Advice needed: Multitenant organization issues
Hey peeps, a client of mine is asking for an optimal solution to their sub-optimal organization structure. I want to see if there’s something more I can do here or if we are stuck with our environment the way it is. It’s such a strange ask that it will take a few paragraphs to describe, so bear with me.
Client has a central corporate entity, but the “branch” entities operate separately and have a fair amount of self-governance.
This central corporate entity has a Microsoft 365 tenant and that’s what everyone’s email matches, including branch members. Let’s call it corp.onmicrosoft.com with a verified domain of corp.com. So, everyone at corporate and the branches has addresses/UPNs of @corp.com.
Before my time, one of the self-governing branches chose to set up a SharePoint site specific to their branch. They put all the files on a separate 365 tenant of corp-ny.onmicrosoft.com with verified domain corp-ny.com. There are a couple of identities on that 365 tenant, but since everyone uses their corp.com email, they access the SharePoint data from their primary corporate identities as GUESTS of the branch’s tenant. So the branch tenant has 3 members and 100+ guests.
We perform IT for just the BRANCH, not the corporate structure. Since corporate IT is not interested in changing infrastructure at this time, we would like to convert all the guest identities on the branch tenant to members, and we can then leverage technologies like Intune & CA and move them off of their on-premises AD server that is not doing AD Connect. I have a quick script that will do all of that – convert, license, set some properties for all 100 members. Seems okay! After the change, members will have their corporate identity for email, and the branch identity for SharePoint and Windows login.
We’ve identified a problem, however, with notifications. When you comment on a file in SharePoint, a notification is generated for anyone that participates in that file. The notification is sent from the commenter’s identity. Currently, that means notifications come from @corp.com. However, after the change those notifications will come from corp-ny.com. This domain does NOT have an MX record associated with it 🙁 and we think this will lead to a LOT of confusion if people try to reply directly to the emails. It might also have the potential(?) to fail email spoofing checks or be flagged as suspicious by email servers. Additionally, the notifications would be sent to their branch identities, which I assume would not deliver. Even if it did deliver and we added an MX record, it would be in an inbox that’s not checked by the team.
My question is:
Can I mask the notification email to be from “email address removed for privacy reasons” for all of the notifications? Or,
Can I “spoof” the emails so that they appear to be sent from the corporate identity?
Secondly,
What’s the best way to deal with notifications headed to the wrong inbox? Can a transport rule redirect these emails to their corporate emails?
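An added example for the second question (not code from the original post): a mail flow rule in Exchange Online redirects to a fixed list of recipients, so it can’t map each @corp-ny.com mailbox to its own @corp.com counterpart. Per-mailbox forwarding can. The script below, written against the ExchangeOnlineManagement module, sets `ForwardingSmtpAddress` on each branch mailbox and then reads the setting back so the result can be checked. The mapping table and the address names in it are constructed for illustration; the function names `Set-BranchForwarding` and `Test-BranchForwarding` are my own, not Microsoft’s.

```powershell
#Requires -Modules ExchangeOnlineManagement
# Added example, not from the original post. Assumes an Exchange admin
# session in the branch tenant (corp-ny.onmicrosoft.com).

# Constructed sample mapping: branch mailbox -> corporate mailbox that the
# user actually reads. In practice this comes from the same list used to
# convert the guests to members.
$ForwardMap = @{
    'alice@corp-ny.com' = 'alice@corp.com'
    'bob@corp-ny.com'   = 'bob@corp.com'
}

function Set-BranchForwarding {
    param(
        [Parameter(Mandatory)] [hashtable] $Map,
        [switch] $WhatIf
    )
    foreach ($branchAddress in $Map.Keys) {
        $corpAddress = $Map[$branchAddress]
        # Forward to the corp.com mailbox and do not keep a copy in the
        # branch inbox nobody checks (flip to $true if a copy is wanted).
        Set-Mailbox -Identity $branchAddress `
            -ForwardingSmtpAddress "smtp:$corpAddress" `
            -DeliverToMailboxAndForward $false `
            -WhatIf:$WhatIf
    }
}

function Test-BranchForwarding {
    param([Parameter(Mandatory)] [hashtable] $Map)
    # Read the setting back; EXO stores it as "smtp:<address>".
    foreach ($branchAddress in $Map.Keys) {
        $expected = "smtp:$($Map[$branchAddress])"
        $mbx = Get-Mailbox -Identity $branchAddress
        [pscustomobject]@{
            Branch     = $branchAddress
            Forwarding = $mbx.ForwardingSmtpAddress
            Expected   = $expected
            Ok         = ($mbx.ForwardingSmtpAddress -eq $expected)
        }
    }
}

Connect-ExchangeOnline -ShowBanner:$false

# Exchange Online's outbound spam policy blocks automatic external forwarding
# unless AutoForwardingMode allows it, so check that before relying on this.
Get-HostedOutboundSpamFilterPolicy | Select-Object Name, AutoForwardingMode

Set-BranchForwarding -Map $ForwardMap -WhatIf   # dry run; drop -WhatIf to apply
Test-BranchForwarding -Map $ForwardMap | Format-Table -AutoSize
```

Two things the script deliberately does not touch. The outbound spam policy check is printed rather than changed, because enabling automatic forwarding is a tenant-level decision (it can be scoped to a policy covering only these mailboxes). And it does nothing about the sender side of the first question: notifications from the branch tenant carry a corp-ny.com From address, and whether mail from another tenant is accepted as @corp.com is decided by the SPF, DKIM and DMARC records that corporate IT controls for corp.com, so that part can only be solved in cooperation with them.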