Microsoft Defender for Endpoint Blog

Multi-tenant endpoint security policies distribution is now in Public Preview

tomasbeerthuis
Aug 07, 2025

Scale your endpoint security policies across tenants with ease

We’re excited to announce a key milestone in Defender’s multi-tenant management journey—Microsoft Defender for Endpoint security policies can now be distributed across multiple tenants from the Defender multi-tenant portal. This capability empowers security teams to manage policies at scale, ensuring consistency and saving valuable time.

What is content distribution?

Content distribution is a powerful Defender feature that enables scalable management of content across tenants. With this capability, you can create content distribution profiles in the multi-tenant portal that allow you to seamlessly replicate existing content—such as custom detection rules and now, endpoint security policies—from a source tenant to designated target tenants. Once distributed, the content runs on the target tenant, enabling centralized control with localized execution.

How it works

    • Security policies are now a selectable content type when creating a distribution profile.
    • Simply choose existing policies from your home tenant and add them to the distribution profile. You can also decide which Microsoft Entra group(s) will be applied as scope. Policy targeting will be based on the Entra device groups that exist in every tenant, and you select the relevant groups for each tenant.
    • Upon completion, policies are automatically distributed to the selected tenants and are applied on the targeted machines.

Distributed policies also appear in a hierarchical view, with the original policy serving as the parent. You can find the policies that were distributed from the tenant under the original policy. This appears on the endpoint security policies page within multi-tenant management.

The last distribution status for the original policy reflects the overall status of its distributed copies, and the tenants and tenant groups sections indicate the recipients of the policy.

At any time, you can update the policies, tenants, scope or any other settings, and sync to apply these changes.

This new capability enables consistency (maintaining uniform security posture across tenants), efficiency (eliminating manual duplication and reducing operational overhead), and scalability (easily expanding coverage as the tenant landscape grows).

 

FAQ

  • What prerequisites are required?
    • Access to more than one tenant with Microsoft Defender for Endpoint, with delegated access via Azure B2B or GDAP (CSP Partners only), using the multi-tenant management capability.
    • A subscription to Microsoft 365 E5 or Office E5.
  • What permissions are needed to distribute MDE security policies?
    • To access endpoint security policies, users require the Security Administrator role in each relevant tenant.
    • To distribute content using multi-tenant management content distribution, the Security settings (manage) or Security Data Basic (read) permission is required. Both permissions are assigned to the Security Administrator and Security Reader Microsoft Entra built-in roles by default.
  • Can I update or expand distribution profiles later?
    • Yes. You can add more content, include additional tenants, or modify scopes as needed.

 


Updated Aug 07, 2025
Version 1.0