Nuvolex Blog

Multitenant Access Best Practices

As a former IT administrator inside of an MSP that was tasked with managing across multiple customer tenants, there always was that task of having multiple sessions open across multiple browsers and jumping between them.  Constantly tabbing between login screens and password managers, having to double and triple check to make sure you’re in the right tenant before saving a change was always incredibly annoying and open to administrator error.  If you’re an experienced IT administrator like I was, you learn to deal with this.  If you’re an MSP relying on L1 Service Desk administrators inside your organization to handle customer ongoing administration, concurrently managing a large customer base can be a lot bigger of a challenge than what L1 administrators are generally equipped to handle.  As an MSPs customer base and number of SaaS applications they’re consuming continues to grow, multitenant management complexity increases and that’s the point when some of these IT Service Desks turn into Call Centers, regularly escalating service requests to senior IT for remediation.

Interestingly, this pain was the initial motivation to develop the Nuvolex ManageX platform.

One of the major pain points we initially wanted to address was ensuring that L1 Service Desk staff not only had easy access to customer tenants, but also access them in a much more efficient and secure manner, ensuring that all IT administrator access was properly delegated and auditable.

Access and Delegation

Many of my MSP’s clients were remotely managed and had very little need for any onsite visits outside of hardware related activities (new laptop, install a printer…). These were your typical SMBs throughout Silicon Valley, ranging from restaurants, medical offices, law offices, machine shops, technology companies and startups.  We even had a few enterprises that hired us for specific scopes of work. Most of our day-to-day administration was centered around administering user accounts and their applications, as well as the occasional all-hands-on-deck fire drill that we all go through.

Since accessing customer environments and devices was at the core of our day-to-day activity, we needed to ensure that the L1 administrators on our Service Desk were not only able to get in and out of a tenant quickly, but also securely, with their own account access that had appropriate access privileges. We weren’t at all interested in handing out L1 administrators Global Administrator login credentials for obvious reasons. The administrative scope we had set for the L1 team was limited to resetting passwords, managing groups, onboarding/offboarding users, assigning permissions, making changes to mailboxes and other resources, plus a few other common administrative tasks. The L1 weren’t going to change firewall or spam filter configurations, they weren’t changing DNS settings, they weren’t configuring malware policies or running any auditing reports.  That being the case, why would we give them the ability to do such things by providing them a Global Administrator login?

Securing IT Administrators

Now that our L1 administrators had been given administrator access, we needed to secure their privileged accounts. To do this, we implemented password managers with each administrator’s password randomized. This allowed us to set a complex password scheme which helps prevent administrators from storing the password for future use.  Some password managers also supported the ability to automatically rotate common passwords to further cut down on administrators being aware of the current password.  Not only did this reduce potential misuse of an administrator’s privileged account, but this helped institutionalize how login details were recorded, stored, and handled.

Along with password management was Multifactor Authentication (MFA) for all privileged accounts. Administrators on our team needed to sign into secured services and resources using MFA where possible. In the past 2 years, MFA has come a long way, due its overall effectiveness in securing user logins.  Combining the use of a password manager and enforcing MFA sign in on any application our L1 Service Desk administrators were logging into ensured that the privileged accounts used by our team were well secured.

Auditing Administrators

Due to the compliance requirements of our customers, and the overall need to be more secure as an MSP, auditability was a very important piece that took us a lot of effort to get right. Each administrator who needed privileged access got their own account. At no time were there any privileged accounts shared between administrators. Using this approach, each administrator account came with their own audit trail. This definitely added complexity of having to audit several accounts rather than just one or two.  To assist with this, we used a combination of tools to audit their activity – from built in tools in Microsoft 365, to third party tools that audit Active Directory activity.

I know what you’re thinking, with more privileged accounts, the higher the likelihood of a privileged account getting compromised. Therefore, securing our logins with MFA and rotating passwords was a critical step. We weren’t going to trade off the risk of an account compromise over auditability and vice versa.  Auditing, privileged account management and secure access were all equally important security goals not only for our MSP, but for our end customers.

Where Nuvolex Helps

The Nuvolex ManageX platform greatly helped with solving each of these three areas for multitenant access and security. Through the ManageX platform’s robust Role Based Access Controls, each L1 administrator on our team had their own login and set of access credentials to our customers, users, and what administrative activities they were specifically permitted to perform. The ManageX platform gave us the flexibility to choose which teams had direct access to the Microsoft portals and Active Directory, since many of the common day to day administrative tasks could be done from the platform. L1 Service Desk lived exclusively on the ManageX platform without having any direct access to any customer tenants.  They weren’t given privileges that were beyond the scope of your traditional Service Desk administrators.  In addition, all administrator activity was automatically tracked and audited, requiring no extra steps or setup. The ability to easily view all administrator activities across our entire customer base at the click of button was very comforting and ensuring.

In Summary…

After years of discussions with hundreds of MSPs from across the globe, we realize that every MSP has their own unique way of delivering managed services.  Whether it’s how they manage their customers, control their administrators, provide access to customer data, there’s not really one “best in breed” approach that all MSPs should follow.  What we believe we’ve created with the ManageX platform is truly a best practices approach for managing an MSP’s customers and the cloud services they’re consuming, starting with all things Microsoft Cloud.  We’ve taken the best ideas we’ve discovered on IT administrator service efficiency and end customer data security and bundled all of these ideas into an intuitive, out-of-the-box cloud management platform for Microsoft 365, Azure and beyond.  Give it a try!

Share this post