Single organisation. Two tenancies - should they use the same or different accounts?

Dan Bhatoa 46 Reputation points
2023-11-02T12:39:48.37+00:00

Hi,

We have 2 Microsoft tenancies, one for our user accounts using O365 services and another tenancy for our Azure infrastructure. Currently there are no guest accounts or sync between the two tenancies. Essentially we're talking the same organisation, same administrators, but 2 different accounts in 2 tenancies - one admin account in O365 and one in the infrastructure tenancy.

What's the best practice for security?

  • Should we have separate admins for each tenancy rather than guest or cross-tenant synchronisation?

Here's my thinking:

Separate accounts

  • separate username and password
  • additional licence requirements (AAD premium, PIM, etc)
  • additional management overhead (needs to be considered in JML, password resets, group and role management, etc)

Same account

  • same username and password, single identity, no additional licences, easier management
  • less secure (if admin in one tenancy is compromised, it can compromise the other)

I'm looking for some advice here and ideally Microsoft recommendations

Thanks

Tags: Microsoft Entra External ID, Microsoft Entra ID

1 answer

  1. Sandeep G-MSFT 20,721 Reputation points Microsoft Employee
    2023-11-06T09:21:05.8766667+00:00

    @Dan Bhatoa

    Thank you for posting this in Microsoft Q&A platform.

    Keeping 2 different accounts with 2 different passwords for users accessing 2 different tenants is always difficult.

    You can surely make use of Cross-tenant synchronization feature in Azure AD.

    Cross-tenant synchronization automates creating, updating, and deleting Microsoft Entra B2B collaboration users across tenants in an organization. It enables users to access applications and collaborate across tenants, while still allowing the organization to evolve.

    Users continue to benefit from the security capabilities in Microsoft Entra ID, such as Microsoft Entra Conditional Access and cross-tenant access settings, and can be governed through features such as Microsoft Entra entitlement management.

    With this, the user doesn't need to remember 2 different accounts with their passwords.

    You can also check the article below to know more about cross-tenant synchronization.

    https://learn.microsoft.com/en-us/entra/identity/multi-tenant-organizations/cross-tenant-synchronization-overview

    Let me know if you have any further questions on this.

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

    0 comments No comments
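The cross-tenant access settings the answer refers to have to be configured on both sides before a synchronization job will create B2B users in the infrastructure tenant. The following is an added example (not code from the question, the answer or Microsoft's documentation) of the Microsoft Graph calls involved, run through the Microsoft.Graph PowerShell SDK. The two tenant IDs are placeholders, the display name is made up, and it assumes an account holding the Policy.ReadWrite.CrossTenantAccess permission in each tenant. The inbound trust block is the part worth attention for the "compromise in one tenancy compromises the other" concern: it lets the infrastructure tenant's own Conditional Access policies accept MFA and device-compliance claims issued by the O365 tenant instead of silently bypassing them, so those policies should still be in place and scoped to the synced admin accounts.

```powershell
# Added example, not part of the original Q&A. Tenant IDs below are placeholders.
$SourceTenantId = "11111111-1111-1111-1111-111111111111"   # O365 tenant (users live here)
$TargetTenantId = "22222222-2222-2222-2222-222222222222"   # Azure infrastructure tenant
$base = "https://graph.microsoft.com/v1.0/policies/crossTenantAccessPolicy/partners"

# Creates the partner configuration for $partnerTenantId if it does not already exist.
# Invoke-MgGraphRequest throws on a 404, which is what the try/catch relies on.
function Ensure-PartnerConfig {
    param([string]$partnerTenantId)
    try {
        Invoke-MgGraphRequest -Method GET -Uri "$base/$partnerTenantId" | Out-Null
    } catch {
        Invoke-MgGraphRequest -Method POST -Uri $base -Body @{ tenantId = $partnerTenantId } | Out-Null
    }
}

# ---- TARGET tenant (Azure infrastructure): accept synced users from the O365 tenant ----
Connect-MgGraph -TenantId $TargetTenantId -Scopes "Policy.ReadWrite.CrossTenantAccess"
Ensure-PartnerConfig -partnerTenantId $SourceTenantId

# Allow the source tenant to push (create/update/delete) B2B users into this tenant.
Invoke-MgGraphRequest -Method PUT -Uri "$base/$SourceTenantId/identitySynchronization" -Body @{
    displayName     = "O365 tenant -> infrastructure tenant"   # made-up label
    userSyncInbound = @{ isSyncAllowed = $true }
}

# Suppress the B2B consent prompt for synced users and trust MFA / device claims
# from the source tenant. Only trust claims from a tenant you administer yourself;
# with this set, Conditional Access here can still require MFA for the synced admins
# without forcing them to register a second authenticator.
Invoke-MgGraphRequest -Method PATCH -Uri "$base/$SourceTenantId" -Body @{
    automaticUserConsentSettings = @{ inboundAllowed = $true }
    inboundTrust = @{
        isMfaAccepted                       = $true
        isCompliantDeviceAccepted           = $true
        isHybridAzureADJoinedDeviceAccepted = $true
    }
}
Disconnect-MgGraph

# ---- SOURCE tenant (O365): allow automatic outbound consent to the infrastructure tenant ----
Connect-MgGraph -TenantId $SourceTenantId -Scopes "Policy.ReadWrite.CrossTenantAccess"
Ensure-PartnerConfig -partnerTenantId $TargetTenantId

Invoke-MgGraphRequest -Method PATCH -Uri "$base/$TargetTenantId" -Body @{
    automaticUserConsentSettings = @{ outboundAllowed = $true }
}
Disconnect-MgGraph
```

After these settings exist, the synchronization configuration itself (which users to push, and on what schedule) is created in the source tenant under Cross-tenant synchronization in the Entra admin centre. Scope it to a group containing only the accounts that need access to the infrastructure tenant rather than to all users, and assign privileged roles in the target tenant to the synced B2B users through PIM there, so that the two tenants keep independent role assignments even though the sign-in identity is shared.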
