Defender MTO Multi-Tenant - Onboarding Google Workspace Customers

Dear Hernan Jim,

It has been a while and I am writing to see how things are going with this issue. Have you had a chance to check the reply provided? If there’s anything else I can assist you with or if you need further clarification, please don’t hesitate to let me know, I’m here to help.
Looking forward to hearing from you. Wishing you a great day ahead!

Warm regards,

Kai-L - MSFT | Microsoft Community Support Specialist

Dear Hernan Jim,

Thank you for posting in Microsoft Community.

For your question about onboarding a Google Workspace customer into Microsoft Defender Multi-Tenant Operations (MTO), this is a common, complex scenario due to integrating different ecosystem management platforms.

1. Is the customer required to create a Microsoft tenant?

Microsoft Defender for Endpoint (MDE) is a Microsoft cloud service. For a customer to utilize MDE and for you to manage it via MTO, they must have their own Microsoft 365 tenant (which includes an Azure Active Directory - now called Microsoft Entra ID - instance). This tenant will serve as the "home" for their MDE subscription, where:

• MDE licenses are purchased and assigned.
• Device identities for MDE are managed.
• Security configurations, alerts, and incidents are handled in the Microsoft 365 Defender portal (security.microsoft.com).
• Your MTO (Microsoft 365 Lighthouse or delegated access) connects to this customer-specific MDE tenant.

2.Key Considerations for Google Workspace Customers
The primary challenge lies in deploying the MDE sensor on devices governed by Google Workspace.

• MDE Agent Deployment: Deploying the MDE sensor on Google Workspace-managed Windows, macOS, or Linux devices requires alternative methods like manual scripting or third-party MDMs, as there's no native integration.
• Identity Alignment: Consider how Google Workspace user identities will align with Azure AD for comprehensive MDE features and user-based reporting.
• Google Workspace Permissions: Admin access within Google Workspace is essential for configuring API integrations, especially with Defender for Cloud Apps.
• Unified Cloud App Visibility (MDCA): Integrating Google Workspace with Defender for Cloud Apps provides centralized visibility and governance for cloud application usage across both ecosystems.
• Multi-Tenant Management: Utilize Microsoft 365 Lighthouse and delegated admin privileges (GDAP) for centralized management of all Defender security components across customer tenants.

3.Microsoft Articles and Documentation:

Here are essential Microsoft Learn/Docs resources that will be highly beneficial:

Microsoft Defender for Endpoint documentation hub:

https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint?view=o365-worldwide

Minimum requirements for Microsoft Defender for Endpoint:

https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/minimum-requirements?view=o365-worldwide

Onboard devices and configure Microsoft Defender for Endpoint capabilities: (This is where you find OS-specific onboarding methods)

https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/onboarding?view=o365-worldwide

Specifically look at sections for macOS, Linux, Android, iOS onboarding.

Microsoft 365 Lighthouse documentation (for MTO):

https://learn.microsoft.com/en-us/microsoft-365/lighthouse/?view=o365-worldwide

Delegated administration in Microsoft 365 Lighthouse:

https://learn.microsoft.com/en-us/microsoft-365/lighthouse/m365-lighthouse-delegated-admin?view=o365-worldwide

While I genuinely wish I could provide more direct, step-by-step instructions for this specific integration here, setting up Microsoft Defender for Endpoint on Google Workspace-managed devices and configuring Multi-Tenant Onboarding for such a blended environment can involve advanced security configurations. These scenarios often require a specialized level of expertise and diagnostic tools held by a dedicated product support team.

Therefore, to ensure you receive the most accurate and effective assistance, I strongly recommend taking the following steps:

Raising a support ticket directly with Microsoft Defender by following guidance provided in the link:

Contact Microsoft Defender for Cloud Apps support - Microsoft Defender for Cloud Apps | Microsoft Learn

The Microsoft Defender support team has the deep expertise and advanced diagnostic tools specifically designed to help with these complex onboarding and integration scenarios. They are best equipped to guide you through the process for Google Workspace customers.

Additionally, you may find valuable insights and community-driven discussions on the Microsoft Q&A. This is an excellent resource to ask questions and learn from other Microsoft experts and professionals who might have experience with similar deployments.

I sincerely apologize for this redirection, but I want to ensure you connect with the team possessing the precise knowledge for Defender MTO and cross-platform onboarding; it's vital for a successful setup.

Please don't hesitate to reach out if you need any assistance regarding Microsoft Office applications, Outlook, or Teams. I'll be more than happy to help with those.

Thank you for your patience and understanding. I hope you have a wonderful day!

Kind regards,

Kai-L - MSFT | Microsoft Community Support Specialist