Azure Lighthouse (Native)

Azure Lighthouse is a native Azure service that provides capabilities for cross-customer management at scale. It allows Managed Service Providers (MSPs) and large organizations to manage multiple Azure AD tenants from a single control plane, providing greater efficiency and visibility across the entire environment.

How it works: Azure Lighthouse uses Azure Delegated Resource Management to provide service providers with the ability to perform management tasks on their customers' behalf, across tenants. It uses Azure Resource Manager templates or Azure Marketplace for onboarding at scale.

What it does: Azure Lighthouse allows for managing multiple Azure AD tenants, providing unified management and governance across tenants. It enables performing tasks such as monitoring, policy enforcement, and managing resources across different tenants.

Pros:

  • Centralized management of multiple tenants.
  • Enhanced visibility and control.
  • Greater efficiency with automation and at-scale management.
  • Built-in Azure service, ensuring compatibility and integration with other Azure services.

Cons:

  • Learning curve for understanding and implementing delegated resource management.
  • Limited to Azure environments.

PowerShell & Microsoft Graph API (Unofficial)

PowerShell and Microsoft Graph API are powerful tools that can be used to manage Azure AD and other Microsoft services. While not an official multi-tenant management solution, they can be used to script and automate tasks across tenants.

How it works: PowerShell is a scripting language that allows for task automation and configuration management. Microsoft Graph API is a RESTful web API that enables you to access Microsoft Cloud service resources. You can write PowerShell scripts that call the Microsoft Graph API to manage Azure AD resources.

What it does: You can use PowerShell and Microsoft Graph API to perform a wide range of tasks in Azure AD, such as creating and managing users, groups, and other resources. By scripting these tasks, you can automate them across multiple tenants.

Pros:

  • Highly flexible and customizable.
  • Can automate a wide range of tasks.
  • Can manage a wide range of Microsoft services, not just Azure AD.

Cons:

  • Requires scripting knowledge.
  • Can be complex and time-consuming to set up and maintain.
  • Unofficial solution, so less guidance and support available.

Simeon Cloud (Third-Party)

Simeon Cloud is a third-party solution that provides a suite of tools for managing and automating Azure AD and Office 365.

How it works: Simeon Cloud provides a cloud-based platform that connects to your Azure AD and Office 365 tenants. It provides a user-friendly interface for managing these services, and it also provides automation capabilities.

What it does: Simeon Cloud allows you to manage users, groups, licenses, and configurations across multiple tenants. It also provides compliance and security tools, and it can automate tasks such as user provisioning and deprovisioning.

Pros:

  • User-friendly interface.
  • Automation capabilities.
  • Provides additional tools for compliance and security.

Cons:

  • Dependence on a third-party solution.
  • Costs associated with using a third-party service.
  • May not have all the capabilities of native or custom-scripted solutions.

Using Simeon to Manage Multiple Azure AD Tenants at Scale

Simeon Cloud is the only no-code solution that enables the setup, administration, and maintenance of multiple tenants at scale in Azure AD and Microsoft 365. It comes with an intuitive interface, real-time synchronization, automatic backups, drift detection, audit trails, and dedicated support.

But, Simeon's configuration management features extend far beyond Azure AD. It also works with other M365 platforms and applications, such as Office 365, Intune, Exchange Online, SharePoint, and Microsoft Teams. It's a rare solution that offers 24/7/365 automation, management protection, and monitoring of your cloud architecture.

Want to learn more about Simeon Cloud? Request a demo with our sales team today!