Today's complex enterprise environments involve the existence of multiple identity structures, especially in the case of cloud resource management. The management and governance of Azure Active Directory tenants, cloud & federated identities, and authorizations and roles on Azure subscriptions and resources, is the purpose of this session.

1. Multi-Tenant Governance
with Azure Active Directory
Marius Zaharia

2. Merci à nos sponsors !

3. • Intro
• Challenges at scale
• Azure Active Directory. Single vs Multiple-Tenants
• Multi-tenancy management
• Directories
• Azure resources
• Conclusion
Agenda

4. Marius Zaharia
Azure Cloud Tech Lead, Société Générale
Azure MVP and Advisor
Community manager of AZUG FR community
@lecampusazure
www.linkedin.com/in/mzaharia
DISCLAIMER : Below are my own opinions, not my emplyer’s ones.

5. Intro

6. Beginning is good.
Welcome to Azure!
• 1 subscription.
Welcome to Office 365!
• 1-5 Office licences.
1 Azure Active Directory.
Individuals, SMBs

7. Moving further...
Welcome back to Azure!
• 10 subscriptions.
Welcome back to Office 365!
• 100 Office licences.
1 Azure Active Directory.
Larger businesses…

8. Moving beyond...
GO Azure!
• 100+ subscriptions.
GO Office!
• 10000+ Office licences.
?Azure Active Directory?
To MUCH larger businesses -

9. Challenges at Scale

10. Challenges at scale
Azure
• Many users and groups
• Many, many Azure
resources
• …spread in subscriptions
• Accounts / CSP / EA
• Access rights management
Office 365
• Many users and groups
• More Office apps
• More complex licensing
plans
Microsoft 365
Dynamics 365
Other Cloud services

11. • What a large enterprise may look
like:
(from an IT perspective)
Challenges at scale
BU#1
BU#1 IT
BU#2 IT
BU#n IT
BU#2
BU#n
Corp IT
µBU
µBU
µBU
µBU
P
P
P
P
P
P
P
PP
P
P
P

12. Challenges at scale
Choosing multiple Azure subscriptions?
• Subscription more easily isolated than a resource group
• RBAC
• Billing
• Can be assigned completely to an app or project
• Allow autonomy for the team
But:
• Agreement becomes more complex: Depts, Accounts, Subs
• Create/disable subscriptions more often
• Global security governance becomes more difficult

13. Challenges at scale
That’s not all.
• Large companies may have complicated structure
• Single central governance may affect agility and reactivity
• Some BUs want to move faster thant others
So: BUs create separate Azure AD Tenants
• A BU will be owner of an Azure AD tenant
• A BU will have 1(+) account in Enterprise Agreement
• Will be responsible of billing and security of its own Azure
subscriptions.
GREAT!

14. Challenges at scale
But:
• Security compliance and best practices must be audited
and enforced across BUs
• Some BUs not necessary involved in managing
subscriptions
So a transversal IT team may need to audit or manage:
• Azure accounts and subscriptions across tenants
• Azure AD tenants configuration
• Other cloud related assets

15. Azure Active Directory.
Single vs Multiple Tenants

16. • Azure AD tenant
allows us manage
• Users and groups
• Service principals /
applications
• Access rights to Azure
resources
• Access rights to Office
• Access to SaaS
applications
Azure AD: single vs multi-tenant
Users and Groups
Azure
subscriptions
SaaS
applications
Office 365
Service Principals

17. • Multi-tenant:
Azure AD B2B
Collaboration
Azure AD: single vs multi-tenant
Users and Groups
Azure
subscriptions
SaaS
applications
Office 365
Service Principals

18. • A user (not admin!) can create (in 2 min) a Azure AD tenant
• He will be Global Admin of the new tenant
• Original user mapped as External AD User in the new tenant
• If he is owner of an Azure subscription, then he can transfer the
subscription management to the new tenant
A (new) tenant into your place

19. • From the portal
Access a specific tenant
• From the command line
• Login-AzAccount -Tenant
xxxxxxxx-xxxx-xxxx-xxxx-
xxxxxxxxxxxx
• Login-AzAccount -Tenant
mydomain.onmicrosoft.com
• Login-AzAccount -Tenant
mydomain.net
• az login –t xxxxxxxx-xxxx-xxxx-
xxxx-xxxxxxxxxxxx
• …
• From Libs / API

