What is a Tenant in Microsoft Entra ID?
An Entra ID tenant is the dedicated identity boundary your organization uses for Microsoft 365, Azure, and SaaS. Learn what it contains and why it's the cloud security boundary.
What is a Tenant in Microsoft Entra ID?
Definition
A Microsoft Entra ID tenant is a dedicated, isolated instance of Microsoft Entra ID that an organization receives when it signs up for a Microsoft cloud service (Microsoft 365, Azure, Dynamics 365, etc.).
A tenant is the organizational boundary for:
- Users and groups
- Devices
- Applications and service principals
- Roles and Conditional Access policies
- Subscriptions (Azure)
- Identity-related licenses
In simple terms:
A tenant is your organization's private box inside Microsoft's cloud — and your real cloud security boundary.
Why Tenants Matter
- The tenant is the scope for almost every Entra ID security control.
- Compromising a tenant typically means compromising all identity-protected resources within it.
- Cross-tenant relationships (B2B, federation, cross-tenant access settings) extend that boundary.
- Many companies have multiple tenants (test, prod, M&A leftovers) — each with its own risk profile.
What's Inside a Tenant
- Users (members, guests).
- Groups (security, M365, dynamic).
- Devices (registered, joined).
- Applications (App Registrations, Enterprise Applications / Service Principals, Managed Identities).
- Roles (Global Admin, role assignments).
- Conditional Access policies.
- Identity Protection signals.
- Audit and sign-in logs.
- Subscriptions and billing accounts (Azure).
- Domains (verified DNS domains).
Each tenant has a unique Tenant ID (GUID) and an initial *.onmicrosoft.com domain.
Tenant vs Directory vs Subscription
| Term | Meaning |
|---|---|
| Tenant | The organization-scoped Entra ID instance. |
| Directory | Often used synonymously with tenant in Microsoft docs. |
| Subscription | An Azure billing/resource container. Subscriptions are associated with a tenant. |
| Account | A user identity (cloud-only, synced, or guest). |
A tenant can hold many subscriptions; subscriptions can be moved between tenants.
Multi-Tenant Realities
Many organizations end up with multiple tenants:
- Production vs dev/test tenants.
- Acquisitions that retained their own tenants post-merger.
- Sandbox tenants for proofs of concept.
- Country/regional tenants for regulatory reasons.
Each tenant is a separate security domain. Cross-tenant access requires explicit configuration (B2B, cross-tenant access settings, multi-tenant apps).
Cross-Tenant Relationships
B2B Collaboration
Invite users from other tenants as guest users. The home tenant authenticates; the resource tenant authorizes. Guests appear in the directory but live in their home tenant.
Cross-Tenant Access Settings
Granular controls for B2B inbound/outbound, device trust, and MFA trust between tenants.
Multi-Tenant Applications
Apps published in one tenant and consumed by users in others (after admin consent in the consuming tenant).
Federation
External identity providers (other Entra tenants, Google, social) federated into your tenant.
Common Tenant Risks
- Multiple unmanaged tenants acquired through mergers.
- Sandbox tenants with weak security used for production data.
- Cross-tenant access configured too permissively.
- Multi-tenant app consent abuse.
- B2B guest sprawl — long-forgotten guests with elevated rights.
- Federation trust misconfigurations.
- Subscription movement without proper governance.
Real-World Examples
1. Forgotten Sandbox Tenant
A 2018 PoC tenant was set up for testing. It still has a few admin accounts with weak MFA and access to an Azure subscription that holds a small but production-relevant database. No one monitors it.
2. Acquisition Tenant
After a merger, both tenants run side by side. One has tighter Conditional Access; the other doesn't. Attackers compromise the weaker one, then leverage cross-tenant access to reach shared resources.
3. Permissive B2B
A partner's account is invited as a guest with broad permissions. The partner is later compromised; their identity grants access to your tenant.
4. Multi-Tenant App Abuse
A user consents to an attacker's multi-tenant OAuth app with Mail.ReadWrite.All. The app reads mailboxes across the tenant until detected.
Tenant Hardening Best Practices
- Inventory all tenants your organization owns.
- Apply consistent baselines (Conditional Access, MFA, role hygiene) across every tenant.
- Restrict cross-tenant access to required scenarios.
- Disable user consent to high-risk scopes; require admin consent.
- Review B2B guests quarterly; remove stale ones.
- Monitor subscription movement between tenants.
- Use Microsoft Entra Multi-Tenant Organization (MTO) features to manage related tenants.
- Decommission unused tenants intentionally.
- Tag tenants by purpose and risk.
- Apply Tier 0 controls to each tenant's Global Admins.
- Centralize logging across tenants where possible.
Tenant Security Checklist
- All organization tenants inventoried with owners?
- Consistent baselines (Conditional Access, MFA, roles) across tenants?
- Cross-tenant access settings reviewed?
- B2B guest reviews scheduled?
- User consent locked down for high-risk scopes?
- Multi-tenant app review process?
- Subscription transfer governance?
- Sandbox / test tenants kept clear of production data?
- Tenant-level logs in SIEM?
How Forestall Helps
Forestall enumerates and analyzes Entra ID tenants:
- Identifies privileged identities, apps, and paths within each tenant.
- Surfaces cross-tenant relationships and risks.
- Highlights B2B guests with elevated reach.
- Tracks subscription-tenant relationships.
- Computes attack paths that cross tenant boundaries.
Frequently Asked Questions
Can a user belong to multiple tenants?
Yes — a user has a "home" tenant and can be a guest in many others. Each presence has its own permissions.
Can I merge tenants?
Microsoft has launched Multi-Tenant Organization features that bring tenants under unified governance. Full merge is complex; most organizations consolidate gradually.
Is the tenant the same as the Microsoft 365 organization?
Effectively yes — a Microsoft 365 organization is backed by an Entra ID tenant.
What's the difference between Entra ID and Entra ID B2C?
Entra ID is for workforce/business identities; Entra ID B2C is for customer-facing identities (separate tenant type).
Can I delete a tenant?
Yes, after removing all licenses, subscriptions, and users — but plan carefully; it's destructive and irreversible.
Conclusion
The Microsoft Entra ID tenant is your organization's true cloud identity boundary. Knowing how many you have, who owns each, and what flows between them is the foundation of cloud identity security. Apply consistent controls everywhere, restrict cross-tenant relationships, decommission what you don't need, and treat each tenant's privileged roles as Tier 0 — and your cloud identity perimeter holds even as Microsoft, M&A, and your own teams add complexity over time.
Map every privileged path inside your tenant.
Forestall analyzes Entra ID tenants to surface paths to Global Admin and risky cross-tenant relationships.