This section continues the description of enterprise tenant management, using Microsoft 365 as the example.
Optimal networking involves optimizing the path between on-premises users and the closest entry point to the Microsoft Global Network, optimizing access for remote users over VPN, using network insights to design the network perimeter for office locations, optimizing access to specific assets hosted on SharePoint sites with the Office 365 CDN, and configuring proxy and network edge devices to bypass processing for Microsoft 365 trusted traffic using an allowed list of endpoints.
Network design tries to minimize latency by reducing the round-trip time between clients and the network. Some networks, such as the Azure backbone network, offer much lower latencies than the public internet. When the Front Doors are placed on the internet and the tenant is placed in the Microsoft Global Network, the path and the access are optimized. Routing over the network must also be followed up with proper identification of Microsoft 365 network traffic, allowing local egress of that traffic to the internet from each location, bypassing proxies and packet inspection devices for that traffic, and avoiding network hairpins.
As with all networks, some ongoing maintenance is required to keep networking optimal. This might include updating edge devices and deployed PAC files when endpoints change (or verifying that the automated process for this works correctly), managing assets in the CDN, and updating the split-tunnel configuration in the VPN clients when endpoints change.
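As an added example, not code from the original post, here is a minimal PAC file of the kind the maintenance step above refers to: hosts on the Microsoft 365 allowed list go DIRECT (local egress, no proxy inspection) and every other destination goes through the corporate proxy. The proxy address and the endpoint patterns are constructed sample values; a real deployment generates the list from Microsoft's published endpoint data and redeploys the PAC whenever that data changes.

```javascript
// Added example (not from the original post): PAC logic that bypasses the
// proxy only for allow-listed Microsoft 365 hosts and sends everything else
// through the corporate proxy for inspection.
var PROXY = "PROXY proxy.corp.example:8080"; // hypothetical corporate proxy
var DIRECT = "DIRECT";

// Sample allow-list of Microsoft 365 host patterns (constructed for this
// example; in production this is generated from the published endpoint data).
var M365_DIRECT_HOSTS = [
  "outlook.office365.com",
  "*.sharepoint.com",
  "*.teams.microsoft.com",
  "login.microsoftonline.com"
];

// PAC engines provide shExpMatch() natively; this fallback only takes effect
// outside a PAC engine (e.g. when exercising the file in Node).
if (typeof shExpMatch === "undefined") {
  var shExpMatch = function (str, pattern) {
    // Escape regex metacharacters, then map shell wildcards to regex.
    var re = "^" + pattern.replace(/[.+^${}()|[\]\\]/g, "\\$&")
                          .replace(/\*/g, ".*")
                          .replace(/\?/g, ".") + "$";
    return new RegExp(re, "i").test(str);
  };
}

// True only when the host matches an allow-listed pattern exactly; a
// lookalike such as evil-sharepoint.com or a host that merely starts with
// an allowed name must NOT bypass inspection.
function isM365Host(host) {
  var h = String(host).toLowerCase();
  for (var i = 0; i < M365_DIRECT_HOSTS.length; i++) {
    if (shExpMatch(h, M365_DIRECT_HOSTS[i])) return true;
  }
  return false;
}

// Standard PAC entry point: the browser calls this for every request.
function FindProxyForURL(url, host) {
  if (isM365Host(host)) return DIRECT; // trusted M365 traffic: local egress
  return PROXY;                        // everything else stays inspected
}
```

Because the bypass decision is made on the hostname alone, the allow-list should contain only the published Microsoft 365 endpoints, and the PAC needs to be redeployed when that list changes, which is exactly the maintenance the paragraph describes.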
Optimal networking is only the first step in tenant management. Identity management is the next step.
The identity infrastructure must be configured correctly; this is vital to managing Microsoft 365 user access and permissions for an organization.
There are two identity models: the cloud-only model and the hybrid model. In a cloud-only model, user accounts exist only in the Azure AD tenant for the Microsoft 365 tenant. In the hybrid model, user accounts exist both in the on-premises Active Directory Domain Services domain and in the Azure AD tenant.
The hybrid identity model with directory synchronization is the most common choice for enterprise customers adopting Microsoft 365. There are two types of authentication when using the hybrid identity model: managed authentication and federated authentication.
With managed authentication, Azure AD handles the authentication process itself, either by using a locally stored hashed version of the password or by sending the credentials to the on-premises Active Directory Domain Services for validation. With federated authentication, Azure AD redirects the client computer requesting authentication to another identity provider.