agrob
- Veteran
- Posts: 419
- Liked: 57 times
- Joined: Sep 05, 2011 1:31 pm
- Full Name: Andre
Second tenant for authentication only
Good day,
We have at the moment two tenants:
1. Prod Tenant (with all our Entra ID users, M365 etc.)
2. Backup Tenant (at the moment with the VBA appliance)
We have now onboarded our Prod Tenant to VDC (new customer). Initial login with Veeam account. Configured M365 backup -> works well.
I want to add now other personal accounts for admin purposes. But I would not use accounts from our Prod MS tenant for those accounts.
Is it possible to add another tenant (our backup tenant) just for authentication? My plan would be that we use accounts from the Backup tenant to authenticate against VDC and for admin work. Would this work? If yes, does it consume licences if we do not back up anything from the backup tenant? Or what is best practice here? I would like to separate Prod and Backup as much as possible.
Thanks
micoolpaul
- VeeaMVP
- Posts: 434
- Liked: 178 times
- Joined: Jun 29, 2015 9:21 am
- Full Name: Michael Paul
Re: Second tenant for authentication only
Hi,
We support 1x IdP per VDC Organisation to ensure consistency of access. For example, if you wanted your access to VDC to enforce Conditional Access Policies restricting IP addresses or requiring MFA prompts, and we supported a second IdP, then this second IdP would be able to define its own policies and provide an inconsistent security posture.
You do have a couple of options, however:
1. You can add the required users as Guest accounts to your current primary Entra ID so you can enforce such things upon them.
2. We can replace your Prod tenant being used as IdP with your Backup Tenant. It doesn't impact self-service if we do this by the way.
It sounds like you'd just like to swap your IdP from prod to your backup tenant, so Option 2 likely makes the most sense, but let me know your thoughts!
Michael
-------------
Michael Paul
Veeam Data Cloud Solution Engineer - M365 & Entra ID
agrob
- Veteran
- Posts: 419
- Liked: 57 times
- Joined: Sep 05, 2011 1:31 pm
- Full Name: Andre
Re: Second tenant for authentication only
Hi Michael,
The goal is to not use our production tenant as IdP. It's like "do not domain join your on-prem backup server": if the prod tenant were compromised, this would also affect the VDC backup if this tenant is used as IdP. So I would add our backup tenant and then just use it as IdP. No backups would be taken from resources in this tenant.
So yes, then Option 2 would work.
- What must I do to accomplish this?
- Does it affect the licenses (usage etc.)?
Thanks
micoolpaul
- VeeaMVP
- Posts: 434
- Liked: 178 times
- Joined: Jun 29, 2015 9:21 am
- Full Name: Michael Paul
Re: Second tenant for authentication only
Hi,
Thank you, I thought that's what you were asking.
All you need to do is raise a support case and this can be swapped over.
You'll need to provide them with:
your existing .onmicrosoft.com tenant name, a new org administrator UPN, and the .onmicrosoft.com domain of the new IdP.
Thanks,
Michael
-------------
Michael Paul
Veeam Data Cloud Solution Engineer - M365 & Entra ID
agrob
- Veteran
- Posts: 419
- Liked: 57 times
- Joined: Sep 05, 2011 1:31 pm
- Full Name: Andre
Re: Second tenant for authentication only
Hi Michael,
Thank you for your feedback.
So I have to add the Backup Tenant and then contact support, right?
Does it affect somehow the license usage?
Thanks
André
micoolpaul
- VeeaMVP
- Posts: 434
- Liked: 178 times
- Joined: Jun 29, 2015 9:21 am
- Full Name: Michael Paul
Re: Second tenant for authentication only
Hi,
No, you don't need to add the backup tenant unless you wish to also protect it, and so unless you choose to back it up you won't need to utilise additional licensing.
