Apr 10 2020 11:48 AM - last edited on Jan 14 2022 04:32 PM by TechCommunityAP
Is there a way I can federate identities between two Azure AD tenants to manage Azure resources?
The following is the scenario I have at hand.
Organization ABC has two business units, X and Y. Both units want separate Azure AD tenants; however, the IT staff who manage Azure resources will be the same, so I need to provide them access to the subscriptions created under both tenants.
I tried looking at the AD B2B option, but thought it would be a bit complex to implement. I was looking for something similar to a trust relationship in AD DS.
Any direction would be helpful.
Apr 11 2020 09:05 AM
Solution
B2B/Guest users allow you to assign permissions at least in some of the management portals, so that's your best goal. Microsoft have been playing with a more robust feature that addresses cross-tenant scenarios for a few years now, so we might see something later this year. But until then, the above applies.
Jul 07 2020 10:39 AM
While Microsoft works on more robust features, this paper on Multi-tenant user management gives some ideas on this, based on solutions we have seen customers successfully implement.
Please let me know if this helps you!
Jul 30 2020 06:12 AM
Hi @kulman,
If I understood your scenario right, your primary goal is to allow your IT org (let's assume their accounts are in the AAD tenant of business unit X) to manage Azure subscriptions and resources in both tenants.
While AAD B2B Collaboration can be a good solution, it requires "context switching" for IT staff while managing Azure resources, guest account provisioning and management, etc.
I suggest you look into Azure Lighthouse. It was primarily designed for Managed Services Partners for more seamless management of their customers' tenants and subscriptions, but it can also be used within one organization that has several tenants.
I won't go into details, but it is based on "delegated resource management", giving your IT staff the possibility to manage resources in "external AAD tenants" while using their primary identity and having a 'single pane of glass' over resources across tenants and subscriptions. It means you don't need to provision their accounts in the 'Business unit Y AAD tenant'. There is a simple onboarding process (using ARM templates) with steps done on both sides (tenants), but otherwise it works very well.
I hope this helps.
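As an added illustration of the Lighthouse onboarding the reply above describes (this is not the poster's template, and the tenant ID, group object IDs and offer name are placeholders), the following subscription-scope ARM template is what business unit Y would deploy in its own tenant to delegate one subscription to groups that live in the business unit X tenant. The `managedByTenantId` is the BU X tenant; each `principalId` is the object ID of an Azure AD group in that tenant; the `roleDefinitionId` values are the built-in GUIDs for Contributor, Reader and "Managed Services Registration Assignment Delete Role". Assumptions are marked in the `metadata.description` fields, since ARM JSON has no comments.

```json
{
  "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "mspOfferName": {
      "type": "string",
      "defaultValue": "ABC central IT - delegated management of BU Y subscription",
      "metadata": { "description": "Example offer name; shown to BU Y under Service providers in the portal." }
    },
    "mspOfferDescription": {
      "type": "string",
      "defaultValue": "Allows the ABC IT groups in the BU X tenant to manage this subscription without guest accounts."
    },
    "managedByTenantId": {
      "type": "string",
      "defaultValue": "00000000-0000-0000-0000-000000000000",
      "metadata": { "description": "PLACEHOLDER: tenant ID of the BU X (managing) tenant. Replace before deploying." }
    },
    "authorizations": {
      "type": "array",
      "defaultValue": [
        {
          "principalId": "11111111-1111-1111-1111-111111111111",
          "principalIdDisplayName": "ABC IT Operators (Azure AD group in BU X tenant)",
          "roleDefinitionId": "b24988ac-6180-42a0-ab88-20f7382dd24f"
        },
        {
          "principalId": "11111111-1111-1111-1111-111111111111",
          "principalIdDisplayName": "ABC IT Operators (Azure AD group in BU X tenant)",
          "roleDefinitionId": "91c1777a-f3dc-4fae-b103-61d183457e46"
        },
        {
          "principalId": "22222222-2222-2222-2222-222222222222",
          "principalIdDisplayName": "ABC IT Auditors (Azure AD group in BU X tenant)",
          "roleDefinitionId": "acdd72a7-3385-48ef-bd42-f606fba81ae7"
        }
      ],
      "metadata": { "description": "PLACEHOLDER group object IDs. Roles: Contributor (b24988ac...), Managed Services Registration Assignment Delete Role (91c1777a...), Reader (acdd72a7...). Owner is not delegatable through Lighthouse." }
    }
  },
  "variables": {
    "mspRegistrationName": "[guid(parameters('mspOfferName'))]",
    "mspAssignmentName": "[guid(parameters('mspOfferName'))]"
  },
  "resources": [
    {
      "type": "Microsoft.ManagedServices/registrationDefinitions",
      "apiVersion": "2019-09-01",
      "name": "[variables('mspRegistrationName')]",
      "properties": {
        "registrationDefinitionName": "[parameters('mspOfferName')]",
        "description": "[parameters('mspOfferDescription')]",
        "managedByTenantId": "[parameters('managedByTenantId')]",
        "authorizations": "[parameters('authorizations')]"
      }
    },
    {
      "type": "Microsoft.ManagedServices/registrationAssignments",
      "apiVersion": "2019-09-01",
      "name": "[variables('mspAssignmentName')]",
      "dependsOn": [
        "[resourceId('Microsoft.ManagedServices/registrationDefinitions/', variables('mspRegistrationName'))]"
      ],
      "properties": {
        "registrationDefinitionId": "[resourceId('Microsoft.ManagedServices/registrationDefinitions/', variables('mspRegistrationName'))]"
      }
    }
  ],
  "outputs": {
    "mspOfferName": {
      "type": "string",
      "value": "[concat('Managed by', ' ', parameters('mspOfferName'))]"
    }
  }
}
```

A user from the BU Y tenant (a member account, not a guest) holding Owner on the target subscription deploys it with `az deployment sub create --name lighthouse-abc-it --location westeurope --template-file delegate.json`, after the `Microsoft.ManagedServices` resource provider has been registered on that subscription. Three practitioner notes: delegate to groups rather than individual users so joiners and leavers are handled entirely in the BU X tenant; always include the Registration Assignment Delete role so the managing tenant can offboard itself cleanly; and remember that Lighthouse grants Azure RBAC on resources only, so anything that needs an Azure AD directory role in BU Y (directory settings, app registrations, conditional access) still requires an account in that tenant.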
Jan 27 2021 07:34 AM
Hello @BarbaraWinter,
I would like to set up federation between several tenants, but I don't know where to start. I would like to know if there is a procedure that I can follow.
As said in the document you provided, I would like to set up Synchronized Collaboration, and more precisely the "mesh topology", in order to be able to have the same (synchronized) address book between the different tenants.
Any suggestion would be helpful to me.
Thank you in advance,
Mehdi benderradji