Tenant Governance in Microsoft Entra is here!

If you’ve been following the Microsoft Entra Community, you’re probably familiar with the monthly Engineering Connect letters on LinkedIn. In the most recent edition, one feature in particular caught my attention: Tenant Governance. Always on the lookout for new capabilities to test—and eager for better ways to manage both my production tenant and my cyber range tenant—I decided to dig in. I’m very glad I did. In this issue of my newsletter, I’m giving you a full deep dive into Tenant Governance and how it works.

What is Tenant Governance?

Tenant Governance is a preview feature in Microsoft Entra ID that helps you discover and manage related tenants based on shared signals between a parent tenant and external or child tenants. These signals include:

  • Sign‑ins

  • Multitenant application usage

  • Other telemetry that indicates interaction

When Entra detects that your tenant has interacted with another tenant, it can surface that tenant as “related” and allow you to request governance over it.

To govern a related tenant, the parent tenant sends a Request to govern. An administrator in the child tenant can review and approve or deny the request. Once approved, the child tenant becomes governed by the parent, giving you visibility and control—an effective way to uncover shadow IT and bring stray tenants into the light.

Discovering Related Tenants

When you want to discover other tenants that share signals or relationships with yours, the first step is authorization. Once you grant this authorization, Microsoft Entra begins looking for similar tenants and any relationships that exist between the parent tenant and the discovered tenants. Any tenants it discovers appear in the "Related tenants" section of Tenant Governance.

From here, we can click into each tenant name and see additional properties such as discovery signals, governance relationships, and the details for said signals and relationships.

To request governance over the tenant, press the "Request to govern" button at the top, which sends the request to the child tenant. Once approved, the child tenant appears in the "Governed Tenant" blade and can be managed there.

Exploring Governed Tenants

After one or more child tenants have been approved for governance, administrators can manage them directly from the Governed tenants blade. This provides a centralized view of all tenants under your control.

Tenant Monitors

One of the most powerful features in Tenant Governance is Tenant Monitors. These monitors regularly evaluate governed tenants for configuration drift—allowing you to detect issues before they become problems.

To create a monitor:

  1. Open the Tenant Monitors tab

  2. Select New Monitor

  3. Choose the permissions required for your JSON configuration

  4. Upload or paste your JSON definitions

Based on the parameters in your JSON file, Entra continuously evaluates your governed tenants. If drift is detected, you can review the findings in the Monitor results tab.

What About Child Tenants?

If you want your tenant to be eligible for governance by another parent tenant, simply open Tenant governance settings and enable Invitation settings.

Once enabled, other tenants can send governance requests to you—allowing your tenant to function as a child tenant when appropriate.

Tying It All Together

Tenant Governance introduces a new, powerful way to gain visibility into the tenants that exist and interact within your organization. It gives administrators a unified control plane, helps uncover shadow IT, and provides proactive monitoring through Tenant Monitors.

I highly recommend exploring this feature—it opens the door to better discovery, oversight, and multi‑tenant management.

Give it a try and let me know what you think.

Until next week, folks!

