SOLVED

multiple companies in one tenant

%3CLINGO-SUB%20id%3D%22lingo-sub-84342%22%20slang%3D%22en-US%22%3Emultiple%20companies%20in%20one%20tenant%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-84342%22%20slang%3D%22en-US%22%3E%3CP%3EHello%20All%2C%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20would%20like%20to%20spin%20up%20a%20discussion%20on%20privacy%20and%20security%20within%20Office%20365.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EA%20scenario%20I%20already%20encountered%20with%20several%20of%20my%20customers%20is%20with%20holdings%2C%20containing%20several%20companies.%20The%20same%20scenario%20can%20also%20apply%20to%20multiple%20companies%20that%20are%20merging%20their%20activities%2C%20but%20still%20are%20separate%20entities.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EIf%20they%20leverage%20the%20functionalities%20of%20Exchange%20Online%20or%20Exchange%20Online%20Protection%2C%20they%20in%20fact%20use%20a%20single%20tenant%20for%20those%20activities.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EWhile%20this%20enables%20the%20companies%20to%20work%20better%20together%2C%20it%20also%20introduces%20a%20security%20problem.%20All%20of%20those%20separate%20companies%20often%20have%20separate%20IT%20or%20mail%20admins%2C%20that%20are%20responsible%20for%20managing%20quarantines.%3C%2FP%3E%3CP%3EWhen%20using%20EXO%20or%20EOP%20in%20a%20single%20tenant%2C%20all%20hygiene%20admins%20can%20see%20%3CSTRONG%3Eall%20mail%20flow%20of%20the%20whole%20tenant%3C%2FSTRONG%3E.%20There%20is%20currently%20no%20option%20to%20limit%20what%20certain%20admins%20can%20see%20(e.g%3A%20mail%20admins%20of%20division%20X%20should%20only%20see%20quarantine%20mails%20for%20domain%20X%2C%20Y%2C%20Z).%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EOfcourse%20there%20are%20ways%20to%20script%20this%2C%20using%20PowerShell%20to%20create%20separate%20reports%2C%20but%20the%20user%20that%20is%20used%20to%20generate%20those%20scripts%20still%20has%20access%20to%20the%20total%20mail%20flow%20in%20such%20a%20scenario.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ETo%20me%20(and%20to%20the%20specific%20companies%20I%20am%20talking%20about)%20this%20poses%20a%20serious%20privacy%20issue.%20Taking%20into%20account%20the%20upcoming%20GDPR%20regulations%2C%20this%20is%20something%20to%20look%20at%2C%20in%20my%20opinion.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EIs%20Microsoft%20aware%20of%20this%20situation%20and%20are%20there%20actions%20planned%20to%20mitigate%20these%20privacy%20risks%20%2F%20concerns%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThanks%20for%20every%20reply.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-84771%22%20slang%3D%22en-US%22%3ERe%3A%20multiple%20companies%20in%20one%20tenant%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-84771%22%20slang%3D%22en-US%22%3EThanks%2C%20that%20is%20good%20to%20know%20and%20just%20reconfirms%20how%20little%20I%20know%20about%20the%20details%20of%20Exchange%20%3A).%3CBR%20%2F%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-84737%22%20slang%3D%22en-US%22%3ERe%3A%20multiple%20companies%20in%20one%20tenant%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-84737%22%20slang%3D%22en-US%22%3E%3CP%3EYes%2C%20you%20can%20create%20%22management%20scopes%22%20that%20limit%20the%20users%2Fmailboxes%20which%20a%20particular%20admin%20can%20manage.%20You%20can%20also%20create%26nbsp%3B%22exclusive%22%20scopes%20which%20prevent%20any%20other%20admins%20from%20touching%20the%20mailbox.%20It's%20a%20very%20robust%20model%2C%20and%20would%20be%20nice%26nbsp%3Bto%20see%20it%20expand%20to%20other%20workloads%20(for%20example%20the%20SCC%20now%20has%20some%20similar%20controls).%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20couldnt%20find%20an%20article%20tailored%20for%20ExO%20%2C%20but%20this%20one%20should%20give%20you%20the%20idea%20behind%20management%20scopes%3A%20%3CA%20href%3D%22https%3A%2F%2Ftechnet.microsoft.com%2Fen-us%2Flibrary%2Fdd351083(v%3Dexchg.150).aspx%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Ftechnet.microsoft.com%2Fen-us%2Flibrary%2Fdd351083(v%3Dexchg.150).aspx%3C%2FA%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-84696%22%20slang%3D%22en-US%22%3ERe%3A%20multiple%20companies%20in%20one%20tenant%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-84696%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F58%22%20target%3D%22_blank%22%3E%40Vasil%20Michev%3C%2FA%3Ecan%20the%20RBAC%20feature%20of%20EXO%20be%20used%20to%20limit%20an%20admin%20to%20a%20specific%20email%20domain%20within%20a%20Tenant%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-84693%22%20slang%3D%22en-US%22%3ERe%3A%20multiple%20companies%20in%20one%20tenant%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-84693%22%20slang%3D%22en-US%22%3E%3CP%3EExchange%20in%20particular%20has%20a%20very%20robust%20RBAC%20support%2C%20which%20you%20can%20utilize%20to%20control%20access%20to%20almost%20all%20of%20the%20functionalities.%20Including%20building%20%22geo-fencing%22%20type%20of%20solutions.%20Some%20of%20the%20other%20workloads%20also%20have%20RBAC%20support%2C%20but%20in%20general%20if%20you%20are%20using%20the%20same%20tenant%2C%20you%20can%20expect%20that%20there%20always%20will%20be%20some%20functionality%20that%20can%20be%20(ab)used%20across%20the%20department%2Fcompany%2Fcountry%20boundary.%20Even%20if%20you%20had%20full%20control%20over%20things%2C%20the%20Global%20admins%20would%20still%20be%20able%20to%20revert%2Fbypass%20those%20restrictions.%20At%20some%20point%20you%20will%20have%20to%20make%20a%20decision%20between%20being%20able%20to%20tightly%20control%20access%20and%20all%20the%20collaboration%20features%20you%20get%20by%20using%20the%20same%20tenant.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-84661%22%20slang%3D%22en-US%22%3ERe%3A%20multiple%20companies%20in%20one%20tenant%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-84661%22%20slang%3D%22en-US%22%3E%3CP%3EWith%20that%20set%20of%20requirements%2C%20I%20would%20recommend%20using%20separate%20tenants%20for%20each%20company%2C%20and%20then%20using%20Azure%20B2B%20to%20simplify%20authentication%20between%20tenants.%20Each%20tenant%20would%20be%20able%20to%20keep%20administration%20separated%20and%20implement%20their%20own%20DLP%20and%20governance%20policies%20as%20necessary.%20Advanced%20Security%20Management%20could%20be%20used%20to%20provide%20oversight%20of%20admin%20actions.%20It%20may%20even%20make%20sense%20to%20have%20another%20tenant%20for%20the%20Holdings%20organization%20for%20the%20people%20that%20run%20that%20business.%26nbsp%3B%20Granted%20this%20would%20be%20more%20complicated%2C%20but%2C%20corporate%20structures%20like%20this%20are%20inherently%20complicated%20and%20should%20expect%20to%20incur%20additional%20costs%20when%20they%20have%20complex%20regulatory%20scenarios.%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E
New Contributor

