Azure ATP with single domain, multiple AAD tenants


Is Azure ATP in any way usable in a single domain, multiple tenant setup? Our legacy on-prem AD is shared with our service provider and several other customers, but each has a dedicated AAD tenant for O365 use, etc. AADC sync is set up per OU, which is functional if not particularly flexible. We don't have hybrid join for obvious reasons, although we have considered the per-workstation GPO route to get there.
So, where does Azure ATP fall on this spectrum? Is the on-prem ATP sensor multitenant compatible? Can you have multiple sensors serving different AAD tenants in a single on-prem domain? Or if not sensors, how about standalones? Also, is the sensor smart enough to be aware of its own AAD tenant, and collect and forward on-prem data that is relevant to those AAD users, and those users only? Can we manually set up a sensor instance per OU, similar to AADC?

1 Reply

@VesaP1695 

Hey, since Azure ATP monitors on-premises AD, I'm not sure what the impact of having multiple AAD tenants would be. Can you share an example?

If you have additional on-prem forests without a trust, you could add them to the same Azure ATP tenant by using different directory services credentials.