Microsoft Entra Tenant Governance Finds Shadow Tenants
Summary
Microsoft Entra Tenant Governance now helps organizations discover shadow tenants connected through B2B collaboration, multitenant apps, and shared billing signals. The new related tenants capability gives IT teams continuous visibility into hidden tenant sprawl so they can assess risk, quarantine unsanctioned tenants, and tighten identity governance.
Microsoft Entra Tenant Governance helps uncover shadow tenants
Introduction
As organizations expand through acquisitions, development projects, and partner collaboration, Microsoft tenant sprawl can quickly become a security blind spot. Microsoft Entra Tenant Governance aims to address that problem with a new related tenants discovery capability that helps admins find shadow tenants before they become an incident response issue.
This matters because tenants outside central IT oversight can still have trusted connections, app permissions, or shared billing ties to your environment. That creates risk even if those tenants were forgotten years ago.
What’s new
Microsoft highlighted the Related Tenants pillar in Entra Tenant Governance, now available in public preview. After enabling discovery in the Microsoft Entra admin center, organizations can identify connected tenants using signals such as:
- B2B collaboration relationships
- Multitenant application registrations
- Shared billing accounts
The process is designed to be simple:
- Go to Tenant governance > Related tenants in the Entra admin center
- Turn on discovery with a single click
- Review surfaced tenants and the signals behind each relationship
- Investigate unknown or unsanctioned tenants and take action
Microsoft says the inventory is continuously updated, so this is not just a one-time scan. New tenant relationships can surface automatically as your environment changes.
Why it matters for IT admins
For identity and security teams, the biggest benefit is visibility. Hidden tenants from acquisitions, proof-of-concept work, legacy testing, or partner activity may still expose your organization through user sign-ins, app consent, or cross-tenant access.
Microsoft recommends several response options for suspicious tenants:
- Confirm exposure by reviewing app permissions, admin consent, and affected users or workloads
- Block inbound and outbound sign-ins using cross-tenant access settings
- Contain app-based access by revoking permissions or removing service principals
- Apply tenant restrictions v2 through Global Secure Access and universal tenant restrictions
- Validate impact through sign-in and audit logs before deciding whether to onboard or isolate the tenant
Organizations can also expand discovery with additional telemetry, including Azure subscription billing data, Entra sign-in logs, Microsoft 365 activity, and audit logs.
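One way to carry out the sign-in log validation step above, shown as an added example that is not Microsoft's code and not part of the original article: it groups exported sign-in records by the other tenant and by direction, so tenants outside the trusted list stand out. The tenant IDs, users, and records are constructed, and the field names (homeTenantId, resourceTenantId, appDisplayName, userPrincipalName, createdDateTime) assume the Microsoft Graph sign-in log export schema.

```python
from collections import defaultdict

# Constructed tenant IDs: ours, one tenant IT already governs, two it does not.
HOME_TENANT = "11111111-1111-1111-1111-111111111111"
T2 = "22222222-2222-2222-2222-222222222222"
T3 = "33333333-3333-3333-3333-333333333333"
T4 = "44444444-4444-4444-4444-444444444444"
TRUSTED = {T2}

def rec(ts, upn, app, home, resource):
    # Field names are assumed from the Microsoft Graph sign-in log export schema.
    return {"createdDateTime": ts, "userPrincipalName": upn, "appDisplayName": app,
            "homeTenantId": home, "resourceTenantId": resource}

# Constructed sample sign-ins (not real log data).
SIGN_INS = [
    rec("2026-03-01T08:12:00Z", "alice@contoso.example", "Legacy PoC Portal", HOME_TENANT, T3),
    rec("2026-03-04T09:00:00Z", "Alice@contoso.example", "Azure Portal", HOME_TENANT, T3),
    rec("2026-03-02T10:30:00Z", "guest@partner.example", "SharePoint Online", T2, HOME_TENANT),
    rec("2026-03-03T11:45:00Z", "dev@oldlab.example", "SharePoint Online", T4, HOME_TENANT),
    rec("2026-03-03T12:00:00Z", "bob@contoso.example", "Outlook", HOME_TENANT, HOME_TENANT),
]

def summarize_cross_tenant(sign_ins, home_tenant, trusted):
    """Group cross-tenant sign-ins by (other tenant, direction)."""
    summary = defaultdict(lambda: {"users": set(), "apps": set(), "count": 0, "last_seen": ""})
    for r in sign_ins:
        home, resource = r.get("homeTenantId"), r.get("resourceTenantId")
        if not home or not resource or home == resource:
            continue  # same-tenant or incomplete record
        if resource == home_tenant:
            other, direction = home, "inbound"      # external identity reaching our resources
        elif home == home_tenant:
            other, direction = resource, "outbound"  # our user signing in to another tenant
        else:
            continue  # neither side is our tenant
        e = summary[(other, direction)]
        e["users"].add(r.get("userPrincipalName", "").lower())
        e["apps"].add(r.get("appDisplayName", ""))
        e["count"] += 1
        e["last_seen"] = max(e["last_seen"], r.get("createdDateTime", ""))  # same-format ISO 8601 sorts as text
        e["status"] = "trusted" if other in trusted else "unknown"
    return dict(summary)

def unknown_tenants(summary):
    return sorted({tenant for (tenant, _), e in summary.items() if e["status"] == "unknown"})

if __name__ == "__main__":
    for (tenant, direction), e in sorted(summarize_cross_tenant(SIGN_INS, HOME_TENANT, TRUSTED).items()):
        print(tenant, direction, e["status"], e["count"], sorted(e["users"]), e["last_seen"])
```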
Action items and next steps
Admins should consider the following next steps:
- Enable related tenants discovery in the Entra admin center or via the tenant governance API
- Review newly discovered tenants and classify them as trusted, unknown, or unsanctioned
- Use tenant quarantine workflows for risky tenants pending review
- Update tenant creation practices, since the legacy workforce tenant creation flow retires on August 15, 2026
For organizations focused on reducing identity attack surface, this preview gives a practical way to find hidden tenant relationships and bring them under governance before attackers do.