Multi-tenant management in Microsoft Defender

Struggling to keep up with security across multiple organizations? Multi-tenant management in Microsoft Defender XDR streamlines your workflow, giving you a single pane of glass for all your tenants. This translates to faster threat detection, improved response times, and a more efficient security posture for your entire organization.

Prerequisites

Requirement | Description
Microsoft Defender XDR prerequisites | Verify you meet the Microsoft Defender XDR prerequisites.
Multi-tenant access | To view and manage the data you have access to in multi-tenant management, you need to ensure you have the necessary access. For each tenant you want to view and manage, you need to have either:
  – Granular delegated admin privileges (GDAP)
  – Microsoft Entra B2B authentication
  To learn more about how to synchronize multiple B2B users across tenants, see Configure cross-tenant synchronization.
Permissions | Users must be assigned the correct roles and permissions at the individual tenant level in order to view and manage the associated data in multi-tenant management. To learn more, see:
  – Manage access to Microsoft Defender XDR with Microsoft Entra global roles
  – Custom roles in role-based access control for Microsoft Defender XDR
  To learn how to grant permissions for multiple users at scale, see What is entitlement management.

Note! I will not cover granular delegated admin privileges (GDAP) in this post

Benefits of Multi-Tenant Management in Microsoft Defender XDR

Feature | Description
Centralized Incident Management | SOC analysts can investigate incidents across all managed tenants from a single view, eliminating the need to switch between tenants.
Streamlined Threat Hunting | Security teams can leverage advanced hunting capabilities with KQL queries to proactively search for threats across multiple tenants.
Multi-Customer Management (for Partners) | MSSPs gain visibility into security incidents, alerts, and threat hunting activities for all their customers from a unified console.

Capabilities of Multi-Tenant Management

Capability | Description
Incidents & Alerts > Incidents | Manage security incidents originating from all connected tenants.
Incidents & Alerts > Alerts | Manage security alerts originating from all connected tenants.
Hunting > Advanced Hunting | Proactively hunt for intrusions and breaches across all connected tenants simultaneously.
Hunting > Custom Detection Rules | View and manage custom detection rules across all connected tenants.
Assets > Devices > Tenants | Explore device counts across various categories (device type, value, onboarding status, risk status) for all tenants and at the individual tenant level.
Endpoints > Vulnerability Management > Dashboard | Provides aggregated vulnerability management data across all connected tenants for both security administrators and operations teams.
Endpoints > Vulnerability Management > Tenants | Explore vulnerability management details (exposed devices, security recommendations, weaknesses, critical CVEs) for all tenants and at the individual tenant level.
Configuration > Settings | Lists all tenants you have access to. Use this page to view and manage your tenants.

How to set up

Microsoft Entra B2B collaboration uses federation protocols (SAML and OIDC) to build a secure “federated identity” system. In practice, your partners sign in with their own work credentials, so you don't have to create and manage extra accounts in your own directory.

First, you need B2B users in your tenant. You can create them with cross-tenant synchronization or as ordinary guest users.

Invite B2B Guest users

Invite the users to your tenant and assign them the required roles.

Cross-tenant access

See here for the official material from Learn.

And here for my previous deep-dive from when it was still in Preview.

Cross-tenant sync

If you aren’t familiar with Cross-tenant sync, you can learn about it from my previous posts.

External IdP

Alternatively, you can use an external identity provider (IdP) for your users and let them log in with that. See here for more on that.

Back to MTO

Once the B2B setup is in place, open https://mto.security.microsoft.com and select Add tenants.

Once you choose the tenants, you will see that they were successfully added.

The portal also tells you whether there are permission errors or missing licenses.

Now you can see the incidents from the other tenants.

You can also use Assignments, once you have enabled the feature.

Open System -> Settings -> Defender XDR -> Multi-tenant content source.

Custom detection rules

Inside Advanced hunting you can see all the tenants and filter to the one you choose. You can also create your Custom detection rule from here.

You can create a Custom detection rule under Advanced hunting. Just remember that queries that use the join operator are currently not supported in multi-tenant management advanced hunting.

Then finalize the rule.
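Because multi-tenant advanced hunting rejects the join operator, a custom detection rule that needs to correlate two kinds of events on the same device has to be written with union and summarize instead. The query below is an added example written for this post, not code from the original article or from Microsoft. It uses the standard Defender XDR tables DeviceProcessEvents and DeviceNetworkEvents and the documented ActionType value ConnectionSuccess; the script-host list, the command-line keywords, the excluded ports and the one-hour correlation window are assumptions chosen for illustration and would need tuning per tenant.

```kql
// Added example (not from the original post): correlate two per-device signals
// WITHOUT the join operator, which multi-tenant advanced hunting does not support.
// Tables, columns and the ActionType value are the standard Defender XDR schema;
// the process list, keywords, ports and time window are illustrative assumptions.
let lookback = 1d;
let scriptHosts = dynamic(["powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"]);
// Signal 1: a script host launched with an encoded or hidden-window command line.
let suspiciousLaunch = DeviceProcessEvents
    | where Timestamp > ago(lookback)
    | where FileName in~ (scriptHosts)
    | where ProcessCommandLine has_any ("-enc", "-encodedcommand", "hidden")
    | project Timestamp, ReportId, DeviceId, DeviceName,
              Signal = "SuspiciousScriptLaunch", Detail = ProcessCommandLine;
// Signal 2: a script host made an outbound connection on a port other than web or DNS.
let outbound = DeviceNetworkEvents
    | where Timestamp > ago(lookback)
    | where ActionType == "ConnectionSuccess"
    | where InitiatingProcessFileName in~ (scriptHosts)
    | where RemotePort !in (80, 443, 53)
    | project Timestamp, ReportId, DeviceId, DeviceName,
              Signal = "ScriptHostOutbound", Detail = strcat(RemoteIP, ":", tostring(RemotePort));
// Stack both signal sets (union, not join) and group them per device and hour.
// arg_max keeps the Timestamp and ReportId of the latest event in each group;
// a custom detection rule requires both columns plus a device identifier.
union suspiciousLaunch, outbound
| summarize Signals = make_set(Signal), Details = make_set(Detail, 10),
            arg_max(Timestamp, ReportId) by DeviceId, DeviceName, Hour = bin(Timestamp, 1h)
// Only devices that showed BOTH signals inside the same hour are returned.
| where array_length(Signals) == 2
| project Timestamp, ReportId, DeviceId, DeviceName, Hour, Signals, Details
```

Run it in Advanced hunting in the MTO portal with all tenants selected to check the volume of results first, then use Create detection rule on the same query and push the rule to the tenants through Assignments as described in the next section. The result set keeps Timestamp, ReportId and DeviceId after the summarize precisely so that the rule creation wizard accepts it.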

Assignments

Then add the Custom rule to Assignments.

And select the tenants you want to assign it to.

Finish the assignment and select Sync all authorized tenants to sync those rules across the tenants.

You can see the status, who created it, and the last sync time.

When you go to the other tenant, you will see the rules there and who created them.

See here for the official Learn article.

Closure

That was multi-tenant management, an excellent feature that you can use today! Microsoft is really making an effort toward unification for all you Defenders.

MTO and Sentinel workspace attachment together give a good overview, directly from the familiar Defender portal.

Just, just great!

Author: Harri Jaakkonen