Multi-Tenant Management
In the last decade, Microsoft 365 has established itself as a dominant force in the market, offering organizations a modern, cloud-based productivity suite. In fact, 4 out of every 5 Fortune 500 companies use Microsoft Office 365.
However, managing multiple Microsoft 365 subscriptions and tenants can present a significant challenge for administrators and resource owners alike. According to Microsoft’s data from 2020, a staggering “66% of enterprise customers and partners manage multiple Microsoft 365 tenants,” and the complexity of administration compounds with each additional tenant, hybrid AD forest, domain, or other connecting system (like Federation Services and inter-tenant collaboration).
Fortunately, or perhaps unfortunately, depending on your perspective, administrators are faced with a myriad of options to consider when it comes to evaluating multi-tenant management solutions for Microsoft 365. In my upcoming session at The Experts Conference (TEC) 2023 in Atlanta, Georgia, we will delve into the constantly evolving landscape of Microsoft 365 multi-tenant management solutions and carefully examine the advantages and drawbacks of each option. This comprehensive exploration will encompass Microsoft’s native solutions, third-party services, as well as IT, cloud, and managed service providers (ITSP/CSP/MSP). To assist you in making an informed decision, we will also present an evaluation framework designed to guide you in selecting the ideal multi-tenant management solution that aligns with your organization’s unique needs.
Challenges of Multi-Tenant Management
As the number of environments increases and the functions required for management broaden, it becomes very unlikely that a single solution or provider can meet all your needs. Currently, a Business Premium customer has to navigate through at least 17 primary Microsoft 365 administration portals, as seen in Figure 1. This complexity is further compounded when managing multiple subscriptions, leading to inefficiencies and potential security vulnerabilities resulting from human error or inadequate security practices. For a comprehensive list of Microsoft-related sites, portals, and tools, we recommend bookmarking msportals.io.
By acknowledging the complexities of relying solely on Microsoft’s native solutions, organizations can explore alternative approaches to achieve more efficient and secure multi-tenant management.
The Microsoft 365 Admin Center serves as the primary management interface for Microsoft 365, offering a centralized hub for managing Microsoft 365, Azure AD, and applications. However, in many instances, enterprise and SMB customers encounter the need to switch between tenants, requiring the use of separate credentials and multiple browsers, which leaves them more vulnerable to identity threats. To avoid this threat, you can use browser profiles to manage multiple Office 365 tenants and accounts simultaneously.
This fragmented approach to multi-tenant management can be cumbersome and time-consuming for administrators, resulting in potential inefficiencies and user frustrations. Streamlining navigation between tenants and simplifying credential management would greatly enhance the overall user experience and improve productivity.
To address this challenge, organizations can explore solutions that provide a more seamless and integrated experience for managing multiple tenants within the Microsoft 365 ecosystem.
While there are features, like the “tenant switcher” or “organization switcher,” designed to alleviate some of these limitations, it’s important to note that these features are currently limited to partners of record (Associated Partner) for a Microsoft cloud organization. Unfortunately, no public plans exist to extend this functionality beyond its current state.
This restriction poses a challenge for non-partner organizations, as they cannot leverage these features to simplify the management of multiple tenants. As a result, administrators outside the partner network must explore alternative solutions to enhance their multi-tenant management experience. However, despite the aforementioned restrictions, it is important to acknowledge that the various Microsoft 365 administrator centers hold significant value as a comprehensive set of tools and capabilities. The Microsoft administration centers cannot be disregarded, abandoned, or entirely replaced by any single alternative solution. They remain an integral part of the multi-tenant management landscape, providing essential functionality and features for administrators. While exploring alternative solutions and how third-party tools can enhance the overall management experience, the Microsoft 365 administrator portals remain a fundamental component that organizations must leverage to effectively navigate and oversee their Microsoft 365 environment.
In 2023, there is a range of potential solutions available to help administrators navigate various use cases for multi-tenant management within the Microsoft ecosystem. Here is a comprehensive list of these solutions:
Microsoft Solutions for Managing Microsoft 365 Tenants
- Microsoft 365 Admin Center – The admin center is designed to be a central portal to manage users, groups, activity, billing, and more. However, it is limited to managing a single subscription at a time with no bulk actions, monitoring, reporting, or analytics across tenants/subscriptions.
- Multi-tenant management for Microsoft 365 partner admins – Multi-tenant management offers a unified form of management that allows Microsoft 365 partner admins the ability to administer all the tenants they manage from a single location. This includes the ability to switch between tenants, assess service health, review license usage across subscriptions, and pin the most important tenants for easier administration. However, this is limited to registered partners of record (Associated Partner).
- Delegated Administration Privileges (DAP) – DAP enables a partner to manage a customer’s service or subscription on their behalf.
- APIs: PowerShell & Microsoft Graph – Traditionally limited to highly privileged administrator roles only, these are not always suited for other roles such as help desk administrators or individual resource owners. However, these APIs can be leveraged to build custom tooling and solutions within an organization that fit their exact and immediate requirements.
- Manage billing across multiple tenants in the Microsoft 365 admin center – Multi-tenant billing relationships can be created in the Microsoft 365 Admin Center. This allows multi-tenant admins to simplify billing management by securely sharing the organization’s billing account with other tenants while maintaining control over billing data.
- Change Directory Tenants with your Azure Subscriptions – Another valuable feature for managing multiple subscriptions is the ability to switch between different Azure Active Directories. This functionality allows administrators with appropriate rights in other directories to manage objects from a single location conveniently. You can achieve this by switching to a direct account with the required access or utilizing the same account using B2B (Business-to-Business) collaboration. This capability streamlines the management process by providing a unified interface for handling objects across multiple directories, enhancing efficiency and simplifying administrative tasks.
- Microsoft 365 Lighthouse for SMB Managed Services Providers (MSPs) – Microsoft 365 Lighthouse is an admin portal that helps Managed Service Providers (MSPs) secure and manage devices, data, and users at scale for small and medium-sized business (SMB) customers.
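As an illustration of the custom tooling the "APIs: PowerShell & Microsoft Graph" item refers to, the following added example (not code from the original article or from Microsoft) builds the cross-tenant license report that the single-tenant admin center does not offer. It assumes the Microsoft Graph PowerShell SDK is installed, that the tenant IDs shown are placeholders, and that the signed-in account holds at least a read-only directory role in each tenant; it requests only the read-only `Organization.Read.All` scope.

```powershell
#Requires -Modules Microsoft.Graph.Authentication, Microsoft.Graph.Identity.DirectoryManagement

# Placeholder tenant IDs (constructed for this example); replace with your own.
$TenantIds = @(
    '00000000-0000-0000-0000-000000000001',
    '00000000-0000-0000-0000-000000000002'
)

# Read-only delegated scope: enough for organization details and subscribed SKUs.
$Scopes = @('Organization.Read.All')

$report = foreach ($tenantId in $TenantIds) {
    try {
        # Sign in against one specific tenant; no write permissions are requested.
        Connect-MgGraph -TenantId $tenantId -Scopes $Scopes -ErrorAction Stop | Out-Null
        $org = Get-MgOrganization -ErrorAction Stop | Select-Object -First 1

        foreach ($sku in Get-MgSubscribedSku -ErrorAction Stop) {
            [pscustomobject]@{
                Tenant    = $org.DisplayName
                TenantId  = $tenantId
                Sku       = $sku.SkuPartNumber
                Purchased = $sku.PrepaidUnits.Enabled
                Assigned  = $sku.ConsumedUnits
                Free      = $sku.PrepaidUnits.Enabled - $sku.ConsumedUnits
                Error     = $null
            }
        }
    }
    catch {
        # Record the failure so an unreachable tenant is visible in the report.
        [pscustomobject]@{
            Tenant = '(unreachable)'; TenantId = $tenantId; Sku = $null
            Purchased = $null; Assigned = $null; Free = $null
            Error = $_.Exception.Message
        }
    }
    finally {
        # End the session so the next iteration cannot reuse this tenant's token.
        Disconnect-MgGraph -ErrorAction SilentlyContinue | Out-Null
    }
}

$report | Sort-Object Tenant, Sku | Format-Table -AutoSize
```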
One noteworthy use case, which is not directly a solution for multi-tenant and subscription management but rather a method to meet data residency requirements, is Microsoft 365 Multi-Geo. This approach has some limitations, especially for existing organizations, as it necessitates consolidating or migrating all existing tenants, subscriptions, and data to a new home tenant/subscription before distributing it to the desired satellite geography. Once implemented, administrators can manage all objects within a single subscription and set of portals segregated by geographic tenancies.
Another recent development from Microsoft is the announcement that starting June 1, 2023, CSP partners can purchase Multi-Geo capabilities for their customers using Microsoft 365, Office 365, Exchange, OneDrive, and SharePoint subscriptions. These capabilities enable Enterprise Agreement customers to expand their Microsoft 365 presence to multiple geographic regions within a single existing Microsoft 365 Tenant. With Multi-Geo, customers can granularly manage data-at-rest locations for their users, SharePoint sites, Microsoft 365 Groups, and Microsoft Teams. This feature caters specifically to organizations that require data storage in multiple geographies to meet their data residency requirements.
While Multi-Geo provides a method to address data residency needs, it is important to consider its drawbacks, especially for established organizations with existing tenants and data structures. Additionally, organizations should carefully evaluate the feasibility and implications of implementing Multi-Geo based on their specific requirements.
By considering Multi-Geo as an additional option, organizations can potentially meet their data residency needs within the Microsoft ecosystem. Still, they should weigh the advantages and challenges, considering their unique circumstances before deciding.
See you at TEC 2023!
I trust that our brief exploration of Microsoft native solutions for multi-tenant management has provided valuable insights into their benefits, essential roles, and limitations. While the Microsoft 365 Admin Center offers a centralized hub for managing Microsoft 365, Azure AD, and applications, the challenges of navigating multiple tenants and subscriptions, performing cross-tenant activities, and monitoring overall health become apparent, particularly for those who are not partners, CSPs, or MSPs. At TEC 2023, we will delve deeper into the realm of third-party tools, managed service providers, and the evaluation framework. Join us there as we uncover the potential of these tools and their ability to streamline and optimize your multi-tenant management experience.
Microsoft provide no tools for delegating out chunks of Office 365 (e.g. users, groups, teams, SharePoint, etc. in department “factory X” are managed by one person, but users in “factory Y” managed by someone else), nor do they provide any tools to manage multiple tenancies.
Office 365 really is the SMB solution that escaped into the wild.
Tony Redmond:
Splitting an organization up for management purposes requires two basic mechanisms: 1. role-based access control (implemented in Exchange, Azure AD, and compliance), and 2. divisions within the directory (implemented as Azure AD administrative units). The latter is not fully supported across Office 365 at present, but it is effective within many of the compliance solutions, like retention, DLP, and eDiscovery. Have you tried using administrative units? Here’s an article about using their dynamic variant, which is what you might need for country-level management: https://practical365.com/using-dynamic-azure-ad-administrative-units/