Introduction
Hoxhunt supports creating customer accounts (Hoxhunt Organizations) for one email tenant or multiple email tenants.
(Email tenant = Microsoft 365 tenant or Google Workspace tenant)
Standard Hoxhunt setup
Hoxhunt's standard supported customer account structure is:
1 email tenant = 1 Hoxhunt Organization
In this type of setup you can:
- have Hoxhunt users from multiple email domains (within the same email tenant)
- customize phishing training context for each email domain
- forward reported threats to one or multiple SOC mailboxes
- upload all reported emails to your Hoxhunt Organization
- set up automated user provisioning (SCIM) from your tenant to Hoxhunt
- set up SSO with your tenant
- set up other integrations and automations
Hoxhunt also supports multiple email tenants within a single Hoxhunt Organization.
Out of the box, it's possible to:
- provision users from multiple tenants to a single Hoxhunt Organization
- set up multiple SSO providers that reside in separate tenants
- deliver Hoxhunt training emails via domain-specific email routes to separate email tenants
- have unified data reporting in Insights and via Cloud Export.
However, you cannot:
- Submit emails to Defender if the reporting user is in a different tenant than your SecOps Mailbox configured in Hoxhunt's Defender settings
- define separate threat forward addresses per the reporting user's email domain natively in Hoxhunt (however, workaround exists)
- have all integrations and automations to work fully
Advanced Hoxhunt setups
Separate Hoxhunt Organizations for each email tenant
Some customers with separate email tenants prefer to have a distinct Hoxhunt Organizations for each of their email tenants. This approach allows every email tenant to act fully sovereign and independent of each other.
Interconnected but separate Hoxhunt Organizations
For customers who wish to supervise their separate Hoxhunt Organizations while keeping them still logically separated, Hoxhunt offers a feature called Hoxhunt Multi-tenancy.
In a Hoxhunt Multi-tenancy setup, there are multiple Hoxhunt Organizations. Each Organization has their own configuration, set of users, reports and content. One Organization is designated as the Owner Organization and rest of the Organizations are designated as Managed Organizations. Owner Organization can then have special Multi-tenant Admin users who have administrative access across the Organizations (Admin Portal and Insights only). These access roles are controlled by a special Owner user.
Also, some restrictions apply:
- Owners can only access Threat Feed and Response of their own Hoxhunt Organization
- Hoxhunt Response doesn’t currently support Hoxhunt Multi-tenancy. Using Response in this setup requires each organization to implement and manage Response separately.
Related article: Hoxhunt Multi-tenancy
Merge and split scenarios
You might need to re-visit your Hoxhunt setup in certain situations. These cases include:
SCENARIO A: A merger or acquisition happens. You'd like to have the separate email tenant's users into Hoxhunt as soon as possible and to be part of your existing Hoxhunt Organization.
NOTE: If you plan to merge the separate email tenants soon, we recommend implementing Hoxhunt after the merger is complete.
SCENARIO B: A merger or acquisition happens. Your organization won't merge the separate email tenants for the time being but might in the future.
SCENARIO C: A merger or acquisition happens. Your organization has practical reasons for keeping the email tenants permanently separate such as local regulations or separate entities.
SCENARIO D: Part of your company is split into a subsidiary or separate company.
See details of some of the scenarios below for understanding how different approaches may affect Hoxhunt's functionality. If in doubt, please reach out to your Customer Success Manager or Hoxhunt Support (support@hoxhunt.com).
SCENARIO A: Merge additional email tenant into your email tenant and include all users in one Hoxhunt Organization
Pre-task
Migrate users from the acquired company into the same email environment as the existing Hoxhunt Organization.
Implementation required
Minimal, the new domain/s can simply be added to Hoxhunt per your request and users added to Hoxhunt through SCIM provisioning or CSV upload.
Cost
No additional fee.
Technical setup
All users will be included in a single Hoxhunt Organization and all your existing settings will remain as they are.
If migrated users switch using your primary email domain, the users will also adhere to the training settings of your primary email domain.
If the migrated user retain their original email domain, you can define some context-specific training settings for them.
Limitations
None.
