If you're an enterprise organization or service provider with multiple tenants in Azure AD, you're already familiar with the challenges that come with maintaining organizational consistency, ensuring proper collaboration, and isolating security vulnerabilities across different subsidiaries and clients.
A few years ago, the lack of automated solutions made it very difficult for organizations to set up and maintain multi-tenant architectures, requiring engineers to swap back and forth between tenants to sync configuration files, access resources, and manage users.
Luckily, with specialized native and third-party platforms like Azure AD Connect, Azure Lighthouse, Microsoft Graph, and Simeon Cloud, it has become a lot easier to manage configurations across several tenants at once. In this detailed guide to multi-tenant management in Azure AD, we'll work through the different challenges, solutions, and best practices for creating and maintaining a multi-tenant architecture in Microsoft 365. Let's dive in.
The primary purpose of having multiple tenants in Azure Active Directory is to create separate environments for different business units or subsidiaries within a larger organization. By creating a separate instance of Azure AD for every unit within your organization, you're effectively isolating each environment from the resources, applications, and users included in all other environments.
Multi-tenant architectures carry a number of benefits for large organizations and service providers, from isolating security vulnerabilities between clients to creating separate environments for development and production to helping each unit stay separate during a merger or acquisition. Here are a few examples:
For Managed Service Providers (MSPs):
Despite the benefits, there are some serious considerations that need to be given due thought when you move to a multi-tenant architecture with Microsoft 365. Aside from the expected overhead that comes with setup and maintenance, you may also have to deal with separate licensing costs, compliance issues, and staffing shortages as a by-product of having multiple tenants up and running.
Creating multiple tenants in Azure AD is a repetitive process. For each new tenant you wish to create, you'll need to set up a new resource and configure it to match your needs. Here's an overview of what that looks like, without any third-party tools or platforms to guide the process:
Step 1: Sign into the Azure Portal
Step 2: Create a New Azure AD Tenant
Step 3: Fill in Organization Details
Step 4: Review and Create
Step 5: Switch to the New Tenant
Step 6: Configure your New Tenant
However, there's no reason why you should take on the cumbersome task of managing a large-scale multi-tenant operation all by yourself. There's a number of tools, platforms, and workarounds to help you in the process of setting up and managing multiple tenants in Azure AD — both native and third-party. Here's a detailed look at each solution:
Azure Lighthouse (Native)
Azure Lighthouse is a native Azure service that provides capabilities for cross-customer management at scale. It allows Managed Service Providers (MSPs) and large organizations to manage multiple Azure AD tenants from a single control plane, providing greater efficiency and visibility across the entire environment.
How it works: Azure Lighthouse uses Azure Delegated Resource Management to provide service providers with the ability to perform management tasks on their customers' behalf, across tenants. It uses Azure Resource Manager templates or Azure Marketplace for onboarding at scale.
What it does: Azure Lighthouse allows for managing multiple Azure AD tenants, providing unified management and governance across tenants. It enables performing tasks such as monitoring, policy enforcement, and managing resources across different tenants.
PowerShell & Microsoft Graph API (Unofficial)
PowerShell and Microsoft Graph API are powerful tools that can be used to manage Azure AD and other Microsoft services. While not an official multi-tenant management solution, they can be used to script and automate tasks across tenants.
How it works: PowerShell is a scripting language that allows for task automation and configuration management. Microsoft Graph API is a RESTful web API that enables you to access Microsoft Cloud service resources. You can write PowerShell scripts that call the Microsoft Graph API to manage Azure AD resources.
What it does: You can use PowerShell and Microsoft Graph API to perform a wide range of tasks in Azure AD, such as creating and managing users, groups, and other resources. By scripting these tasks, you can automate them across multiple tenants.
Simeon Cloud (Third-Party)
Simeon Cloud is a third-party solution that provides a suite of tools for managing and automating Azure AD and Office 365.
How it works: Simeon Cloud provides a cloud-based platform that connects to your Azure AD and Office 365 tenants. It provides a user-friendly interface for managing these services, and it also provides automation capabilities.
What it does: Simeon Cloud allows you to manage users, groups, licenses, and configurations across multiple tenants. It also provides compliance and security tools, and it can automate tasks such as user provisioning and deprovisioning.
Simeon Cloud is the only no-code solution that enables the setup, administration, and maintenance of multiple tenants at scale in Azure AD and Microsoft 365. It comes with an intuitive interface, real-time synchronization, automatic backups, drift detection, audit trails, and dedicated support.
But, Simeon's configuration management features extend far beyond Azure AD. It also works with other M365 platforms and applications, such as Office 365, Intune, Exchange Online, SharePoint, and Microsoft Teams. It's a rare solution that offers 24/7/365 automation, management protection, and monitoring of your cloud architecture.
Want to learn more about Simeon Cloud? Request a demo with our sales team today!