Is it wise to have three separate Azure tenants for Test, Prod, and Pre-Prod + Domain name security concern?

Question

Is it wise to have three separate Azure tenants for Test, Prod, and Pre-Prod + Domain name security concern?

Ilman Hamzatov 0

Hello everyone,

I’m looking for insights on whether it’s truly necessary or beneficial to set up separate Azure tenants for different environments such as Test, Pre-Production, and Production. I’d like to understand the real value this brings—especially from the perspectives of security, management complexity, and cost.

Security Concerns:

There’s a belief that using a shared or public-facing tenant poses security risks, especially when resources are technically accessible over the internet. However, with the proper security controls in place—such as Conditional Access, Multi-Factor Authentication (MFA), and Private Endpoints—does separating environments into different tenants really offer enhanced protection?

Would it not be more efficient and secure to use Subscriptions and Management Groups within a single tenant to logically isolate and govern environments?

Cost & Management Overhead:

What are the practical implications of maintaining multiple Azure tenants? I’m curious about any extra costs, administrative burden, or licensing complexities involved. Are there any significant trade-offs in governance, identity management, or automation between a multi-tenant vs. single-tenant setup?

Tenant Naming and Security:

Another question I have is about the tenant domain name (e.g., something.onmicrosoft.com). If the domain name is clearly identifiable, does that introduce any meaningful security risk—assuming that best practices like MFA, Conditional Access policies, and role-based access control are already in place?

I’d really appreciate hearing about your experiences, thoughts, or any best practices you’ve seen work well in similar scenarios.

Thanks in advance!

1 answer

Your answer

Answer 1

Hi @Ilman Hamzatov ,

Thank you for reaching out to Microsoft Q&A.

I understand that the IT department is advocating for the setup of three separate Azure tenants, and here are my thoughts on the proposed environments:

Yes, the public tenant does expose resources to the internet, which allows for user flexibility. However, you can enhance the security of a public tenant by configuring Conditional Access, Multi-Factor Authentication (MFA), and Private Endpoints.

While implementing policies at the subscription or management group level to isolate environments is a good approach, I suggest using only two tenants: a Test Tenant and a Production Tenant. This is because enabling certain policies might affect the entire Production environment, so having multiple tenants can provide a safer option.

Regarding costs and management, you could use a pay-as-you-go subscription model to avoid additional expenses. For licensing, the Test Tenant could take advantage of a 30-day free trial with a P2 license.

Lastly, the domain name itself does not pose any significant risk if proper precautions are in place. For instance, with a domain like companyname.onmicrosoft.com, users must pass an access token to access resources. Access tokens are security tokens designed for authorization, allowing authenticated users to access specific resources.

For additional information regarding access token: Access tokens in the Microsoft identity platform - Microsoft identity platform | Microsoft Learn

Hope this helps. Do let us know if you any further queries.

If this answers your query, do click **Accept Answer** and **Yes** for was this answer helpful. And, if you have any further query do let us know.

Regards,

Goutam Pratti

Share via

Is it wise to have three separate Azure tenants for Test, Prod, and Pre-Prod + Domain name security concern?

1 answer

Your answer