Microsoft Tenant Governance: Introduction and Configuration

Introduction

Governance of Microsoft 365 tenants has become a critical priority for enterprises operating with multiple Microsoft Entra environments. Recently launched in preview, Tenant Governance aims to provide a comprehensive solution for discovering, managing and maintaining relationships between tenants.

With the general availability of Unified Tenant Configuration Management (UTCM) APIs now accessible via the /v1.0 endpoint of Microsoft Graph, Microsoft provides a robust mechanism for administering and standardizing cross-tenant configurations.

What is Microsoft Tenant Governance?

Tenant Governance solves emerging issues related to multi-tenant management such as:

• Test or development environments created virally.
• Regulatory obligations requiring multiple tenants.
• Acquisitions or mergers causing disparities in subscription management.

Tenant Governance introduces several key features:

• Tenant Discovery: Identify and audit tenants associated with your organization.
• Governance Relationships: Establish and manage unilateral connections between tenants, with defined permission levels.
• Standardization and Compliance (baselines): Through UTCM configurations, monitor deviations and automatically apply security settings.
• Secure Tenant Creation: Centralize billing and immediately establish governance relationships.

Types of Governance Relationships

Connections between tenants are represented by the Governance Relationship object. These relationships are unidirectional, with a governing tenant and a governed tenant. Their implementation relies on the following steps:

• Define a governance policy or permissions template.
• Apply the principle of least privilege to minimize risks.

Steps to Create a Governance Relationship

Depending on existing links between tenants (common billing or pre-existing relationships), two flows are possible:

1POST https://graph.microsoft.com/beta/directory/tenantGovernance/governanceInvitations
2 
3{
4  "governingTenantId": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
5}

1POST https://graph.microsoft.com/beta/directory/tenantGovernance/governanceRequests
2 
3{
4  "governedTenantId": "8fbddb8a-eb45-4305-b659-9e9af5a3d501",
5  "governancePolicyTemplate@odata.bind": "https://graph.microsoft.com/beta/directory/tenantGovernance/governancePolicyTemplates/default"
6}

1PATCH https://graph.microsoft.com/beta/directory/tenantGovernance/governanceRequests/f84c59bf-504c-4949-9fdd-45d366ec53cd
2 
3{
4  "status":"accepted"
5}

Once validated, the associated permissions are applied, allowing the governing tenant to monitor and configure the governed tenant.

Monitoring and Deviation Detection

With Unified Tenant Configuration Management (UTCM), you can configure drift monitors to detect any deviation from configured policies. Features include:

• Automatic deviation detection.
• Email notification to administrators.
• Automatic application of predefined baselines (future version).

Upcoming Features

Microsoft plans to extend Tenant Governance to:

• Secure Creation Process: Enhanced control from the creation of new tenants.
• Discovery of Linked Tenants: Automated methods to reveal connections based on billing or Azure history.
• UTCM Interface Improvement: More intuitive configurations for administrators.

For more information on detailed configurations, consult the official documentation and our next article on tenant discovery processes.