-------------
Michael Paul
Veeam Data Cloud Solution Engineer - M365 & Entra ID
agrob
- Veteran
- Posts: 419
- Liked: 57 times
- Joined: Sep 05, 2011 1:31 pm
- Full Name: Andre
Re: Second tenant for authentication only
Thanks, I've opened a case (07974759) for this so that support can guide me through the process. I'll let you know the result.
agrob
- Veteran
- Posts: 419
- Liked: 57 times
- Joined: Sep 05, 2011 1:31 pm
- Full Name: Andre
Re: Second tenant for authentication only
Hello,
Got the following feedback from support:
[...
Currently, Veeam Data Cloud for Microsoft 365 is designed so that only users from the management (onboarded) tenant can be added as admins or used for authentication. Cross-tenant authentication using a second tenant as IdP is not supported.
There is not a supported workaround to add users from a different (non-onboarded) tenant as admins or IdP for authentication purposes. This is by design and cannot be changed through configuration or support intervention.
If you want to use accounts from your backup tenant for authentication, you would need to onboard that tenant as the management tenant in VDC. However, this would mean you cannot protect data from the production tenant under the same VDC instance, as each VDC instance is tied to a single management tenant.
If your goal is to avoid using production tenant accounts for security reasons, the only supported method is to create dedicated admin accounts within the production tenant (with limited permissions if desired) and use those for VDC access.
...]
Is there any possibility to add this as a Feature Request for the next version? I'm a bit surprised that Veeam, which usually has a high focus on security, did not already have a focus on this. Only using the prod tenant for authentication to the backup data is a more or less big security risk in my opinion, even if we use a prod tenant account with minimal rights. As soon as the prod tenant account is compromised, accessing the backup data with accounts from this tenant is an easy step and should be avoided.
Thanks
micoolpaul
- VeeaMVP
- Posts: 434
- Liked: 178 times
- Joined: Jun 29, 2015 9:21 am
- Full Name: Michael Paul
Re: Second tenant for authentication only
Hi,
I'm sorry, but support have misinformed you here.
You can only have 1x IdP as the management layer, but it does not need to be a protected workload. I have other customers doing this. You need to have the IdP swapped over from your current one, as we don't support multiple IdPs.
Please share your support case.
-------------
Michael Paul
Veeam Data Cloud Solution Engineer - M365 & Entra ID
agrob
- Veteran
- Posts: 419
- Liked: 57 times
- Joined: Sep 05, 2011 1:31 pm
- Full Name: Andre
Re: Second tenant for authentication only
Hi,
Thank you for your reply.
My case is #07974759.
Best Regards
micoolpaul
- VeeaMVP
- Posts: 434
- Liked: 178 times
- Joined: Jun 29, 2015 9:21 am
- Full Name: Michael Paul
Re: Second tenant for authentication only
Thank you, I've reached out internally to the support engineer regarding this ticket.
-------------
Michael Paul
Veeam Data Cloud Solution Engineer - M365 & Entra ID
agrob
- Veteran
- Posts: 419
- Liked: 57 times
- Joined: Sep 05, 2011 1:31 pm
- Full Name: Andre
Re: Second tenant for authentication only
Hi Michael,
Just got an e-mail from support that they would like me to send more information for a Feature Request for this topic. I can provide that information, but I thought it would already be possible...? Do you have any further information about that?
Best Regards
micoolpaul
- VeeaMVP
- Posts: 434
- Liked: 178 times
- Joined: Jun 29, 2015 9:21 am
- Full Name: Michael Paul
Re: Second tenant for authentication only
Hi Andre,
I believe there are wires crossed internally on this ticket, as that is another engineer who has replied in the ticket. I did speak to the engineer originally allocated to the ticket and provided some next steps for them.
I'll ensure the ticket is updated internally, as it appears that this second engineer was responding only specifically to your feature request e-mail, rather than on actioning your request.
Thanks,
Michael
-------------
Michael Paul
Veeam Data Cloud Solution Engineer - M365 & Entra ID