A quick look into a rapidly developing field: how to do multi-tenant management in Defender and Sentinel when the unified XDR & Sentinel portal is in use.
The shift from Azure Lighthouse to Entra B2B for daily ops makes a lot of sense given the unified portal changes. I'm curious about the licensing implications you mentioned with B2B Members vs Guests. For MSSPs managing dozens of tenants, that could add up quick. The cross-tenant sync approach seems cleaner than managing PowerShell scripts for joiner/leavers, but do you find most clients are comfortable with the permissions required for that setup?
B2B Members need to be licensed in the same way other normal users are. So if you have P2 features such as Identity Protection in use, B2B Members need P2 licenses etc.
The alternative is to use B2B Guest and then have some other way to handle features not accessible with guest accounts, such as a lighthouse or a tenant local admin user.
About cross-tenant sync, of course the customer has to OK that as an architecture decision. But a security MSSP will anyway usually have pretty wide permissions to do things and the customer has to OK that, so I don't think the B2B provisioning method would often be the biggest issue in that regard.
Updated for mention of workspace() operator in the permissions bit.
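An added example, not part of the original post or its comments, of the workspace() operator referred to in the update note: one KQL query run from the MSSP's own Sentinel workspace that reads sign-in logs from two customer workspaces and tags each row with the customer it came from. The workspace names "contoso-sentinel" and "fabrikam-sentinel" are placeholders; the identity running the query needs at least Log Analytics Reader on each remote workspace, which is the permission the note's "permissions bit" refers to.

```kql
// Added example (not from the original post): cross-tenant query with workspace().
// "contoso-sentinel" and "fabrikam-sentinel" are placeholder workspace names;
// workspace() also accepts a workspace ID or a full Azure resource ID.
union
    (workspace("contoso-sentinel").SigninLogs  | extend Tenant = "contoso"),
    (workspace("fabrikam-sentinel").SigninLogs | extend Tenant = "fabrikam")
| where TimeGenerated > ago(1d)
// ResultType "0" is a successful sign-in; anything else is a failure code
| where ResultType != "0"
| summarize FailedSignIns = count(), FailureCodes = make_set(ResultType)
    by Tenant, UserPrincipalName
| order by FailedSignIns desc
```

The union pattern keeps each customer's data labelled by source, so detections built on this query can be scoped per tenant; a query that fails against one workspace usually means the B2B identity lacks the reader role there, which is the first thing to check when a cross-tenant rule returns partial results.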