Unmanaged tenants create security blind spots. Learn how Microsoft Entra Tenant Governance helps you gain visibility and control.
Managing identity across multiple tenants is a growing challenge for organizations of all sizes. Mergers, acquisitions, and the rise of shadow IT often lead to a fragmented tenant landscape—creating security and compliance blind spots that attackers are quick to exploit. Even a single poorly secured tenant can put your entire organization at risk.
Many of these shadow tenants may lack critical controls like MFA, Conditional Access, or privileged role protections. Recent high-profile incidents have reinforced an important reality: attackers can move laterally from an unmanaged tenant into production environments, bypassing controls organizations assumed were in place.
Microsoft Entra Tenant Governance addresses this challenge by providing a centralized, risk-informed way to discover, govern, and continuously secure all related tenants—without relying on custom scripts or fragmented administrative models. From small tenant estates to large enterprises, Entra Tenant Governance enables least-privilege access, enforces configuration baselines, and maintains continuous visibility from a single control plane.
Why Tenant Governance Matters
Built on Microsoft’s own experience securing a large and complex tenant estate, Entra Tenant Governance is designed to make tenant relationships visible, governance enforceable, and security posture continuously verifiable—at scale. Tenant Governance provides a centralized model for managing tenants with different workloads, security requirements, and operational owners, enabling consistent governance across tenants without forcing a one-size-fits-all approach.
With Entra Tenant Governance, organizations can:
- Discover and inventory all related tenants, including production, non-production, and employee-created tenants.
- Establish governance relationships for least-privilege cross-tenant access.
- Monitor and enforce consistent tenant policies to maintain a strong security and compliance posture.
- Securely create new tenants with governance applied from day one.
So what does this look like in the real world? Let’s walk through four scenarios.
Real-World Scenarios
1. Discovering Related Tenants
An organization is trying to reduce tenant-to-tenant risk across a growing identity estate shaped by mergers, acquisitions, and shadow IT. The security team recognizes that effective mitigation starts with visibility, so they begin by identifying which other tenants are connected to their production tenant and what exposure those connections might create.
Microsoft Entra’s Related Tenants experience automatically generates a continuously updated list of tenants that have observable connections to the organization’s tenant. This is not intended to be a definitive ownership or organizational inventory, but a risk-informed discovery view designed to surface tenants that may warrant governance attention. The tenant governance service keeps this inventory current by detecting relationships based on discovery signals for B2B access, multi-tenant applications, and Microsoft billing. In practice, the organization finds that tenants requiring governance attention typically leave these discoverable “traces” in production environments, making it possible to identify and prioritize them without relying on a manual inventory.
Screenshot of related tenants discovery view.
Next, the organization uses the metrics associated with each discovery signal to triage. These metrics help determine which related tenants should be brought into governance and whether any existing relationships represent immediate security exposure that needs to be mitigated.
When the team drills into a specific related tenant, the experience consolidates signals into a single view that clarifies how the tenant is connected and what risks the relationship may introduce. For example, the organization may see its users accessing administrative experiences in the related tenant through B2B collaboration. The team may also see a Microsoft billing relationship indicating that a billing account in the organization’s tenant is paying for an Azure subscription in the other tenant. Together, these signals suggest the tenant should likely be governed as part of the organization’s tenant landscape. If the related tenant also hosts a multi-tenant app with access to the organization’s tenant data, that becomes a priority indicator. The team can then validate and strengthen security controls to reduce the risk of data exposure if the related tenant or its applications are not adequately secured.
Screenshot of related tenants discovery signals.
Learn more about related tenants.
2. Creating Tenant Governance Relationships
After identifying tenants that require governance, an organization needs reliable administrative access across those tenants to perform resource management and governance tasks. The identity team wants to avoid the overhead and risk of maintaining separate local admin accounts, or managing the permissions of B2B accounts, in every tenant.
Using Microsoft Entra Tenant Governance, the organization establishes tenant governance relationships between its central governing tenant and each governed tenant. Each relationship is set up through a request and approval workflow that formalizes which tenant is governing and which is governed, and the degree of access that the governing tenant has to the governed tenant. This approach scales so that as the organization’s tenant landscape grows, the governing tenant can manage relationships with many governed tenants with different security, compliance, and organizational requirements.
Screenshot of governed tenants view.
Once relationships are established, the organization assigns least-privilege delegated administration by mapping security groups in the governing tenant to built-in Entra roles in each governed tenant. Administrators can then sign in from the governing tenant and manage resources in governed tenants across Microsoft administration experiences, without requiring a B2B guest account or a local user account in those tenants. This creates a more streamlined and consistent admin experience across environments.
Centralized access administration also improves control. The organization can view, audit, and manage administrative access in one place, and keep permissions aligned to job changes by updating group membership in the governing tenant.
Screenshot of tenant governance policy template details.
Learn more about tenant governance relationships.
Administrators of Microsoft Defender and Sentinel are also able to leverage delegated access in the Defender multi-tenant management experience. To learn more about this, read the Defender blog post.
3. Tenant Configuration Management
An organization has established administrative access to the tenants it governs, and the next priority is keeping those tenants aligned with security and compliance requirements over time. The challenge is consistency. Settings often drift as admins make changes, new policies are introduced, or service configurations evolve. The identity and security teams need a repeatable way to define what “good” looks like across the different tenants in the organization’s estate, and to detect when a tenant deviates.
With Microsoft Entra tenant configuration management, the organization defines a configuration baseline that represents the desired state of tenant resources. The baseline is expressed in a standard .json format and can cover more than 200 resource types across Microsoft services, including items like Conditional Access policies in Entra and transport rules in Exchange, as well as supported resources in Intune, Defender, Purview, and Teams. The organization can use different configuration baselines depending on the workloads and requirements in a particular tenant.
Screenshot of tenant configuration baseline view.
To accelerate adoption, the organization uses configuration snapshots to capture settings from a known-good tenant and uses that output as a starting point for the baseline, rather than authoring everything from scratch.
Screenshot of tenant configuration monitors.
The organization then sets up configuration monitors that run automatically on a schedule and validate the actual state of resources against the baseline. The results provide recent run summaries, and a configuration drift report highlights where configurations differ from the desired state so teams can prioritize remediation.
Screenshot of tenant configuration drift report.
To match operational ownership, the organization creates monitors, up to the limit of 30, and commonly aligns them by service, such as one monitor for Entra and another for Exchange. Each monitor can include as many resources as the organization is licensed to monitor.
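As an added example (not Microsoft’s code, and not the Entra tenant configuration management schema), the following Python shows the monitor’s drift-detection step in miniature: a constructed baseline and a constructed snapshot of a governed tenant, a comparison that keys resources by type and id, ignores the ordering of role lists, and ignores properties the baseline does not specify, and a drift report grouped by resource type so each service owner sees their own items. The JSON shape, the resource type names and the function names are assumptions made for this illustration.

```python
"""Drift check of a governed tenant's configuration snapshot against a baseline.
Added example, not Microsoft's code: JSON shape and type names are a constructed stand-in."""
from __future__ import annotations
import json
from dataclasses import dataclass
from typing import Any, Iterator

# Constructed baseline: the desired state for one Entra and one Exchange resource.
BASELINE_JSON = """{"resources": [
  {"type": "EntraConditionalAccessPolicy", "id": "require-mfa-for-admins",
   "properties": {"displayName": "Require MFA for admins", "state": "enabled",
                  "includeRoles": ["GlobalAdministrator", "SecurityAdministrator"],
                  "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}}},
  {"type": "ExchangeTransportRule", "id": "block-external-autoforward",
   "properties": {"name": "Block external auto-forward", "enabled": true,
                  "messageTypeMatches": "AutoForward", "rejectMessage": true}}]}"""

# Constructed snapshot of the governed tenant's actual state: the CA policy was set to
# report-only and gained a role, the transport rule is gone, and an extra CA policy
# exists that the baseline never defined. createdDateTime is unmanaged: not reported.
SNAPSHOT_JSON = """{"resources": [
  {"type": "EntraConditionalAccessPolicy", "id": "require-mfa-for-admins",
   "properties": {"displayName": "Require MFA for admins",
                  "state": "enabledForReportingButNotEnforced",
                  "includeRoles": ["SecurityAdministrator", "GlobalAdministrator",
                                   "HelpdeskAdministrator"],
                  "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
                  "createdDateTime": "2024-01-01T00:00:00Z"}},
  {"type": "EntraConditionalAccessPolicy", "id": "allow-legacy-auth-for-scanner",
   "properties": {"displayName": "Legacy auth exception", "state": "enabled"}}]}"""

SCALARS = (str, int, float, bool, type(None))

@dataclass
class DriftFinding:
    resource_type: str
    resource_id: str
    kind: str            # "property", "missing" or "unexpected"
    path: str = ""       # dotted property path for "property" findings
    expected: Any = None
    actual: Any = None

def diff_properties(expected: Any, actual: Any, path: str = "") -> Iterator[tuple[str, Any, Any]]:
    """Yield (path, expected, actual) for each leaf where the tenant deviates from the
    baseline. Only keys the baseline specifies are checked (a partial baseline is normal).
    Lists of scalars (roles, groups, controls) are compared unordered; lists of objects positionally."""
    if isinstance(expected, dict) and isinstance(actual, dict):
        for key, exp_val in expected.items():
            sub = f"{path}.{key}" if path else key
            if key not in actual:
                yield sub, exp_val, None
            else:
                yield from diff_properties(exp_val, actual[key], sub)
    elif isinstance(expected, list) and isinstance(actual, list):
        if all(isinstance(x, SCALARS) for x in expected + actual):
            if sorted(expected, key=repr) != sorted(actual, key=repr):
                yield path, expected, actual
        elif len(expected) != len(actual):
            yield path, expected, actual
        else:
            for i, (e, a) in enumerate(zip(expected, actual)):
                yield from diff_properties(e, a, f"{path}[{i}]")
    elif expected != actual:
        yield path, expected, actual

def check_drift(baseline_json: str, snapshot_json: str,
                report_unexpected: bool = True) -> list[DriftFinding]:
    """Key resources by (type, id) so document order is irrelevant. Resources present only
    in the tenant are reported as their own kind: they may be legitimate (add to baseline) or not."""
    base = {(r["type"], r["id"]): r for r in json.loads(baseline_json)["resources"]}
    snap = {(r["type"], r["id"]): r for r in json.loads(snapshot_json)["resources"]}
    findings: list[DriftFinding] = []
    for key, res in base.items():
        if key not in snap:
            findings.append(DriftFinding(*key, "missing"))
            continue
        for path, exp, act in diff_properties(res.get("properties", {}),
                                              snap[key].get("properties", {})):
            findings.append(DriftFinding(*key, "property", path, exp, act))
    if report_unexpected:
        for key in sorted(snap.keys() - base.keys()):
            findings.append(DriftFinding(*key, "unexpected"))
    return findings

def render_report(findings: list[DriftFinding]) -> str:
    """Drift report grouped by resource type so each service owner sees only their items."""
    lines = []
    for rtype in sorted({f.resource_type for f in findings}):
        lines.append(f"== {rtype} ==")
        for f in (x for x in findings if x.resource_type == rtype):
            detail = {"missing": "defined in baseline but absent from tenant",
                      "unexpected": "present in tenant but not in baseline"}.get(
                f.kind, f"{f.path} expected {f.expected!r}, found {f.actual!r}")
            lines.append(f"  {f.resource_id}: {detail}")
    return "\n".join(lines) or "No drift detected."

if __name__ == "__main__":
    print(render_report(check_drift(BASELINE_JSON, SNAPSHOT_JSON)))
```

Running the block prints the grouped report: the Conditional Access policy shows two property deviations (state and the role list), the transport rule is reported as missing, and the legacy-auth exception policy is reported as unexpected. Unexpected resources are kept as a separate kind because a monitor cannot decide on its own whether a new policy in a governed tenant belongs in the baseline or should be removed; that is a triage decision for the service owner.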
Organizations that are currently leveraging the open-source Microsoft365DSC solution can easily migrate to Entra tenant configuration management. The Entra solution offers several improvements over the open-source project, is fully supported by Microsoft, and is the recommended approach for organizations looking to manage their tenants’ configuration with declarative code.
Learn more about configuration management. To see the full list of resource types that are supported for tenant configuration management, see our documentation: Entra, Exchange, Intune, Defender and Purview, and Teams.
4. Secure Tenant Creation
Now that the organization has discovered its related tenants and brought them under governance, the next priority is ensuring that any new tenants created in the future follow the same governed pattern from day one. The organization still needs flexibility to support real business needs, so the identity team designs a controlled process that allows only approved users in the engineering group to create add-on tenants for testing new capabilities in a test environment.
With Microsoft Entra Tenant Governance secure tenant creation, the organization can enable this delegated creation model while helping ensure governance from the start. When an approved user creates a new tenant, it is configured to be well-governed from day one. The new tenant is created with a built-in tenant governance relationship to the organization’s governing tenant, ensuring the governing tenant has the cross-tenant administrative access needed to apply governance and perform ongoing management without delay.
Newly created tenants are also linked to the organization’s Microsoft billing account at creation time. This provides proof of commercial ownership and reduces operational risk. If administrative access to the tenant is lost, the billing linkage helps streamline tenant recovery, so the environment does not become orphaned.
Screenshot of secure tenant creation process.
Learn more about secure tenant creation.
Licensing and Availability
Microsoft Entra Tenant Governance capabilities are available in Entra ID P1 (also included in Microsoft 365 E3), Entra ID P2 (also included in Microsoft 365 E5), and Microsoft Entra ID Governance (also included in Entra Suite and Microsoft 365 E7). See the Microsoft Entra licensing page for more details.
Tenant configuration management APIs are generally available. Other tenant governance experiences are in public preview. Support is provided 24/7 by Microsoft Customer Support, according to your support contract. These new capabilities are now rolling out, with deployment expected to complete over the next few days.
How to Get Started
To get started, read our Tenant Governance documentation to learn more about these features and how they enable you to address important security and compliance scenarios.
High-quality tenant governance tooling and operational processes are foundational for organizations to achieve their security and compliance objectives. We’re eager to get your feedback on these new Entra capabilities that empower you to achieve your goals – feel free to drop a note below in the comments section of this article.
-Joseph Dadzie
Vice President, Product Management
Additional Resources
- Microsoft Entra tenant governance documentation
- Microsoft Entra innovations announced at RSAC 2026
- Secure agentic AI end-to-end
Learn More About Microsoft Entra
Prevent identity attacks, ensure least-privilege access, unify access controls, and improve the experience for users with comprehensive identity and network access solutions across on-premises and clouds.