Office 365: Deciding Between Single and Multiple Tenants
This post describes the pros and cons of single-tenant and multi-tenant approaches in Microsoft's Office 365 email and productivity suite and presents recommendations on which approach to take.
The scenario is multiple business organizations (separate Active Directory forests) that wish to collaborate with one another and need to decide whether to coexist in ONE Office 365 tenant or split into MULTIPLE tenants and rely on federation and external sharing capabilities to work together.
This blog post does not consider commercial or licensing implications, only technical and functional ones. There are, however, financial considerations: in a shared tenant, licensing has to be pooled and the cost split between the organisations.
This is by no means an official or exhaustive list, but some high-level points to consider.
Moving to One Office 365 Tenant
From a high-level technical standpoint, if a business chooses to move to one Office 365 tenant, it still needs to do the following (the example assumes three forests):
- Directory synchronization from all 3 forests to Office 365
- Microsoft Identity Manager to synchronize objects across the on-premises Active Directories (to maintain GAL sync for the Exchange on-premises environments)
- ADFS (SSO) across all 3 forests
- AD remediation across all 3 forests
- Network capacity and planning (firewalls, proxies, bandwidth calculations) across all 3 forests
- Multiple hybrid relationships, one per forest, to the single tenant (a minimum of Exchange 2013 is mandatory for multi-forest hybrid)
The other considerations with 'multi-forest' to one Office 365 tenant are:
- Yes, each user will have a single identity in the tenant, but when they log on to Office 365 each organization's users will have a different logon suffix, e.g. user@companyA.com, user@companyB.com, etc., because each user is synchronised from, and authenticated by, their own on-premises Active Directory.
- If they want to send email from one unified email domain, they can do this, but as per the bullet point above the email address won't match the logon, and the logon will still differ across organizations.
- If they want to send from a unified address but also keep the option to send from their local company email address, e.g. CompanyA.com, they will need to configure additional shared mailboxes carrying those addresses and grant users Send As on them. A workaround using security groups can also be implemented, but this adds complexity.
- If the business wants autonomy over permissions, so that each organization manages its own users per workload, a more complex permissions framework (scoped administrative roles) will need to be implemented. Also, the 'Global Tenant Administrator' role has unrestricted 'god' permissions over the whole tenant, including every other organization's data: should each organization have this right, and how many people should hold it?
- Are all their procedures and requirements aligned? What happens if there is a difference of opinion? For example, do they have one SharePoint intranet or several? If one, what is it called and who administers it? Who decides what goes in it, and will it meet everyone's requirements? This also extends to deciding on the tenant name.
- Do they have the operational and procedural efficiency and maturity to succeed in cohabiting as one organization? This is a joint project, and the migration can only move as fast as the slowest organization.
- What happens if one organization wants to leave the partnership for whatever reason? A sizable piece of work is required to offboard its data out of the tenant and to clean up afterwards.
NB: If a business decides to go down the single-tenant route, it should be for the right reasons, such as specific user requirements and strategic direction, rather than perceived simplicity.
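Three of the points above (logon suffix versus sending address, Send As from a shared mailbox that carries the local company address, and giving each organization admin rights over only its own recipients instead of Global Administrator) can be checked and configured from Exchange Online PowerShell. The following is an added example and is not code from the original post. The domains companya.com and unified.example, the mailbox and role-group names, and the use of the Company attribute (populated by directory synchronization) as the scoping key are assumptions.

```powershell
# Added example (not from the original post). Assumes an Exchange Online
# PowerShell session is already connected (Connect-ExchangeOnline) with an
# account in the Organization Management role group. Domain names, mailbox
# names and the Company attribute as scoping key are assumptions.

# 1. Report synced users whose logon (UPN) differs from the address they send
#    from. With a unified sending domain (assumed: unified.example) this is the
#    expected state; the report shows exactly who is affected.
Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox |
    Where-Object { $_.UserPrincipalName -ne $_.PrimarySmtpAddress } |
    Select-Object DisplayName, UserPrincipalName, PrimarySmtpAddress

# 2. Let a Company A user keep sending from a companya.com address while the
#    unified domain is primary: a shared mailbox carries the local address and
#    the user is granted Send As on it (plus Full Access so Outlook auto-maps it).
$shared = New-Mailbox -Shared -Name "CompanyA Sending" -DisplayName "Company A" `
    -PrimarySmtpAddress "helpdesk@companya.com"
Add-MailboxPermission   -Identity $shared.Identity -User "user@companya.com" `
    -AccessRights FullAccess -AutoMapping $true
Add-RecipientPermission -Identity $shared.Identity -Trustee "user@companya.com" `
    -AccessRights SendAs -Confirm:$false

# 3. Autonomy without handing every organization Global Administrator:
#    an RBAC management scope limited to Company A's recipients, and a role
#    group whose recipient write scope is that scope only. Members of this
#    group cannot touch Company B or Company C mailboxes.
New-ManagementScope -Name "CompanyA Recipients" `
    -RecipientRestrictionFilter "Company -eq 'CompanyA'"
New-RoleGroup -Name "CompanyA Recipient Admins" `
    -Roles "Mail Recipients", "Mail Recipient Creation", "Distribution Groups" `
    -CustomRecipientWriteScope "CompanyA Recipients" `
    -Members "admin@companya.com"

# Check: every assignment for the group should show the custom scope rather
# than the tenant-wide default.
Get-ManagementRoleAssignment -RoleAssignee "CompanyA Recipient Admins" |
    Select-Object Role, CustomRecipientWriteScope, RecipientWriteScope
```

The scope in step 3 applies to Exchange only; SharePoint, Skype for Business and the tenant directory itself each need their own delegation, and anyone holding Global Administrator bypasses all of it. That is the reason to keep that role to a handful of named accounts in one place rather than one per organization.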
Moving to Multiple Office 365 Tenants
An example of this scenario is below:
If a business decides to map each organization (one Active Directory forest) to its own Office 365 tenant, they will need to do the following:
- Directory synchronization for each of the 3 forests (one-to-one mapping of forest to tenant)
- ADFS (SSO) across all 3 forests
- Microsoft Identity Manager to synchronize objects across the on-premises Active Directories (to maintain GAL sync for the Exchange on-premises environments)
- AD remediation across all 3 forests
- Network capacity and planning (firewalls, proxies, bandwidth calculations) across all 3 forests
- Exchange Hybrid per organization (minimum of Exchange 2010)
They will also gain the following:
- Each organization can migrate at its own pace
- They have complete autonomy and can make their own decisions, and decisions can be made more quickly
- The move to Office 365 will potentially be quicker (for example, avoiding the security and permissions complexities of the single-tenant option)
- If they want a global GAL, they can still have one through MIM
- They still have collaboration across the organizations:
- They can share calendars across organizations
- They can share documents and SharePoint sites with users in the other organizations using the people picker
- They can use a Yammer external network to collaborate across organizations (or 'Flexternal' capabilities)
- Skype for Business can federate across organizations (tenants)
The other considerations with the multiple-tenant approach are:
- Each tenant is administered separately. However, a permissions model defined in one tenant can be replicated in the other tenants
- Three Office 365 tenants cannot share the same SMTP domain, since a domain can be verified in only one tenant at a time
- eDiscovery searches are limited to within a tenant
- Delve is limited to a single Office 365 tenant (currently)
- Delegate access to calendars and mailboxes cannot be achieved across tenants
- It is not possible to book a meeting room or other resources across tenants
- Only external Out of Office replies function across Office 365 tenants; internal Out of Office replies only function within the tenant
- External people cannot be pre-authorized on SharePoint content; they need to follow the invitation workflow on a case-by-case basis through the email invitation. External sharing also needs to be enabled on the tenant
- SharePoint Search and the Term Store are bound to a single tenant
- Skype presence is available in email and Skype clients across tenants. However, Skype presence is not available in other applications such as SharePoint for users from the other tenant
- Office 365 Video cannot be shared externally. However, this is on the roadmap and will be available shortly
- 'Office 365 Groups', a new collaboration feature in Office 365, currently only supports members from one tenant
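Two of the cross-tenant items above, calendar sharing between tenants and the requirement that external sharing be enabled before SharePoint invitations work, are configured in PowerShell as follows. This is an added example and is not code from the original post. The tenant domains companya.com and companyb.com, the SharePoint site URL, the scoping group name and the sharing levels chosen are assumptions.

```powershell
# Added example (not from the original post). Run in Company A's tenant with an
# Exchange Online session (Connect-ExchangeOnline) and a SharePoint Online
# Management Shell session (Connect-SPOService). Domain names, the site URL and
# the group name are assumptions.

# --- Calendar sharing across tenants (free/busy) ----------------------------
# An organization relationship is one-directional: this one lets Company B
# users see Company A free/busy. Company B runs the mirror image in its own
# tenant, pointing at companya.com, to make sharing work both ways.
# Get-FederationInformation discovers Company B's federation endpoints and
# pipes them into the new relationship.
Get-FederationInformation -DomainName "companyb.com" |
    New-OrganizationRelationship -Name "CompanyB" `
        -FreeBusyAccessEnabled $true `
        -FreeBusyAccessLevel LimitedDetails   # busy/free plus subject and location, never the body

# Expose only a defined set of Company A users to Company B rather than the
# whole tenant: a mail-enabled security group as the scope (assumed to exist).
Set-OrganizationRelationship -Identity "CompanyB" `
    -FreeBusyAccessScope "CompanyA-SharedWithB"

# Check from a Company A user's point of view that the relationship resolves.
Test-OrganizationRelationship -Identity "CompanyB" -UserIdentity "user@companya.com"

# What this does NOT give you, as the list above says: delegate access,
# room booking and full-calendar editing remain inside a single tenant.

# --- External sharing must be on before people-picker invitations work ------
# Tenant-wide ceiling: authenticated external users only, no anonymous links.
Set-SPOTenant -SharingCapability ExternalUserSharingOnly

# Individual sites can be tighter than the tenant setting but never looser.
Set-SPOSite -Identity "https://companya.sharepoint.com/sites/finance" `
    -SharingCapability Disabled

# Verify the effective settings.
Get-SPOTenant | Select-Object SharingCapability
Get-SPOSite -Identity "https://companya.sharepoint.com/sites/finance" |
    Select-Object Url, SharingCapability
```

Neither command helps with the shared SMTP domain point above: the organization relationship federates free/busy between two tenants that each own their own domain, it does not let two tenants verify the same one.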
Comments
- Anonymous
May 24, 2016
Thank you for writing such a clear and concise article on this subject. There is much to be desired in terms of documentation and guidance for Office 365 tenant architecture and feature support, so more information like this would be fantastic.
- Anonymous
June 01, 2016
Better wording / clarification of wording would be helpful, as it's a bit unclear. "EDiscovery searches are limited to one 365 tenant" should read "EDiscovery searches are limited to within a tenant"????
- Anonymous
June 01, 2016
Thanks for your comment. You would be correct in your interpretation.
- Anonymous
August 08, 2016
"If they want to send from a unified address (eg. com) but also have the option to send from their local company email address, eg. CompanyA.com, they will need to configure additional Shared Mailboxes to send from these other email addresses." OK. So if our users ONLY need to send from their primary company address (i.e. CompanyA.com for user1, CompanyB.com for user 2, etc.), is that do-able within a single tenant?
- Anonymous
September 30, 2016
Wouldn't it be possible to use mail flow rules with Exchange Edge Server to create an SMTP relay function so all three tenants could send and receive mails with the same SMTP address?
- Anonymous
October 18, 2016
Trying to make a decision regarding going to separate tenants for a city government that has two different domains and business functions.