Managed Red Tenant
Administrative users and their devices are prime targets for attackers. Cybercriminals exploit vulnerabilities in your infrastructure and move laterally to compromise administrative endpoints. With Managed Red Tenant, you establish a robust and scalable environment that provides optimal protection for your privileged identities and access.
Protection Against Lateral Movement and Privilege Escalation
Ransomware attackers target highly privileged users and endpoints to cause maximum damage and demand ransom. Exploiting vulnerabilities within the infrastructure, they infiltrate administrative endpoints and move laterally through the organization. In many companies, users with extensive privileges work on unsecured devices, leaving the door wide open for attackers. By utilizing separate administrative devices and a dedicated admin infrastructure ("Red Tenant"), the risk of ransomware attacks can be significantly reduced.

Maximum Protection for Administrative Access
The Managed Red Tenant combines our extensive experience in managed services with proven blueprints in the areas of workplace, Azure, and security.
The result: An isolated, fully cloud-based environment that effectively protects administrative users and endpoints – even in target environments with multiple Microsoft Entra tenants and Active Directory domains.
Our solution relies on native, cloud-based identity and security features from Microsoft and strictly adheres to Zero Trust principles.
Managed PAW for critical roles and a scalable cloud solution for all admins
Securing administrative clients is essential for an effective security strategy when it comes to privileged access. Regular devices should not be used for this purpose. We enforce strict policies to ensure the security and compliance of these endpoints. Based on the Microsoft Enterprise Access Model (EAM), we separate and evaluate privileged permissions according to defined administrative levels – forming the foundation for the use of an admin workstation.
- For highly critical roles with Control Plane access, such as the Global Administrator, we implement the "Clean Keyboard" approach by using a Privileged Admin Workstation (PAW) with dedicated hardware.
- For additional administrative roles, such as managing workloads in Microsoft Azure, we provide a scalable solution through Virtual Access Workstations (VAW). These are built on a secure and customized Azure Virtual Desktop (AVD) infrastructure within the Red Tenant.
Key Components of Managed Red Tenant
Microsoft Entra Internet Access, functioning as an identity-centric Secure Web Gateway (SWG), is used to block public internet access and restrict connectivity to privileged interfaces and the authorized company tenant environments only. Additional features, such as Universal Continuous Access Evaluation (CAE), enable near real-time access blocking.
Microsoft Entra Private Access serves as an identity-centric Zero Trust Network Access (ZTNA) solution and is the core of our approach to providing secure and private access to VAWs. Its integration into our solution adds an extra layer of protection for privileged sessions on AVD-based endpoints by enforcing Conditional Access on the accessing client before connectivity to the VAW is established. Securing access to private or on-premises resources under the same Zero Trust principles is another use case where we benefit from Private Access.
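As an added example (not code from this page or from the Managed Red Tenant service), the device separation for Control Plane roles described above and the Conditional Access enforcement on the accessing client can be expressed as one Entra Conditional Access policy created with the Microsoft Graph PowerShell SDK: sign-ins by Global Administrator role holders are blocked unless the device carries a PAW tag. The tag convention (extensionAttribute1 = "PAW") and the break-glass account ID are assumptions; the policy starts in report-only mode.

```powershell
# Added example: restrict Control Plane role sign-ins to PAW devices via Conditional Access.
# Assumptions: PAW devices are tagged in Entra with extensionAttribute1 = "PAW" (a constructed
# convention), and <BREAK-GLASS-OBJECT-ID> is a placeholder for the emergency-access account.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

# Role template ID of the built-in Global Administrator role.
$globalAdminRoleTemplateId = "62e90394-69f5-4237-9190-012177145e10"

$policy = @{
    displayName = "Red Tenant - Control Plane roles only from PAW"
    # Report-only first; switch to "enabled" after reviewing the sign-in logs.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users = @{
            includeRoles = @($globalAdminRoleTemplateId)
            excludeUsers = @("<BREAK-GLASS-OBJECT-ID>")   # placeholder: emergency-access account
        }
        # "All" covers every cloud app, including the Private Access app that fronts the VAWs.
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
        devices = @{
            # Exclude PAW-tagged devices from scope; every other device (including
            # unregistered ones) stays in scope and is blocked by the grant control.
            deviceFilter = @{
                mode = "exclude"
                rule = 'device.extensionAttribute1 -eq "PAW"'
            }
        }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("block")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
Write-Output "Created policy $($created.Id) in state $($created.State)"
```

Review the report-only results in the Entra sign-in logs before changing the state to "enabled", so that no legitimate admin path is cut off.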