Note: This article applies to SaaS Identity Panel Suite, with a dedicated tier hosting subscription.
Service Panel supports a wide range of delegated administration and self-service models. One way to achieve additional functionality in this area is to configure multi-tenant access.
In a typical deployment scenario, the Identity Panel Suite is joined to the organization's Azure AD tenant and only allows logins from that single directory. In some cases it may be desirable to allow logins from additional directories. Example scenarios include:
- An organization with multiple Azure tenants, e.g. one per business unit
- A requirement to delegate identity management across tenants for a temporary period, such as during a large merger or acquisition
- An organization that wants to delegate account management activities to a partner organization
In the above scenarios, the Identity Panel Suite can be configured to accept logins from any directory on a whitelist of permitted Azure AD tenants. When users from those directories log in at the dedicated Service Panel URL, they sign in via SSO with the account from their home directory, but once logged in they are bound to the host organization's tenant configuration and receive the content and security roles configured in the host tenant.
The Identity Panel Suite also allows creation of custom security roles that are bound to the delegated organization's tenant, using group IDs from that foreign organization.
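As an added illustration (not Identity Panel's own code), the following Python model shows the two checks described above: the whitelist of home directories, and host-tenant security roles bound to a foreign tenant's group IDs. The tenant and group identifiers are constructed placeholders, the claim names `tid` and `groups` follow Azure AD token conventions, and the token is assumed to have already passed signature, audience and expiry validation.

```python
"""Tenant whitelist check and tenant-scoped role mapping for a multi-tenant
login, modelled on the behaviour described above (illustrative only)."""
from dataclasses import dataclass, field

# Constructed placeholder tenant and group identifiers (not real directories).
HOST_TENANT = "11111111-1111-1111-1111-111111111111"
PARTNER_TENANT = "22222222-2222-2222-2222-222222222222"
OTHER_TENANT = "33333333-3333-3333-3333-333333333333"
PARTNER_HELPDESK_GROUP = "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa"

# Directories permitted to sign in at the host tenant's Service Panel URL.
ALLOWED_TENANTS = {HOST_TENANT, PARTNER_TENANT}

# Host-tenant security roles, each bound to (issuing tenant, group id).
# A group id is only honoured for the tenant it was configured against.
ROLE_BINDINGS = {
    (PARTNER_TENANT, PARTNER_HELPDESK_GROUP): {"PasswordReset", "ViewUsers"},
}


@dataclass
class LoginDecision:
    allowed: bool
    tenant: str
    roles: set = field(default_factory=set)
    reason: str = ""


def resolve_login(claims: dict) -> LoginDecision:
    """Decide whether an already-validated token may bind to the host tenant,
    and which host-tenant roles its group claims confer."""
    tid = claims.get("tid")
    if tid not in ALLOWED_TENANTS:
        # Home directory is not whitelisted: refuse regardless of groups.
        return LoginDecision(False, tid or "", reason="tenant not whitelisted")
    roles = set()
    for group in claims.get("groups", []):
        # Look the group up only under its own issuing tenant, so a group id
        # from one directory never maps to a role configured for another.
        roles |= ROLE_BINDINGS.get((tid, group), set())
    # The login binds to the host tenant; roles may be empty, in which case
    # the host tenant's default (least-privilege) content applies.
    return LoginDecision(True, tid, roles)
```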