Microsoft Defender portal implementation guide for MSSPs

The Microsoft Defender portal is a unified security operations platform that brings together incident management, threat hunting, and workload management across multiple customer tenants. For a comprehensive overview of these capabilities and their benefits, see Microsoft Defender multitenant management.

This guide focuses on implementing tenant management for Managed Security Service Providers (MSSPs). It covers the entire process from initial setup and customer onboarding through advanced operational workflows for MSSPs.

Key Capabilities & Differentiators

Key features of the Microsoft Defender portal for MSSPs include:

  • Unified incident management: A single unified incidents queue includes data from Microsoft Sentinel, Microsoft Defender, and third-party sources. For more information, see Manage Security Operations across tenants.

  • Cross-platform threat hunting: Unified hunting across security data eliminates the need to switch between portals and lets analysts locate the data they need across their entire customer base. For more information, see Advanced hunting.

  • Proactive attack disruption: Attack Disruption delivers proactive protection by stopping attacks in progress. It works on native Microsoft Defender technologies and across third-party environments, such as SAP, AWS, Proofpoint, and Okta. Microsoft Defender reduces dwell time and prevents lateral movement by automatically revoking compromised credentials, isolating malicious sessions, and neutralizing attacker footholds.

  • Attack path analysis and exposure visualization: Analyze attack paths and reduce exposure by visualizing how cyber attackers could exploit vulnerabilities to move laterally across exposed assets in customer environments. Get guided recommendations on reducing exposure and prioritize actions based on each exposure's potential impact. For more information, see Microsoft Security Exposure Management.

  • Enhanced detection accuracy: Detect and investigate quickly and accurately by combining the depth of Microsoft Defender signals with the flexibility of log sources from Microsoft Sentinel. This results in an improved signal-to-noise ratio and enhanced alert correlation.

  • AI-powered security operations: Take advantage of Microsoft Security Copilot for incident summaries and reports, guided investigation, autogenerated Microsoft Teams messages, code analysis, and more. For more information, see Get started with agentic AI.

  • Scalable multitenant management: Get aggregate views of your tenants' alerts, incidents, and assets, hunt over all your tenants' data, and maintain a consistent security baseline across your tenants using content management and distribution features for custom detection rules, endpoint security policies, analytics rules, automation rules, and more.

  • Continuous improvement insights: Receive tailored, post-incident recommendations on preventing similar or repeat cyberattacks, which tie directly into Microsoft Security Exposure Management initiatives to automatically improve readiness scores as actions are completed.

To build Security Operations on the Microsoft Defender Portal, read through the prerequisites, then follow these steps:

  1. Step 1 - Prepare your environment: Prepare your MSSP environment and onboard your customers to a multitenant configuration.

  2. Step 2 - Content Management: Build security content once and deploy it across all customer tenants efficiently.

  3. Step 3 - Multitenant Security Operations: Run daily incident response, threat hunting, and investigations across customer tenants.

Prerequisites

Transitioning customers to the Microsoft Defender portal involves migrating Microsoft Sentinel workspaces and ensuring continuity of security operations.

  • See Connect Microsoft Sentinel to Microsoft Defender XDR for the technical migration process.
  • Establish clear timelines and expectations with customers before beginning the transition.
  • Review the multitenant access requirements and ensure proper delegation is configured for each customer tenant.
  • Determine the optimal workspace configuration (primary vs. secondary) based on each customer's environment and compliance requirements.

Step 1 - Prepare your environment

Set up access to multiple customer tenants

MSSPs can delegate access to customer tenants through several methods. Learn more about delegated access options so you can choose the approach that best fits your organization's needs and customer requirements.

Note

There are scenarios where MSSPs shouldn't use cross-workspace rules. For example, when the same rule applies to multiple individual workspaces but the data from those workspaces doesn't need to be correlated together, a cross-workspace rule adds cost and complexity without benefit. In this scenario, MSSPs should instead push the same rule to each workspace it applies to.

Advanced automation rule/playbook scenario

Some advanced scenarios using automation rules and playbooks might still require Azure Lighthouse. For example, to protect the intellectual property of a playbook hosted in the partner tenant, the playbook must stay in the partner tenant while it executes actions in the customer tenant. Another example is described in Automate threat response in Microsoft Sentinel with automation rules.

Unified RBAC

To use Unified RBAC to manage your Microsoft Defender for Office 365 customers, you must have a Defender for Office 365 Plan 2 license. For more information, see:

Azure B2B

Azure B2B invited guests aren't supported by experiences that were previously under Microsoft Exchange Online RBAC. Because Defender for Office 365 Unified RBAC relies on the Exchange Online admin APIs, actions performed in Defender for Office 365 by B2B guests have limitations. B2B guest admins might get errors when attempting certain actions, or might be missing parts of the UI, for example:

  • Managing spam and phishing policies
  • Managing the Tenant Allow/Block List (TABL)
  • Releasing emails from quarantine
  • Threat Explorer missing from the navigation pane

Manage entitlement

Entitlement management is an identity governance feature that enables organizations to manage identity and access lifecycle at scale, by automating access request workflows, access assignments, reviews, and expiration.

Some typical entitlement management configurations are:

  • B2B Collaboration

    • Invite external users as guests into your tenant
    • Supports Conditional Access, MFA, and lifecycle management
    • Ideal for partners, suppliers, and contractors needing app/resource access that can be governed
  • Cross-Tenant access settings

    • Fine-grained control over inbound/outbound collaboration
    • Trust MFA and device compliance claims across tenants
    • Configure default or organization-specific policies
  • B2B Direct Connect

    • Enables mutual trust between two Microsoft Entra tenants
    • Seamless collaboration via Teams shared channels without adding guests
    • Perfect for ongoing partnerships where users keep home credentials

Often, a combination of B2B Collaboration and Cross-Tenant access settings is the most relevant choice for an MSSP.

The following diagram shows how a B2B collaboration guest is represented in the customer tenant.

Diagram illustrating B2B collaboration.

For sample role assignments for different SOC roles, see the Sample permission mappings of Microsoft Sentinel built-in roles to Microsoft Defender XDR Unified RBAC roles.

Step 2 - Manage content

Manage and distribute content

In Microsoft Sentinel, content refers to the building blocks that enable security operations. It includes analytics rules, data connectors, hunting queries, parsers, playbooks, watchlists, and workbooks. Microsoft Sentinel provides out-of-the-box content that you can use as-is or you can customize it. You can also create and distribute custom content to meet specific requirements. Effective content management and distribution ensure consistent security baselines, rapid threat response, and scalable operations across customer tenants.

MSSPs working in the Microsoft Defender portal have several tools for managing and distributing security content at scale:

Option: Native multitenant content distribution
  Best for: Quick deployment of standard content across many tenants.
  Technical details: Uses the Defender portal's built-in multitenant management. Ideal for out-of-the-box (OOB) content or lightly customized content.
  Key capabilities:
  • Create once, deploy everywhere across multiple tenants
  • Execute content on target scopes (devices, workspaces)
  • Centralized tracking to reduce duplication and errors
  Learn more: Content distribution in multitenant management

Option: Microsoft Sentinel repositories (content as code)
  Best for: Structured DevOps processes and moderate customization needs.
  Technical details: Enables advanced governance and lifecycle management. Quick configuration and reduction in human error.
  Key capabilities:
  • Manage SIEM content using automation
  • Apply CI/CD practices for version control, testing, and deployment
  • Supports hybrid workflows combining native distribution and DevOps
  Learn more: Manage content as code with Microsoft Sentinel repositories (public preview)

Option: Custom CI/CD pipelines
  Best for: Maximum customization and automation across tenants.
  Technical details: Built using Azure DevOps or GitHub Actions. Requires custom scripts and configuration files. Current method for advanced content types.
  Key capabilities:
  • Full flexibility for complex workflows
  • Custom testing and integration
  Learn more: Customize repository deployments (public preview)

Tip

We recommend a hybrid approach, combining native multitenant management content distribution capabilities for immediate deployment needs with CI/CD workflows for custom content development, testing, and advanced automation scenarios.

Common repository architecture patterns for MSSPs

A key consideration with multi-customer CI/CD pipelines is choosing the best structure to serve all clients. While there’s no universal approach, here are three patterns we recommend considering:

Pattern 1: Central repository for generic content, customer-specific repositories for tailored content

  • One central repository for common content deployed to all customers

  • Individual repositories for customer-specific customizations

  • Each customer workspace connects to both repositories

  • Optimal for MSSPs with balanced common and tailored content needs

    Repository architecture showing central and customer-specific content deployment

Pattern 2: Single repository with custom folders

  • All content in one repository

  • Folder structure based on shared data sources - for example, Entra ID Analytics - or customer names

  • Deployment pipelines customized per customer connection

  • Requires more initial setup but simplifies repository management

    Single repository architecture with custom folder deployment workflows

Pattern 3: One repository per customer

  • Complete content separation across customers

  • Full customization flexibility for each customer

  • Best for customers with unique content requirements

  • Higher management overhead but maximum isolation

    Individual repository architecture per customer tenant

To customize your CI/CD pipelines, use configuration files in each repository branch to prioritize deployment of high-priority content, exclude content you don’t want to deploy, and map parameter files to their corresponding content files. For more information, see Customize your connection configuration.

For more information about how to use Azure DevOps in multitenant scenarios, see Use Azure DevOps to manage Microsoft Sentinel for MSSPs and multitenant Environments.

Shared content management considerations

When MSSPs and customers both manage content, conflicts can occur, especially if you're using both content-as-code and the portal for content management. Updates in your content-as-code repositories overwrite any changes made to that content through the portal.

To prevent such conflicts, we recommend:

  • Centralized management only - Restrict permissions so only MSSP users can create and update content.
  • Shared management with clear markers - Prefix MSSP-managed items with a naming convention. This allows local updates but reduces errors.

Step 3 - Multitenant Security Operations

Manage security operations across tenants

The Microsoft Defender portal provides all relevant information so you don't have to switch to another portal or page. Its unified incident queue and the ability to correlate events and alerts can reveal a larger, potentially more comprehensive attack, providing a complete attack story. It also lets you view the detection source and product names, and apply and share filters for these, making incident and alert triaging more efficient.

Manage incidents and alerts

  • Incident triage: Triaging incidents is a core activity in a SOC, starting with the Investigation and response section in the Defender portal. The Microsoft Sentinel incident and alert integration with Defender consolidates all relevant information in one place, eliminating the need to switch between portals or pages. This streamlined workflow might require some analyst retraining and updates to existing SOC processes.

    For more information, see Update incident triage processes for the Defender portal.

  • Alert correlation and incident merging: Defender's correlation engine merges incidents when it recognizes common elements between alerts in separate incidents. When a new alert meets correlation criteria, Defender aggregates and correlates it with other related alerts from all detection sources into a new incident. The unified incident queue reveals a more comprehensive attack, making analysts more efficient and providing a complete attack story.

    In multi-workspace scenarios, only alerts from the primary workspace are correlated with Microsoft Defender data. There are also scenarios where incidents can't be merged.

    For more information, see Understand how alerts are correlated and incidents are merged in the Defender portal.

  • Multitenant organization: You can view and manage incidents, alerts, and cases across customer tenants in a unified queue. Each analyst can set up their multitenant view with the tenants they're managing. For more information, see Microsoft Defender multitenant management.

  • Integration with external ticketing systems: If an external ticketing system fetches and synchronizes with the alerts and incidents you manage, we recommend that you use the Microsoft Graph REST API v1.0 to ensure seamless integration and efficient management of incidents and alerts across different systems.

    If you're using the Microsoft Sentinel SecurityInsights API to interact with Microsoft Sentinel incidents, you might need to update your automation conditions and trigger criteria due to changes in the response body.

    For more information, see Configure APIs.

Advanced hunting

Advanced hunting lets you proactively hunt for intrusion attempts and breach activity in email, data, devices, and accounts across multiple tenants and workspaces at the same time, in a single place. If you have multiple tenants with Microsoft Sentinel workspaces onboarded to the Microsoft Defender portal as a multitenant organization (MTO), you can query Microsoft Sentinel data from all your workspaces, running a single query across multiple workspaces and tenants by using the workspace operator in your query.

For more information, see Advanced hunting in Microsoft Defender multitenant management.
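As an added example (not code from the original page), the following advanced hunting query shows the workspace operator in use across two Microsoft Sentinel workspaces: it unions the Microsoft Entra SigninLogs table from both, tags each row with its source workspace so results stay attributable, and flags accounts with a burst of failed sign-ins followed by a successful sign-in within an hour, a common password-spray-then-success pattern. The workspace names contoso-prod-ws and contoso-eu-ws, the 7-day lookback, and the failure threshold of 20 are placeholder assumptions, not values from the page; replace them with the workspace names or IDs in your scope and a threshold tuned to each customer's baseline.

```kql
// Added example: cross-workspace hunt in the Defender portal.
// Workspace names and thresholds below are assumptions; adjust them.
let lookback = 7d;
let failureThreshold = 20;
// Tag each workspace's sign-in logs so results remain attributable after the union.
let prod = workspace("contoso-prod-ws").SigninLogs
    | extend SourceWorkspace = "contoso-prod-ws";
let eu = workspace("contoso-eu-ws").SigninLogs
    | extend SourceWorkspace = "contoso-eu-ws";
let allSignIns = union prod, eu
    | where TimeGenerated > ago(lookback);
// In SigninLogs, ResultType "0" is a successful sign-in; anything else is a failure.
let failedBursts = allSignIns
    | where ResultType != "0"
    | summarize Failures = count(),
                FirstFail = min(TimeGenerated),
                LastFail = max(TimeGenerated),
                FailureIPs = make_set(IPAddress, 10)
        by UserPrincipalName, SourceWorkspace
    | where Failures >= failureThreshold;
let successes = allSignIns
    | where ResultType == "0"
    | project UserPrincipalName, SourceWorkspace,
              SuccessTime = TimeGenerated, SuccessIP = IPAddress;
// A success within one hour after the last failure in the same workspace is the signal.
failedBursts
| join kind=inner successes on UserPrincipalName, SourceWorkspace
| where SuccessTime between (LastFail .. (LastFail + 1h))
| project UserPrincipalName, SourceWorkspace, Failures, FirstFail, LastFail,
          SuccessTime, SuccessIP, FailureIPs
| order by Failures desc
```

Keeping the SourceWorkspace column is the practical detail: once several customers' data is unioned, an analyst needs to know which tenant to raise the case in and which workspace's analytics rule should be tuned.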

Manage workloads across tenants

This section explores the various actions you can take and methods you can use for managing specific workloads, either through MTO or other available means.

Endpoints

The multitenant view in the Defender portal provides security administrators a consolidated view of all security policies across their entire organization, including all tenants' policies, without needing to switch portals. To access this page, go to Endpoints > Configuration Management > Endpoint Security Policies.

Once the tenants are onboarded to multitenant management in Defender (MTO), endpoints across all onboarded tenants can be managed through the Devices page. For more information, see Devices in multitenant management.

Important

To manage security settings for multiple tenants in the multitenant view in the Defender portal, you must complete all the prerequisites for configuring security settings in a single tenant, for each managed tenant, including the following RBAC requirements:

  • For Microsoft Defender, use the security administrator role (or custom role with security configuration management permissions scoped to all devices)
  • For Microsoft Intune, use the Endpoint security manager role
  • The devices in each Defender tenant must be affiliated with the corresponding Microsoft Entra tenant

For more information, see Use Intune to manage Microsoft Defender settings on devices that aren't enrolled with Intune.

Note

Multitenant management in Defender (MTO) doesn't support Microsoft Defender for Business tenants.

Email and collaboration tools

When managing email and collaboration tools in the unified portal, there are some important distinctions to note around capabilities as they relate to managing customers through B2B and Granular Delegated Admin Privileges (GDAP).

Identities

The multitenant view in the Defender portal lets complex organizations segregate regions and business units into individual tenants without losing access to those tenants' data.

Once the tenants are onboarded to multitenant management in Defender (MTO), identities across all onboarded tenants can be managed through the Identities page. For more information, see Multitenant identities.

Cloud applications

Microsoft Defender for Cloud Apps is a software-as-a-service (SaaS) security solution. Its license, and therefore its compliance boundary, is tied to the tenant where the license is provisioned. Because of this architecture, the Microsoft 365 and Azure connectors ingest activities and trigger alerts only for users within that tenant. You can still connect multiple third-party connectors.

Defender for Cloud Apps is natively integrated with Microsoft Defender and follows the same multitenancy capabilities. While connectors are limited to a specific tenant, the data each tenant ingests into the CloudAppEvents table, and the resulting incidents and alerts, are available through MTO. You can hunt for events across tenants and triage incidents and alerts that originate from Defender for Cloud Apps signals.

For more information, see Microsoft Defender for Cloud Apps overview.

Cloud

Microsoft Defender for Cloud is integrated with Microsoft Defender. This integration lets you access Defender for Cloud alerts and incidents within the Defender portal, and provides you with richer context to investigations that span cloud resources, devices, and identities. It allows security teams to get the complete picture of an attack, including suspicious and malicious events that happen in their cloud environment.

For more information, see What is Microsoft Defender for Cloud?.

Exposure management

Microsoft Security Exposure Management is a security solution that provides a unified view of security posture across company assets and workloads. It enriches asset information with security context that helps you to proactively manage attack surfaces, protect critical assets, and explore and mitigate exposure risk.

For more information, see What is Microsoft Security Exposure Management?.

Data

Microsoft Purview data security solutions provide unified data discovery, classification, and protection across clouds, SaaS, and on-premises data stores. They complement Defender and Microsoft Sentinel by turning data risk into actionable security signals, helping you understand what sensitive data exists, where it lives, and how it is being accessed or shared. For more information, see Microsoft Purview data security solutions.

Key integrations include:

  • Alerts and incidents (Defender and Sentinel): Microsoft Purview Data Loss Prevention, Insider Risk Management, and sensitivity-label-based detections generate alerts that flow into the unified incident queue. This enables correlation with device, identity, cloud application, and network signals, surfacing cross-domain attack stories and reducing context switching for analysts. When Microsoft Purview alerts are part of an incident, the unified portal displays their metadata, and they can be used in automation rules and playbooks through the Microsoft Graph security APIs, just like other Defender and Sentinel alerts.

  • Hunting and investigations (advanced hunting): Microsoft Purview events, such as data loss prevention (DLP) hits, file access anomalies, and label changes, are available in the Defender advanced hunting schema. You can run cross-tenant queries in the MTO portal to hunt for patterns that span data, identity, and endpoint signals, for example, a surge of high-sensitivity file downloads from a single user followed by anomalous sign-in behavior.

  • Context enrichment: Purview's data inventory and classification enrich the Security Exposure Management story by mapping critical data assets to exposure insights and attack paths. This helps prioritize mitigations based on the business impact of exposed data.
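The download-surge-then-anomalous-sign-in pattern described in the hunting bullet above, as an added example that is not part of the original page. It correlates two Defender XDR advanced hunting tables: CloudAppEvents (SharePoint and OneDrive FileDownloaded audit events) for the bulk-download side, and IdentityLogonEvents (successful logons with a Location value) for the identity side, flagging a successful sign-in within 24 hours of the surge from a location the user had not signed in from during the prior 30 days. It uses download volume as the proxy for the "high-sensitivity" downloads the text mentions rather than a sensitivity-label field, and the 50-file threshold, 1-hour bucket, 7-day lookback, and 30-day baseline are illustrative assumptions to tune per customer.

```kql
// Added example: data + identity cross-domain hunt. Thresholds and windows
// below are assumptions, not values from the page.
let lookback = 7d;
let baselineWindow = 30d;
let downloadThreshold = 50;
// Bulk downloads from SharePoint/OneDrive, bucketed per user per hour.
let surges = CloudAppEvents
    | where Timestamp > ago(lookback)
    | where ActionType == "FileDownloaded"
    | where Application in ("Microsoft SharePoint Online", "Microsoft OneDrive for Business")
    | summarize Downloads = dcount(ObjectName),
                SampleFiles = make_set(ObjectName, 5),
                SurgeStart = min(Timestamp),
                SurgeEnd = max(Timestamp)
        by AccountObjectId, AccountDisplayName, bin(Timestamp, 1h)
    | where Downloads >= downloadThreshold;
// Locations each user successfully signed in from before the hunt window.
let baselineLocations = IdentityLogonEvents
    | where Timestamp between (ago(lookback + baselineWindow) .. ago(lookback))
    | where ActionType == "LogonSuccess" and isnotempty(Location)
    | summarize KnownLocations = make_set(Location) by AccountObjectId;
// Successful sign-ins in the hunt window from a location not in the baseline
// (users with no baseline at all are kept, since we cannot vouch for them).
let newLocationLogons = IdentityLogonEvents
    | where Timestamp > ago(lookback)
    | where ActionType == "LogonSuccess" and isnotempty(Location)
    | join kind=leftouter baselineLocations on AccountObjectId
    | where isnull(KnownLocations) or not(set_has_element(KnownLocations, Location))
    | project AccountObjectId, LogonTime = Timestamp, LogonLocation = Location,
              LogonIP = IPAddress, LogonApp = Application;
// Surge followed within 24h by a sign-in from an unfamiliar location.
surges
| join kind=inner newLocationLogons on AccountObjectId
| where LogonTime between (SurgeEnd .. (SurgeEnd + 24h))
| project AccountDisplayName, AccountObjectId, SurgeStart, SurgeEnd, Downloads,
          SampleFiles, LogonTime, LogonLocation, LogonIP, LogonApp
| order by Downloads desc
```

Because both tables are Defender XDR tables rather than Sentinel workspace tables, the same query runs unchanged across every tenant selected in the MTO hunting scope; the per-customer work is the baseline window and the download threshold, which differ widely between a design firm and a call centre.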

Manage cases

The unified security operations portal provides native case management to eliminate reliance on external ticketing systems and maintain security context within the Defender portal. For complete guidance on case features, workflows, linking incidents and IoCs, RBAC requirements, and customization options, see Cases overview. For multitenant case management, see Manage cases in MTO.

Note: Case management supports custom workflows, task assignments, rich collaboration, and evidence linking.

Get started with Microsoft Sentinel data lake

Microsoft Sentinel includes a unified security data lake, designed to help optimize costs, simplify data management, and accelerate the adoption of AI in security operations. This data lake serves as the foundation for the Microsoft Sentinel platform. It has a cloud-native architecture and brings together all security data for greater visibility, deeper security analysis, and contextual awareness. It provides affordable, long-term retention, allowing organizations to maintain robust security without compromising on costs.

The Microsoft Sentinel platform lets you expand your MSSP offerings through professional services, managed services, and agentic solutions:

  • Offer advisory, consulting, and strategic guidance on lake architectures, with high-value opportunities in deployment, configuration, and cost optimization.

  • Provide ongoing management of Microsoft Sentinel data lake platforms and SOC operations, helping your customers lower data ingestion and retention costs while expanding recurring revenue streams through enhanced security protection opportunities.

  • Develop AI agentic solutions for automated threat enrichment and response, building analytics, and evolving SOAR to agent-based workflows.

Get started with agentic AI

You have multiple opportunities to engage with your customers and diversify your MSSP offerings when it comes to agentic AI scenarios within the Microsoft Defender portal. We break down these benefits into Sell, Build, and Use buckets.

Sell

You can engage with your customers to sell consulting services that educate, enable, configure, and implement agentic solutions, such as:

  • Partner-developed consulting services - Traditional consulting services available through the Microsoft Marketplace. Provide training workshops, implementation engagements, and assessments, proof-of-concepts, or proof-of-value deliveries. These services are great opportunities to improve your customer environment's security maturity, increase their staff's skilling and readiness, and showcase product return on investment with real-world use case scenarios.

  • Partner-developed security services - Traditional security service offerings like partner-managed security services, partner-managed XDR solutions, and other partner-developed security services are available in the Microsoft Security Store.

  • Microsoft-developed Security Copilot agents - Microsoft-developed Security Copilot agents that span across Microsoft Defender, Microsoft Sentinel, and other security solutions available within the Defender portal.

  • Partner-developed Security Copilot agents - These agents are available for purchase and deployment through the Microsoft Security Store. You can integrate your own published Security Copilot agents or other partner agents into your customers' Microsoft Defender environment. For more information, see Partner agents.

Build

Develop Security Copilot agents that can be monetized through the Microsoft Security Store. The agents can be a one-time purchase, subscription-based model for recurring agent updates, or provided at no cost. Partner-developed agent types include:

  • Role/Persona-based agents - Designed with skills to perform a specific type of persona or role like an L1 SOC Analyst
  • Scenario-based agents - Designed with skills for a specific type of scenario like phishing, insider threat, or advanced persistent threats (APTs)
  • Product-based agents - Designed with skills to integrate with a specific product or solution, like Microsoft Defender or a third-party security vendor's product

For more information, see Microsoft Security Copilot agent development overview.

Use

Use partner-developed agents within your customer's Microsoft Defender environment as part of your partner-managed SOC offering. This includes acting on behalf of your customer within their tenant as an augmentation of their internal team, or performing SOC activities from your own tenant and applying the multitenancy capabilities of Microsoft Defender through delegated access.

Training and community resources