Secure all tenants and their resources (Secure Future Initiative)

Pillar name: Protect tenants and isolate production systems
Pattern name: Secure all tenants and their resources

To reduce the security risks of untracked tenants and limited visibility, Microsoft has implemented the Secure all tenants and their resources pattern. This ensures comprehensive governance and security across all tenants, in line with Zero Trust principles.

Context and problem

The first step in tenant security is discovery. Without a complete inventory, security and governance cannot succeed. Many organizations lack visibility into active, legacy, and shadow tenants, leaving untracked environments vulnerable to exploitation.

Microsoft has invested heavily in identifying and cataloging all tenants across its environments. This includes production, productivity/test, and ephemeral tenants. Without robust discovery and lifecycle governance, even seemingly low-risk tenants can become shadow infrastructure—unmonitored, unpatched, and exploitable as pivot points for attackers.

Key risks include:

  • Lateral movement from non-production into production tenants.
  • Stale or inactive tenants with no security baselines or lifecycle controls.
  • Shared secrets and misconfigurations enabling credential reuse across tenants.

Solution

As part of the Secure Future Initiative (SFI), Microsoft implemented the secure all tenants and their resources objective by enforcing tenant baselines, governing lifecycle management, and standardizing protections across its cloud environments.

  • Standardized security logging library: Ensures consistent data capture across services, reducing observability gaps.
  • Centralized log collection: Specialized investigator accounts provide unified access to cross-service logs, simplifying correlation and speeding up investigations.
  • Extended log retention: Audit logs retained for up to two years across Microsoft services, to enable forensic investigation of long-term attack patterns.
  • Advanced detection analytics: Integration of machine learning and AI-powered models improves detection of complex attack techniques and reduces false positives.
  • Expanded customer logging: Microsoft increased standard audit log retention for Microsoft 365 customers to 180 days, with options for longer retention.

Microsoft's approach includes:

  • Security baselines: Preconfigured tenant security templates to ensure consistency and accelerate hardening.
  • Tenant classification and lifecycle governance: Categorizing tenants by purpose (production, productivity, auxiliary, ephemeral) and applying default controls accordingly.
  • Conditional Access enforcement: Governing authentication and authorization at scale, including ephemeral tenants and unmanaged accounts.
  • Secure Admin Workstations (SAWs): Hardware-isolated devices separating privileged from productivity access.
  • Monitoring and analytics: Centralized security data via audit logs, Microsoft Secure Score, and Defender integration.
  • Secret management and credential isolation: Preventing shared secrets between tenants and enforcing phishing-resistant MFA.
  • Lateral movement prevention: Isolating production from non-production tenants so that a compromise in one cannot be used to reach the other.
  • Legacy and inactive tenants: Decommissioning legacy and inactive tenants through lifecycle audits.
  • Posture visibility: Improving posture visibility with Secure Score across the tenant fleet.
  • Tenant sprawl: Reducing tenant sprawl and enforcing strict controls on new tenant creation.
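The classification, lifecycle audit and credential isolation items above can be checked mechanically once a tenant inventory exists. The following is an added example written for this page, not Microsoft's own tooling: it classifies tenants by purpose, assigns the default controls for each class, flags unowned, unbaselined, unclassified and stale tenants, and reports app-registration credentials that are shared across tenants (worst when the sharing crosses the production boundary). The tenant records, purpose classes, idle-time limits and credential fingerprints are constructed assumptions; a real run would populate them from your tenant registry.

```python
"""Tenant inventory classification, lifecycle audit, and shared-credential check.

Added example; not Microsoft's own tooling. Tenant records, purpose classes,
idle-time limits and credential fingerprints below are constructed assumptions.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Set, Tuple

# Assumed maximum idle period per tenant class before it becomes a
# decommission candidate. Production is never auto-flagged (None).
MAX_IDLE_DAYS: Dict[str, Optional[int]] = {
    "production": None,
    "productivity": 180,
    "auxiliary": 90,
    "ephemeral": 30,
}


@dataclass
class Tenant:
    tenant_id: str
    purpose: str                      # production | productivity | auxiliary | ephemeral
    owner: Optional[str]
    last_sign_in: Optional[datetime]
    baseline_applied: bool
    # Fingerprints of app-registration credentials (cert thumbprint / secret key id).
    credential_ids: Set[str] = field(default_factory=set)


def default_controls(purpose: str) -> Set[str]:
    """Default controls every tenant of a given class must carry (assumed mapping)."""
    controls = {"security_defaults", "block_legacy_auth", "mfa_all_users"}
    if purpose == "production":
        controls |= {"pim_for_admins", "compliant_device_for_admins", "saw_for_privileged"}
    elif purpose in ("productivity", "auxiliary"):
        controls.add("pim_for_admins")
    elif purpose == "ephemeral":
        controls.add("expiration_date")
    else:
        raise ValueError(f"unknown tenant class: {purpose}")
    return controls


def lifecycle_findings(tenants: List[Tenant], now: datetime) -> List[Tuple[str, str]]:
    """Return (tenant_id, finding) pairs for governance gaps in the inventory."""
    findings = []
    for t in tenants:
        if t.purpose not in MAX_IDLE_DAYS:
            # Unknown purpose means nobody has classified it: treat as a shadow tenant.
            findings.append((t.tenant_id, "unclassified"))
            continue
        if t.owner is None:
            findings.append((t.tenant_id, "no_owner"))
        if not t.baseline_applied:
            findings.append((t.tenant_id, "baseline_missing"))
        limit = MAX_IDLE_DAYS[t.purpose]
        if limit is not None and (
            t.last_sign_in is None or now - t.last_sign_in > timedelta(days=limit)
        ):
            findings.append((t.tenant_id, "stale_decommission_candidate"))
    return findings


def shared_credentials(tenants: List[Tenant]) -> Dict[str, Set[str]]:
    """Credential fingerprints used in more than one tenant, with the tenants sharing them."""
    seen: Dict[str, Set[str]] = {}
    for t in tenants:
        for cred in t.credential_ids:
            seen.setdefault(cred, set()).add(t.tenant_id)
    return {cred: ids for cred, ids in seen.items() if len(ids) > 1}


def crosses_production_boundary(tenants: List[Tenant], sharing: Dict[str, Set[str]]) -> List[str]:
    """Shared credentials linking a production tenant to a non-production one."""
    purpose_of = {t.tenant_id: t.purpose for t in tenants}
    return sorted(
        cred for cred, ids in sharing.items()
        if any(purpose_of[i] == "production" for i in ids)
        and any(purpose_of[i] != "production" for i in ids)
    )


# Constructed inventory for the demonstration (fixed "now" keeps the run reproducible).
NOW = datetime(2025, 1, 15, tzinfo=timezone.utc)
SAMPLE_TENANTS = [
    Tenant("prod-001", "production", "platform-security", NOW - timedelta(days=1), True, {"cert:3F1A"}),
    Tenant("dev-002", "productivity", "team-blue", NOW - timedelta(days=200), True, {"cert:3F1A", "secret:9C"}),
    Tenant("lab-003", "ephemeral", None, None, False, set()),
    Tenant("old-004", "unknown", "nobody", NOW - timedelta(days=400), False, {"secret:9C"}),
]


if __name__ == "__main__":
    for tenant_id, finding in lifecycle_findings(SAMPLE_TENANTS, NOW):
        print(f"{tenant_id}: {finding}")
    shared = shared_credentials(SAMPLE_TENANTS)
    print("shared credentials:", shared)
    print("crossing production boundary:", crosses_production_boundary(SAMPLE_TENANTS, shared))
```

On the constructed inventory, dev-002 is flagged as stale (200 idle days against an assumed 180-day limit for productivity tenants), lab-003 has no owner, no baseline and no recorded sign-in, old-004 is unclassified, and the certificate fingerprint shared between prod-001 and dev-002 is reported as a credential that crosses the production boundary, which is exactly the shared-secret lateral movement path the pattern is designed to remove.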

These steps ensure all tenants—regardless of purpose or origin—are visible, governed, and protected in line with Zero Trust principles.

Guidance

Organizations can adopt a similar pattern using the following actionable practices:

Baseline security controls
  • Apply Microsoft security defaults across all tenants, then extend with Microsoft 365 Lighthouse baselines for enterprise-scale hardening.

Conditional Access
  • Deploy baseline Conditional Access (CA) policies: block legacy authentication, require MFA for all users, and enforce device compliance for privileged roles.
  • Expand with risk-based and location-aware policies.

Privileged access management
  • Use Privileged Identity Management (PIM) for just-in-time (JIT) and just-enough-access (JEA) to minimize standing admin privileges.

Tenant isolation
  • Separate production and non-production tenants.
  • Eliminate shared admin accounts and app registrations across environments.
  • Apply distinct Conditional Access baselines per tenant type.

Monitoring and threat detection
  • Combine Microsoft Defender for Identity (on-premises AD signals) with Microsoft Entra ID Protection (cloud-based risk signals).
  • Centralize monitoring to detect lateral movement, token theft, and abnormal sign-in behavior.
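The Conditional Access baseline above (block legacy authentication, require MFA for all users, require a compliant device for privileged roles) is easy to declare and easy to leave half-enforced: a policy in report-only mode, a policy with user exclusions, or an MFA policy whose grant is "MFA or compliant device" all look like coverage without providing it. The following added example, not Microsoft's own tooling, checks a set of policy objects shaped like the Microsoft Graph conditionalAccessPolicy resource (state, conditions, grantControls) against that baseline and names the requirements nothing enforces. The sample policies are constructed; the one assumed privileged role is Global Administrator, identified by its role template ID.

```python
"""Check Conditional Access policies against the baseline in the guidance.

Added example; not Microsoft's own tooling. Policy dicts mirror the shape of the
Microsoft Graph conditionalAccessPolicy resource; the sample policies are constructed.
"""
from typing import Callable, Dict, List, Set

# Graph clientAppTypes values that represent legacy authentication clients.
LEGACY_CLIENT_APPS = {"exchangeActiveSync", "other"}
# Assumed privileged role set: the Global Administrator role template ID only.
PRIVILEGED_ROLE_IDS = {"62e90394-69f5-4237-9190-012177145e10"}

Policy = Dict


def _enabled(p: Policy) -> bool:
    # Report-only ("enabledForReportingButNotEnforced") and disabled policies enforce nothing.
    return p.get("state") == "enabled"


def _all_users(p: Policy) -> bool:
    # "All users" with exclusions is not all users; exclusions are a common coverage gap.
    users = p["conditions"]["users"]
    return "All" in users.get("includeUsers", []) and not users.get("excludeUsers")


def _all_apps(p: Policy) -> bool:
    return "All" in p["conditions"].get("applications", {}).get("includeApplications", [])


def _controls(p: Policy):
    gc = p.get("grantControls") or {}
    return set(gc.get("builtInControls", [])), gc.get("operator")


def blocks_legacy_auth(p: Policy) -> bool:
    """Block grant for all users and all apps, targeting both legacy client app types."""
    controls, _ = _controls(p)
    legacy_targeted = LEGACY_CLIENT_APPS <= set(p["conditions"].get("clientAppTypes", []))
    return _enabled(p) and _all_users(p) and _all_apps(p) and legacy_targeted and "block" in controls


def requires_mfa_all_users(p: Policy) -> bool:
    """MFA must be mandatory: 'mfa OR compliantDevice' lets a device satisfy the policy without MFA."""
    controls, operator = _controls(p)
    mfa_mandatory = "mfa" in controls and (controls == {"mfa"} or operator == "AND")
    return _enabled(p) and _all_users(p) and _all_apps(p) and mfa_mandatory


def requires_compliant_device_for_roles(p: Policy, role_ids: Set[str]) -> bool:
    controls, _ = _controls(p)
    roles = set(p["conditions"]["users"].get("includeRoles", []))
    return _enabled(p) and role_ids <= roles and "compliantDevice" in controls


def baseline_gaps(policies: List[Policy], role_ids: Set[str] = PRIVILEGED_ROLE_IDS) -> List[str]:
    """Names of baseline requirements that no policy in the set enforces."""
    checks: Dict[str, Callable[[Policy], bool]] = {
        "block_legacy_auth": blocks_legacy_auth,
        "mfa_all_users": requires_mfa_all_users,
        "compliant_device_for_privileged_roles": lambda p: requires_compliant_device_for_roles(p, role_ids),
    }
    return sorted(name for name, check in checks.items() if not any(check(p) for p in policies))


def _policy(name, state, users, apps, client_apps, controls, operator="OR"):
    """Constructor for the constructed Graph-shaped sample policies."""
    return {
        "displayName": name, "state": state,
        "conditions": {"users": users, "applications": {"includeApplications": apps},
                       "clientAppTypes": client_apps},
        "grantControls": {"operator": operator, "builtInControls": controls},
    }


MODERN_CLIENTS = ["browser", "mobileAppsAndDesktopClients"]
# Constructed tenant policy set: the MFA policy was left in report-only mode.
SAMPLE_POLICIES = [
    _policy("Block legacy authentication", "enabled", {"includeUsers": ["All"]}, ["All"],
            ["exchangeActiveSync", "other"], ["block"]),
    _policy("Require MFA for all users", "enabledForReportingButNotEnforced",
            {"includeUsers": ["All"]}, ["All"], MODERN_CLIENTS, ["mfa"]),
    _policy("Require compliant device for admins", "enabled",
            {"includeUsers": [], "includeRoles": sorted(PRIVILEGED_ROLE_IDS)}, ["All"],
            MODERN_CLIENTS, ["compliantDevice"]),
]


def remediated(policies: List[Policy]) -> List[Policy]:
    """The same set with the report-only MFA policy switched to enforced."""
    return [dict(p, state="enabled") if p["displayName"] == "Require MFA for all users" else p
            for p in policies]


if __name__ == "__main__":
    print("gaps before:", baseline_gaps(SAMPLE_POLICIES))
    print("gaps after:", baseline_gaps(remediated(SAMPLE_POLICIES)))
```

Run against the constructed set, the check reports only "mfa_all_users" as a gap, because the MFA policy exists but is report-only; switching its state to enabled clears the list. Feeding it the real policy export of each tenant, and running it per tenant class, gives the "percentage of tenants with enforced security baselines" figure listed under key success factors.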

Benefits

  • Standardized hardening: Security baselines ensure all tenants meet minimum protection thresholds.
  • Reduced attack surface: Legacy, shadow, and unused tenants are systematically retired.
  • Improved governance: Central inventory and classification support continuous compliance and oversight.
  • Controlled access: Conditional Access, role-based access control (RBAC), and multifactor authentication (MFA) protect identities and limit external sharing risks.
  • Enhanced detection and response: Integrated security data and logs provide visibility across all tenants.

Trade-offs

Implementing this approach requires:

  • Establishing centralized ownership of tenant lifecycle policies.
  • Investment in automation (default policy application, expiration workflows).
  • Possible re-architecture of access models (for example, separating production from non-production).
  • SAW adoption, which introduces initial device complexity and cost.
  • Training and enforcement needed to eliminate shadow tenants and credential reuse.

Key success factors

To track success, measure the following:

  • Percentage of tenants with enforced security baselines
  • Number of legacy or shadow tenants decommissioned
  • Coverage of centralized inventory and compliance reporting
  • Percentage of identities with MFA enabled
  • Improvement in Microsoft Secure Score metrics
  • Volume of blocked legacy authentication attempts or unauthorized sharing events

Summary

Securing all tenants and their resources is foundational to Microsoft's SFI pillars: Secure by Design, Secure by Default, and Secure Operations.

With baseline policies, lifecycle governance, and continuous oversight, organizations can reduce risk, enforce consistent protections, and prevent shadow infrastructure from undermining security. At scale, this ensures every identity, access point, and tenant is secured by design.