Citrix DaaS™

(Partner administrators) Manage multitenant DaaS deployments

This article describes how Citrix Service Providers (Partners) set up and manage multitenant DaaS environments in Citrix Cloud.

For more information about requirements for CSP partners, see Requirements.

Note:

To set up a single-tenant DaaS deployment and manage this customer’s DaaS resources, follow the standard process described in the DaaS get-started guide.

Step 1: Add a customer

Follow this procedure to onboard a multitenant customer that shares the same Org ID as the partner. The steps also apply to onboarding a single-tenant customer that shares the same Org ID as the partner.

  1. Sign in to Citrix Cloud with your Citrix Service Provider™ (CSP) credentials. Select My Customers in the upper left menu.

  2. From the My Customers Dashboard, select the Cloud-tenant tab, click Add customer, and then choose Onboard a customer.

  3. Complete the required fields and click Add.

Note:

Adding the customer creates a customer cloud account and automatically adds you (partner administrator) as a Full access administrator of that tenant.

To connect a single-tenant customer with an existing stand-alone Org ID and cloud account, follow these steps:

  1. From the My Customers Dashboard, select the Cloud-tenant tab, click Add customer, and then choose Invite a customer.

  2. Connect with an existing Citrix Cloud customer by sending the Citrix Cloud URL to the customer. For more information, see Create connections with customers. The customer must add you as a Full access administrator to their account. See Add administrators to a Citrix Cloud account for more information.

Step 2: Add Citrix® multitenant DaaS to a customer

  1. Sign in to Citrix Cloud with your CSP credentials. Select My Customers in the upper left menu.
  2. From the My Customers dashboard, go to the Cloud-tenant tab, select the customer, and in the lower Details panel of the selected customer, click Add Citrix DaaS.

  3. Click Add to confirm.

Tip:

If the partner administrator cannot perform Add DaaS for a new tenant, verify that the following requirements are met:

  • The signed-in administrator has Full access permissions in the tenant’s Citrix Cloud account.
  • The Citrix Service Provider account has the required multitenant Citrix DaaS entitlement.

After you complete this procedure, the customer is onboarded to your Citrix DaaS subscription.

When the onboarding completes, a new customer scope is created automatically in Citrix DaaS. The scope is visible in the Studio display. This scope is unique to that customer. You can rename the scope, but you cannot delete it.

Use this scope to tailor access for other administrators. For example, let’s say you have 10 customers and two administrators. Using the unique scope, you can restrict one administrator’s access to only three of the customers. The other administrator can access one of those three customers, plus two other customers. For details, see Control administrator access to customers.

Step 3: Set up a resource location

A resource location holds the machines that deliver apps and desktops for your customers, and infrastructure components such as Citrix Cloud Connectors. For details, see Connect to Citrix Cloud.

In multitenant DaaS deployments, tenants are separated by resource locations and their associated domains. Although each tenant has its own cloud account, all tenant resource locations and their cloud connectors must be deployed and managed from the CSP’s partner account. For more information about detailed architecture and deployment options, see Citrix Service Provider DaaS Reference Architecture.

Step 4: Federate domains

Federated domains let a customer's users sign in to their workspace with credentials from a domain that is attached to the resource location you designated for that tenant customer. This allows you to provide dedicated workspaces that customer users access through a custom workspace URL defined in the tenant account (for example, customer.cloud.com), while the resource location remains in your Citrix Cloud account. You can provide dedicated workspaces alongside the shared workspace that customers access through your CSP workspace URL (for example, csppartner.cloud.com).

To enable customers to access their dedicated workspace, add them to the appropriate domains that you manage. After configuring the workspace through Workspace Configuration, customers’ users can sign in to their workspace and access the apps and desktops that you’ve made available.

Add a customer to a domain

  1. Sign in to Citrix Cloud with your CSP credentials. Select Identity and Access Management in the upper left menu.
  2. On the Domains tab, locate the relevant domain for the customer, and select Manage Federated Domain from the domain’s ellipsis menu.
  3. On the Manage Federated Domain card, under the Available customers column, select the customer you want to add to the domain, and click the plus sign next to the customer name. The selected customer now appears in the Federated customers column. Repeat to add other customers. When you’re done, select Apply.

Remove a customer from a domain

When you remove a customer from a domain that you manage, the customer’s users can no longer access their workspaces using credentials from your domain.

  1. From the Citrix Cloud menu, select Identity and Access Management, then select Domains.
  2. Locate the domain that you want to manage and select the ellipsis button. Select Manage Federated Domain.
  3. From the list of federated customers, locate or search for the customers you want to remove and select the X button. Select Remove all to remove all the customers in the list from the domain. The selected customers move to the list of available customers.
  4. Select Apply.
  5. Review the customers that you selected and select Remove Customers.

Step 5: Set up catalogs and groups to deliver apps and desktops

Note:

To manage DaaS for a tenant customer as a partner administrator, you must switch to the CSP’s cloud account. To do so, click the account name in the upper-right menu and click Change customer.

A catalog is a group of identical virtual machines. When you create a catalog, an image is used (with other settings) as a template for creating the machines. For details, see Create machine catalogs.

A delivery group is a collection of machines selected from one or more machine catalogs. The delivery group specifies which users can use those machines, plus the applications or desktops available to those users. For details, see Create delivery groups.

Application groups let you manage collections of applications. You can create application groups for applications shared across different delivery groups or used by a subset of users within delivery groups. For details, see Create application groups.

When configuring groups, be sure that:

  • The delivery group’s scope is a subset of the machine catalog’s scope. For example, assume the catalog’s scope is A and B. The delivery group’s scope can be either A or B, or A and B.
  • The application group’s scope is a subset of the delivery group’s scope. For example, assume the delivery groups associated with an application group have scope A and B. The application group’s scope can be either A or B, or A and B.
  • For security in a multitenant deployment, it is recommended that you separate all the preceding objects by tenant-specific scopes.
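
The scope rules above can be checked mechanically. The following Python example is added here and is not Citrix code: it lints a constructed inventory, and every object name, scope name, and the one-catalog-per-delivery-group layout is an assumption.

```python
# Constructed inventory: object and scope names are made up for illustration.
CATALOGS = {"cat-abc": {"customerABC"},
            "cat-mixed": {"customerABC", "customerXYZ"}}
DELIVERY_GROUPS = {  # each delivery group is modelled with one catalog (assumption)
    "dg-abc": {"catalog": "cat-abc", "scopes": {"customerABC"}},
    "dg-xyz": {"catalog": "cat-mixed", "scopes": {"customerXYZ"}},
    "dg-bad": {"catalog": "cat-abc", "scopes": {"customerABC", "customerXYZ"}},
}
APP_GROUPS = {
    "ag-abc": {"delivery_groups": ["dg-abc"], "scopes": {"customerABC"}},
    "ag-bad": {"delivery_groups": ["dg-abc"], "scopes": {"customerXYZ"}},
}


def lint_scopes(catalogs, delivery_groups, app_groups):
    """Return (kind, name, issue, scopes) tuples for every rule violation."""
    findings = []
    for name, dg in sorted(delivery_groups.items()):
        # Rule 1: delivery group scope must be a subset of its catalog's scope.
        extra = dg["scopes"] - catalogs[dg["catalog"]]
        if extra:
            findings.append(("delivery group", name,
                             "outside catalog scope", sorted(extra)))
    for name, ag in sorted(app_groups.items()):
        # Rule 2: scopes of the associated delivery groups, taken as their union.
        allowed = set().union(
            *(delivery_groups[d]["scopes"] for d in ag["delivery_groups"]))
        extra = ag["scopes"] - allowed
        if extra:
            findings.append(("application group", name,
                             "outside delivery group scope", sorted(extra)))
    # Rule 3: an object carrying more than one tenant scope is shared by tenants.
    objects = [("catalog", n, s) for n, s in catalogs.items()]
    objects += [("delivery group", n, o["scopes"])
                for n, o in delivery_groups.items()]
    objects += [("application group", n, o["scopes"])
                for n, o in app_groups.items()]
    for kind, name, scopes in sorted(objects, key=lambda t: (t[0], t[1])):
        if len(scopes) > 1:
            findings.append((kind, name, "spans tenants", sorted(scopes)))
    return findings


if __name__ == "__main__":
    for finding in lint_scopes(CATALOGS, DELIVERY_GROUPS, APP_GROUPS):
        print(finding)
```
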

Step 6: Control administrator access to customers

You can control administrator access to customers by using the unique scope that was created when you added Citrix DaaS to the customer. You can configure access when you add an administrator or later.

To learn about restricting access using roles and scopes in Citrix DaaS, see Delegated administration.

Add a partner administrator with restricted access

  1. Sign in to Citrix Cloud with your CSP credentials and select your partner account from the available accounts list.
  2. Select Identity and Access Management in the upper left menu.
  3. On the Administrators tab, select Add Administrators From, and then select Citrix Identity.
  4. Type the email address of the person that you’re adding as an administrator, and then select Invite.
  5. Configure the appropriate access permissions for the administrator. Citrix recommends selecting Custom access, unless you want the administrator to have management control of Citrix Cloud and all subscribed services.
  6. After selecting Custom access, select one or more role and scope pairs for Citrix DaaS, as needed. Be sure to enable only entries that contain the unique scope that was created for the customer.
  7. When you’re done selecting role and scope pairs, select Send Invite.

When the administrator accepts the invitation, they have the access that you assigned.

Edit delegated administration permissions for administrators

  1. Sign in to Citrix Cloud with your CSP credentials and select your partner account from the available accounts list.
  2. Select Identity and Access Management in the upper left menu.
  3. On the Administrators tab, select Edit Access from the ellipsis menu for the administrator.
  4. Select and clear role and scope pairs for Citrix DaaS, as needed. Be sure to enable only entries that contain the unique scope that was created for the customer.
  5. Select Save.

View DaaS administrators and their assigned roles and scopes

  1. Sign in to your Citrix Cloud partner account with your CSP credentials.
  2. Select the DaaS tile in the upper left menu.
  3. Select Administrators in the left pane.

Information is available on three tabs:

  • The Administrators tab lists the administrators that have been created, plus their roles and scopes.
  • The Roles tab lists all roles. To view role details, select the role in the middle pane. The lower portion of that pane lists the object types and associated permissions for the role. Select the Administrators tab in the lower pane to display a list of administrators who currently have this role.
  • The Scopes tab lists all the scopes, including the scopes generated for customers of Citrix partners.

Export administrator activities for auditing

In a multitenant Citrix DaaS environment, multiple tenant customers share a DaaS instance. Each tenant has its own scoped administrative access. Gaining visibility into roles and scopes helps ensure secure delegation and simplifies auditing.

All tenant-level administrator roles defined in tenant accounts are automatically synced to the Administrators dashboard in the partner’s Studio console. A partner administrator with Full access can export the data as a CSV file for reporting and analysis.

For further auditing, you can also export the administrator activity history from the Logging node in Studio.
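
One way to review the exported CSV against the delegation you intended, as an added example that is not Citrix code. The column names (Administrator, Role, Scope), the one-row-per-pair layout, and all sample rows are assumptions; match them to the header of the real export.

```python
import csv
import io
from collections import defaultdict

# Constructed sample export. Column names are assumptions, not the real header.
SAMPLE_EXPORT = """Administrator,Role,Scope
alice@csp.example,Help Desk Administrator,customer01
alice@csp.example,Help Desk Administrator,customer02
alice@csp.example,Help Desk Administrator,customer03
bob@csp.example,Read Only Administrator,customer03
bob@csp.example,Delivery Group Administrator,customer04
bob@csp.example,Delivery Group Administrator,customer05
bob@csp.example,Delivery Group Administrator,customer06
carol@csp.example,Full Administrator,customer06
"""

# Intended delegation (constructed): which customer scopes each admin may hold.
INTENDED = {
    "alice@csp.example": {"customer01", "customer02", "customer03"},
    "bob@csp.example": {"customer03", "customer04", "customer05"},
}


def granted_scopes(csv_text):
    """Map each administrator (lower-cased) to the set of scopes they hold."""
    grants = defaultdict(set)
    for row in csv.DictReader(io.StringIO(csv_text)):
        grants[row["Administrator"].strip().lower()].add(row["Scope"].strip())
    return grants


def audit(csv_text, intended):
    """Return (admin, issue, scopes) tuples where the export and intent differ."""
    granted = granted_scopes(csv_text)
    findings = []
    for admin in sorted(granted):
        if admin not in intended:
            findings.append((admin, "unlisted administrator", sorted(granted[admin])))
            continue
        excess = granted[admin] - intended[admin]
        if excess:
            findings.append((admin, "scope beyond intent", sorted(excess)))
    for admin in sorted(set(intended) - set(granted)):
        findings.append((admin, "no access found", sorted(intended[admin])))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_EXPORT, INTENDED):
        print(finding)
```
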

Step 7: Configure workspaces

A customer can have its own workspace with a unique customer.cloud.com URL defined in the customer’s cloud account. This workspace is where the customer’s users access their published apps and desktops. Alternatively, the CSP might share its partner branded workspace URL with various tenant customers.

To view or configure a partner shared workspace URL:

  1. Sign in to your Citrix Cloud partner account with your CSP credentials.
  2. Select Workspace configuration from the upper left menu.

You can change access and authentication to a workspace. You can also customize the workspace appearance and preferences. For details, see the following articles:

To view or configure a tenant customer’s workspace URL:

  1. Sign in to the tenant customer’s Citrix Cloud account.

  2. Go to Workspace Configuration.

Note:

  • For any authentication method used in the tenant account, the partner administrator must first enable the same method in the parent CSP account under Identity and Access Management before it can be configured in the tenant account.
  • In scenarios where Citrix Federated Authentication Service (FAS) is deployed to process SSO for users in a multitenant environment, see the FAS multitenant support documentation for more information.

Monitor a customer’s service

In a CSP environment, the Monitor dashboard functions the same as in a non-CSP environment, but displays multiple tenant scopes under the same DaaS instance. For more information, see Monitor.

By default, the Monitor dashboard displays data for all tenant customers. To view information for a specific tenant, select the tenant scope from the All tenants drop-down list in the upper-right corner.

Keep in mind that the ability of a partner administrator to see Monitor displays for a customer is controlled by the full administrator’s configured access. The access must include a role and scope pair that includes the customer’s unique scope.

If you used built-in roles to configure access: The built-in roles control whether the administrator can see the Studio displays. If you select only role and customer-scope pairs that don’t include Monitor node visibility, that administrator cannot see the Monitor node for any selected customers. For example, if you give an administrator Read Only Administrator,customerABC access, that partner administrator cannot see the Monitor node for customerABC, because read only administrators cannot access Monitor displays.

Remove the DaaS service from a customer

Prerequisites:

  • Ensure that your customer scope is not linked to any Citrix DaaS objects. If it is linked, you cannot remove the service. To unlink scopes, go to Studio > Administrators > Scopes and edit the scope.
  • To identify and manage your customer scope, see Create and manage scope.

To remove the DaaS service from a customer:

  1. Sign in to your Citrix Cloud partner account with partner admin credentials that have Full access permissions on the customer.

  2. In the My Customers dashboard, go to the Multi-tenant tab, locate the customer, click the ellipsis menu (…) next to the customer, and select Remove Citrix DaaS.

    A dialog box appears.

  3. Click Remove to remove the service.
