Marvin-1605 asked stan commented

Azure CSP Management Tenant strategy

Hi,

I'm working for an MSP that has two Microsoft tenants: one company tenant (M365, our own company Azure resources, ...) and one CSP tenant (used to manage customers).

We are currently implementing Azure Lighthouse to manage our customers to get rid of guest accounts and directory switching into customer tenants.
The current strategy is to use the CSP tenant as a management environment for all Azure resources, customers as well as our own company resources. Therefore, every employee who has to manage Azure gets an additional user in this CSP tenant.

I'm sceptical whether this is the right decision, because it leads to increased management effort: we need to manage an additional tenant and additional users, which also incur additional license costs.
Our governance team decided to separate it for security reasons.

My question is whether it is a common approach for CSPs to separate their own company tenant from the CSP management tenant, OR should a CSP use its company tenant both for internal workloads and for managing customers?

Is there any guidance or recommendation regarding this question?

BR

Tags: azure-ad-tenant, azure-lighthouse

stan answered

Hi,
This is a common scenario and, as you mentioned, it is done for security reasons. You have already mentioned the downsides of managing a separate tenant with its users and licenses. Nothing more can be said besides that you either accept the management overhead and license costs and have somewhat better security, or go with the simpler approach of one tenant and lower security compared to the two-tenant approach.

Please "Accept the answer" if the information helped you. This will help us and others in the community as well.


Marvin-1605 answered stan commented

Hi Stan,

Thanks for your quick and helpful answer!
I'm happy to hear we are on the right path with a legitimate approach.

So, based on my description above, this is what the current setup/plan looks like.

I first thought about cutting the Lighthouse delegation from the CSP tenant to the company tenant and using the company tenant instead to manage the internal workloads.
But if a company user gets compromised through phishing, the attacker is able to access them.

Any thoughts on the plan to use the CSP tenant also for company workload management?

[Image attachment: 198921-tenant-architecture.png (tenant architecture diagram)]

stan commented:

Unfortunately, this is where it becomes more complex. CSP has a service called CSP Shared Services, where you create a special tenant (similar to your customer tenants) but with different subscription offers. This is basically a third tenant for your organization. You can use that tenant for hosting your internal workloads. Unfortunately, that means managing another tenant. Besides that, if you have some resource that cannot use external AAD for authentication, you will not be able to use your company tenant AAD users. If you decide not to use Shared Services, you can go with PAYG subscriptions under your company tenant or CSP tenant. Of course, you will need a credit card and pay for those subscriptions with it.
