Defender Multi-tenancy - B2B vs GDAP

Question

Defender Multi-tenancy - B2B vs GDAP

DH 0

Hi,

I am hoping someone can point me in the right direction.

We have a number of Azure tenancies as part of our organisation that are federated.

I want to enable our SOC analysts access to all the Defender instances across the tenancies (about 10 total) in a single pane of glass (in the main tenant), by enabling XDR multi-tenancy this seems possible. I have seen this documentation;

Set up multi-tenant management in Microsoft Defender XDR | Microsoft Learn

Respond to threats across tenants more effectively with Microsoft 365 Defender multi-tenant support

Although I am unclear as to which option to go for:

Either Microsoft Entra B2B or use GDAP?

GDAP seems to refer to partners and Microsoft CSPs, although AI tells me that GDAP is still applicable and that it is somehow more secure. We already have B2B set up for the other tenants, would I need to create guest accounts or allow my existing accounts to be registered as guests in the other tenants.

We also need to factor in PIM. Currently analysts have three groups that they PIM against for timebound access to different functions.

I am leaning towards B2B, presumably I would send an invite from the secondary tenants, to the SOC accounts residing the main tenant to collaborate as guest accounts in the secondary tenants? I also want to use granular access to Defender custom roles, rather than Global Entra roles. SO this would be using group assignment.

Thanks in advance.

Marilee Turscak-MSFT 37,251 Reputation points Microsoft Employee Moderator

2023-12-01T00:18:58.4833333+00:00

Hi @DH ,

Just wanted to check if you had further questions or were able to get the information you needed? The short answer to your question is that it depends, but since you don't seem to have a partner account, B2B would be the right choice and a more straightforward setup.

If the information was useful, please remember to "Accept the answer." This will help us and improve searchability for others in the community who may be researching similar questions.
JamesTran-MSFT 37,211 Reputation points Microsoft Employee Moderator

2023-12-05T20:28:54.4+00:00

@DH

I wanted to check in and see if you had any other questions or if you were able to resolve this issue?

If you have any other questions, please let me know. Thank you for your time and patience throughout this issue.

If the information helped address your question, please Accept the answer. This will help us and also improve searchability for others in the community who might be researching similar information.

1 answer

Your answer

Marilee Turscak-MSFT 37,251 Reputation points Microsoft Employee Moderator

2023-12-01T00:18:58.4833333+00:00

Hi @DH ,

Just wanted to check if you had further questions or were able to get the information you needed? The short answer to your question is that it depends, but since you don't seem to have a partner account, B2B would be the right choice and a more straightforward setup.

If the information was useful, please remember to "Accept the answer." This will help us and improve searchability for others in the community who may be researching similar questions.
JamesTran-MSFT 37,211 Reputation points Microsoft Employee Moderator

2023-12-05T20:28:54.4+00:00

@DH

I wanted to check in and see if you had any other questions or if you were able to resolve this issue?

If you have any other questions, please let me know. Thank you for your time and patience throughout this issue.

If the information helped address your question, please Accept the answer. This will help us and also improve searchability for others in the community who might be researching similar information.

Answer 1

Hi @DH ,

GDAP is for setting up granular roles and is exclusively for partners that are Cloud Solution Providers (CSPs). Partners who are CSPs should opt for GDAP because it is better suited to meet CSP compliance standards and is replacing DAP anyway in the future. https://learn.microsoft.com/en-us/partner-center/gdap-faq

In addition, some partners could have a compliance requirement that prevents them from having an identity in a customer's tenant. In this scenario, GDAP would be the best choice since it allows partners to securely access customer resources without requiring the existence of an identity in the customer's tenant. It will also be replacing GDAP soon so it is a better long-term solution.

If you don't have a Partner Center account and don't have a compliance requirement preventing you from having an identity in a customer tenant, I agree with you that B2B would be the more straightforward setup. Like you said, you can invite the SOC accounts to collaborate as guest accounts in the second tenant.

Share via

Defender Multi-tenancy - B2B vs GDAP

1 answer

Your answer