20. Multi-tenancy management

21. Multi-tenancy management means…
• Managing multiple Azure AD tenants
and/or
• Managing (Azure) resources « spread »
over multiple Azure AD tenants
Multi-tenancy management

22. Responsibilities cross-tenant

23. Managing multiple AAD tenants

24. Requires having configured, in the « remote » tenant, either:
1. Dedicated AAD user
2. Guest (invited) user (B2B Collaboration)
Managing multiple AAD tenants

25. 1. Whitelist invitation domains
2. Add users without invitation
New-AzureADMSInvitation -InvitedUserEmailAddress "user@example.com" `
-InviteRedirectUrl "https://example.com" `
-SendInvitationMessage $false `
-InvitedUserType "Member“
• Go directly to https://portal.azure.com/*yourtenantid* and accept terms
Securing invited identities

26. • Fact: Service Principals cannot be invited as users in
other tenants
• Enterprise Application => multi-tenant
• App registration (Service Principal): mono-tenant
• https://docs.microsoft.com/en-us/azure/active-directory/develop/app-objects-and-
service-principals
What about SPNs ?

27. Limit perimeter to only the set of trusted tenants, by domains
• From inside :
« Only My Tenant » feature
• From outside :
Direct AAD federation with AD FS or t.p. STS provider
• https://docs.microsoft.com/en-us/azure/active-directory/b2b/direct-federation
Securing « only » our tenants

28. • A SaaS application registered in Azure AD can be
configured to work (accept signins) with/from multiple
tenants
• Configure Authentication / Supported account types /
Accounts in any organizational directory
• App ID URI must be globally unique
SaaS applications as multi-tenant

29. Managing Azure over
multiple AAD tenants

30. Manage Azure over multiple AAD tenants via:
• « Classical » way: see previous section
• New way: Azure Lighthouse
Managing Azure over multiple AAD tenants

31. Azure Lighthouse
Single control plane to view and manage Azure across all customers

32. • Azure delegated resource management
• Works for users and service principals
• Azure portal experience
• Azure Resource Manager templates
• Managed Services offers in Azure Marketplace
• Azure managed applications
Capabilities

33. • Through Azure MarketPlace
• Perfect for MS Partners and Service Providers
• Not suitable for internal use in companies
• Or through Delegated Resource Management
• Customer deploys an ARM template into his Azure subscription(s)
Onboarding Customer

34. • Define roles and permissions to be used on Customer’s assets
• Build-in RBACs as of today
• What you need for setup
• Tenants
• Service provider's tenant ID (yours)
• Customer's tenant ID
• Group / User(s)
• Azure Subscription(s)
• (Azure) Role Definitions
Delegated RM - Setup

35. • Create ARM Template – and pass it to the Customer
• mspOfferName
• mspOfferDescription
• managedByTenantId
• authorizations
• Group ID & display name
• Role ID
Get it by PS/CLI: Get-AzRoleDefinition -Name "Reader"
• Customer deploys the ARM Template on his subscription(s)
• One deployment per subscription
• New-AzDeployment
Delegated RM - Setup

36. • Customer view
• Service
Provider
View
Lighthouse in Use

37. DEMO
Delegated Deployment and Management
with Azure Lighthouse

38. Azure Security Center!
• Cross-tenant visibility on Azure resources
• Cross-tenant security posture management
• Cross-tenant threat detection and protection
Azure Policy!
• Can create definitions and apply/assign them
• Enforcement w/ deployIfNotExists
Cross Tenant Security w/ Az Lighthouse

39. • Specific set of supported services
• Azure Databricks blocking
• Resource specific URIs (ex. blob.core.windows.net) not
supported
• Build-in RBACs only
• Many évolutions and features planned to come
(Current) Az Lighthouse Limitations

40. Conclusion

41. • Govern Azure resources : w/ Azure Lighthouse
Great solution for simplifying onboarding & experience
• For Partners & SPs, but also for large enterprises
• Govern AAD tenants:
• Users
• With dedicated users in target tenant w/ strong governance rules
• With restricted invitations (by domain)
• Service Principals
• « Multi-tenant enterprise application »
• ALL: minimum privilege principle
Conclusion

42. Merci.