Previously, a natural tension existed between commercial organizations operating out of Microsoft’s commercial side with their enclaves or business units operating within the government cloud. Historically, this means somewhat limited collaborative experience, especially given isolated government enclaves. But after much patience, these silos are coming down. Now, you can connect Commercial Office 365 tenants to GCC high tenants in cross-cloud collaboration. This should translate to greater productivity and better communication, among other benefits.
Unfortunately, configuring cross-cloud collaboration can have significant security and compliance impacts. For instance, improperly connecting tenants could lead to data exfiltration, an expanded threat surface, and failed assessments. As such, ensure that you have a well-planned governance and security strategy prior to connecting Commercial Office 365 to GCC High.
To start off, cross-cloud tenant collaboration is essentially a tale of two tenants, both of whom desire communication between the two entities. Unfortunately, until this feature rolled out, this was nearly impossible to do. However, moving forward, it’s become increasingly straightforward to create a relationship between the different tenants.
Here’s a detailed walkthrough of cross-cloud tenant collaboration for better collaboration across your hybrid environment.
Pricing of Cross-Cloud Collaboration
Before jumping into how to connect Commercial Office 365 to GCC High, it is paramount that we look at pricing. To begin, let’s examine the old pricing model. The latter was based on total licensing that includes Azure AD Premium Plan 1 and Plan 2. Further, it was a 1:5 billing model whereby you required just one tenant license for five external identities.
This has since shifted to the Monthly Active Users (MAU) billing model. The latter is particularly useful in a situation where you count on having unique guest users with authentication activity within a calendar month. For this model, the first 50,000 MAUs per month are free for both Premium P1 and Premium P2.
What You Need to Begin Cross-Cloud Collaboration
The first step in connecting Commercial Office 365 to GCC High is to know the Azure AD roles in both tenants. Recommended roles to keep an eye out for are those of the security administrator and global administrator.
The other thing you’ll need is tenant support. It’s crucial to mention that this link is public, meaning you do not have to log in. You simply need to plug your tenant name into the URL. Then, you should see whether your business has support or not.
Enabling Cross-Tenant Access: Commercial
Note that the general assumption is that you know how to go to Azure Directory and that you understand that there is a setting on there known as External Identities and, under it, cross-tenant access settings.
When you go on the commercial end, you’re going to see Microsoft Azure Government and Microsoft Azure China, both unchecked. Once you check either of these, this should then take you to the government side of things where again you will check Microsoft Azure Commercial. It is important to note that different from the Commercial end, Microsoft China will not be listed in GCC High.
The first validation you’ll be conducting is whether you can send a guest request from Azure in Commercial to a GCC High user. In the event that you are unable to do this, it simply means that while cross-tenant collaboration is enabled, it might not be configured correctly.
Azure AD
To solve this, you’ll need to do more. Specifically, for you to run this validation, there’s some Azure AD information that you must first gather. Collect both the Tenant ID and Primary Domain from each tenant side. Note that while this appears relatively straightforward with fewer demands on information to be collected, there are T2T interactions that will require rules to be imposed.
Now, you should be ready to connect the tenants. Note that it doesn’t matter whether you connect from the GCC High end or the Commercial end. The significant step here is adding the organization.
GCC High
At this point, you’ve been successful with the first validation meaning you can successfully send a request from the commercial side to the GCC High side. You should hence move on to validation number two, which involves getting the GCC High user to accept the invitation with the intention of having the GCC High user access a Commercial team site and post a message.
To achieve this, you should have already had Cross Tenant Collaboration enabled, had GCC High point to the Commercial Tenant, and vice versa. Once all these are done, tell Cross Tenant Collaboration you want users or groups to access applications.
From the commercial end, you’ll need to enable External Application Access. Essentially, you’ll be configuring the tenant restrictions that Commercial has with GCC High. Similarly, you want to enable External Application access from the GCC High tenant side. You should notice that on the interface, before enacting any changes, everything is restricted. In retrospect, this is a good thing as it is in line with a Zero Trust policy. You should successfully have GCC High user access to the Commercial tenant side at this point.
Now that you can send a request from Azure in Commercial to a GCC High user and have the GCC High user accept any invitations, you can further validate whether a GCC High user has access to a Commercial team site and whether they can successfully post a message.
Teams
On the Commercial tenant side, a Teams owner should add the GCC High user to the team. Henceforth, they should be able to send messages through the Team web client. Overall, the GCC High user should now have access to all resources found on the Commercial tenant side.
Cross-Tenant Collaboration: Other Considerations
As you embark on connecting Commercial Office 365 to GCC High, consider working with multiple tenants. The latter means that you have two or more tenants and is different from working with a multi-tenant. With multiple tenants, you’ve got to now consider the management, logging, and licensing. These could add lots of overhead and pain. This is, of course, dependent on whether you are working on a long-term or short-term project, as you could probably have the flexibility to meet the overheads with the latter.
To address the security challenge, it would be best that you target specific people within the GCC High tenant ecosystem who can connect to other tenants, both on the GCC High end and commercial end. You could probably base these permissions on the different roles, for instance, only allowing global administrators to access other GCC High tenants. Further, it is best to keep in mind that documentation is your friend. It keeps track of external tenants, their Azure AD tenant IDs, and the intent and results of a configuration. Finally, there’s already an excellent configuration with Azure Log Analytics. Thus, so long as you have Azure AD Directory where the diagnostic settings are pushing to Log Analytics, you can configure it such that every time there are Cross Tenant Collaboration changes, you are notified.
PowerShell
There are a few additional considerations to be made when testing with non-production tenants. Specifically, you want to capture all manual steps, which reiterates the importance of documentation. Additionally, you should consider PowerShell automation which steps in place of tedious, repetitive manual steps.
In Commercial, decide on more stringent controls on an external partner, vendor, or business with explicit guidelines. You should consider taking over a T2T interaction and decide the tenets of the relationship with more configurations during cross-tenant configuration.
Overall cross tenant collaboration opens the doors for organizations that have all their users and resources in GCC High to collaborate with Commercial tenants. Further, for organizations with two tenants, both GCC High and Commercial, it allows one enclave of the business to collaborate with another without the red tape that previously existed.
Office 365 Cross-Cloud Collaboration
Connecting Commercial Office 365 tenants to GCC High tenants requires an adequate understanding of Microsoft’s strategy for secure and flexible collaboration across highly regulated and commercial organizations. This is particularly true given that if not configured properly, your CUI could travel outside of your controlled environment. Besides, improper cross-training of individuals who do not typically work with sensitive information adds uncertainty risks. This might then require that you consider if you can allow Commercial users to access GCC High.
Learn More About Cross-Cloud Collaboration
In retrospect, cross-tenant collaboration doesn’t have to be intimidating. With testing, documentation, automation, and alerts, it could be relatively manageable.
At Agile IT, we pride ourselves on our expertise in this subject. In fact, we’ve already started connecting Office 365 tenants to GCC High tenants. We can help you determine the best practice approach to improve your organizational collaboration without compromising CMMC compliance. Schedule a call today to get started.