Strict Conditional Access with access between o365 tenants?

Question

Strict Conditional Access with access between o365 tenants?

nollzy 1

We have multiple o365 tenants to keep some of our business units separate, for, reasons. After some recent security breaches we're looking at applying some pretty strict Conditional Access Rules, including Require Hybrid Azure AD joined device. Simple enough so far. Where we get the fun part is device and email access. All of the computers for both companies are managed by the AD for Company A, and are listed in the Azure AD portal for Company A. People from Company A don't need to access the 365 for Company B. People from Company B need to be able to access their 365 from the RDS of Company A, as well as from the computers which are part of the Company A domain. The people from Company B also need to be able to access the 365 of Company A. So from my understanding, with Require Hybrid Azure AD joined device, this wouldn't work, unless the devices can be listed in both Azure portals, somehow. Is there any way to make this work? I was thinking along the lines of Azure Active Directory B2B, Microsoft 365 inter-tenant collaboration - Microsoft 365 Enterprise | Microsoft Learn and What is B2B collaboration in Azure Active Directory? | Microsoft Learn, but I'm not sure if this will cover what we're wanting to do? I hope this made sense.

0 comments

1 answer

Your answer

Answer 1

Pa_D 1,076

@nollzy

There are few things need to be done.

1) Com A employees will have 1 CA policy requiring them to use Hybrid domain joined PC.
2) Com B employees if they are provided Com A PC hardware then those will required to be HDJ.
3) Com B employees use Com B PC hardware, then have them use OWA and Sharepoint Online and enable MFA.
4) Com B employees using RDS, implement Azure MFA (using NPS) to apply mfa before accessing RDS session.

nollzy 1 Reputation point

2021-02-24T23:52:20.14+00:00

Thanks for the idea, but this isn't quite what we're after, we want Conditional Access Rules, including Require Hybrid Azure AD joined device for both tenants, but to still be able to access resources from the other tenants.
Company B staff have email accounts in both tenants and access both SharePoint sites. Company B staff use computers joined to AD from Company A, so they're Hybrid Azure AD Joined to the Company A tenant. Conditional Access Rules, including Require Hybrid Azure AD joined device, would mean that Company B staff can't access their Company B emails or SharePoint from their devices, but they would be able to access the Company A emails and SharePoint. If we moved their computers to be Azure AD Joined, then Company B staff wouldn't be able to access their Company A emails or SharePoint.
We need Company B to be able to access Company A with Conditional Access Rules, including Require Hybrid Azure AD joined device on both tenants.
Pa_D 1,076 Reputation points

2021-02-25T20:28:36.74+00:00

I am trying understand here,

comp B employee has email address compB@jaswant .com
comp A email is compA@xyz .com

comp B have their own unique Azure AD tenant
Similarly comp A have their own AAD tenant.

You want to apply CA on Comp A tenant requiring Hybrid domain join.

Comp B employees have comp A issued PC hardware joined to comp A domain and also hybrid domain joined to comp A.

Now comp B employee will be compliant with Comp A CA policy.

Does Comp B has any CA policy if so what is it requiring it?
nollzy 1 Reputation point

2021-02-25T22:27:55.417+00:00

Comp B employee has compb@jaswant .com AND compa@xyz .com
Comp A has compa@xyz .com

Both have their own AAD tenants

All devices for both companies are joined to the Comp A tenant, through on-prem AD and synced with the Comp A AAD.
Comp B has no on-prem servers.

At the moment we have international logins blocked on both tenants and MFA for all users but want to lock down further. this is after a recent security breach and 3,000+ failed international logins per day, where someone logged on from an infected personal device.
We want to move to requiring Hybrid domain join for both tenants, so they can only log on through our work provided devices.

We need Comp B to still be able to access their tenant on Comp A devices, OR be able to access their Comp A emails if we move their devices to their tenant. We also need our Support team, on Comp A devices to be able to access their logins for the Comp B tenant.
Pa_D 1,076 Reputation points

2021-03-01T07:13:15.24+00:00

Device can technically register with only 1 tenant. This is by design.

Assuming these are 2 domains belonging to 2 different companies (and not in same AD forest), only 1 domain can take advantage of Hybrid join check in CA.

Other domain will have to use other security measures such as, MFA, Azure Identity protection and trusted IPs

Share via

Strict Conditional Access with access between o365 tenants?

1 answer

Your answer