Azure CSP Management Tenant strategy

DaZzLa 61 Reputation points


I'm working for an MSP who has two Microsoft tenants: one company tenant (M365, own company Azure resources, ...) and one CSP tenant (used to manage customers).

We are currently implementing Azure Lighthouse to manage our customers to get rid of guest accounts and directory switching into customer tenants.
The current strategy is to use the CSP tenant as a management environment for all Azure resources, customers' as well as our own company resources. Therefore, every employee who has to manage Azure gets an additional user in this CSP tenant.

I'm sceptical whether this is the right decision, because it leads to increased management effort: we need to manage an additional tenant and additional users, which come with additional license costs.
Our governance team decided to separate it for security reasons.

My question is whether it is a common approach for CSPs to separate their own company tenant and the CSP management tenant, OR should a CSP use its company tenant for internal workloads as well as for managing customers?

Is there any guidance or recommendation regarding this question?
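For readers who want to see what the Lighthouse delegation in the question actually ties together, here is an added example (not from the original post, the answers, or Microsoft's published samples). It is a subscription-scope Bicep template deployed in a customer tenant by a customer Owner; it onboards that subscription to Azure Lighthouse for a security group that lives in the MSP's management tenant, so no guest accounts or directory switching are needed. The tenant ID and group object ID are placeholders; the two role definition GUIDs are Azure's well-known built-in Reader and Contributor IDs. The JIT (eligible) authorization is assumed to be available in your managing tenant's licensing tier.

```bicep
// Added example, not code from the original question or its answers.
// Deployed at subscription scope in the CUSTOMER tenant; it onboards that
// subscription to Azure Lighthouse for a group in the MSP's management tenant.
// Whichever tenant is named in managedByTenantId is the tenant whose account
// compromise exposes this customer, which is the blast-radius question the
// thread is about.
targetScope = 'subscription'

@description('Tenant ID of the MSP tenant that manages this subscription (the CSP/management tenant in the question). PLACEHOLDER value.')
param managedByTenantId string = '00000000-0000-0000-0000-000000000000'

@description('Object ID of a security group in the managing tenant. PLACEHOLDER value.')
param operatorsGroupObjectId string = '11111111-1111-1111-1111-111111111111'

// Well-known built-in role definition IDs (same in every Azure tenant).
var readerRoleId = 'acdd72a7-3385-48ef-bd42-f606fba81ae7'      // Reader
var contributorRoleId = 'b24988ac-6180-42a0-ab88-20f7382dd24c' // Contributor

resource definition 'Microsoft.ManagedServices/registrationDefinitions@2022-10-01' = {
  // Registration definition names must be GUIDs; derive one deterministically.
  name: guid(managedByTenantId, operatorsGroupObjectId, 'example-offer')
  properties: {
    registrationDefinitionName: 'Example MSP managed services offer'
    description: 'Standing Reader; Contributor only via JIT activation with MFA'
    managedByTenantId: managedByTenantId
    // Standing, low-privilege access for day-to-day monitoring.
    authorizations: [
      {
        principalId: operatorsGroupObjectId
        principalIdDisplayName: 'MSP Azure Operators (managing tenant group)'
        roleDefinitionId: readerRoleId
      }
    ]
    // Higher privilege is not standing: it has to be activated in the managing
    // tenant, requires MFA, and expires after the configured duration, so a
    // phished operator account does not hold Contributor on the customer by default.
    eligibleAuthorizations: [
      {
        principalId: operatorsGroupObjectId
        principalIdDisplayName: 'MSP Azure Operators (managing tenant group)'
        roleDefinitionId: contributorRoleId
        justInTimeAccessPolicy: {
          multiFactorAuthProvider: 'Azure'
          maximumActivationDuration: 'PT8H'
        }
      }
    ]
  }
}

// The assignment is what actually delegates this subscription to the definition.
resource assignment 'Microsoft.ManagedServices/registrationAssignments@2022-10-01' = {
  name: guid(definition.id)
  properties: {
    registrationDefinitionId: definition.id
  }
}
```

The point for the tenant-strategy discussion: the delegation binds the customer subscription to one managing tenant and to principals in that tenant only. Keeping that managing tenant separate from the tenant where employees read mail limits what a phished company account can reach, and making elevated roles eligible rather than permanent limits what a compromised management account holds at any given moment. Either way, the customer keeps the ability to remove the delegation from their side.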



Accepted answer
  1. Stanislav Zhelyazkov 22,251 Reputation points MVP

    This is a common scenario and, as you mentioned, it is done for security reasons. You have already mentioned the downsides of managing a separate tenant with users and licenses. Nothing more can be said besides that you either accept the management overhead and license costs and have somewhat better security, or go with the simpler approach of one tenant and lower security compared to the two-tenant approach.

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.


1 additional answer

  1. DaZzLa 61 Reputation points

    Hi Stan,

    Thanks for your quick and helpful answer!
    I'm happy to hear we are on the right path with a legitimate approach.

    So, based on my description above, this is what the current setup/plan looks like.

    I first thought about cutting the Lighthouse delegation from the CSP tenant to the company tenant and using the company tenant instead to manage the internal workloads.
    But if a company user gets compromised through phishing, the attacker is able to access them.

    Any thoughts on the plan to use the CSP tenant also for company workload management?