How To Manage Multiple Microsoft Office 365 Tenants For MSP’s
MSP’s have to manage multiple Microsoft Office 365 accounts daily. Multiple engineers need admin level access at multiple times throughout the day.
How Can We Manage Multiple Accounts More Efficiently and More Securely?
Right now I imagine you crate a global administrator on each tenant and use a password management tool such as IT Glue so that engineers can access the credentials.
Engineers have to open an incognito window, login then manage the account. If you are doing your job properly you will also have MFA enabled which can be a nightmare because how do you allow MFA for multiple engineers?
Do you have one single mobile phone with the MFA app on it which is shared around the office?
Maybe you have MFA calling an office number but what about out of hours?
One solution is to use something like this Twilio SMS to Teams MFA setup. This works really well but is not the most efficient method and you may not use Teams or Slack so you cant implement something like this.
One Solution to Efficient and Secure Management
If you are a Microsoft partner then from your tenant each global admin has access to the partner section from the app menu.
Click on the Partner Menu.
From the partner menu you have access to the Customers Section
From the Customers section you will see a list of clients for which you have delegated administrator access to.
Click on a Client.
From here you can access all services associated to the client such as Azure AD, Office 365 and Exchange Online.
Click on the Devices section you can configure and apply AutoPilot profiles to laptop and desktop devices. Don’t know what AutoPilot is yet? Well its awesome and we are going to see more and more use of it to Automatically deploy a standard setup to a device including specific software and configuration settings. (Think Group Policy but for Microsoft 365)
Clicking on Users and licenses you can see a list of the clients in the tenant and create new users if required.
Going back to the service management section you can click directly into the clients tenant by clicking ‘Office 365’.
The system has automatically logged your account into the clients tenant as you. You now have global admin rights to the tenant and you didn’t have to enter any of the clients credentials to get access!
Using your partner status and delegated administrator rights to your clients tenants is a great way to manage them more efficiently and more securely.
- You don’t have to go hunting for the clients tenant credentials. You can access them from your own admin account.
- You don’t expose your clients admin credentials on devices they are accessed from (Keyloggers etc).
- Access is secure if you use your own global admin account using the new passwordless MFA technology. There are no credentials to expose and requires a fingerprint on your mobile device.