Microsoft Entra Suite Tech Accelerator
Aug 14 2024, 07:00 AM - 09:30 AM (PDT)
Microsoft Tech Community
Respond to threats across tenants more effectively with Microsoft Defender XDR multi-tenant support
Published Sep 18 2023 09:00 AM 16.1K Views

UPDATE: Effective February 20th, 2024, the new multi-tenant management experience in Microsoft Defender XDR (formerly Microsoft 365 Defender) has been made generally available (GA).


Multi-tenant environments add an additional layer of complexity to today’s ever-evolving threat landscape. Whether organizations have grown through acquisition, or have strategically implemented multi-tenant setups, navigating across multiple environments is no small task. Mundane and repetitive tasks require security operations center (SOC) teams to log in and out of each customer environment individually. This not only consumes valuable time but also reduces the overall efficiency of the SOC teams. To improve efficiency and stay ahead of modern attacks, SOC teams need an efficient yet comprehensive security solution that delivers a unified and connected experience to boost their security operations.

Microsoft 365 Defender is an industry-leading XDR platform that delivers unified investigation and response experience and provides native protection across endpoints, identities, email, collaboration tools, cloud apps, and data.

Today we are excited to expand our current public preview for multi-tenant environments in Microsoft 365 Defender, which provides large organizations with the much-needed visibility and ease of use across their distributed environments. This addition marks the first wave of improvements, with a focus on global SOC investigation flows, including a consolidated view of incidents across tenants, device inventory, vulnerability management, the ability to perform advanced hunting across data in multiple tenants, and more.


Multi-customer management for partners

The new multi-tenant capabilities in Microsoft 365 Defender are also useful for Managed Security Service Provider (MSSP) partners supporting enterprises. They can now gain visibility into security incidents, alerts, and threat hunting across multiple customers through a single pane of glass, and help them efficiently run their SOC.

For small and medium business focused managed service provider (MSP) partners who need a full set of capabilities to manage customers spanning security, identity, management, and Microsoft 365 applications in a unified experience, we continue to recommend using Microsoft 365 Lighthouse. Microsoft 365 Lighthouse is a unified portal available to Cloud Solution Provider (CSP) partners that includes a broader set of capabilities, optimized MSP partners, particularly those using our Microsoft 365 Business Premium and Defender for Business. It includes a multi-tenant view of Defender for Business incidents and alerts, vulnerability management and exposure scores, as well as security baselines with configuration drift analysis across multi-tenants spanning span identity, Intune, and more. The Lighthouse and multi-tenant organization (MTO) support comparison FAQ lists the capabilities of both platforms in detail.


As we build out Microsoft 365 Defender multi-tenant capabilities, we will share more on the combined roadmap for Microsoft 365 Lighthouse and MTO.


A centralized place to manage incidents across tenants

Whether it’s searching for the most critical high-severity incidents scattered throughout a large organization or monitoring sanitation efforts across the board, the new multi-tenant management experience provides SOC analysts with all the information in one place to efficiently perform incident investigation and remediation across multiple tenants at scale. No need to log in and out of each individual tenant.

Figure 1: The unified incidents queue, which includes the "tenant name" dimensionFigure 1: The unified incidents queue, which includes the "tenant name" dimension


SOC analysts can easily access the new multi-tenant management experience right from the Microsoft 365 Defender portal to manage different tenants in the same experience using the tenant switcher as shown in Figure 2. The tenant switcher allows SOC analysts to seamlessly switch between single-tenant and multi-tenant management experiences.

Figure 2: The new tenant switcher allows SOC teams to easily access multiple tenants in the same experienceFigure 2: The new tenant switcher allows SOC teams to easily access multiple tenants in the same experience


To gain access to multiple tenants with the same user, two options are available:

  1. Using Azure AD B2B collaboration: This option allows users to invite external guests to their tenant, allowing these guests to access resources and collaborate on projects. While this method offers a convenient way of accessing multiple tenants, it requires the creation of discrete guest accounts for each tenant.
  2. Using the new Granular Delegated Admin Privileges (GDAP) capabilities for CSPs: GDAP is a new feature specifically designed for Microsoft CSPs. It provides them with the least privileged access following the Zero Trust cybersecurity protocol and lets them configure granular and time-bound access to their customers' workloads in production and sandbox environments.

Streamline your threat hunting

Microsoft 365 Defender equips SOC teams with powerful guided and advanced hunting capabilities to proactively hunt for threats across all workloads and uncover potential blind spots in an organization's environment to prevent undetected attacks.


Now with multi-tenancy support, SOC analysts can easily craft KQL queries and customize detections across multiple tenants in a connected and seamless experience. Combined with our guided hunting experience that provides step-by-step assistance, the multi-tenancy support delivers accessible, efficient, and flexible threat hunting experience.​

Figure 3: Advanced hunting showing results from multiple tenantsFigure 3: Advanced hunting showing results from multiple tenants


The new multi-tenant management experience in Microsoft 365 Defender delivers the flexibility and scalability needed to help SOC teams stay ahead of modern attacks with speed and efficiency. It streamlines incident management and threat hunting across multiple tenants and provides SOC teams with a new approach to efficiently perform security operations across multiple tenants to eliminate the need for constant logins and context switching. The multi-tenant management experience helps organizations improve operational adaptiveness and agility, streamline security operations, centralize administration controls, and make it easier for all tenants in an organization to maintain their uniqueness while respecting organizational requirements.


Learn more:





Version history
Last update:
‎Feb 21 2024 01:09 PM
Updated by: