Tenant Isolation in Microsoft Office 365

I have often wondered how Microsoft have architected their cloud solutions to ensure that there is no cross-talk between tenants (be that accidental or malicious), and hey presto, a document from Microsoft has surfaced which outlines exactly that.

In summary it talks about Azure AD being stored in partitions and these partitions being replicated in part down to product-specific directories like Exchange Online, SharePoint Online and Skype for Business Online. I've yet to find out if, conversely, some parts of the directory are also replicated to an overarching directory so that authentication is directed to the right place (think about portal.office.com seemingly able to authenticate any tenant, and knowing which customizations to apply when you type in your logon name).

I'd also heard about Red team and Blue team but never paid much attention to the fact that they are Microsoft's own 'hacking' and 'defender' teams that constantly try to breach the security surrounding Microsoft Cloud (not at customer tenants of course, only Microsoft's own tenants). The aim for the Red team is to get into a tenant, and the Blue team needs to see them and prevent them. They have periodic debriefs to talk about what was and was not detected, and improvements are made where needed to prevent that vector in future.

Anyway, the document is a fantastic read and has helped me to understand the underlying architecture a lot better.

Here is a link to the document from Microsoft http://aka.ms/Office365TI


Twan van Beers

Twan is a senior consultant with over 20 years of experience. He has a wide range of skills including Messaging, Active Directory, SQL, Networking and Firewalls. Twan loves to write scripts and get deep and dirty into debugging code, in order to understand and resolve the most complex of problems.
