Defender Multi-tenancy - B2B vs GDAP

DH 0 Reputation points


I am hoping someone can point me in the right direction.

We have a number of Azure tenancies as part of our organisation that are federated.

I want to enable our SOC analysts' access to all the Defender instances across the tenancies (about 10 total) in a single pane of glass (in the main tenant); by enabling XDR multi-tenancy this seems possible. I have seen this documentation:

Set up multi-tenant management in Microsoft Defender XDR | Microsoft Learn

Respond to threats across tenants more effectively with Microsoft 365 Defender multi-tenant support

Although I am unclear as to which option to go for:

Either Microsoft Entra B2B or use GDAP?

GDAP seems to refer to partners and Microsoft CSPs, although AI tells me that GDAP is still applicable and that it is somehow more secure. We already have B2B set up for the other tenants; would I need to create guest accounts, or allow my existing accounts to be registered as guests in the other tenants?

We also need to factor in PIM. Currently analysts have three groups that they PIM against for timebound access to different functions.

I am leaning towards B2B. Presumably I would send an invite from the secondary tenants to the SOC accounts residing in the main tenant, to collaborate as guest accounts in the secondary tenants? I also want to use granular access to Defender custom roles, rather than global Entra roles. So this would be using group assignment.

Thanks in advance.

Microsoft Defender for Cloud

1 answer

Sort by: Most helpful
  1. Marilee Turscak-MSFT 36,246 Reputation points Microsoft Employee

    Hi @DH,

    GDAP is for setting up granular roles and is exclusively for partners that are Cloud Solution Providers (CSPs). Partners who are CSPs should opt for GDAP because it is better suited to meet CSP compliance standards and is replacing DAP anyway in the future.

    In addition, some partners could have a compliance requirement that prevents them from having an identity in a customer's tenant. In this scenario, GDAP would be the best choice since it allows partners to securely access customer resources without requiring the existence of an identity in the customer's tenant. It will also be replacing GDAP soon so it is a better long-term solution.

    If you don't have a Partner Center account and don't have a compliance requirement preventing you from having an identity in a customer tenant, I agree with you that B2B would be the more straightforward setup. Like you said, you can invite the SOC accounts to collaborate as guest accounts in the second tenant.

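The B2B route the answer recommends, as an added example that is not part of the question or the answer: from a secondary tenant, invite the SOC accounts that live in the main tenant as guests and add them to the group that carries the Defender custom role. It assumes the Microsoft Graph PowerShell SDK, a placeholder secondary tenant ID, a pre-existing group named 'SOC-Defender-Analysts' already assigned the custom role in the Defender portal, and a constructed list of analyst UPNs.

```powershell
# Added example, not from the question or answer above. Assumptions:
#   - Microsoft.Graph PowerShell SDK is installed
#   - $SecondaryTenantId is one secondary tenant's ID (placeholder)
#   - a security group 'SOC-Defender-Analysts' exists in that tenant and is
#     assigned the Defender custom role in the Defender portal (hypothetical name)
#   - $SocAnalysts lists SOC accounts homed in the main tenant (constructed)
$SecondaryTenantId = '<SECONDARY-TENANT-ID>'
$GroupName         = 'SOC-Defender-Analysts'
$SocAnalysts       = @('analyst1@maintenant.example', 'analyst2@maintenant.example')

# Least-privilege scopes for this task: invite guests, read users, manage group membership.
Connect-MgGraph -TenantId $SecondaryTenantId `
    -Scopes 'User.Invite.All', 'User.Read.All', 'Group.Read.All', 'GroupMember.ReadWrite.All'

$group = Get-MgGroup -Filter "displayName eq '$GroupName'"
if (-not $group) { throw "Group '$GroupName' not found in tenant $SecondaryTenantId" }

# Snapshot current members so re-running the script stays idempotent.
$existingMembers = @((Get-MgGroupMember -GroupId $group.Id -All).Id)

foreach ($upn in $SocAnalysts) {
    # An invited guest keeps the original address in the 'mail' attribute,
    # so check for it before sending a second invitation.
    $guest = Get-MgUser -Filter "mail eq '$upn'"
    if (-not $guest) {
        $invite = New-MgInvitation -InvitedUserEmailAddress $upn `
                                   -InviteRedirectUrl 'https://security.microsoft.com' `
                                   -SendInvitationMessage
        $guestId = $invite.InvitedUser.Id
        Write-Host "Invited $upn as guest ($guestId)"
    }
    else {
        $guestId = $guest.Id
        Write-Host "$upn already exists as guest ($guestId)"
    }

    # Group membership is what grants the Defender custom role;
    # no Entra directory role is assigned to the guest.
    if ($existingMembers -notcontains $guestId) {
        New-MgGroupMember -GroupId $group.Id -DirectoryObjectId $guestId
        Write-Host "Added $upn to $GroupName"
    }
}
```

Because access flows through group membership rather than a directory role, the same group can be placed under PIM for Groups in the secondary tenant so the analysts keep the time-bound activation they already use in the main tenant.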