Need Help with Multi-Tenant Azure Access Management

qublibjohnny 20 Reputation points
2024-06-07T09:28:06.63+00:00

Hi,

I'm seeking advice on managing Azure access across multiple external organizations. We manage Azure for Org A and create accounts for Orgs B and C but don't manage their Azure environments. Azure B2B isn’t an option for us.

Challenges:

  1. Multiple Accounts: Users have separate accounts for each Azure tenant, complicating access.
  2. Authentication Issues: Users often face problems when accessing resources across these tenants.
  3. Account Switching: Frequent account switching is cumbersome and error-prone.

We're considering Azure AD Conditional Access policies to simplify this, although I'm not familiar with them or how/if it will work.

We've also considered suggesting to users that they set up separate browser profiles for each Org, which works, but requires end users to configure their browsers.

Questions:

  1. Has anyone managed similar setups? How did you streamline access?
  2. What Azure AD features or tools have you used for managing authentication across multiple tenants?
  3. Any best practices or pitfalls to avoid in setting up Conditional Access or other policies?

I’d appreciate any insights or suggestions to help us improve our setup.

Azure Role-based access control
Microsoft Entra ID

Accepted answer
  1. Navya 6,115 Reputation points Microsoft Vendor
    2024-06-10T09:07:51.56+00:00

    Hi @qublibjohnny

    Thank you for posting this in Microsoft Q&A.

    I understand that you want to manage Azure access across multiple external organizations.

    B2B collaboration is a capability of Microsoft Entra External ID that lets you collaborate with users and partners outside of your organization. This B2B collaboration user can then access the apps and resources you want to share with them. A user object is created for the B2B collaboration user in the same directory as your employees.

    To avoid the challenges that you are facing, B2B collaboration is the only way for you. With B2B collaboration, an external user is invited to sign in to your Microsoft Entra organization using their own credentials.

    Azure Active Directory Conditional Access is an advanced feature of Azure AD that allows you to specify detailed policies that control who can access your resources. Using Conditional Access, you can protect your applications by limiting users' access based on things like groups, device type, location, and role. For more information about Conditional Access policies

    Conditional Access policies can be applied to the following users:

    • All users that exist in the directory, including B2B guests.
    • Select users and groups: guest or external users, i.e. B2B collaboration guest users, B2B collaboration member users, B2B direct connect users, service provider users (for example, a Cloud Solution Provider (CSP)), and other external users not represented by the other user type selections.

    Template categories to create Conditional access policies: https://video2.skills-academy.com/en-us/entra/identity/conditional-access/concept-conditional-access-policy-common?tabs=secure-foundation

    What option do you use to create accounts for Orgs B and C in your Org A? Can you confirm the user type in your Org A for the Org B and C accounts?

    Any best practices or pitfalls to avoid in setting up Conditional Access or other policies?

    Please follow the document on configuring and providing user lifecycle management in Microsoft Entra multitenant environments.

    What Azure AD features or tools have you used for managing authentication across multiple tenants?

    When you build a multitenant solution, there are special considerations and approaches for several aspects of the authentication process. For more information: Authentication

    Hope this helps. Do let us know if you have any further queries.

    Thanks,

    Navya.

    If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.

    1 person found this answer helpful.
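As an added example (not from the original question or from Navya's answer), the following Microsoft Graph PowerShell script does the two things the answer points at: it inventories which accounts in Org A are external (the user type question above), and it stages a Conditional Access policy scoped to the external user types the answer lists, in report-only mode so its effect can be reviewed in sign-in logs before anything is enforced. It assumes the Microsoft Graph PowerShell SDK is installed (Connect-MgGraph, Get-MgUser, Get-MgIdentityConditionalAccessPolicy, New-MgIdentityConditionalAccessPolicy) and uses the conditionalAccessPolicy request shape with includeGuestsOrExternalUsers as I know it from the Graph API; the policy display name is a constructed value.

```powershell
# Added example, not code from the original post. Assumes the Microsoft Graph
# PowerShell SDK and an account holding an Entra role that may read users and
# manage Conditional Access policies.

# User.Read.All: enumerate users; Policy.ReadWrite.ConditionalAccess: create the policy.
Connect-MgGraph -Scopes "User.Read.All", "Policy.ReadWrite.ConditionalAccess"

# 1. Which accounts in this tenant are external, and what user type are they?
#    userType 'Guest' marks B2B collaboration guests. Accounts created locally for
#    Org B/C staff (no invitation) show up as plain Members with no ExternalUserState,
#    which is exactly the case a guest-scoped policy would NOT cover.
$externalUsers = Get-MgUser -All `
    -Filter "userType eq 'Guest'" `
    -Property Id, DisplayName, UserPrincipalName, UserType, ExternalUserState, CreationType

$externalUsers |
    Select-Object DisplayName, UserPrincipalName, UserType, ExternalUserState, CreationType |
    Format-Table -AutoSize

# Constructed policy name (hypothetical).
$policyName = "REPORT-ONLY: Require MFA for external users (example)"

# 2. Policy body. includeGuestsOrExternalUsers targets the external user types the
#    answer enumerates; membershipKind 'all' means guests from any home tenant.
#    state is report-only so the sign-in log records what the policy WOULD do.
$policy = @{
    displayName = $policyName
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        clientAppTypes = @("all")
        applications   = @{ includeApplications = @("All") }
        users          = @{
            includeGuestsOrExternalUsers = @{
                guestOrExternalUserTypes = "b2bCollaborationGuest,b2bCollaborationMember,b2bDirectConnectUser,otherExternalUser,serviceProvider"
                externalTenants          = @{ membershipKind = "all" }
            }
        }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
}

# Re-runnable: do not create a second copy of the same policy.
$existing = Get-MgIdentityConditionalAccessPolicy -Filter "displayName eq '$policyName'"
if (-not $existing) {
    New-MgIdentityConditionalAccessPolicy -BodyParameter $policy |
        Select-Object Id, DisplayName, State
}
else {
    Write-Host "Policy already exists: $($existing.Id)"
}
```

Two things worth checking from the output before moving the policy out of report-only: if the Org B and C accounts appear as ordinary Members rather than Guests, a guest-scoped policy will not apply to them and they need to be targeted by group instead; and an enforced policy that covers all applications should carry an exclusion (excludeUsers in the users condition) for the tenant's emergency-access accounts so an MFA outage cannot lock administrators out.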