SCENARIO B: Add the additional email tenant into an existing Hoxhunt Organization
Description
You can also add additional email tenants into your existing Hoxhunt Organization with some limitations. This may become relevant if you have acquired a company but cannot fully merge it to your parent company just yet. This approach allows you to later on merge the separate email tenants and keep using a single Hoxhunt Organization.
Implementation required
Requires implementation for the new email tenant (mail delivery allowlisting, Hoxhunt button deployment, technical testing, SSO, SCIM, etc.)
Hoxhunt Microsoft Technical Implementation Overview
Hoxhunt for Google Workspace Technical Implementation Overview
Cost
Technical implementation fee might apply, please ask your Hoxhunt contact for more information.
Benefits
1. You can set up separate SSO configurations for each email domain. You can even decide to have SSO disabled for some domains so they will utilize Magic Links instead.
2. You can provision users via SCIM from multiple tenants into a single Hoxhunt Customer Organization. Simply set up SCIM in each tenant by following the SCIM setup instructions provided in Hoxhunt Knowledge base.
3. Hoxhunt's email delivery routing can be configured per email domain. Please contact Hoxhunt Support if you need to configure this.
4. Data reporting is by default provided on a Hoxhunt Organization level, so you will be able to automatically print global reports that include data from both brand.com and brand.fi.
Limitations
You cannot have Microsoft-based tenant and Google Workspace-based tenant configured in a single Hoxhunt Organization.
Features tied to reporting real threats (phishing / spam) can only be configured for the whole organization, not per email domain or per email tenant. This means that when you for example enable reported phishing emails to be forwarded to a designated inbox, this setting will apply to all email environments included in your Hoxhunt Customer Organization.
You cannot submit emails to Defender if the reporting user is in a different tenant than your SecOps Mailbox configured in Hoxhunt's Defender settings.
SCENARIO C: Add the additional email tenant as its own Hoxhunt Customer Organizations
Description
If scenarios A or B are not applicable, the newly acquired company can also be setup as a completely separate Hoxhunt Organization.
Implementation required
Requires full implementation in the new email tenant (mail delivery, allowlisting VPNs, proxies etc, distributing the Hoxhunt button, setting up SSO and SCIM)
Hoxhunt Microsoft Technical Implementation Overview
Hoxhunt for Google Workspace Technical Implementation Overview
Cost
Technical implementation fee might apply, please ask your Hoxhunt contact for more information.
Technical setup
You will be able to implement and configure Hoxhunt for each email tenant / environment with customized technical implementation for the new organization:
1. SSO (read more: Single sign-on (SSO) Overview)
2. Automated user provisioning (SCIM) (read more: User Management: Automatic user provisioning (SCIM) overview
3. All email delivery related configurations, such as Special: Receive Connector and Configuring Gmail API Delivery
4. Configure your own settings for how to manage reported real suspicious emails (read more: Admin Portal: Features tied to reporting real threats (phishing / spam)
This option closely resembles the standard setup for Hoxhunt Customer Organizations, which is why you can use most technical configuration options, with few limitations.
Limitations
1. Each email tenant must use unique email domains, as one domain can only be used in one Hoxhunt Organization at a time.
2. Each organization will have their own Admin Tools (Admin Portal Insights, Response, Threat Feed).
3. Reporting is default provided on a Hoxhunt Customer Organization level, so you will not be able to automatically print global reports that include data from both brand.com and brand.fi.
Note: Some Hoxhunt licenses include access to our PowerBI integration (Cloud Export), which you could use to create your own custom dashboards. Please ask your Hoxhunt contact for more information. You can read more here: PowerBI and CSV data export overview.
SCENARIO D: Email tenant is split into multiple email tenants and both want to continue using Hoxhunt
You might face a situation where your company is de-merging and the new separate Organization wants to continue using Hoxhunt.
In this situation, you need to split your Hoxhunt Organization to separate Hoxhunt Organizations.
Limitations
No data can be transferred between two Hoxhunt Organizations. Therefore, user's training history nor reporting history cannot be migrated.
Questions?
Do you have any questions about support for multiple email tenants? Please don't hesitate to reach out to your Customer Success Manager, Onboarding Manager or our support team at support@hoxhunt.com.