
ZTNA and Azure Multi-Tenant with Central

Hi,

We have a main company with multiple daughters. All are in the same AD. But in Azure every daughter has its own tenant (and needs it because of external branding), and each tenant is provisioned by "Azure Active Directory Connect".

We are also provisioning the daughters from the same Sophos Central (Intercept, Firewall).

ZTNA can only auth against Azure (we don't want Okta!). In Sophos Central it's only possible to add one tenant.

So, the daughters wouldn't get the heartbeat for ZTNA.

Is there a solution for one AD with multiple tenants?

Regards

Henry

  • Do you have any kind of relationship between those tenants? So are they in one subscription within Azure? Because you could give the app registration the permission to query the entire Azure AD (cross tenant).

  • Only a federation between the tenants.

  • Currently you can only use one Azure AD account per ZTNA instance. So if there is no relationship between those accounts, we cannot use the other accounts.

    BTW: I am not sure if the approach of using one Central account for all companies is even the right approach for this construct. If they are separate instances and companies, mixing their data in one tenant within Central could be problematic (from a legal / data privacy perspective).

  • I think "cross tenant" and federation (B2B) are in that case the same (https://learn.microsoft.com/en-us/azure/active-directory/external-identities/cross-tenant-access-overview). I have trouble keeping up with the Microsoft wording :)

    So, it should be possible?

    Regarding the BTW: the people are often jumping between the daughters, depending on the project. They have to see them all. It would be hell to manage it. That's the demand from the customer. Meanwhile we're seeing that construction used often: a separate IT (a daughter or similar) maintaining the company mesh.

  • So, essentially the question is: can you get one app registration to fetch the data of all Azure accounts or not?

    This is something which needs to be reviewed by a Microsoft architect. Because Sophos can only integrate one app registration per Central account, the data needs to be accessible by this app registration.

    Multi AAD support is currently not available.  