This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

ZTNA and Azure MultiTennant with Central

Hi,

we've a main company with multiple daughters. All are in the same AD. But in Azure every daughter has an own tennant (and needs it because of external branding) and each tennant provisioned by "Azure Active Directory Connect" .

We are also provisioning the daughters from the same Sophos Central (Intercept, Firewall).

ZTNA can only auth against Azure (We don't want to Octa!). In Sophos Central it's only possible to add one tennant.

So, the daughters wouldn't get the heartbeat for ZTNA.

Is there an solution for one AD with mulitple tennants?

Regards

Henry

This thread was automatically locked due to age.

Top Replies

LuCar Toni over 1 year ago in reply to Heinrich Metel +1

So - Essentially the question is: Can you get one app registration to be able to fetch the data of all azure account or not? This is something, which needs to be reviewed by a Microsoft Architect. Because…

Parents

0 LuCar Toni over 1 year ago

Do you have any kind of Relationship between those tenants? So are they in one subscription within Azure? Because you could give the APP registration the permission to query the entire Azure AD (cross tenant).

__________________________________________________________________________________________________________________
Cancel
Vote Up 0 Vote Down

Cancel
0 Heinrich Metel over 1 year ago in reply to LuCar Toni

Only a federation between the tennants.
Cancel
Vote Up 0 Vote Down

Cancel
0 LuCar Toni over 1 year ago in reply to Heinrich Metel

Currently you can only use one Azure AD Account per ZTNA Instance. So if there is no relationship between those accounts, we cannot use the other accounts.

BTW: I am not sure, if the approach of using one Central Account for all Companies is even the right approach for this construct. If they are separate instances and companies, mixing data between in one tenant within Central could be problematic (from a legal / data privacy perspective).

__________________________________________________________________________________________________________________
Cancel
Vote Up 0 Vote Down

Cancel
0 Heinrich Metel over 1 year ago in reply to LuCar Toni

I think "cross tenant" and federation (B2B) are in that case the same (https://learn.microsoft.com/en-us/azure/active-directory/external-identities/cross-tenant-access-overview). I have problems to stay tuned with the Microsoft wording .

So, it should be possible?

To btw: the people are often jumping between the daughters, depending on the project. They have to see them all. It would be the hell to manage it. That's the demand from the customer. We're seeing meanwhile that construction often used. An seperate IT (daughter or so), maintaining the company mesh.
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 Heinrich Metel over 1 year ago in reply to LuCar Toni

I think "cross tenant" and federation (B2B) are in that case the same (https://learn.microsoft.com/en-us/azure/active-directory/external-identities/cross-tenant-access-overview). I have problems to stay tuned with the Microsoft wording .

So, it should be possible?

To btw: the people are often jumping between the daughters, depending on the project. They have to see them all. It would be the hell to manage it. That's the demand from the customer. We're seeing meanwhile that construction often used. An seperate IT (daughter or so), maintaining the company mesh.
Cancel
Vote Up 0 Vote Down

Cancel

Children

0 LuCar Toni over 1 year ago in reply to Heinrich Metel

So - Essentially the question is: Can you get one app registration to be able to fetch the data of all azure account or not?

This is something, which needs to be reviewed by a Microsoft Architect. Because Sophos can only integrate one app registration per Central Account, the data needs to be accessible by this app registration.

Multi AAD support is currently not available.

__________________________________________________________________________________________________________________
Cancel
Vote Up +1 Vote Down

Cancel