Introduction
Microsoft Entra Tenant Governance is a robust solution that enables you to monitor multi-tenant environment configurations and detect drift. Whether you're managing a single tenant or multiple tenants, this feature proves essential for maintaining compliance and efficient management. In this article, we'll explore the key available features, required roles, and best practices to get the most out of this solution.
Comparison of Microsoft Entra Features
To understand the capabilities offered by Microsoft Entra Tenant Governance, let's examine how P1, P2, and ID Governance editions differ in terms of features.
| Feature | Microsoft Entra P1 | Microsoft Entra P2 | Microsoft Entra ID Governance |
|---|---|---|---|
| Multi-tenant configuration monitoring and drift reporting | ✅ Up to 30 monitors, up to 800 resources per tenant per day | ✅ Up to 30 monitors, up to 800 resources per tenant per day | ✅ Up to 30 monitors, up to 800 resources per tenant per day |
| Configuration snapshots for a single tenant | ✅ Up to 20,000 resources per tenant per month, up to 12 active jobs | ✅ Up to 20,000 resources per tenant per month, up to 12 active jobs | ✅ Up to 20,000 resources per tenant per month, up to 12 active jobs |
| Discovery of linked tenants (B2B, multi-tenant applications, shared billing) | — | — | ✅ |
| Governance relationship with cross-tenant GDAP | ✅ | ✅ | ✅ |
| Governance relationship with custom application injection | — | — | ✅ |
| Creation of new tenants with governance relationship | ✅ | ✅ | ✅ |
Setting Up Tenant Governance
To get started with Microsoft Entra Tenant Governance, it's important to understand that some features are automatic, while others require manual action. Here are the main points to keep in mind:
Good to know
Automatic discovery of linked tenants happens without any intervention on your part. This is a key feature of Microsoft Entra ID Governance.
Steps to Configure Tenant Governance
Obtain tenant governance administrator rights
To configure governance in both governing and governed tenants, you must hold the Tenant Governance Administrator role. This role is essential for sending and accepting governance requests.
Send governance requests
Use the role to send governance requests, including those involving global administrator permissions. Note that you don't need to be a Global Administrator of the governed tenant to accept such requests.
Supervise configurations and drift
Use the baselines and monitors features to monitor resources and ensure continuous tracking. If this topic interests you, check out our article on unified management of tenant configurations.
Best Practices
- Only request governance relationships with tenants under your management. This is particularly relevant for MSPs administering multiple environments.
- Treat the Tenant Governance Administrator role with the same level of vigilance as a Global Administrator role.
Conclusion
Microsoft Entra Tenant Governance offers a powerful approach to managing multi-tenant configurations and preventing drift. By following best practices and leveraging the key features of different Entra subscriptions, IT administrators can ensure efficient management and enhanced security.
Tip
For complex tenants, take advantage of the snapshots feature to maintain a detailed history of configurations and anticipate potential issues.
