this post was submitted on 07 Aug 2023
13 points (78.3% liked)
Sysadmin
7664 readers
5 users here now
A community dedicated to the profession of IT Systems Administration
No generic Lemmy issue posts please! Posts about Lemmy belong in one of these communities:
!lemmy@lemmy.ml
!lemmyworld@lemmy.world
!lemmy_support@lemmy.ml
!support@lemmy.world
founded 1 year ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
He said 15 VM's running for clients. Now you would want to secure these clients from each other, restrict east to west movement. Adding them all on the same domain introduces security risk, reducing them risk and hiding clients from one and other in the same domain would take lots of effort. So just don't put yourself in that situation and use multiple domains one domain for each client.
Lol you can absolutely control E/W movement without needing multiple domains..
Worst case you use a red forest as the admin forest, but with an environment that small there are plenty of other things you can do without making it that complicated while providing similar protection.
Then you start getting things like Azure AD Sync etc. It's best practice one domain per client. Not trying to make one domain work for multiple different clients.
You don't need anything from Azure to do that. Authentication policy and silos are what enforces multi tenancy east west boundaries (among many, many other layers outside of the scope of this conversation).
But it looks like I misread what the "client" context was initially. So that's my bad. That does muddy the waters and would depend on what the agreements are between the companies and OP have. But this isn't a technical constraint rather a business and legal decision.