You can export and monitor over 200 tenant configuration settings across six Microsoft 365 workloads – ensuring your tenant is secure and in the desired state.
In our previous post, we introduced Microsoft Entra Tenant Governance and how it helps organizations secure and manage multi-tenant environments at scale. Today, we’re excited to announce that the Tenant Configuration Management (TCM) APIs are now generally available, providing the foundation for managing configuration at scale with greater consistency and control.
Before we dive deeper, let’s clarify the distinction:
- Microsoft Entra Tenant Governance is the product experience. It delivers a centralized control plane for visibility, policy enforcement, and governance across tenant configurations.
- The TCM APIs are the underlying Microsoft Graph API that powers Tenant Governance’s configuration management capabilities. It enables organizations to programmatically define, export, monitor, and manage configurations across services.
Why this matters
As organizations grow, configuration complexity increases across identity, security, and productivity workloads. Over time, even well-configured environments can drift due to incremental changes, operational overhead, and lack of centralized control.
The challenge isn’t just setting configurations correctly. It’s maintaining that state continuously.
The TCM API addresses this by enabling a shift from reactive configuration management to a declarative and continuous model, where desired state is defined and automatically validated over time. This helps organizations reduce risk, improve compliance, and simplify operations.
Core concepts of the TCM API
At its core, the TCM API brings configuration-as-code to Microsoft Entra. It introduces a model built around four connected concepts: snapshots, baselines, monitors, and configuration drifts:
- Snapshot: Captures the current state of tenant configurations at a point in time. This is often the starting point, helping organizations understand what’s deployed today or to establish a “known good” reference.
- Baseline: Represents the desired configuration state. Instead of manually checking settings across portals, organizations can define what compliant configuration looks like in a structured, repeatable way.
- Monitor: Continuously compares the live environment against that baseline. Any deviation is surfaced as configuration drift, giving teams clear insight into where their environment no longer aligns with expectations.
- Configuration drifts: Represents the delta between the desired configuration state and the current configuration state.
Together, these concepts create a closed loop: capture current state, define desired state, and continuously monitor alignment between the two.
A scalable model for configuration management
What makes the TCM API powerful is not just visibility, but repeatability and scale. Because everything is exposed through Microsoft Graph, configuration management can now be:
- Integrated into automation workflows
- Connected to existing security and compliance systems
- Applied consistently across multiple tenants and services
This introduces a true configuration-as-code approach, where tenant settings are no longer static or manually enforced, but programmatically defined and continuously evaluated.
How this fits into Tenant Governance
The TCM API is the foundation that enables many of the capabilities within Microsoft Entra Tenant Governance.
While the API provides raw access to configuration data and state comparison, Tenant Governance builds on top of it to deliver a unified experience for administrators. This includes surfacing insights, highlighting drift, and enabling governance actions without requiring customers to build their own tooling.
In the near future, Tenant Governance will provide a single pane of glass for managing multiple tenants centrally, powered by the TCM API. This relationship is key:
- Customers can rely on Tenant Governance for an out-of-the-box solution.
- Partners and advanced organizations can use the TCM API directly to build custom workflows, integrations, or managed services.
Final thoughts
Tenant configuration is no longer a one-time activity. It is an ongoing process that directly impacts security, compliance, and operational consistency.
With the general availability of the TCM API, organizations now have a scalable way to define, monitor, and enforce configuration across their environments. Whether used directly or through Microsoft Entra Tenant Governance, it enables a more proactive and automated approach to managing tenant configuration.
-Aditya Mukund
Additional resources
- Overview of the Tenant Configuration Management APIs in Microsoft Graph - Microsoft Graph | Microso…
- Set up authentication for Tenant Configuration Management APIs - Microsoft Graph | Microsoft Learn
Learn more about Microsoft Entra
Prevent identity attacks, ensure least privilege access, unify access controls, and improve the experience for users with comprehensive identity and network access solutions across on-premises and clouds.
- Microsoft Entra News and Insights | Microsoft Security Blog
- Microsoft Entra blog | Tech Community
- Microsoft Entra documentation | Microsoft Learn
- Microsoft Entra discussions | Microsoft Community
Microsoft