As Office 365 becomes more mature, and more organisations look to evaluate the feasibility of moving to the cloud, so the potential complexity of these scenarios increases. One of the questions I am facing more often is ‘Do we use a single tenant or multiple tenants for our organisation?’
This question is asked for a number of reasons, the organisation may be divided into different operating companies, or there may be geographical dispersal. The answer is going to depend on the specific circumstances for each organisation, however I have found it useful to create a high-level view of the pros and cons of each approach, to use when discussing this.
The list below covers the functional and technical aspects, but doesn’t take into account any commercial considerations, as these are also going to vary for each organisation. This is a starting point, to discuss the limitations and decide how relevant each one is to an organisation before making a decision.
- Single SMTP domain name support. For example, if all users need a company.com primary email address, there is no easy way to provide this without all users existing in the same tenant, or via a complex mail routing mechanism
- Single point of control and management. The implementation of Role Based Access Control (RBAC) allows for flexible controls to be put in place to manage licensing, users, and services. This provides a simple management experience for centralised or follow-the-sun models.
- Branding. Controls for portal pages, SharePoint sites and email disclaimers is unified
- Centralised Policies. As all users will be considered ‘internal’, they will be more easily managed by one set of policies.
- Tenant location. The tenant is located in a data centre in a single location (US, Europe etc.). This is fine where the largest (or only) set of users exist in a specific area. However, for globally distributed organisations, the user experience of services which rely on low-latency connectivity such as Skype for Business can suffer
- Administration. Role Management is very cumbersome and complex to implement, where management needs to be segregated. Global administrators still maintain control of all users
- Directory synchronisation. A single directory can be easily synchronised into Office 365. Adding multiple directories is possible, even where no trusts exist, but this becomes a much more complex process technically and logistically, such as with conflicting attributes
- Administration autonomy. The distribution provides autonomy and control of the Office 365 portal and services
- Data sovereignty. Companies or sectors may have specific requirements to ensure data remains resident in certain geographies
- Tenant location. Performance of some applications will be better due to the datacentre location being closer to the users
- Administration simplicity. There will be less complexity in managing admin roles on a large scale, managing licenses is much easier and based specifically on the way each company operates
- No single SMTP domain name. Sharing a namespace and consolidated company domain is very complicated to the point of being considered not possible
- Mailbox moves. If users move between locations, then moving their data and identity becomes a much more complex process.
- External Users. For many of the supporting Office 365 services, such as Skype for Business, Yammer and Groups, users from different tenants will be considered ‘external’ which will therefore be subject to policies which limit their functionality or levels of collaboration
- Global policies. Implementing global security and compliance policies can be difficult to achieve across multiple tenants and admin groups
- Centralised licencing. Multiple locations to manage licensing can have limitations if only a single Microsoft licensing agreement exists.