So, it seems Microsoft is (finally) putting work into giving their partners the tools to manage customers at scale.
Azure Lighthouse
Last year at Microsoft Inspire, Azure Lighthouse was announced. This was a huge deal, as it made cross-tenant management in Azure easy. Well, not for everything in Azure though. It covers only the Azure Resource Manager API, i.e. the calls to management.azure.com, and no resource-provider-specific Azure endpoints. And of course no Azure AD and no Microsoft 365.
To clarify: as a CSP partner you could already manage customer Azure subscriptions cross-tenant, for example via the foreign principal that grants the Admin Agents group Owner rights on CSP subscriptions. With Azure Lighthouse, however, you can define granular access (per Azure RBAC role, per principal and per scope), and on all Azure subscription types, not just CSP ones.
PIM integration
This year at Inspire, Azure Lighthouse got an upgrade. Still in preview, but pretty awesome: it now supports Azure AD Privileged Identity Management (PIM), so a delegated authorization can be made eligible instead of permanent and the MSP user activates it just in time. Just the Azure roles part of course, not the Azure AD roles, as Azure Lighthouse only encompasses Azure and not Azure AD. All the users in the managing tenant using this feature do require an Azure AD Premium P2 license, as that is a prerequisite for using PIM.
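To make the two points above concrete, here is an Azure Lighthouse onboarding template written for this page (it is not code from the original post or from Microsoft). It shows that access is defined per Azure RBAC role and per principal, and that with the PIM integration an authorization can be eligible rather than permanent. The managing tenant ID and the principal IDs are placeholder GUIDs for groups assumed to exist in the MSP tenant; replace them. The role definition IDs are the built-in Azure roles Reader, Contributor and "Managed Services Registration assignment Delete Role" (the last one lets the MSP remove its own delegation later). The template is deployed by the customer at subscription scope.

```json
{
  "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "mspOfferName": {
      "type": "string",
      "defaultValue": "Example MSP - managed Azure subscription",
      "metadata": { "description": "Offer name the customer sees under Service providers in the portal." }
    },
    "managedByTenantId": {
      "type": "string",
      "defaultValue": "11111111-1111-1111-1111-111111111111",
      "metadata": { "description": "PLACEHOLDER: Azure AD tenant ID of the managing (MSP) tenant." }
    },
    "authorizations": {
      "type": "array",
      "defaultValue": [
        {
          "principalId": "22222222-2222-2222-2222-222222222222",
          "principalIdDisplayName": "MSP - Customer Readers (placeholder group)",
          "roleDefinitionId": "acdd72a7-3385-48ef-bd42-f606fba81ae7"
        },
        {
          "principalId": "22222222-2222-2222-2222-222222222222",
          "principalIdDisplayName": "MSP - Customer Readers (placeholder group)",
          "roleDefinitionId": "91c1777a-f3dc-4fae-b103-61d183457e46"
        }
      ],
      "metadata": { "description": "Permanent Azure RBAC assignments: Reader, plus the Managed Services Registration assignment Delete Role so the MSP can remove its own delegation." }
    },
    "eligibleAuthorizations": {
      "type": "array",
      "defaultValue": [
        {
          "principalId": "33333333-3333-3333-3333-333333333333",
          "principalIdDisplayName": "MSP - Customer Operators (placeholder group)",
          "roleDefinitionId": "b24988ac-6180-42a0-ab88-20f7382dd24c",
          "justInTimeAccessPolicy": {
            "multiFactorAuthProvider": "Azure",
            "maximumActivationDuration": "PT8H",
            "managedByTenantApprovers": [
              {
                "principalId": "44444444-4444-4444-4444-444444444444",
                "principalIdDisplayName": "MSP - Delegation Approvers (placeholder group)"
              }
            ]
          }
        }
      ],
      "metadata": { "description": "PIM eligible assignments: Contributor has to be activated (MFA, at most 8 hours, with approval) instead of being held permanently." }
    }
  },
  "variables": {
    "mspRegistrationName": "[guid(parameters('mspOfferName'))]",
    "mspAssignmentName": "[guid(parameters('mspOfferName'))]"
  },
  "resources": [
    {
      "type": "Microsoft.ManagedServices/registrationDefinitions",
      "apiVersion": "2020-02-01-preview",
      "name": "[variables('mspRegistrationName')]",
      "properties": {
        "registrationDefinitionName": "[parameters('mspOfferName')]",
        "description": "Reader always on, Contributor only via PIM activation",
        "managedByTenantId": "[parameters('managedByTenantId')]",
        "authorizations": "[parameters('authorizations')]",
        "eligibleAuthorizations": "[parameters('eligibleAuthorizations')]"
      }
    },
    {
      "type": "Microsoft.ManagedServices/registrationAssignments",
      "apiVersion": "2020-02-01-preview",
      "name": "[variables('mspAssignmentName')]",
      "dependsOn": [
        "[resourceId('Microsoft.ManagedServices/registrationDefinitions', variables('mspRegistrationName'))]"
      ],
      "properties": {
        "registrationDefinitionId": "[resourceId('Microsoft.ManagedServices/registrationDefinitions', variables('mspRegistrationName'))]"
      }
    }
  ]
}
```

The customer runs this as a subscription-level deployment (for example with New-AzSubscriptionDeployment and a location plus this template file) while signed in to their own tenant; the registration assignment is what actually hands the subscription to the managing tenant. Two caveats worth checking before deploying: every roleDefinitionId here is an Azure RBAC role, so an Azure AD role such as Global Administrator cannot be expressed in a delegation at all, which is exactly the Azure-only limitation discussed above; and the eligibleAuthorizations block only works with the preview API version shown and, as noted, only for users who hold an Azure AD Premium P2 license in the managing tenant. Drop managedByTenantApprovers if activation without approval is acceptable.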
Microsoft 365 joins the party
It wasn't all that clear (I almost missed it myself), but at the same Inspire 2020 event there was this video about Microsoft 365 admin multi-tenant investments, the first public announcement since the post about the tenant switcher. This is huge! No private browser sessions or browser profiles anymore. The All Tenants page also gives you an overview of all your tenants, with for example license info, service health and service requests. It's a multi-tenant dashboard! As mentioned in the video, from June on the experience works not only for Partner of Record (which basically means accounts in the admin agents security group in a Microsoft partner's tenant, with Delegated Admin Privileges) but for B2B (guest) accounts too. It still means you have to be either an admin agent or hold a guest account in the customer tenant to use this feature.
At this year's Ignite there is a new video!
And now, some new features were officially announced: Tenant Lists.
Microsoft 365 Lighthouse
At the last Microsoft Ignite, another multi-tenant experience was announced, called Microsoft 365 Lighthouse for Managed Service Providers (MSPs). Microsoft is focusing this on the SMB segment, whereas the other multi-tenant experience is not. Features include Device Compliance, Threat Management and User Access Management, so it is clearly more of a security and compliance overview of your customers, just like the first features within Azure Lighthouse.
Managed Service Providers
As an MSP these tools really come in handy. A lot of Microsoft Partners have built their own solution to make sure their admins have the correct permissions in their customers' environments. Or they simply have lots of admins in the admin agents group. To clarify: this group gives Global Administrator access to all the CSP customers of the partner, using what is called Admin On Behalf Of (AOBO) by means of Delegated Admin Privileges. This potentially gives a single admin full control over hundreds or even thousands of customer tenants, which is, to say the least, concerning. As attackers caught on to this, Microsoft tightened security by requiring MFA for all accounts in partner tenants that use the CSP program; otherwise the admin agents lose the ability to sign in to customer tenants, and the partner may lose the ability to transact in CSP at all.
Verdict
While all these efforts to use the Microsoft 365 admin portal for multiple customers are great, as long as the admin agents group and the helpdesk agents group are the only groups giving access to (all) customer tenants through Delegated Admin Privileges, the scope is simply too big to hand out these permissions. If you could scope it to sets of customers, or to sets of workloads (Intune / Exchange), that would already help tremendously. The multi-tenant experience does look promising!
If you pay close attention to this video at 6:47, Microsoft admits that this lack of granularity is a problem for partners and says they are working on it.
As stated in some of the videos, you can use B2B accounts to give access to customer tenants and still use the multi-tenant options. Because a guest account only ever grants access to the one tenant it was invited into, this gives partners a way to work with a smaller scope in the meantime.