Hello All,

 

I would like to spin up a discussion on privacy and security within Office 365.

 

A scenario I already encountered with several of my customers is with holdings, containing several companies. The same scenario can also apply to multiple companies that are merging their activities, but still are separate entities.

 

If they leverage the functionalities of Exchange Online or Exchange Online Protection, they in fact use a single tenant for those activities.

 

While this enables the companies to work better together, it also introduces a security problem. All of those separate companies often have separate IT or mail admins, that are responsible for managing quarantines.

When using EXO or EOP in a single tenant, all hygiene admins can see all mail flow of the whole tenant. There is currently no option to limit what certain admins can see (e.g: mail admins of division X should only see quarantine mails for domain X, Y, Z).

 

Ofcourse there are ways to script this, using PowerShell to create separate reports, but the user that is used to generate those scripts still has access to the total mail flow in such a scenario.

 

To me (and to the specific companies I am talking about) this poses a serious privacy issue. Taking into account the upcoming GDPR regulations, this is something to look at, in my opinion.

 

Is Microsoft aware of this situation and are there actions planned to mitigate these privacy risks / concerns?

 

Thanks for every reply.

 

 

 

5 Replies

With that set of requirements, I would recommend using separate tenants for each company, and then using Azure B2B to simplify authentication between tenants. Each tenant would be able to keep administration separated and implement their own DLP and governance policies as necessary. Advanced Security Management could be used to provide oversight of admin actions. It may even make sense to have another tenant for the Holdings organization for the people that run that business.  Granted this would be more complicated, but, corporate structures like this are inherently complicated and should expect to incur additional costs when they have complex regulatory scenarios. 

Exchange in particular has a very robust RBAC support, which you can utilize to control access to almost all of the functionalities. Including building "geo-fencing" type of solutions. Some of the other workloads also have RBAC support, but in general if you are using the same tenant, you can expect that there always will be some functionality that can be (ab)used across the department/company/country boundary. Even if you had full control over things, the Global admins would still be able to revert/bypass those restrictions. At some point you will have to make a decision between being able to tightly control access and all the collaboration features you get by using the same tenant.

@Vasil Michevcan the RBAC feature of EXO be used to limit an admin to a specific email domain within a Tenant?

best response confirmed by Alexander Auras (Contributor)
Solution

Yes, you can create "management scopes" that limit the users/mailboxes which a particular admin can manage. You can also create "exclusive" scopes which prevent any other admins from touching the mailbox. It's a very robust model, and would be nice to see it expand to other workloads (for example the SCC now has some similar controls).

 

I couldnt find an article tailored for ExO , but this one should give you the idea behind management scopes: https://technet.microsoft.com/en-us/library/dd351083(v=exchg.150).aspx

Thanks, that is good to know and just reconfirms how little I know about the details of Exchange :).