Intune Cross-Tenant Management
Nerdio Manager's Intune Cross-Tenant Management feature allows administrators to add and manage multiple additional Intune tenants within a single Nerdio Manager instance. This provides a simplified management experience when administering large or complex Intune environments, especially in multi-organizational scenarios - for example, following Merger and Acquisition (M&A) events, or where multiple child organizations are managed by a parent organization.
By configuring a Service Principal and Enterprise Application registration in the secondary tenants, you can perform Intune and Windows 365 management on the secondary tenants via the Nerdio Manager instance running in the primary tenant.
The vast majority of management functions that are available in single-tenant Nerdio Manager deployments are also available in multi-tenant scenarios, with complete feature parity planned for future releases.
Availability
This feature is in Public Preview.
The feature is available in the following Nerdio Manager plans:
| Plan | Note |
|---|---|
| AVD Core | * |
| AVD Premium | |
| Windows 365 | * |
| Unified Endpoint Management | * |
*The feature is fully functional in all subscriptions; however, initial setup makes use of AVD Premium Nerdio Manager features for Entra ID-based tenant linking. Subscribers to other plans will need to perform advanced configuration in the Azure CLI.
Limitations and known issues
The Preview version of this feature contains the following limitations:
| Issue/limitation | Impact | Mitigation/planned fix |
|---|---|---|
| Automatic assignment of Nerdio Manager permissions in the secondary tenant is not supported. | You need to create a Service Principal in the secondary tenant and manually assign the permissions for the required Intune functions. | |
| Intune User Operating Mode is not supported for secondary tenants. | Nerdio Manager must be configured to operate in application context mode. | Support for user context mode is planned for a future release. Important: When support for user context mode is added, migration of secondary tenants from application context to user context will not be available for Core subscribers who have manually provisioned the Nerdio Manager Service Principal in the secondary tenant via the Azure CLI. |
| Policy propagation across tenants is not currently supported. | You need to assign Intune policies to each tenant individually in Nerdio Manager. | |
| The Intune Insights feature is not supported for secondary tenants. | The data dashboards and reports associated with Intune Insights are currently available for the primary managed tenant only. | A number of reports can be viewed under Reports in the Intune portal, though the detailed visualizations associated with Nerdio Manager Insights are not currently available for secondary tenants. |
| Intune Service Accounts can't be linked to secondary tenants. | A small number of operations, such as the viewing of BitLocker keys, can't be performed on the secondary tenant within Nerdio Manager. | Perform these operations directly via the Intune portal. |
| Signing Intune scripts via Nerdio Manager is unavailable for secondary tenants. | Self-signing of scripts in Nerdio Manager is available for primary tenants only. | Use native PowerShell methods to sign scripts for the secondary tenants. |
| AVD to Windows 365 migration is not supported for secondary tenants or cross-tenant scenarios. | Migration of AVD hosts to Windows 365 Cloud PCs can currently be automated for the primary tenant only. | Migration in the secondary tenants requires manual instantiation of a Windows 365 Cloud PC and migration of user accounts using the Microsoft Graph API. |
Role-based access control (RBAC) and permissions
Intune Cross-Tenant Management requires configuration in both Microsoft Azure/Entra and Nerdio Manager. The following sections outline the minimum access levels required.
Note: Configuration can be performed by a single administrator across the different platforms and tenants, or by a number of different administrators. The steps to which each role applies are outlined below.
Nerdio Manager roles
The Admin role is required to enable and configure Intune Cross-Tenant Management in Nerdio Manager.
Nerdio Manager access levels
Following the Principle of Least Privilege (PoLP), you can define a custom role to enable and configure Intune Cross-Tenant Management in Nerdio Manager. Full Access in the Intune module is required.
Azure built-in roles
Following the Principle of Least Privilege (PoLP), configuring the necessary permissions to enable Intune Cross-Tenant Management in the secondary tenant(s) requires the following Azure built-in roles.
Important: An administrative account with these roles is required to create an app registration and configure the necessary permissions in each secondary tenant to be added to Nerdio Manager.
| Role | Description | Purpose |
|---|---|---|
| | Create and manage app registrations | An administrator assigned this role is required to create a Service Principal for the Nerdio Manager app service in each secondary tenant. This access is required to add or remove secondary tenant(s) only; it is not required for ongoing management. |
| Role Based Access Control Administrator or User Access Administrator | Manage access to Azure resources | An administrator assigned this role is required to grant the necessary access to the Nerdio Manager app service in each secondary tenant. This access is required whenever an Intune-managed function is added or removed for the tenant. |
Additional permissions
The Service Principal for the Nerdio Manager app service in each secondary tenant requires the permission LicenseAssignment.Read.All, in addition to the required Intune permissions for the functions to be managed.
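Because permissions in the secondary tenant are assigned by hand, it is worth verifying afterwards that the Service Principal holds exactly what the managed functions need. The following audit is an added example, not Nerdio Manager's own code: it resolves the app-role assignments granted to the Service Principal against the Microsoft Graph resource's appRoles catalogue and reports missing and surplus permissions. Both Graph responses are constructed samples with placeholder GUIDs, and the mapping of managed functions to Intune permissions is hypothetical (the page names only LicenseAssignment.Read.All).

```python
import json

# Constructed sample: shape of GET /servicePrincipals/{graphSpId} (appRoles subset); GUIDs are placeholders.
GRAPH_SP = json.loads("""{
  "appRoles": [
    {"id": "11111111-1111-1111-1111-111111111111", "value": "LicenseAssignment.Read.All"},
    {"id": "22222222-2222-2222-2222-222222222222", "value": "DeviceManagementConfiguration.ReadWrite.All"},
    {"id": "33333333-3333-3333-3333-333333333333", "value": "DeviceManagementManagedDevices.ReadWrite.All"},
    {"id": "44444444-4444-4444-4444-444444444444", "value": "Directory.ReadWrite.All"}
  ]
}""")

# Constructed sample: shape of GET /servicePrincipals/{nerdioSpId}/appRoleAssignments in the secondary tenant.
ASSIGNMENTS = json.loads("""{
  "value": [
    {"appRoleId": "11111111-1111-1111-1111-111111111111", "resourceDisplayName": "Microsoft Graph"},
    {"appRoleId": "22222222-2222-2222-2222-222222222222", "resourceDisplayName": "Microsoft Graph"},
    {"appRoleId": "44444444-4444-4444-4444-444444444444", "resourceDisplayName": "Microsoft Graph"}
  ]
}""")

# Hypothetical mapping of managed functions to Graph application permissions. The page names only
# LicenseAssignment.Read.All as mandatory and says the Intune permissions depend on the functions managed.
REQUIRED_BY_FUNCTION = {
    "baseline": {"LicenseAssignment.Read.All"},
    "configuration-policies": {"DeviceManagementConfiguration.ReadWrite.All"},
    "managed-devices": {"DeviceManagementManagedDevices.ReadWrite.All"},
}

def granted_permissions(assignments, graph_sp):
    """Map each granted appRoleId to its permission name (unknown ids are kept as raw ids)."""
    by_id = {role["id"]: role["value"] for role in graph_sp["appRoles"]}
    return {by_id.get(a["appRoleId"], a["appRoleId"]) for a in assignments["value"]}

def audit(functions, assignments=ASSIGNMENTS, graph_sp=GRAPH_SP):
    """Return (missing, excess) sorted permission lists for the chosen managed functions."""
    required = set().union(*(REQUIRED_BY_FUNCTION[f] for f in functions))
    granted = granted_permissions(assignments, graph_sp)
    return sorted(required - granted), sorted(granted - required)

if __name__ == "__main__":
    missing, excess = audit(["baseline", "configuration-policies", "managed-devices"])
    print("missing:", missing)   # the managed-devices function cannot work until this is granted
    print("excess :", excess)    # Directory.ReadWrite.All is not required by any managed function
```

Surplus entries such as Directory.ReadWrite.All are the ones to remove before the tenant is added, since the Service Principal keeps them for ongoing management.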
Procedures
The following procedure guides you through configuring and managing Intune Cross-Tenant Management:
Deployment considerations
Scaling considerations
While Intune Cross-Tenant Management is in Preview, we recommend that you add secondary tenants one by one and closely monitor Nerdio Manager performance before adding further tenants.
Please raise a support ticket to report any adverse impact on performance.
Help and support
Useful links
Multitenant organizations documentation | Microsoft Learn
Contact us
Contact our Sales team for more information about this feature.
Raise a support ticket about this feature.