cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
SOLVED

multiple companies in one tenant

Jente Paredis
Copper Contributor

‎Jul 03 2017 03:49 AM

‎Jul 03 2017 03:49 AM

multiple companies in one tenant

Hello All,

 

I would like to spin up a discussion on privacy and security within Office 365.

 

A scenario I already encountered with several of my customers is with holdings, containing several companies. The same scenario can also apply to multiple companies that are merging their activities, but still are separate entities.

 

If they leverage the functionalities of Exchange Online or Exchange Online Protection, they in fact use a single tenant for those activities.

 

While this enables the companies to work better together, it also introduces a security problem. All of those separate companies often have separate IT or mail admins, that are responsible for managing quarantines.

When using EXO or EOP in a single tenant, all hygiene admins can see all mail flow of the whole tenant. There is currently no option to limit what certain admins can see (e.g: mail admins of division X should only see quarantine mails for domain X, Y, Z).

 

Ofcourse there are ways to script this, using PowerShell to create separate reports, but the user that is used to generate those scripts still has access to the total mail flow in such a scenario.

 

To me (and to the specific companies I am talking about) this poses a serious privacy issue. Taking into account the upcoming GDPR regulations, this is something to look at, in my opinion.

 

Is Microsoft aware of this situation and are there actions planned to mitigate these privacy risks / concerns?

 

Thanks for every reply.

 

 

 

9,668 Views
0 Likes
5 Replies
Reply
5 Replies
Dean Gross

‎Jul 04 2017 08:15 AM

‎Jul 04 2017 08:15 AM

Re: multiple companies in one tenant

With that set of requirements, I would recommend using separate tenants for each company, and then using Azure B2B to simplify authentication between tenants. Each tenant would be able to keep administration separated and implement their own DLP and governance policies as necessary. Advanced Security Management could be used to provide oversight of admin actions. It may even make sense to have another tenant for the Holdings organization for the people that run that business.  Granted this would be more complicated, but, corporate structures like this are inherently complicated and should expect to incur additional costs when they have complex regulatory scenarios. 

0 Likes
Reply
Vasil Michev

‎Jul 04 2017 12:09 PM

‎Jul 04 2017 12:09 PM

Re: multiple companies in one tenant

Exchange in particular has a very robust RBAC support, which you can utilize to control access to almost all of the functionalities. Including building "geo-fencing" type of solutions. Some of the other workloads also have RBAC support, but in general if you are using the same tenant, you can expect that there always will be some functionality that can be (ab)used across the department/company/country boundary. Even if you had full control over things, the Global admins would still be able to revert/bypass those restrictions. At some point you will have to make a decision between being able to tightly control access and all the collaboration features you get by using the same tenant.

0 Likes
Reply
Dean Gross

‎Jul 04 2017 12:43 PM

‎Jul 04 2017 12:43 PM

Re: multiple companies in one tenant

@Vasil Michevcan the RBAC feature of EXO be used to limit an admin to a specific email domain within a Tenant?

0 Likes
Reply
best response confirmed by Alexander Auras (Iron Contributor)
Vasil Michev

‎Jul 04 2017 11:07 PM

‎Jul 04 2017 11:07 PM

Solution

Re: multiple companies in one tenant

Yes, you can create "management scopes" that limit the users/mailboxes which a particular admin can manage. You can also create "exclusive" scopes which prevent any other admins from touching the mailbox. It's a very robust model, and would be nice to see it expand to other workloads (for example the SCC now has some similar controls).

 

I couldnt find an article tailored for ExO , but this one should give you the idea behind management scopes: https://technet.microsoft.com/en-us/library/dd351083(v=exchg.150).aspx

1 Like
Reply
Dean Gross

‎Jul 05 2017 02:21 AM

‎Jul 05 2017 02:21 AM

Re: multiple companies in one tenant

Thanks, that is good to know and just reconfirms how little I know about the details of Exchange :).
0 Likes
Reply
1 best response

Accepted Solutions
best response confirmed by Alexander Auras (Iron Contributor)
Vasil Michev

‎Jul 04 2017 11:07 PM

‎Jul 04 2017 11:07 PM

Solution

Re: multiple companies in one tenant

Yes, you can create "management scopes" that limit the users/mailboxes which a particular admin can manage. You can also create "exclusive" scopes which prevent any other admins from touching the mailbox. It's a very robust model, and would be nice to see it expand to other workloads (for example the SCC now has some similar controls).

 

I couldnt find an article tailored for ExO , but this one should give you the idea behind management scopes: https://technet.microsoft.com/en-us/library/dd351083(v=exchg.150).aspx

View solution in original post

1 Like
Reply