Introduction
Hoxhunt supports creating customer accounts (Hoxhunt Customer Organizations) for one email tenant / email environment or multiple email tenants / email environments. By email tenant or email environment, we mean an Office 365 Organization or Gmail Organization which is a sandboxed environment for you and your assets. The Tenant is the container for items of your Organization such as users, domains, subscriptions etc.
Hoxhunt standard setup
Hoxhunt's standard supported customer account structure is:
One Hoxhunt Customer Organization = One email tenant / one SCIM integration / one SSO integration
Within the email tenant, you may have multiple domains, and Hoxhunt supports including all relevant domains in the training. You will also be able to customize the training related context, such as logos, brand names, addresses, language choices, etc on a domain level.
Special situations: Multiple email tenants
When required, Hoxhunt can also support multiple email tenants. These cases usually come up when:
- A merger or acquisition happens. In those cases, if you plan to merge the email tenants, we recommend implementing Hoxhunt after the merger as outlined below in option A.
- Your organization has practical reasons for keeping the email tenants separate such as local regulations or separate entities. In these cases, we recommend going with option B or C below. Please note that technical implementation is done on an email tenant level, so you will need to complete the implementation steps in each tenant you want to include.
A. Merge additional email tenant into your email tenant and include all users in one Hoxhunt Customer Organization
Description
If possible, we recommend merging the users from the acquired company into the same email environment as the existing Hoxhunt Customer Organization.
Implementation required
Minimal, the new domain/s can simply be added to Hoxhunt per your request and users added through SCIM / CSV upload.
Cost
No additional fee
Technical setup
All users will be included in one Hoxhunt Customer Organization and all your existing settings will remain as they are for your organization.
Special: Receive Connector and Configuring Gmail API Delivery can only be implemented for one Hoxhunt Organization at a time, and can therefore only be enabled for one email tenant. The Receive Connector is used to bypass mail filtering systems and ensuring that Hoxhunt emails can be sent to your employees, while the Gmail API delivery bypasses the normal mail delivery and inserts the email in the recipients inbox through the Gmail API. When the existing Hoxhunt Customer Organization has one of these features enabled, you cannot add another email environment to the same Hoxhunt Customer Organization, and must use option C as outlined below instead.
Limitations
None, the new users are fully integrated into your existing Hoxhunt Customer Organization.
B. Add users as Microsoft B2B Guest Accounts to your Azure AD and include all users in one Hoxhunt Customer Organization
Description
If it is not possible for you to merge the email environments and you want to have one Hoxhunt Customer Organization, you could consider using Microsoft B2B Guest Accounts (read more here), as that would allow using your existing SCIM and SSO integration for user management. If you do, you can enable SSO and SCIM if the following requirements are met:
-
You need to use Mail as main attribute in SCIM and SSO. This is because Microsoft B2B Guest Accounts have # character in their UPN, which will cause errors in our system.
-
You need to add the Microsoft B2B Guest Accounts to Hoxhunt
-
The user logs in using the Microsoft B2B Guest Accounts email address
-
Authentication is done against the user's home tenant
If you cannot use Microsoft B2B Guest Accounts and you have employees in separate SSO setups, you will need to turn SSO off and have your employees log into Hoxhunt using Magic Links instead. Hoxhunt requires authentication in multiple interfaces, so your employees will need to either have access to SSO or Magic Links to use the training.
Implementation required
You would need to do the technical implementation for the new email tenant (mail delivery, allowlisting VPNs, proxies etc and distributing the Hoxhunt button). You can use your existing SSO and SCIM configuration.
Hoxhunt Microsoft Technical Implementation Overview
Hoxhunt for Google Workspace Technical Implementation Overview
Cost
Technical implementation fee, please ask your Hoxhunt contact for more information.
Technical setup
All users will be included in one Hoxhunt Customer Organization and all your existing settings will remain as they are for your organization.
Special: Receive Connector and Configuring Gmail API Delivery can only be implemented for one Hoxhunt Organization at a time, and can therefore only be enabled for one email tenant. The Receive Connector is used to bypass mail filtering systems and ensuring that Hoxhunt emails can be sent to your employees, while the Gmail API delivery bypasses the normal mail delivery and inserts the email in the recipients inbox through the Gmail API. When the existing Hoxhunt Customer Organization has one of these features enabled, you cannot add another email environment to the same Hoxhunt Customer Organization, and must use option C as outlined below instead.
Limitations
None, the new users are fully integrated into your existing Hoxhunt Customer Organization.
C. Add the additional email tenant as its own Hoxhunt Customer Organizations
Description
If options A and B are not possible, the newly acquired company can also be setup as a separate Hoxhunt Customer Organization.
