Monday, October 24, 2022

This article draws on the Microsoft 365 for enterprise tenant guidance, which covers tenant models, optimal networking, identity, migration, and device and app management.

A tenant is normally referred to by its tenant ID, but a deployment can also refer to its tenants by host name. In that case a tenant-specific sub-domain is set up, and the tenant host name, for example mytenant.myservice.com, must be registered as an alternative identifier in the tenant configuration. Once host names are registered as alternative IDs, a URL can identify a tenant either by its tenant ID or by its host name.
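The following is an added example, not code from the original post or from Microsoft. It resolves a request URL to a canonical tenant ID under the two forms just described: the tenant ID carried in the path, or a registered alternative host name. The service domain myservice.com, the path layout /tenants/<id>/, and the tenant table are assumptions constructed for the example. The defensive point is that a sub-domain is only accepted as a tenant identifier if it was registered as an alternative ID; an unregistered host name is refused rather than guessed.

```python
import re
from typing import Optional
from urllib.parse import urlsplit

# Constructed sample tenant configuration (not real tenants): each tenant has a
# canonical tenant ID (GUID) and, optionally, alternative host names registered
# as alternative identifiers.
TENANTS = {
    "11111111-2222-3333-4444-555555555555": {
        "name": "mytenant",
        "alternative_hosts": {"mytenant.myservice.com"},
    },
    "66666666-7777-8888-9999-000000000000": {
        "name": "othertenant",
        "alternative_hosts": set(),  # nothing registered: reachable by tenant ID only
    },
}

SERVICE_HOST = "myservice.com"  # assumed base domain of the service
GUID_RE = re.compile(
    r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$"
)

# Reverse index: registered alternative host name -> tenant ID
HOST_TO_TENANT = {
    host: tid
    for tid, cfg in TENANTS.items()
    for host in cfg["alternative_hosts"]
}


def resolve_tenant(url: str) -> Optional[str]:
    """Return the canonical tenant ID named by a URL, or None if the URL does
    not identify a registered tenant. Two forms are accepted:
      1. https://myservice.com/tenants/<tenant-id>/...   (tenant ID in the path)
      2. https://<registered-alternative-host>/...        (tenant host name)
    """
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()

    # Form 1: tenant ID in the path on the service's own base host
    if host == SERVICE_HOST:
        m = re.match(r"^/tenants/([^/]+)", parts.path)
        if not m:
            return None
        tid = m.group(1).lower()
        # The ID must be well-formed and must exist; a malformed ID is never
        # passed further down the stack.
        return tid if GUID_RE.match(tid) and tid in TENANTS else None

    # Form 2: tenant-specific sub-domain, accepted only if it was registered as
    # an alternative ID. Any other host name resolves to no tenant at all.
    return HOST_TO_TENANT.get(host)
```

Host names are compared case-insensitively because DNS names are, while the tenant table is keyed on lowercase GUIDs so that a mixed-case ID in the path still matches.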

Optimal networking involves optimizing the path between on-premises users and the closest entry point to the Microsoft Global Network, optimizing access for remote users over VPN, using network insights to design the network perimeter for office locations, optimizing access to specific assets hosted on SharePoint sites with the Office 365 CDN, and configuring proxy and network edge devices to bypass processing for trusted Microsoft 365 traffic using an allowed list of endpoints.
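As an added example of the last point (not code from the original post or from Microsoft), the function below decides whether a request should bypass proxy inspection based on an allowed list of endpoints grouped into the Optimize, Allow and Default categories, with Optimize and Allow traffic bypassed and everything else inspected. The endpoint entries, host patterns and port sets here are a constructed sample that only illustrates the shape of such a list; a real deployment takes the authoritative list from Microsoft's published endpoint data. Note how a wildcard such as *.sharepoint.com matches sub-domains only, so a look-alike host that merely contains the name is not bypassed, and how a non-standard port drops the request back to inspection.

```python
from typing import Optional, Tuple
from urllib.parse import urlsplit

# Constructed sample allowed list (illustrative shape only, not Microsoft's data).
ALLOWED_ENDPOINTS = [
    {"category": "Optimize",
     "urls": ["outlook.office365.com", "*.sharepoint.com"],
     "ports": {443}},
    {"category": "Allow",
     "urls": ["login.microsoftonline.com", "*.officeapps.live.com"],
     "ports": {80, 443}},
    {"category": "Default",
     "urls": ["*.microsoft.com"],
     "ports": {80, 443}},
]

# Categories whose traffic the proxy/edge device should pass through untouched.
BYPASS_CATEGORIES = {"Optimize", "Allow"}


def host_matches(host: str, pattern: str) -> bool:
    """Match a host against an exact FQDN or a leading '*.' wildcard.
    '*.sharepoint.com' matches 'contoso.sharepoint.com' but neither
    'sharepoint.com' itself nor 'contoso.sharepoint.com.evil.example'."""
    host, pattern = host.lower(), pattern.lower()
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])  # keep the leading dot in the suffix
    return host == pattern


def classify(url: str) -> Tuple[str, Optional[str]]:
    """Return ('bypass', category) or ('inspect', category-or-None) for a URL.
    The port must also be one the allowed list names for that endpoint."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    port = parts.port or (443 if parts.scheme == "https" else 80)
    for entry in ALLOWED_ENDPOINTS:
        if port in entry["ports"] and any(host_matches(host, p) for p in entry["urls"]):
            action = "bypass" if entry["category"] in BYPASS_CATEGORIES else "inspect"
            return action, entry["category"]
    return "inspect", None
```

The same matcher can back a PAC file or a proxy exception list; the important property for the allowed list is that it be generated from the published endpoint data and refreshed when that data changes, not hand-maintained.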

Optimal networking is only the first step in tenant management.  Identity Management is the next step. 

The identity infrastructure must be configured correctly; this is vital to managing Microsoft 365 user access and permissions for an organization.

There are two identity models: the cloud-only model and the hybrid model. In the cloud-only model, user accounts exist only in the Azure AD tenant for the Microsoft 365 tenant. In the hybrid model, user accounts exist both in on-premises Active Directory Domain Services and in the Azure AD tenant.

The hybrid identity model with directory synchronization is the most common choice for enterprise customers adopting Microsoft 365. There are two types of authentication in the hybrid identity model: managed authentication and federated authentication.

With managed authentication, Azure AD handles the authentication process itself, either by using a locally stored hashed version of the password or by sending the credentials to on-premises Active Directory Domain Services. With federated authentication, Azure AD redirects the client computer requesting authentication to another identity provider.


Strong sign-in is another requirement for multitenant applications. It is enforced by capabilities such as Windows Hello for Business, which replaces passwords with strong two-factor authentication; Azure AD Password Protection, which detects and blocks known weak passwords and their variants; MFA, which requires user sign-ins to pass another verification beyond the user account password; and identity and device access configurations, that is, the settings and policies, including Conditional Access, Intune, and Azure AD Identity Protection policies, that protect against credential compromise.

Determining which identity model to use and how to enforce strong user and device access is critical to identity management for tenants. Beyond that, only ongoing maintenance might be required: adding or modifying user accounts and groups, and adding or modifying the identity and device access configuration to enforce sign-in security requirements.

Enterprises can manage devices and the apps used on those devices with the help of Microsoft 365 Mobile Device Management (MDM) and Mobile Application Management (MAM). There are two options for device management: Microsoft Intune, which is a comprehensive device and app management solution for enterprises, and Basic Mobility and Security, which is a subset of the Intune services. Intune helps with both MDM and MAM. MDM is used when users enroll their device into Intune. After a device is enrolled, it is a managed device and can receive the organization's policies, rules and settings. MAM helps to protect the organizational applications and their data by isolating them from the user's personal profile on the device and requiring strong sign-ins.

A set of configurations is still required on top of MDM and MAM to ensure a secure and productive workforce. This includes Azure AD Conditional Access policies, Microsoft Intune device compliance and app protection policies, Azure AD Identity Protection user risk policies, and additional policies for cloud applications. As with identity management, device and app management also involves maintenance: managing device enrollment, and revising settings and policies for additional applications, devices and security requirements.
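The strong sign-in controls above (Conditional Access, Intune compliance and app protection, Identity Protection user risk) are all evaluated at sign-in time against the state of the user and device. The following is an added example, not code from the original post and not Azure AD's policy engine; it is a simplified model of that evaluation that a security engineer can use to reason about how the pieces combine. The sign-in fields, policy names, app names and risk levels are constructed for the example. It shows the precedence a defender cares about: a block policy (here, high user risk) wins outright, and every grant control from every policy that applies to the app must be satisfied before access is granted, with the unmet controls reported so the outcome can be explained.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple


@dataclass
class SignIn:
    """State of a sign-in as seen by the policy evaluation (constructed model)."""
    user: str
    app: str
    device_enrolled: bool      # MDM: device enrolled in Intune
    device_compliant: bool     # Intune device compliance policy result
    mfa_completed: bool        # second factor already satisfied this session
    user_risk: str             # Identity Protection: "none", "low", "medium", "high"
    app_protected: bool        # MAM: app protection policy applied to the client app


@dataclass
class Policy:
    """A Conditional Access style policy (constructed model)."""
    name: str
    applies_to_apps: FrozenSet[str]          # app names, or {"all"}
    require_mfa: bool = False
    require_compliant_device: bool = False
    require_app_protection: bool = False
    block_user_risk_at_or_above: Optional[str] = None


RISK_ORDER = ["none", "low", "medium", "high"]

# Constructed sample policy set, roughly mirroring the controls named in the text.
POLICIES = [
    Policy("Block high-risk users", frozenset({"all"}), block_user_risk_at_or_above="high"),
    Policy("Require MFA for all cloud apps", frozenset({"all"}), require_mfa=True),
    Policy("Require compliant device for Exchange and SharePoint",
           frozenset({"exchange", "sharepoint"}), require_compliant_device=True),
    Policy("Require app protection for Outlook mobile",
           frozenset({"outlook-mobile"}), require_app_protection=True),
]


def evaluate(signin: SignIn, policies: List[Policy]) -> Tuple[str, List[str]]:
    """Return ('block' | 'controls_required' | 'grant', reasons).

    A block from any applicable policy ends evaluation immediately. Otherwise the
    grant controls of all applicable policies are collected; access is granted
    only when none is unmet, and the unmet ones are returned for explanation."""
    unmet: List[str] = []
    for p in policies:
        if "all" not in p.applies_to_apps and signin.app not in p.applies_to_apps:
            continue  # policy is scoped to other apps
        if p.block_user_risk_at_or_above is not None and (
            RISK_ORDER.index(signin.user_risk)
            >= RISK_ORDER.index(p.block_user_risk_at_or_above)
        ):
            return "block", [f"{p.name}: user risk {signin.user_risk}"]
        if p.require_mfa and not signin.mfa_completed:
            unmet.append(f"{p.name}: mfa")
        # A device only counts as compliant if it is enrolled and passes compliance.
        if p.require_compliant_device and not (signin.device_enrolled and signin.device_compliant):
            unmet.append(f"{p.name}: compliant device")
        if p.require_app_protection and not signin.app_protected:
            unmet.append(f"{p.name}: app protection")
    if unmet:
        return "controls_required", unmet
    return "grant", []
```

Because the policies are data, the same evaluator can be fed a proposed policy change together with a set of representative sign-ins to check, before rollout, which users would be blocked or prompted; that is the kind of ongoing maintenance the text refers to.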
