This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(160, 90%, 25%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAM%3C/text%3E%3C/svg%3E)
Hello all,
I have two existing tenants:
Let say work@tenantA and admin@tenantB.
Our tenantB is our Cloud Service Provider tenant containing our customer infrastructure access, so is highly sensisive.
Both tenants have their own AAD, name, AAD Connect, nothing is linked, no trust.
All our devices are registered in TenantA and managed for access our company data and such. Conditional Access is in place in this TenantA with MFA requirement and other stuffs.
I need to secure TenantB to require both MFA/Passwordless AND a compliant device
We don't want a second device, and especially no VDI as they would be onprem and defeating the public cloud meaning :D
How can I onboard my device on both tenant without the Hybrid device join (https://learn.microsoft.com/en-us/azure/active-directory/devices/howto-hybrid-azure-ad-join) because this is not what we need as accounts need to be split and not synch from the same AD/Forest.
I'm working on it for a week without a solution, is this even possible?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(233.6, 30%, 32%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ECM%3C/text%3E%3C/svg%3E)
@Adrien Maugard, Thanks for posting in Q&A. From Intune side, it is not recommended to enroll the same device into two different Intune tenants. It will cause issues like policy receiving and etc. I think you still need to consider managing these devices in one tenant.
If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
Hello Crystal,
Thanks for the answer, unfortunately we cannot do such a thing as we will not link our production tenant to our management tenant at any time in the futur (for compliance matters)
However is this possible to use Intune in TenantA to push a Certificate to the computer, and consume this certificate on TenantB as "proof of compliance" with Intune?
If yes, is there a way to delete the certificate as soon as the computer is no longuer compliant?
@Adrien Maugard, Thanks for the reply. For your question, I am afraid I didn't hear such method before to do this.
I have the same question - I also have defined the external access trust with compliance and device state from tenant A, but it seems this is not catching up correctly
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(51.2, 16%, 14%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EOJ%3C/text%3E%3C/svg%3E)
İ have same questinons? Solution?
We are setting MTO now, but it's still not working as expected as the MTO synched account seems not to work within the CSP portal
In Microsoft Intune, multitenant organization capabilities aren't yet supported.
Hi Crystal, it seems there is something missing in Entra ID - Cross-tenant access settings. When you define a trust between two AAD-s, you can choose to trust compliant device from tenant A. If you do, this should work even when using that device to login to your tenant B account. Unfortunately, it seems that device info is missing from tenant A in the sign-in logs on tenant B. If this was fixed, you would be able to keep up with the best practises from Microsoft with a clear separation of your work and CSP tenant.
@Jakob Nøtseth, For the thing missing in Microsoft Entra ID, I am not sure. You can open case with Microsoft Entra ID to get help.
https://learn.microsoft.com/en-us/entra/fundamentals/how-to-get-support#open-a-support-request