
Zero Trust for Software Development Companies: what “good” looks like in practice

vicperdana (Microsoft)
Sep 09, 2025

Threats keep accelerating in speed, scale, and sophistication. Microsoft is tracking a sharp rise in daily attacks and password-spray attempts, which is exactly why software development companies need a Zero Trust foundation that assumes breach and limits blast radius by default. The session’s companion deck lays out a crisp, do-first list for software development companies that build and operate multi-tenant apps. I have folded those specifics into this updated post. 

Start from identity and tenancy 

If your multi-tenant SaaS lives on Microsoft Entra ID, treat the app’s home tenant like production infrastructure, not a convenience sandbox. Create a dedicated “app tenant” that is locked down, automated, and free of day-to-day human use. Avoid hosting customer-facing multi-tenant app registrations in your corporate tenant where guests, everyday collaboration tools, and broader policies compete with your need for strict controls. 

Two resources to get your footing fast are the Zero Trust Workshop and the Entra Security guidance. They frame the exact checks below and help you sequence work across identity, device, data, and workload layers. 

The essential checks most software development companies miss 

Global admin and subscription access. Global Administrators should not have standing access to Azure subscriptions. Require just-in-time elevation so high-impact operations create signals, slow attacker velocity, and route through observable control points. 

App creation and lifecycle. Do not let every user create applications or service principals. Restrict that right to a small, audited group, then continuously prune inactive apps, especially those with high Microsoft Graph privileges. Attackers hide behind service principals and abandoned migrations more often than you think.

Redirect URIs. Keep reply URLs tight. Use only domains you control. Remove localhost entries and URLs of abandoned cloud sites to cut off token-interception and authorization-code-hijacking paths.

Secrets and certificates. Prefer managed identity. If you must use credentials, use certificates rather than client secrets, keep their expirations short, and rotate them regularly so any compromise has a short half-life.
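As an added example (not code from the post or from Microsoft), here is a small Python audit that applies the redirect-URI and credential checks above to app-registration objects in the shape of Microsoft Graph /applications items (web.redirectUris, passwordCredentials, keyCredentials). The owned-domain list, the certificate-lifetime limit, the fixed audit date and the sample export are all assumptions.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import urlparse

# Assumptions, not from the post: the domains the company controls, the longest
# certificate lifetime policy allows, and a fixed audit date for a reproducible run.
OWNED_DOMAINS = {"contoso.com"}
MAX_CERT_LIFETIME = timedelta(days=365)
AUDIT_TIME = datetime(2025, 9, 9, tzinfo=timezone.utc)

def audit_app(app, now=AUDIT_TIME):
    """Return (severity, finding) pairs for one Graph-shaped app registration."""
    findings = []
    for uri in app.get("web", {}).get("redirectUris", []):
        host = (urlparse(uri).hostname or "").lower()
        if host in ("localhost", "127.0.0.1"):
            findings.append(("high", f"localhost redirect URI: {uri}"))
        elif not any(host == d or host.endswith("." + d) for d in OWNED_DOMAINS):
            findings.append(("high", f"redirect URI on uncontrolled domain: {uri}"))
    for secret in app.get("passwordCredentials", []):  # any client secret at all
        findings.append(("high", f"client secret present: {secret['displayName']}"))
    for cert in app.get("keyCredentials", []):
        # Graph timestamps are ISO-8601 with a trailing Z; make them tz-aware.
        start, end = (datetime.fromisoformat(cert[k].replace("Z", "+00:00"))
                      for k in ("startDateTime", "endDateTime"))
        if end - start > MAX_CERT_LIFETIME:
            findings.append(("medium", f"certificate lifetime over policy: {cert['displayName']}"))
        if end < now:
            findings.append(("low", f"expired certificate still attached: {cert['displayName']}"))
    return findings

def audit_tenant(apps, now=AUDIT_TIME):
    """Map each app's displayName to its list of findings."""
    return {app["displayName"]: audit_app(app, now) for app in apps}

# Constructed sample export, not real tenant data.
SAMPLE_APPS = [
    {"displayName": "legacy-portal",
     "web": {"redirectUris": ["https://portal.contoso.com/signin",
                              "http://localhost:3000/callback",
                              "https://old-staging.azurewebsites.net/auth"]},
     "passwordCredentials": [{"displayName": "ci-secret"}],
     "keyCredentials": [{"displayName": "cert-2019", "startDateTime": "2019-01-01T00:00:00Z",
                         "endDateTime": "2022-01-01T00:00:00Z"}]},
    {"displayName": "clean-api",
     "web": {"redirectUris": ["https://api.contoso.com/callback"]},
     "passwordCredentials": [],
     "keyCredentials": [{"displayName": "cert-2025", "startDateTime": "2025-06-01T00:00:00Z",
                         "endDateTime": "2025-12-01T00:00:00Z"}]},
]
```

Feed it the JSON returned by a Graph listing of applications to get a per-app list of findings; an empty list means the registration passes these checks.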

First-party service apps. Ensure Microsoft service applications in your tenant do not have customer-added credentials. Threat actors try to attach their own keys to first-party principals to inherit trusted access. 

Privileged identities. Keep admin accounts cloud-only to prevent an on-prem compromise from laddering into Entra, and register phishing-resistant methods for every privileged user. Keys or platform authenticators beat OTP fatigue every day of the week. 

How to roll this out without stalling the roadmap 

Adopt the workshop mindset. Run a lightweight Zero Trust assessment, pick the items above that are both high-impact and feasible in your environment, and bake them into your next few sprints. Treat security debt like product debt so you always reserve capacity for it. If you are modernizing a legacy app, use that cutover to move the registration to a dedicated app tenant, switch to managed identity, and clean your redirect URIs. The guidance below is what your team will reference as you go. 

Resources to take the next step 

If you only do one thing this week, carve out time to separate your app tenant from your corporate tenant, then enforce just-in-time privilege. Those two moves alone shrink your blast radius and make intrusions noisier and easier to catch. 
