Struggling to keep up with security across multiple organizations? Multi-tenant management in Microsoft Defender XDR streamlines your workflow by giving you a single pane of glass for all your tenants. This translates to faster threat detection, improved response times, and a more consistent security posture across every tenant you manage.
Prerequisites
| Requirement | Description |
|---|---|
| Microsoft Defender XDR prerequisites | Verify that you meet the Microsoft Defender XDR prerequisites. |
| Multi-tenant access | To view and manage data in multi-tenant management, you need access to each tenant you want to view and manage, through either granular delegated admin privileges (GDAP) or Microsoft Entra B2B authentication. To learn how to synchronize multiple B2B users across tenants, see Configure cross-tenant synchronization. |
| Permissions | Users must be assigned the correct roles and permissions in each individual tenant in order to view and manage that tenant's data in multi-tenant management. To learn more, see Manage access to Microsoft Defender XDR with Microsoft Entra global roles and Custom roles in role-based access control for Microsoft Defender XDR. To learn how to grant permissions to multiple users at scale, see What is entitlement management. |
Note! I will not cover granular delegated admin privileges (GDAP) in this post
Benefits of Multi-Tenant Management in Microsoft Defender XDR
| Feature | Description |
|---|---|
| Centralized Incident Management | SOC analysts can investigate incidents across all managed tenants from a single view, eliminating the need to switch between tenants. |
| Streamlined Threat Hunting | Security teams can use advanced hunting with KQL queries to proactively search for threats across multiple tenants. |
| Multi-Customer Management (for Partners) | MSSPs gain visibility into security incidents, alerts, and threat hunting activities for all their customers from a unified console. |
Capabilities of Multi-Tenant Management
| Capability | Description |
|---|---|
| Incidents & Alerts > Incidents | Manage security incidents originating from all connected tenants. |
| Incidents & Alerts > Alerts | Manage security alerts originating from all connected tenants. |
| Hunting > Advanced Hunting | Proactively hunt for intrusions and breaches across all connected tenants simultaneously. |
| Hunting > Custom Detection Rules | View and manage custom detection rules across all connected tenants. |
| Assets > Devices > Tenants | Explore device counts across various categories (device type, value, onboarding status, risk status) for all tenants and for individual tenants. |
| Endpoints > Vulnerability Management > Dashboard | Provides aggregated vulnerability management data across all connected tenants for both security administrators and operations teams. |
| Endpoints > Vulnerability Management > Tenants | Explore vulnerability management details (exposed devices, security recommendations, weaknesses, critical CVEs) for all tenants and for individual tenants. |
| Configuration > Settings | Lists all tenants you have access to. Use this page to view and manage your tenants. |
How to set it up
Microsoft Entra B2B collaboration is a federated identity model: external users sign in with their own work credentials at their home identity provider (another Entra tenant, or a SAML/WS-Fed identity provider via federation) and are represented in your tenant as guest objects, so you do not have to create and manage extra accounts or passwords in your own directory. The guest object is what you assign Defender roles to, which is why the analyst needs one in every tenant they will manage.
First you need the B2B users in your tenant. You can create them with cross-tenant sync or as normal guest users.
Invite B2B Guest users
Invite the users to your tenant and add roles.
Cross-tenant access
See here for the official material from Learn
And here for my previous deep-dive when it was still in Preview
Cross-tenant sync
If you aren't familiar with cross-tenant sync, you can learn about it in my previous posts.
External IdP
Or you could use an external IdP for your users and let them log in with that. See more on that here.
Back to MTO
Once the B2B setup is in place, open https://mto.security.microsoft.com and select Add tenants.
Once you choose the tenants, you will see that they were successfully added.
If a tenant has permission errors or missing licenses, you will be informed here, so check this page before assuming the data is flowing.
Now you can see the incidents from the other tenants.
You can also use Assignments once you have enabled the multi-tenant content source.
Open System -> Settings -> Defender XDR -> Multi-tenant content source.
Custom detection rules
In Advanced hunting you can see all the tenants and filter down to the one you choose. You can also create your custom detection rule directly from here.
You can create a custom detection rule under Advanced hunting. Just remember that queries that use the join operator are currently not supported in multi-tenant management advanced hunting, so any correlation between tables has to be expressed another way.
And finalize the rule.
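As an added example (not from the original post), here is how a cross-table correlation can be restructured to respect the join restriction above. The detection logic itself is illustrative and assumed: an encoded PowerShell command line on a device that also makes a successful outbound connection from powershell.exe within the same lookback window. The tables and columns are the standard Defender for Endpoint advanced hunting schema. The join form is shown commented out; the live query replaces it with union plus summarize on the key you would otherwise join on, and it keeps Timestamp and ReportId so the result can be saved as a custom detection rule.

```kql
// Added example, not from the original post. Detection logic is illustrative.
//
// NOT usable in multi-tenant advanced hunting: correlates two tables with join.
//
// DeviceProcessEvents
// | where Timestamp > ago(1h)
// | where FileName =~ "powershell.exe"
// | where ProcessCommandLine has_any ("-enc", "-EncodedCommand")
// | join kind=inner (
//     DeviceNetworkEvents
//     | where Timestamp > ago(1h)
//     | where InitiatingProcessFileName =~ "powershell.exe"
//   ) on DeviceId
//
// Same correlation without join: stack both event types with union, tag each
// row with its origin, then summarize on the key you would have joined on.
let lookback = 1h;
union
  (
    DeviceProcessEvents
    | where Timestamp > ago(lookback)
    | where FileName =~ "powershell.exe"
    | where ProcessCommandLine has_any ("-enc", "-EncodedCommand")
    | project Timestamp, DeviceId, DeviceName, ReportId,
              Kind = "encoded_powershell", Detail = ProcessCommandLine
  ),
  (
    DeviceNetworkEvents
    | where Timestamp > ago(lookback)
    | where InitiatingProcessFileName =~ "powershell.exe"
    | where ActionType == "ConnectionSuccess"
    | project Timestamp, DeviceId, DeviceName, ReportId,
              Kind = "powershell_network", Detail = strcat(RemoteIP, ":", RemotePort)
  )
// One row per device; a device only hits when both kinds of evidence are present.
| summarize Kinds = make_set(Kind),
            Details = make_set(Detail, 10),
            Timestamp = max(Timestamp),
            ReportId = max(ReportId)
          by DeviceId, DeviceName
| where array_length(Kinds) == 2
// Timestamp, ReportId and DeviceId are the columns a custom detection rule needs.
| project Timestamp, ReportId, DeviceId, DeviceName, Kinds, Details
```

The trade-off is that join gives you row-level pairing while union plus summarize gives you device-level aggregation: the only time proximity enforced here is the shared lookback window, so tighten `lookback` to match how close together you expect the two events to be. The same pattern (tag rows, union, summarize by the join key) works for any other key such as AccountObjectId or RemoteIP.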
Assignments
And add the Custom rule to Assignments
And the tenants you want to add to it.
Finish the assignment and select Sync all authorized tenants to push those rules across.
You can see the sync status, who created the assignment, and the last sync time.
When you go to the other tenant, you will see the rules there along with who created them.
See here for the official Learn article
Closure
That was multi-tenant management, an excellent feature that you can use today! Microsoft is really making an effort at unification for all of you Defenders.
MTO and Sentinel workspace attachment can really give a good overview and directly from the familiar Defender portal.
Just, just great!