Microsoft Secure Tech Accelerator
Apr 03 2024, 07:00 AM - 11:00 AM (PDT)
Microsoft Tech Community
SOLVED

Federation between two Azure AD tenants

Copper Contributor

Is there a way i can federate identities between two Azure AD tenants to manage Azure Resources? 

Following is the scenario i have at hand. 

 

Organization - ABC has two business units X and Y. Both these units want separate Azure AD tenants however IT staff will be the same to manage Azure resources so need to provide access to subscriptions created under both the tenants to IT staff. 

 

I tried to look at AD B2B option, but thought it would be a bit complex to implement. Was looking for sometime similar to trust relationship in ADDS.

 

Any direction would be helpful. 

6 Replies
best response confirmed by kulman (Copper Contributor)
Solution

B2B/Guest users allows you to assign permissions at least in some of the management portals, so that's your best goal. Microsoft have been playing with a more robust feature that addresses cross-tenant scenarios for few years now, so we might see something later this year. But until then, the above applies.

@Vasil thanks for your response. If thats the only option, i will explore more B2B.
if these business units are going to be using O365, they will be totally separate with nothing shared, all settings will be maintained independently, searches won't find content in the other business unit and much more. There are a lot of issues with this approach that should be considered very carefully before making a final decision.

@kulman 

While Microsoft works on more robust features, this paper on Multi-tenant user management gives some ideas on this, based on solutions we have seen customers successfully implement.

Please let me know if this helps you!

Hi @kulman ,

 

If I understood your scenario right, your primary goal is to allow your IT org (let's assume their accounts are in AAD tenant of business unit X) to manage Azure subscriptions and resources in both tenants.

 

While AAD B2B Collaboration can be a good solution, it requires "context switching" for IT staff while managing Azure resources, guest accounts provisioning and management, etc.

 

I suggest you look into Azure Lighthouse. It was primarily designed for Managed Services Partners for more seamless management of their customers` tenants & subscriptions, but it can be also used within one organization that has several tenants. 

 

I won't go into details, but it is based on "delegated resource management", giving your IT staff a possibility to manage resources in "external AAD tenants" while using their primary identity and having a 'single pane of glass' over resources across tenants and subscriptions. It means you don't need to provision their accounts in 'Business unit Y AAD tenant'. There is a simple onboarding process (using ARM templates) with steps done on both sides (tenants), but otherwise it works very well.

 

I hope this helps.

 

Hello @BarbaraWinter ,
I would like to set up the federation between several tenants, but I don't know where to start. I would like to know if there is a procedure that I can follow.

As said in the document you provided, I would like to set up the Synchronized Collaboration
and more precisely the "mesh technology" in order to be able to have the same address book (Synchronized) between the different tenants


Any suggestion could be helpful to me.

thank you in advance

 

Mehdi benderradji

 

1 best response

Accepted Solutions
best response confirmed by kulman (Copper Contributor)
Solution

B2B/Guest users allows you to assign permissions at least in some of the management portals, so that's your best goal. Microsoft have been playing with a more robust feature that addresses cross-tenant scenarios for few years now, so we might see something later this year. But until then, the above applies.

View solution in original post