I have often wondered how Microsoft have architected their cloud solutions to ensure that there is no cross-talk between tenants (be that accidental or malicious) and hey presto a document from Microsoft has surfaced which outlines exactly that.
In summary it talks about Azure AD being stored in partitions and these partitions being replicated in part down to product specific directories like Exchange Online, SharePoint Online, Skype for Business Online. I’ve yet to find out if conversely some parts of the directory are also replicated to an overarching directory so that authentication is directed to the right place (think about portal.office.com seemingly able to authenticate any tenant and it knows the customizations to apply when you type in your logon name)
I’d also heard about Red team and Blue team but never paid much attention to the fact that they are Microsoft’s own ‘hacking’ and ‘defender’ teams that constantly try to breach security surrounding Microsoft Cloud (not at customer tenants of course, only Microsoft’s own tenants) The aim for the Red team being to get into a tenant, and the blue team needs to seem them and prevent them. They have periodic debriefs to talk about what was and was not detected and improvements made where needed to prevent that vector in future.
Anyway the document is a fantastic read and has helped me to understand the underlying architecture a lot better
Here is a link to the document from Microsoft http://aka.ms/Office365TI