Many Microsoft 365 enterprises rely upon a single, monolithic M365 environment. For very small organizations this is fine. However, larger enterprises with various departments, groups, locations – and often subsidiaries — would be better far served with Virtual Tenants.
What on earth is an M365 Virtual Tenant, you ask? It’s simple. You virtualize your tenant like you would an on-premises Microsoft environment with Active Directory Organizational Units (OU).
IT can take the entire organization served by Microsoft 365 and break it into logical groups, or sub-tenants, often based on Active Directory attributes. Once the organization is logically divided, regional admins can be assigned to the sub or Virtual Tenants. These Virtual Tenants can be based on geography, business unit, or even your company’s on-premises OU structure — stopping IT insider threats while boosting admin responsiveness.
Microsoft 365 and the Single Tenant Problem
In the world of Microsoft 365, most shops have a single tenant. If they acquire companies, they may have multiple tenants. Here they usually blend the multiple tenants back into a single environment to ease management, and promote collaboration and information sharing.
Having a single tenant creates a uniform ‘known’ environment, but comes with a host of issues. First, managing a single tenant that could have hundreds of thousands of users is immensely complex. Creating help and service desks for such a mass of users is likewise difficult, and these desks can become overwhelmed and non-responsive. Managing M365 licenses across a distributed massive environment is inefficient and expensive at best.
Security and the Virtual Tenant
With M365, Global Admin privileges are a security hole. If you have a single tenant with 300,000 users, an M365 admin can access data and settings from all 300,000 users. Every single M365 admin has that ability. If a hacker cracks an M365 admin’s credentials, they have that same power. Scary.
Management and the Virtual Tenant
The native M365 Admin Center has a centralized management model designed for a single tenant. That makes management more difficult, since admins are exposed to areas of the tenant they have no responsibility for. With CoreView, you can combine different tenants and segment your users into new groupings — Virtual Tenants — for more efficient management. Once you have those segments configured, you can grant a subset of actions to administrators who will ONLY be able to monitor and manage that subset of users.
One CoreView customer relies greatly on Virtual Tenants. “When we migrated, we made it a priority to make sure that if any of our libraries wanted their own email domain, they got it. Right now, we have 24 domains in the tenant. Since many of these domains are associated with a library, it was a simple thing to cut a virtual tenant based off that domain, and then assign administrative access for that domain and all the users under it to an IT administrator at the local library level,” said Tobin M. Cataldo, Executive Director Jefferson County Library Cooperative, Inc. Birmingham, Alabama.
The Tenant Virtualization Solution
As mentioned, the native M365 Admin Center is designed around a centralized management model for a single tenant. With the admin center provided by Microsoft, there is no easy way to merge different tenants, perhaps due to acquisition, from a management perspective so that administrators can monitor, report, and manage user accounts across multiple tenants.
The Pinnacle of M365 Virtual Tenants
Luckily, CoreView included Virtual Tenant, or tenant virtualization, in our O365 management software. This way, administrators can use single sign-on to monitor and manage their assigned user community, even though they might be deployed on different tenants.
With CoreView, IT can segment a single tenant into Virtual Tenants that might reflect a department, country, region, or even a single location. By breaking into smaller groups, you can restrict what users can see and act on, making it much easier to manage than having to tackle the entire organization in one bite.
“Using a simple, intuitive interface, CoreView lets IT segment the Microsoft 365 tenant in myriad ways — for example, by department, business unit, or location. This is what we call a ‘Virtual Tenant.’ After these groups are set up, IT can dive deeper, using CoreView’s deep RBAC capabilities to define specific permissions for administrators who then can only perform certain tasks — and only against a specific subset of users,” explained Michael Morrison, CEO of CoreView. “In essence, IT can take the entire organization served by Microsoft 365 and break it into logical groups, or sub-tenants, perhaps based on Active Directory attributes. Once the organization is logically divided, regional admins can be assigned to the sub or Virtual Tenants.”