Office 365 Single Tenant vs Multiple Tenants, what is the best option for you and why?
I recently was involved in a scenario with a customer that had to choose between having multiple Office 365 tenants or just a single tenant. This post will talk about some of the technical considerations that you will have to ask yourself if you are considering choosing between a single or a multi-tenant approach and the impacts that this decision has on the end user experience.
Introduction
The decision to go with multiple tenants for your organization should not be taken lightly since it has a LOT of implications for the end user experience. I will discuss the end user experience implications in greater detail below but let me be clear: you should choose to use a single Office 365 tenant for your organization if you can.
Common Scenarios for Multiple Tenants
There are a few scenarios that organizations may feel that the best or even the only option is to go with multiple tenants. Here are some of the most common scenarios:
- Our organization is composed of several divisions worldwide and each division must have its data stored in different geographies
- We must provide complete autonomy of administrative control for each division within the organization
- We want to avoid network latency problems with Office 365 workloads (Ex: Exchange Online, SharePoint Online, Teams)
- One of our divisions may one day leave the organization and we want to ensure that if this happens, data is properly isolated
- The organization has multiple Office 365 licensing providers from different geographies
Going with multiple tenants is a possible way to solve the problems above but there are almost always alternative solutions. Recently, Multi-Geo capabilities were announced that allow organizations to split their data residency across different geographies without the need to have multiple tenants. To learn more about Multi-Geo Capabilities in Office 365, click here.
Important Technical Questions To Consider
Domains
One fairly common mistake that many organizations can make is to think that because they have multiple DNS domains, they need to have multiple Office 365 tenants. This is NOT true and you can have multiple domains in a single tenant (you can have up to 5000 domains in a single Office 365 tenant, more details here).
Identity
In Office 365, users will authenticate to every workload using their identity, typically in one of the following scenarios:
- An Azure Active Directory account synchronized with your local Active Directory environment (recommended scenario for most organizations)
- A Cloud Only Account (if your organization doesn’t have a local Active Directory or some users will only need to access Office 365 and Cloud resources)
Azure Active Directory
If you need to sync your local Active Directory with Azure Active Directory, there are a few considerations you have to take into account:
- An Azure Active Directory tenant is associated to a single Office 365 tenant
- Each user is unique in Azure Active Directory and you cannot synchronize the same user into multiple tenants. This has a very important implication: each user is a member of a single tenant and is considered a Guest user in any other tenant
- If you have multiple tenants, each DNS domain can only be registered in a single tenant
- If you have several local Active Directory forests and you want to sync all forests into a single tenant, you can only have one Azure AD Connect instance that will have to have access to all the local AD forests. To learn more about the Azure AD Connect supported topologies, click here
Tenant Migration
If you are in a case where there are already several tenants in your organization and you want to migrate users and Office 365 workloads into a single tenant, it is important to evaluate which workloads are already being used. The easiest migration path is if the only workload in use is email and the more workloads in use, the harder the migration will be.
If you are still evaluating whether to go for a single tenant or multiple tenants, read on.
User Experience
One of the most important things to consider before deciding between a single or multiple tenants is the end user experience. Next, I will discuss in greater detail, what the end user experience will be like in each of the two scenarios.
Single Tenant
This is what the end user experience will look like if you go with a single Office 365 tenant:
- All users are treated as from the same company
- Single point of access for all collaboration (single Intranet Portal for collaboration), users will only have to access one URL, making it easier for users to find the information they are looking for
- Better user experience overall
- Seamless sharing experience
- Sharing Office 365 groups can be done directly from SharePoint
- SharePoint Search will return results for all information in the organization that each user has access to and the new intelligent/modern search recommendations will have a full experience on all the organization’s content, making it easier for users to find the information they are looking for
- Term Store can be used across the whole organization
- Users will access their OneDrive for Business site from any location in the tenant
- Users will access their user profile from any location in the tenant
- Using services like Flow, PowerApps, PowerBI, Stream, and Forms will be much easier:
  - PowerApps applications are all in one tenant and can be shared with all users in the organization without restrictions (Ex: Vacation Request App to allow all users in the organization to schedule their vacations)
  - Flows can be used by all users in the organization
  - Forms can be responded to by all users in the organization
- Full Microsoft Teams Experience (no need to switch between tenants). This is what the Microsoft Teams experience will look like with a single tenant:
  - Users do not have to switch between tenants in Teams and can talk to everyone in their organization
  - Users are notified of new conversations (or conversation replies) they have with anyone inside their organization
  - Presence of users in Teams is consistent (there is only one tenant and users are always connected to the same tenant)
  - You can talk to anyone in the organization in Teams and you can easily find anyone in the organization in the Teams search bar
- Full Experience in Office 365 Groups
- A single tenant already supports Multiple Geographies (for Exchange, OneDrive and SharePoint). To know more about Multi-Geo Capabilities in Office 365, click here
- Shared mailboxes may include users from different domains as all users are in the same tenant
- Sync offline any document library in any SharePoint site in the tenant using the same identity
- Office 365 App Launcher will appear for all users since they are always using the tenant they belong to
Multiple Tenants
This is what the end user experience will look like if you go with multiple Office 365 tenants:
- Users from other tenants are treated as Guests (limited user experience)
- Several points of access for collaboration (several Intranet Portals for collaboration), users will have to access several different URLs, making it harder for users to find the information they are looking for
- Delve is limited to one Office 365 tenant and users will not be able to collaborate using Delve with users from other tenants
- Shared mailboxes cannot include users from different tenants
- Across Office 365 tenants, external Out of Office replies will be used. The internal Out of Office replies will only work for users within the same tenant
- Guest users cannot be pre-authorized on SharePoint content; they need to follow the invitation workflow on a case-by-case basis through an email invitation. External Access will also need to be enabled in the tenant
- Adding external users to an Office 365 group must be done from Outlook Web App (confusing for users, since they have two places to share an Office 365 group: SharePoint for internal users, Outlook Web App for external users)
- SharePoint Search and Term Store are bound to a single tenant. Users will have to search in multiple tenants, making it harder for users to find the information they are looking for
- Microsoft Search does not work across tenants, and the new intelligent/modern search recommendations will not be nearly as helpful as they could be
- Users will only be able to access their OneDrive for Business site from the tenant they belong to
- Users will only be able to access their user profile from the tenant they belong to
- Trying to use services like Flow, PowerApps, PowerBI, Stream, and Forms will be much harder:
  - PowerApps only supports users from one tenant. For example, a Vacation Request App can only be used by users in one tenant (or the app should be installed in all tenants and the data gathered for the whole organization would have to be merged)
  - Flow can only be used by users in one tenant
  - Forms can only be answered by users in the same tenant. If we want to share the form with other tenants, the form must be public, which allows users from any organization or an anonymous user to respond
- Users can’t sync offline document libraries from multiple tenants using OneDrive for Business with the same identity (there is a user voice request to enable this feature)
- Limited Teams Experience (users from one tenant need to switch between tenants to talk with users from another tenant). This is what the Microsoft Teams experience will look like with multiple tenants:
  - Users have to switch between tenants in Teams to talk to people from another tenant
  - Users are not notified of conversations of other tenants in which they are Guests when connected to another tenant (e.g., the tenant to which they belong)
  - Only when there is a direct mention to the team, users are notified of other tenant’s conversations in the upper right corner of Teams
  - Users, when connected to another tenant as Guests, are only notified of their tenant’s conversations in the upper right corner of Teams
  - The names of users when connected as Guests to other tenants appear with suffix “(Guest)”
  - Presence of users in Teams is not consistent, and the indication of presence is only correct in the tenant to which the user belongs. Example:
    - User as Guest appears as Offline
    - User in the tenant they belong to appears as Busy
  - By default, it is only possible to talk with people of the same tenant at the same time. If we want to talk to people from other tenants, we have the following possibilities:
    - We have to switch tenants in Teams and we can no longer talk to people in our tenant
    - We add the person as guest in our tenant in one of the teams to which we also belong
  - There are several Teams features limitations for Guest users (see the table below)
- Limited Experience in Office 365 Groups (see table below)
- Office 365 App Launcher will only be displayed for users when they access the tenant they belong to. When they access other tenants, the App Launcher will not be displayed, making it a confusing experience for the user
Conclusion
The analysis above takes into consideration the current features in Office 365 and things may change in the future. Despite the changes that may occur in the future, the user experience with multiple tenants will always be limited in comparison with the end user experience with a single tenant.
If your organization needs to collaborate without barriers and have a richer collaboration experience, a single tenant scenario is your best option.
You may go for multiple tenants but in the way I see it, this should only be an option if technically there is no other option.
One of the strongest arguments in favor of a multi-tenant scenario is the case of organizations that are composed of multiple divisions or companies (ex: hotel chain with multiple hotel units) where one of the companies may leave the organization. Even in this case, the decision to go for multiple tenants should be carefully evaluated since the degree of separation that this solution imposes within the organization and the limitations on the collaboration experience are very significant and should not be overlooked. No doubt that if, in the scenario above, a company leaves an organization that has a single Office 365 tenant, migrating users and Office 365 workloads will be harder, but should this alone make organizations go for multiple tenants, sacrificing the collaboration experience? I would love to hear your thoughts on this subject and feel free to leave your opinion in the comments section of this post below.
Happy SharePointing!
Thanks so much for this! I have a question. My company is part owner of another company that has its own tenant. This company must see my company’s employee handbook, learning sites and more, but they only need reading rights. What is the best solution for this? We really don’t want to pay for double licensing for this other company.
Take a look at B2B and especially Azure AD B2B. Take a look at:
https://docs.microsoft.com/en-us/office365/enterprise/office-365-inter-tenant-collaboration
https://docs.microsoft.com/en-us/azure/active-directory/b2b/what-is-b2b
https://channel9.msdn.com/Series/Azure-AD-Identity/AzureADB2B
If I understand your scenario, the two companies are two separate companies and your company owns part of the second company. If your company was a holding company, holding the second company and the two companies were collaborating at all levels all the time as if they were from the same company, I would say for you to merge the two tenants and migrate both content and users into the holding company’s tenant.
Since I believe that is not the case, I would keep the two tenants and try to improve the collaboration experience between them, and B2B and especially Azure AD B2B seems a good option although personally I haven’t tried it yet.
Hi Miguel,
Thanks for the nice write-up.
We are in the higher-ed industry. Students/faculty/staff are considered as three different entities. We want to minimize the security risks to staff or faculty when student accounts are compromised. So naturally, it will be secure to have multi-tenants. In terms of security, do you have any thoughts on the pros and cons of these two configurations: single versus multi-tenants?
Hello Y. Dong,
In terms of security, no doubt that having multiple tenants will be more secure since each tenant provides a degree of isolation (it is one of its primary goals in a multi-tenant: to provide each tenant with a level of isolation that ensures that despite all tenants that use Office 365 use the same platform, they have a security barrier that is the tenant itself).
In a single tenant scenario, there is still a lot you can do: security in Office 365 is a huge topic! If you want to take a sneak peek of its security features take a look at https://blogit.create.pt////miguelisidoro/2017/04/01/intelligent-security-in-office-365/. This post is 2 years old and a lot has happened since then. Take a look at https://blogit.create.pt////miguelisidoro/2018/11/21/whats-new-for-sharepoint-and-office-365-after-microsoft-ignite-2018/, https://blogit.create.pt////miguelisidoro/2019/06/05/whats-new-for-sharepoint-and-office-365-from-sharepoint-conference-2019-part-1/ and https://blogit.create.pt////miguelisidoro/2019/06/05/whats-new-for-sharepoint-and-office-365-from-sharepoint-conference-2019-part-2/ to see the most recent announcements around security which once again is a huge topic! Things like Data Loss Prevention (DLP), Office 365 Unified Labeling, Intune, Mobile Device and Application Management, Geo-based security policies (applying for instance multi-factor authentication if you are abroad or even if you are not connected from the office or home are easy measures you can apply) are a good start to start implementing security in Office 365, even with single tenant scenarios.
If you have a strong need to collaborate, go for single tenant and increase security using Office 365 security features. If security is the main concern and there is not a strong need for users from multiple tenants to collaborate, I believe going for multiple tenants is your best option.
Hope it helps,
Miguel Isidoro
thx for the article, black background is hard to read though 🙁
Hello Jeff, thanks for the feedback!
Hi, thank you for your post.
I have the following scenario: we have a holding. Every company of the holding needs to have its own security in Exchange access, for example, an admin of Company 1 can’t see emails of company user 2.
What alternatives are there?
Hello Guillermo,
Are you using only Exchange in Office 365 or are you using other workloads like SharePoint, OneDrive and Teams?
Do people in each company need to collaborate with people in the other companies as if they are from the same company or should each company be treated as a separate company? Going for single or multiple tenants depends on answering these questions.
Regarding your specific question, having separate tenants would be a better choice from a security standpoint since the isolation level provided by a tenant guarantees that an admin from one company (tenant) can’t access emails from other company (other tenant). Not sure if there is a way in a single tenant to restrict per domain (a single tenant can have multiple domains) which emails the admins can access.
Thanks
Miguel
Thank you for the nice write-up. Just like Y. Dong I am in the higher education sector. One of the main concerns for a one-tenant model comprising staff, faculty and student accounts is that students would be able to see things like teams availability status of faculty members.
We are having concerns that it will not be possible to implement fine-grained privacy policies to prevent students from seeing and connecting to users and services now reserved for staff and faculty if we are using one tenant. Do you have any thoughts on that? thanks.
Hello,
Your situation is indeed similar to Y. Dong’s and my thoughts have some things in common.
In terms of security, no doubt that having multiple tenants will be more secure since each tenant provides a degree of isolation (it is one of its primary goals in a multi-tenant: to provide each tenant with a level of isolation that ensures that despite all tenants that use Office 365 use the same platform, they have a security barrier that is the tenant itself).
About your concerns:
“students would be able to see things like teams availability status of faculty members” – If you mean that students will be able to see if a faculty member is online or busy in Microsoft Teams, that is true, students if they look for a user will be able to see any other user’s availability status. If you mean that students will be able to access the same teams where faculty members are in, if those teams are private, that is not a concern and students will not be able to connect to those teams unless a faculty member adds them (this is also possible even if they are in another tenant).
“We are having concerns that it will not be possible to implement fine-grained privacy policies to prevent students from seeing and connecting to users and services now reserved for staff and faculty if we are using one tenant” – SharePoint and Office 365 security ensures that users are only going to access information that they have access to (ex: information on a private team they belong to, a document that has been shared with them, etc). If a student is not part of a private Team that a faculty member is part of, they won’t have access to any of its information. Furthermore, the Team and the information within will not be discoverable if a student for example searches for it. Each user, whether it is a student or a faculty member, will only have access to the information they have access to and security is possible to implement even in a single tenant. Finally, any student will be able to directly chat with a faculty member in Teams since they are in the same tenant.
The decision on a single or multiple tenants almost always should be taken according to the level of collaboration you want to have among your users and in this case, the several groups of users (staff, faculty and students).
If you have a strong need to collaborate among all these groups of users, you should evaluate the single tenant and increase security using Office 365 security features (it is a huge topic and there is a lot you can do in a single tenant scenario). If security is the main concern and there is not a strong need for users from these different groups to collaborate or you want to set more boundaries on how these different groups can collaborate, I believe going for multiple tenants could be your best option.
Hope it helps,
Miguel Isidoro
thanks a lot!
You are welcome! Hope it helps!
Hi Miguel,
Thanks for writing up the great article! We have internal users as well as external customers. Mainly we would like to use Office 365 for collaboration purposes only. Published and approved content from internal users should be available for the end customers. We are planning to have a single tenant only and will manage security through O365 security features; however, is there any risk in enabling external (B2B) user sharing in the internal tenant?
Customer is mainly focused on having multiple tenants, one for internal users and another one for external users. Though, external users can be managed within the internal tenant only through the external (B2B) sharing feature. Do you have any thoughts around this? Customer is mainly concerned about the internal content security.
Hello,
Thanks for the feedback.
Generally speaking, in terms of security, no doubt that having multiple tenants will be more secure since each tenant provides a degree of isolation (it is one of its primary goals in a multi-tenant: to provide each tenant with a level of isolation that ensures that despite all tenants that use Office 365 use the same platform, they have a security barrier that is the tenant itself).
About your scenario, both scenarios are possible and I believe one tenant would be a better choice. Some notes, all valid for a single tenant scenario:
– In Office 365, you can control which workloads allow external sharing one by one. First, you have to enable external sharing at the tenant level but you can choose only to allow external collaboration on SharePoint but not on OneDrive or Teams for instance
– In a one tenant scenario, it is much easier to share information with external users since you don’t have to maintain two tenants
– Users can only belong to one tenant. In a two tenant scenario, how would users of the internal tenant share information to the external tenant? Only with a second account with a different identity. This would also increase licensing costs!
– In SharePoint specifically, it is possible to set at the site level, if external sharing is allowed or not, which allows disabling external sharing in sites with more sensitive information. Take a look at https://sharepointmaven.com/how-to-properly-configure-sharing-settings-in-the-sharepoint-admin-center/ for more details
– External users only have access to the teams that have been shared with them and will not even be able to search for information they don’t have access to
– Although I wouldn’t recommend it, in a SharePoint site connected to an Office 365 group, it is possible to change sharing settings so that only owners can share information
– You can limit which domains you allow external collaboration with
– There is a lot more you can do on security. For a quick review on security settings (2 year old post but still valid for an overview), take a look at https://blogit.create.pt////miguelisidoro/2017/04/01/intelligent-security-in-office-365/. Another great security feature is Office 365 Labeling which allows you to apply labels to documents (and soon to entire sites) and apply policies to confidential information (ex: disallow external sharing, prevent printing, prevent download, prevent Print Screen, etc)
In summary, external users will not have access to and may not search internal content unless the information is explicitly shared with them.
Hope it helps,
Miguel Isidoro
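The single-tenant sharing controls listed in the reply above (tenant-level switch, per-workload setting, per-site override, domain allow list) can be applied and audited with the SharePoint Online Management Shell. This is an added example, not part of the original reply; the admin URL, partner domains and site URLs are placeholders to replace with your own.

```powershell
# Added example (not from the original post). Covers SharePoint and OneDrive sharing only;
# Teams guest access is configured separately.
# Placeholder values below are assumptions: replace them with your tenant's values.
$AdminUrl       = 'https://contoso-admin.sharepoint.com'
$AllowedDomains = @('partner.example', 'customer.example')
$SensitiveSites = @(
    'https://contoso.sharepoint.com/sites/hr',
    'https://contoso.sharepoint.com/sites/finance'
)

Import-Module Microsoft.Online.SharePoint.PowerShell
Connect-SPOService -Url $AdminUrl

# 1. Tenant level: this is the upper bound for every site. A site can be made
#    more restrictive than the tenant, never more permissive.
#    ExternalUserSharingOnly = guests must sign in; no anonymous "Anyone" links.
#    OneDrive is switched off for external sharing while SharePoint stays on.
Set-SPOTenant -SharingCapability ExternalUserSharingOnly `
              -OneDriveSharingCapability Disabled `
              -SharingDomainRestrictionMode AllowList `
              -SharingAllowedDomainList ($AllowedDomains -join ' ')

# 2. Site level: turn external sharing off on sites holding sensitive content.
foreach ($url in $SensitiveSites) {
    Set-SPOSite -Identity $url -SharingCapability Disabled
}

# 3. Audit: every site that still permits some form of external sharing.
#    Review this list; anything unexpected is a candidate for step 2.
$openSites = Get-SPOSite -Limit All |
    Where-Object { $_.SharingCapability -ne 'Disabled' } |
    Select-Object Url, SharingCapability |
    Sort-Object Url
$openSites | Format-Table -AutoSize

# 4. Audit: existing external users whose e-mail domain is not on the allow list.
#    Get-SPOExternalUser returns at most 50 users per call, so page through them.
$position = 0
$guests = do {
    $page = @(Get-SPOExternalUser -Position $position -PageSize 50)
    $page
    $position += $page.Count
} while ($page.Count -eq 50)

$guests |
    Where-Object { $_.Email -and (($_.Email -split '@')[-1] -notin $AllowedDomains) } |
    Select-Object DisplayName, Email, WhenCreated |
    Sort-Object Email |
    Format-Table -AutoSize
```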
Great article and glad I found it. I have a predicament. We have 3500 users from 100 companies in one tenant, and the new management wants to break it into 100 tenants so each company is separate to provide easier management.
What we are looking for is:
1) Each company have their own SharePoint site. Currently, with our existing company, the parent SharePoint is my company and each user needs to map to a level below to their own company sharepoint site. Is there a way that a person in company X will by default access company X sharepoint site and be oblivious of my company?
2) Companies are constantly being obtained and sold. They are looking for an easy way to offload any SPS and email simply when needed.
3) Some companies have shared partners. They are looking to have the partners be able to view multiple companies SharePoint documents without the need of multiple accounts. Partners need the ability to transverse any company they own.
4) Billing needs to be separated to easily bill each company for their users.
These users are PURE O365. There is no local on prem AD. They log on to their computer using their O365 account.
Hello Isaac,
Answering your questions:
1) There is no Out Of The Box solution to automatically redirect users to their own site in a single tenant scenario. This would require developing a custom solution, probably based on SharePoint Framework (SPFx) that could grab some user profile property and do the redirection based on some custom redirection rule. You can however set each user’s homepage in the browser to redirect to their SharePoint site.
2) This could simply be accomplished by having a separate site (separate site collection) for each company and delete/archive the data or move it to another destination if a company is sold.
3) In a multiple tenant scenario, a user only belongs to a single tenant. Partners would have to belong to a specific tenant and be guest users in any other tenants they need access to with the limited user experience described in this post. But collaboration is still possible, although more limited.
4) Billing is greatly simplified in a multiple tenant scenario but it is not impossible to manage in a single tenant scenario, although it gets a lot harder to manage.
If collaboration is key and users from different companies need to have strong collaboration, I would still recommend a single tenant. If not, multiple tenants can be a possibility since it simplifies billing.
Hope it helps.
Thanks,
Miguel
Hello, I’d like to use findtime (findtime.microsoft.com).
I have an Office 365 Home license. If I want to install FindTime and enter the e-mail, it won’t work.
In the FAQ I find: that it needs a “multi-tenant mailbox hosted in Exchange Online”.
https://findtime.uservoice.com/knowledgebase/articles/842994-what-is-findtime-who-is-it-meant-for-and-what-ar#requirements
OK, where can I get this as a private/small business person?
Hello Hank,
I am not aware of that requirement. I use FindTime and the only thing I have is my Exchange Online mailbox in Office 365. My account is not a home license but a work account (in my case an Enterprise E3 license). Not sure if it can be used with Office 365 Home accounts. What error message do you get?
Hi,
We have a single O365 tenant and are now in the process to split up our company into 2 or 3 business units.
Collaboration between business units stays important, also IT will be managed globally by 1 team for all business units.
You would say stick to single tenant, but all business units have their own geographical difference and product, and in the future selling a business unit would be a 50/50% chance of happening. Also, more in detail, even though you can use multiple domains in 1 single tenant for, for example, Exchange Online, I don’t see how this works for SharePoint Online or Teams. The SharePoint URL always sticks to the tenant name; it is very likely one of those business units will not be happy having our current tenant name shown in their SharePoint Online URL.
Any ideas on this?
Thanks
Hello William,
If your business units belong to the same company, I would say to stick with a single tenant because of all benefits described in this blog post.
About different business units having its own geography, if data residency is your main concern, take a look at Multi-Geo Capabilities in Office 365 that allows organizations to split its data residency across different geographies without the need to have multiple tenants.
About the SharePoint URL, it is unique for each tenant, which means that all business units from the same company (and the same Office 365 tenant) will have the same SharePoint base URL but this is only a problem if business units are from different companies, not if they belong to the same company.
But if there is a big chance of business units to be sold, those business units would either:
– Be integrated in the buying company’s Office 365 tenant (meaning mailboxes, SharePoint content for this business units would have to be migrated from one tenant to the other)
– Be migrated to its own Office 365 tenant with a similar process as if they would be integrated in another company’s tenant
In summary, if business units will remain in the same company, I highly recommend sticking with the single tenant solution.
If business units will belong to different companies, I believe there will be no other way than having multiple tenants and it makes sense since they are indeed different companies. In this case, take a look at Azure AD B2B. It will not be the same collaboration experience as if you were from the same company and tenants but it will greatly increase collaboration between different companies. Take a look at these resources:
https://docs.microsoft.com/pt-pt/azure/active-directory/b2b/o365-external-user
https://docs.microsoft.com/pt-pt/azure/active-directory/b2b/what-is-b2b
https://docs.microsoft.com/en-us/azure/active-directory/b2b/faq
https://www.youtube.com/watch?v=AhwrweCBdsc
Hope it helps,
Thanks
Nice post. Thanks for the detailed information.
My question is: what is the best practice to maintain a DEV, QA, Live kind of different environment process in SharePoint Online?
1. Single tenant with multiple site collections for each requirement/department? For example, if the legal team needs a new site with some custom applications, is it recommended to go like this – Legal-DEV, Legal-QA, Legal-Live
2. Multiple tenants for each environment so that we don’t have to create multiple site collections in the live tenant
Tenant 1 – DEV (license for 10 developers)
Tenant 2 – QA (license for 40 users -QA team and few users)
Tenant 3 – Live (all company users)
Is there any best practice to maintain DEV , QA, Live deployment process in single tenant for intranet portal kind of scenario ?
Hello Ankit,
I usually go for option 1 since you can take advantage of the same tenant, the same users.
Option 2 is also possible but you have to duplicate some of your users in DEV and QA tenants since you cannot share Azure AD between different tenants:
– An Azure Active Directory tenant is associated to a single Office 365 tenant
– Each user is unique in Azure Active Directory and you cannot synchronize the same user into multiple tenants. This has a very important implication: each user is a member of a single tenant and is considered a Guest user in any other tenant
– If you have multiple tenants, each DNS domain can only be registered in a single tenant
I would go for option 1.
Hope it helps,
Miguel
If we have a company that requires two email addresses:
One tenant on GovCloud (tenant isolation) and one tenant on standard cloud.
Most users will be only on standard cloud, but some will need to be on both. Do we have to purchase two MS365 licenses, one on each tenant, for each user that needs to work on both?
Or is there a way to share a single license and pay for an additional mailbox license?
Hello Robert,
My advice on that case would be to have those users in one of the tenants and share content from the other tenant with them as external users.
It is not the same user experience but it avoids duplicating licenses and no additional mailboxes are required.
The other option is two users (one for each tenant) but this complicates things since the same user has to use two different identities.
Take a look at Azure B2B that helps users from two tenants to collaborate (not the same user experience as single tenant but the best you can get probably).
Hope it helps,
Miguel
Hello,
Thank you for your article, it helps understanding the difficulties of managing multiple tenants. At the moment I work with a client who has grown over the years and had new wishes every few months, which sometimes made it difficult to find a solution with things that were implemented at that time by previously made wishes / choices.
Today, he manages 4 companies: X, Y, Z and W. But all companies are under one roof, with a different mix of employees who work for one or more of the companies and who also have their own e-mail address at one or more of the companies. Each company also has multiple shared mailboxes. There are also users who share OneDrive folders with other colleagues from the same and or another company. It sometimes happens that a user who does not work for X, but for Z, still wants to share files with X, etc. Also for To Do it is not possible to share lists between X, Y, Z and W. I had to create a separate outlook.com for each to allow shared lists… (thank you MS)
Would it be possible to manage one 365 and put all users under it with their different domains? Where some users would need an email address at more than one company.
User 1 – domain X, Y and Z
User 2 – domain X and W
User 3 – domain Z and W
and so on…
If you add multiple domains and create a user, this user has a primary domain and the other domains are also automatically created under this user's mailbox. Is it possible to create separate mailboxes for one user for each domain?
As an extra feature … these users work and log in to a server in the cloud. There are locally shared folders. But also (identical) OneDrive files per account, taking up a lot of unnecessary space. The reason for this is that they are using specific custom software installed on this server. But not all users need to access this server, so the extra OneDrive each account has are files from the other users. Back to on-premise server and use onedrive at their pc locally?
Some tips for dealing with this case would be nice. 🙂
Many thanks in advance.
* I am not a native English speaker. So I hope my questions are clear.
Hello Steve,
A lot of questions, I will try to do my best!
1 – you can add several domains in the same tenant
2 – you can have user accounts associated with any of the domains you created (details at https://docs.microsoft.com/en-us/microsoft-365/admin/setup/add-domain?redirectSourcePath=%252fen-us%252farticle%252fAdd-multiple-domains-to-Office-365-2d2fa996-b760-411d-a5cc-190d63f13207&view=o365-worldwide). Each account in a specific domain is a different account and needs an appropriate license. Example: miguel@companyA.com, miguel@companyB.com, steve@companyB.com, steve@companyC.com, etc. Alternatively, you can add an alias to an account and have a single mailbox (see details at https://docs.microsoft.com/en-us/microsoft-365/admin/email/add-another-email-alias-for-a-user?view=o365-worldwide). In this approach, the username part of the alias must be different from the username itself and you can select any available domain (same domain of the user account or not). Example: account – miguel@companyA.com, valid aliases – miguelisidoro@companyA.com, miguelisidoro@companyB.com, invalid aliases – miguel@companyB.com, miguel@companyC.com
3 – About the shared folders, it depends if it is “personal” space or corporate information. If corporate, you should use SharePoint document libraries to store the information and share it with the users that are supposed to have access to that information. If it is a “personal” space, you could use OneDrive (Microsoft provides up until 5TB for each user regardless of the tenant).
Hope it helps
Miguel
Hi Miguel
We are an IT company and we have approx. 40 tenants we manage. We would like to tighten up on security by rolling out policies to all tenants as a way of standardizing things, and we will then be able to know exactly what each tenant has and has not. Going into each tenant and doing this will take a lot of time, so I was wondering if you knew of a software or a way that we can set a policy and push it to all our tenants?
Thanks for your time
Harry
Hello,
Microsoft recently introduced multiple tenant management (details at https://docs.microsoft.com/en-us/microsoft-365/admin/multi-tenant/manage?view=o365-worldwide#:~:text=Multi%2Dtenant%20management%20offers%20a,quickly%20between%20tenants%20you%20manage.) but it is still very limited, although useful.
However, for what you want, I would suggest for you to use PowerShell scripts based on a CSV file that has the configurations you want to apply.
The CSV file should contain all the necessary information (tenant URLs, site collection URLs if applicable, user names if applicable, etc).
For PowerShell, I recommend using PnP PowerShell (https://docs.microsoft.com/en-us/powershell/sharepoint/sharepoint-pnp/sharepoint-pnp-cmdlets?view=sharepoint-ps).
Hope it helps
Miguel
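The CSV-driven approach suggested in the reply above, sketched as an added example that is not part of the original thread: it reports where each tenant differs from a baseline and changes settings only when `-Apply` is passed. It assumes the PnP.PowerShell module is installed; the tenant URLs, the CSV layout, the two SharePoint sharing settings chosen and the app registration passed as `-ClientId` are illustrative assumptions.

```powershell
# Added example (not from the original thread). Constructed baseline: one row per tenant.
# Tenant URLs are placeholders; column names other than AdminUrl must match
# Set-PnPTenant parameter names.
$baselineCsv = @'
AdminUrl,SharingCapability,DefaultSharingLinkType
https://tenant-a-admin.sharepoint.com,ExistingExternalUserSharingOnly,Internal
https://tenant-b-admin.sharepoint.com,Disabled,Direct
'@

function Get-BaselineDrift {
    # Compare current tenant settings with one CSV row; emit one record per mismatch.
    param(
        [Parameter(Mandatory)] $Current,   # Get-PnPTenant output, or any object with the same property names
        [Parameter(Mandatory)] $Desired    # one row from ConvertFrom-Csv
    )
    foreach ($p in $Desired.PSObject.Properties | Where-Object Name -ne 'AdminUrl') {
        $actual = [string]$Current.($p.Name)
        if ($actual -ne $p.Value) {
            [pscustomobject]@{
                Tenant = $Desired.AdminUrl; Setting = $p.Name
                Actual = $actual;           Expected = $p.Value
            }
        }
    }
}

function Invoke-TenantBaseline {
    # Report drift for every tenant in the CSV; change settings only when -Apply is given.
    param([Parameter(Mandatory)][string]$ClientId, [switch]$Apply)
    foreach ($row in ($baselineCsv | ConvertFrom-Csv)) {
        Connect-PnPOnline -Url $row.AdminUrl -Interactive -ClientId $ClientId
        try {
            $drift = @(Get-BaselineDrift -Current (Get-PnPTenant) -Desired $row)
            $drift
            if ($Apply -and $drift.Count -gt 0) {
                $fix = @{}
                $drift | ForEach-Object { $fix[$_.Setting] = $_.Expected }
                Set-PnPTenant @fix
            }
        } finally { Disconnect-PnPOnline }
    }
}

# Offline check of the comparison logic against a constructed "current" object:
$sample = [pscustomobject]@{ SharingCapability = 'ExternalUserAndGuestSharing'; DefaultSharingLinkType = 'Internal' }
Get-BaselineDrift -Current $sample -Desired ($baselineCsv | ConvertFrom-Csv)[0]
```

Running `Invoke-TenantBaseline` without `-Apply` first gives an inventory of what each tenant has and has not before anything is changed.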
I have a query. Assume we have an application hosted in Azure. My organization ‘X’ can implement SSO to access the application using AD.
I need to provide access to 3rd party vendors Y and Z to the same application instance. Can we configure multiple ADs under a single application instance? If yes, what would be the pros and cons? What controls need to be implemented apart from IP whitelisting?
Hello Gayathri,
Hello, not sure. Take a look at https://docs.microsoft.com/en-us/azure/active-directory/develop/howto-convert-app-to-be-multi-tenant.
Hope it helps!
Thanks
Miguel
Hi, my company is an education holding company and we currently have two tenants. All our brands except one are on one tenant while the other is on a free Office 365 A1 .edu tenant. The edu tenant was created for multiple reasons, to give students an edu email address and to give more credibility to the organization in the education space. All faculty, staff, and students associated with the edu school are on this free account. Below are some of my questions as I think through the best way to fix this and improve the user experience and knowing we have to keep the edu due to the reasons I mentioned above.
1. As we continue to grow and collaboration increases is there a way to move to one tenant and have the .edu as a domain?
2. Can we get a brand new tenant and get the edu pricing for the specific students since we are an education holding company?
3. Have our students use the edu to get the edu email address and have employees and staff use another to improve collaboration when developing courses, version control of documents, etc.
Any thoughts or ideas would be greatly appreciated.
Hello Jennifer,
1. Yes. You can move users and data between tenants using a 3rd party application (check the solutions at https://www.google.pt/search?q=office+365+move+between+two+tenants) and can have .edu as a domain. You can have up to 5000 domains in a single tenant!
2. I would say you can (not a licensing expert), please check licensing details for Education tenants.
3. If you have a single tenant, you can have students use the .edu domain and other users use other domains (you can have up to 5000 domains in a single tenant).
Hope this helps!
Miguel Isidoro
Wonderful Article. Thank you so much!!!
Hello Chintan,
Thank you for your feedback.
I am glad it helped!
Thanks
Miguel
Nice article. One point I don’t see mentioned is device management. We wanted to do a trial of Intune on just a couple of users and devices, but as far as I can tell Intune forces you to switch all users – all devices in the tenant to having intune as the MDM. We are already using the Office365 MDM so that is not practical. It seems you must use multiple tenants to have different (Microsoft) MDMs.
Hello Dave,
Thanks for the thoughts. Device management was not the focus of this post.
Thanks.
Miguel Isidoro
Hello from 2023. What I would have given to come across this a few months ago. Microsoft is great at “Death by Options”. We have recently been acquired and are merging the parent company into our org. I first started to set everything up into different tenants and it’s been a nightmare trying to get everyone synced.
Is there a way to setup two different billings for a single Office tenant? Google searches are not pointing me in the right direction.
Hello Brian,
I am glad that this post somehow helped you.
About your question, I believe you can’t. I found out that you can share billing with other tenants (https://learn.microsoft.com/en-us/microsoft-365/commerce/billing-and-payments/manage-multi-tenant-billing?view=o365-worldwide) but it is not what you need.
Thanks,
Miguel Isidoro
Greetings Miguel,
I have a question about ALIAS/Domain. We own two O365 tenants. The higher ups asked if in the main tenant I could give an alias from the second tenant to the mailbox of the users in the main O365. From my experience we can only do that if we add the domain of the second tenant to the main tenant. Since it is already registered in an O365 this won't work. Am I wrong? Or is there another way to do this?
The main O365 has 10 users and the other has 5 users.
Hello Jorge,
You are right. Why are you using 2 tenants? Wouldn’t it be easier to have a single tenant?
Thanks,
Miguel