Entra ID

Microsoft Entra Tenant Governance Finds Shadow Tenants

3 min read

Summary

Microsoft Entra Tenant Governance now helps organizations discover shadow tenants connected through B2B collaboration, multitenant apps, and shared billing signals. The new related tenants capability gives IT teams continuous visibility into hidden tenant sprawl so they can assess risk, quarantine unsanctioned tenants, and tighten identity governance.

Need help with Entra ID?Talk to an Expert

Microsoft Entra Tenant Governance helps uncover shadow tenants

Introduction

As organizations expand through acquisitions, development projects, and partner collaboration, Microsoft tenant sprawl can quickly become a security blind spot. Microsoft Entra Tenant Governance aims to address that problem with a new related tenants discovery capability that helps admins find shadow tenants before they become an incident response issue.

This matters because tenants outside central IT oversight can still have trusted connections, app permissions, or shared billing ties to your environment. That creates risk even if those tenants were forgotten years ago.

What’s new

Microsoft highlighted the Related Tenants pillar in Entra Tenant Governance, now available in public preview. After enabling discovery in the Microsoft Entra admin center, organizations can identify connected tenants using signals such as:

  • B2B collaboration relationships
  • Multitenant application registrations
  • Shared billing accounts

The process is designed to be simple:

  1. Go to Tenant governance > Related tenants in the Entra admin center
  2. Turn on discovery with a single click
  3. Review surfaced tenants and the signals behind each relationship
  4. Investigate unknown or unsanctioned tenants and take action

Microsoft says the inventory is continuously updated, so this is not just a one-time scan. New tenant relationships can surface automatically as your environment changes.

Why it matters for IT admins

For identity and security teams, the biggest benefit is visibility. Hidden tenants from acquisitions, proof-of-concept work, legacy testing, or partner activity may still expose your organization through user sign-ins, app consent, or cross-tenant access.

Microsoft recommends several response options for suspicious tenants:

  • Confirm exposure by reviewing app permissions, admin consent, and affected users or workloads
  • Block inbound and outbound sign-ins using cross-tenant access settings
  • Contain app-based access by revoking permissions or removing service principals
  • Apply tenant restrictions v2 through Global Secure Access and universal tenant restrictions
  • Validate impact through sign-in and audit logs before deciding whether to onboard or isolate the tenant

Organizations can also expand discovery with additional telemetry, including Azure subscription billing data, Entra sign-in logs, Microsoft 365 activity, and audit logs.

Action items and next steps

Admins should consider the following next steps:

  • Enable related tenants discovery in the Entra admin center or via the tenant governance API
  • Review newly discovered tenants and classify them as trusted, unknown, or unsanctioned
  • Use tenant quarantine workflows for risky tenants pending review
  • Update tenant creation practices, since the legacy workforce tenant creation flow retires on August 15, 2026

For organizations focused on reducing identity attack surface, this preview gives a practical way to find hidden tenant relationships and bring them under governance before attackers do.

Need help with Entra ID?

Our experts can help you implement and optimize your Microsoft solutions.

Talk to an Expert

Stay updated on Microsoft technologies

Microsoft EntraEntra IDtenant governanceshadow tenantsidentity security

Related Posts

Entra ID

Microsoft Entra Agent ID Adds AI Agent Governance

Microsoft has announced general availability of agent identity governance capabilities in Microsoft Entra as part of Microsoft Agent 365. The update helps organizations govern AI agents with dedicated identities, named sponsors, access packages, and lifecycle workflows to reduce overprivileged access and improve accountability.

Entra ID

Microsoft Purview and Entra Add Real-Time AI DLP

Microsoft has announced a public preview that extends data protection to the network layer using Microsoft Purview and Microsoft Entra. The integration helps organizations detect and block sensitive data moving to unmanaged SaaS, personal cloud storage, and generative AI apps in real time, reducing data leakage risk before exposure occurs.

Entra ID

Entra PIM Custom Extensions Preview for Role Activation

Microsoft has introduced preview support for custom extensions in Microsoft Entra Privileged Identity Management, allowing organizations to call a REST API during role activation to enforce business-specific rules. This helps IT teams automate checks such as ticket validation, HR status, compliance gates, and on-call logic while improving auditability and reducing manual approval gaps.

Entra ID

Microsoft Entra Backup and Recovery GA Now Available

Microsoft Entra Backup and Recovery is now generally available for customers with Entra ID P1 or P2, bringing built-in recovery for critical identity objects across workforce tenants. The release extends retention from 5 to 7 days and adds more flexibility for snapshots, difference reports, and recovery jobs, helping IT teams respond faster to accidental or malicious changes.

Entra ID

Microsoft Entra AI Security Webinar Series Announced

Microsoft has launched a three-part Microsoft Entra and Purview webinar series focused on securing AI at scale. The sessions cover identity, access, data protection, browser and network controls, and governance for AI agents, giving IT teams practical guidance for safer AI adoption.

Entra ID

Azure AD B2C Migration Tools Now Available

Microsoft has released generally available migration tools and guidance to help Azure AD B2C customers move to Microsoft Entra External ID. With Azure AD B2C no longer receiving new features, these new options give IT teams a clearer path to modernize customer identity while reducing migration risk.