Forum Discussion
StanMorisse
Apr 22, 2022 · Copper Contributor
Join and manage Windows 10 device in different tenant than home tenant
Hi, A customer who owns an International Enterprise, has multiple regional AD forest domains syncing to one Azure AD tenant/ O365. He now has a special request. The customer would like to join th...
Aug 16, 2022
If you remove the on-prem sync part of the issue (this can be done, but using 3rd-party tooling, not the inbuilt AAD sync, to sync across multiple tenants), then you can join it partly like that to get what you want. But it would make no sense to do so, due to licensing and ongoing management costs.
You could enrol all the devices into their own tenant, then use Lighthouse and RBAC/PIM to restrict each region to their devices based on tags/scopes for management. However, each user would end up using a guest account (B2B) when logging onto the device if you still want to get the best licensing from one main tenant for the users. This would mean you would not be using part of the entitlement for Intune in your main tenant but paying for extra licences in the device management tenant.
However, using the B2B access you lose all the benefit of using SSO and it creates a hole from the point of view of security, so I would not recommend it unless you fully understand these risks.
You could move to fully custom RBAC roles; that way a user could have almost all of the GA roles but Intune could be taken out.
The main part of the problem here is trust and training for the process that you are trying to set up. If you do not feel the Global Administrator can be trusted to understand the impact they may have, then you have an internal process problem that needs to be addressed more than changing the design of the management of the system.
If it is the case that the devices will be managed by a different third party, e.g. a different party in each region for the devices, then that makes more sense for what you are trying to do. But if you give a user Global Admin you need to make sure they have adequate training and understanding of what they are doing if they are making changes. Otherwise you should be looking at what roles they need and limiting them to just that.
AAD is designed to be global and to scale, so you really do need to try and remove the limiting legacy boundaries that were always in place with AD on-prem and why you would end up with multiple logon accounts.
I would suggest getting a workshop with Microsoft to fully iron out key principles of your design around permissions and requirements from the top of the organisation down, for how to manage the permissions and limit the impact of Intune policies, as licensing is best under one larger pool than individual pools.
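The reply's recommendation of custom RBAC roles and per-region scoping, rather than handing regional staff Global Administrator, can be put into practice in a single tenant. The following PowerShell is an added example, not code from the thread or from Microsoft: it defines a custom Entra ID (Azure AD) directory role carrying only two user-management actions and assigns it to one helpdesk account scoped to a regional administrative unit, then checks that no assignment of that role is tenant-wide. The administrative unit name "EMEA-Users", the UPN "emea.helpdesk@contoso.example" and the role name are constructed placeholders; the Microsoft.Graph PowerShell SDK is assumed to be installed, the administrative unit to exist already, and the two resource actions are illustrative and should be checked against the current custom-role permissions reference before use.

```powershell
# Added example: least-privilege regional admin instead of Global Administrator.
# Assumes the Microsoft.Graph SDK and an existing administrative unit "EMEA-Users".
Connect-MgGraph -Scopes "RoleManagement.ReadWrite.Directory", "AdministrativeUnit.Read.All", "User.Read.All"

# 1. Custom directory role with only the actions the regional helpdesk needs.
#    Action list is illustrative (placeholder) - trim or extend to real requirements.
$roleDef = New-MgRoleManagementDirectoryRoleDefinition `
    -DisplayName "Regional User Admin (EMEA)" `
    -Description "Replaces Global Administrator for EMEA support staff with scoped user actions" `
    -IsEnabled:$true `
    -RolePermissions @(
        @{
            allowedResourceActions = @(
                "microsoft.directory/users/basic/update",
                "microsoft.directory/users/password/update"
            )
        }
    )

# 2. Resolve the regional administrative unit and the account that will hold the role.
$au   = Get-MgDirectoryAdministrativeUnit -Filter "displayName eq 'EMEA-Users'"
$user = Get-MgUser -Filter "userPrincipalName eq 'emea.helpdesk@contoso.example'"

# 3. Assign the role scoped to that administrative unit, not to the whole tenant ("/").
New-MgRoleManagementDirectoryRoleAssignment `
    -RoleDefinitionId $roleDef.Id `
    -PrincipalId      $user.Id `
    -DirectoryScopeId "/administrativeUnits/$($au.Id)"

# 4. Control check: any assignment of this role with scope "/" would be tenant-wide
#    and defeats the regional boundary; surface it so it can be reviewed.
Get-MgRoleManagementDirectoryRoleAssignment -Filter "roleDefinitionId eq '$($roleDef.Id)'" |
    Where-Object { $_.DirectoryScopeId -eq "/" } |
    ForEach-Object { Write-Warning "Tenant-wide assignment of $($roleDef.DisplayName): $($_.Id)" }
```

The same pattern extends to the Intune side the reply mentions: Intune role assignments carry scope tags and scope groups, so a regional device admin is given an Intune role limited to that region's device groups while holding no directory-wide role at all. Whichever side is configured, the verifiable property is the one the final step checks: the principal has no assignment whose scope is the root of the tenant.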