Onboard new tenants and maintain a consistent security baseline
We’re excited to announce a set of new content types that are now supported by the multi-tenant content distribution capability in the Defender portal: you can now distribute analytics rules, automation rules, workbooks, and built-in alert tuning rules.
What is content distribution?
Content distribution is a powerful multi-tenant feature that enables scalable management of security content across tenants. With this capability, you can create content distribution profiles in the multi-tenant portal that allow you to seamlessly replicate existing content—such as custom detection rules and endpoint security policies—from a source tenant to designated target tenants. Once distributed, the content runs on the target tenant, enabling centralized control with localized execution. This allows you to onboard new tenants quickly and maintain a consistent security baseline across tenants.
New supported content types
With this release, we add support for several new content types:
- Analytics rules (Sentinel)
- Automation rules (Sentinel)
- Workbooks (Sentinel)
- Alert tuning rules (built-in rules)
Soon, we will introduce more content types, including URBAC roles.
How it works
- Navigate to ‘Content Distribution’ in Defender’s multi-tenant management portal
- Create a new distribution profile or select an existing distribution profile
- In the ‘Content selection’ step, select one of the new content types to distribute
- After choosing the content types, select the actual content that you want to distribute. For example, select analytics rules that you want to distribute to other tenants
- Use the filters to select which tenant (and workspace) to take the content from
- Choose at least one workspace that you want to distribute the content to. You can select up to 100 workspaces per tenant.
- Save the distribution profile and the content will be synced to your target tenants
- Review the sync result in your distribution profile
Good to know
- Automation rules that trigger a playbook cannot currently be distributed
- Alert tuning rules are currently limited to distributing built-in rules; this will be expanded to custom rules later
Learn more
For more information, see Content distribution in multitenant management.
To get started, navigate to Content distribution.
FAQ
- What prerequisites are required?
  - Access to more than one tenant, with delegated access via Azure B2B, using multi-tenant management
  - A subscription to Microsoft 365 E5 or Office E5
- What permissions are needed to distribute?
  - Each content type requires you to have permission to create that content type on the target tenant. For example, to create Analytics Rules, you require ‘Sentinel Contributor’ permissions.
  - To distribute content using multi-tenant management content distribution, the Security settings (manage) or Security Data Basic (read) permission is required. Both roles are assigned to the Security Administrator and Security Reader Microsoft Entra built-in roles by default.
- Can I update or expand distribution profiles later?
  - Yes. You can add more content, include additional tenants, or modify scopes as needed.