Implementation required
Requires full implementation in the new email tenant (mail delivery, allowlisting VPNs, proxies etc, distributing the Hoxhunt button, setting up SSO and SCIM)
Hoxhunt Microsoft Technical Implementation Overview
Hoxhunt for Google Workspace Technical Implementation Overview
Cost
Technical implementation fee might apply, please ask your Hoxhunt contact for more information.
Technical setup
You will be able to implement and configure Hoxhunt for each email tenant / environment with customized technical implementation for the new organization:
1. SSO (read more: Single sign-on (SSO) Overview)
2. Automated user provisioning (SCIM) (read more: User Management: Automatic user provisioning (SCIM) overview
3. All email delivery related configurations, such as Special: Receive Connector and Configuring Gmail API Delivery
4. Configure your own settings for how to manage reported real suspicious emails (read more: Admin Portal: Features tied to reporting real threats (phishing / spam)
This option closely resembles the standard setup for Hoxhunt Customer Organizations, which is why you can use most technical configuration options, with few limitations.
Limitations
1. Each email tenant must use unique domains, as one domain can only be used in one Hoxhunt Customer Organization at a time.
- Example: the domain brand.com is included in the Global Hoxhunt Customer Organization and the domain brand.fi is included in the Finnish Hoxhunt Customer Organization, separately from each other.
2. Each organization will have their own Admin Tools (Admin Portal and Insights Portal / Reporting). Admin access to the Admin Tools will only be allowed for users within the allowed domains. If you would like users cross domain to have access to other domain's Admin Tools, these users will need their own users in the allowed domain.
- Example: You would like a user with an email in the brand.com domain to have Admin Access to the Admin Tools for brand.fi domain, they would need have access to a brand.fi email address and be able to log into it to be able to then use SSO to log into the hoxhunt.fi Admin Tools within Hoxhunt.
3. Reporting is default provided on a Hoxhunt Customer Organization level, so you will not be able to automatically print global reports that include data from both brand.com and brand.fi.
-
Example: You would like a global report that includes data from both brand.com and brand.fi. You will be able to print pdf reports separately for the different Hoxhunt Organizations. You will also have access to download the reporting data in CSV, and you can create your own reports from there. However, you will not be able to print a pfd report or CSV that includes all the data in one place.
- Note: Some Hoxhunt licenses include access to our PowerBI integration, which you could use to create your own custom dashboards. Please ask your Hoxhunt contact for more information. You can read more here: PowerBI and CSV data export overview.
D. Add the additional email tenant into an existing Hoxhunt Customer Organization
Description
This option is different from the standard setup for Hoxhunt, which is why it comes with a few additional limitations. In this case, you would add the additional email tenant into your existing Hoxhunt Customer Organization.
Implementation required
Requires full implementation in the new email tenant (mail delivery, allowlisting VPNs, proxies etc, distributing the Hoxhunt button)
Hoxhunt Microsoft Technical Implementation Overview
Hoxhunt for Google Workspace Technical Implementation Overview
Cost
Technical implementation fee might apply, please ask your Hoxhunt contact for more information.
Benefits
1. You can set up separate SSO configurations for each email domain. You can even decide to have SSO disabled for some domains so they will utilize Magic Links instead.
2. You can provision users via SCIM from multiple tenants into a single Hoxhunt Customer Organization. Simply set up SCIM in each tenant by following the SCIM setup instructions provided in Hoxhunt Knowledge base.
3. Reporting is default provided on a Hoxhunt Customer Organization level, so you will be able to automatically print global reports that include data from both brand.com and brand.fi.
Example: You would like a global report that includes data from both brand.com and brand.fi. You will be able to automatically print pdf reports that include all your global data. You will also be able to download the data as a CSV and you can therefore create your own reports.
Limitations
If you do not have all the users across email tenants are included in the same iDP (such as Azure AD) or Microsoft B2B Guest Accounts (see options A and B above), then the following limitations apply:
1. Special: Receive Connector and Configuring Gmail API Delivery can only be implemented for one Hoxhunt Organization at a time, and can therefore only be enabled for one email tenant. The Receive Connector is used to bypass mail filtering systems and ensuring that Hoxhunt emails can be sent to your employees, while the Gmail API delivery bypasses the normal mail delivery and inserts the email in the recipients inbox through the Gmail API. When the existing Hoxhunt Customer Organization has one of these features enabled, you cannot add another email environment to the same Hoxhunt Customer Organization, and must use option C as outlined above instead.
2. Admin Portal: Features tied to reporting real threats (phishing / spam) can only be configured for one organization. This means that when you for example enable reported phishing emails to be forwarded to a designated inbox, this setting will apply to all email environments included in your Hoxhunt Customer Organization.
Questions?
Do you have any questions about support for multiple email tenants? Please don't hesitate to reach out to your Customer Success Manager, Onboarding Manager or our support team at support@hoxhunt.com.