Content distribution in multitenant management

Important

Some information in this article relates to a prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, with respect to the information provided here.

Content distribution helps you manage content at scale, across tenants in multitenant management in Microsoft Defender XDR. In content distribution, you can create tenant groups to copy existing content, like custom detection rules, from the source tenant to the target tenants you assign during tenant group creation. The content then runs on the target tenant's devices or device groups that you set in the tenant group scope.

Distributing content in this manner, across tenants, enables you to organize tenants and content based on categories like business groups or location.

Note

Multitenant management currently supports adding custom detection rules to a tenant group. Additional content types will be added in the future.

Requirements

The following table lists the requirements for content distribution in multitenant management in Microsoft Defender XDR.

| Requirement | Description |
| --- | --- |
| Microsoft Defender XDR license | To use content distribution, your organization must have a subscription to Microsoft 365 E5 or Office E5. |
| Permissions | Users must be assigned the correct roles and permissions at the individual tenant level to view and manage the associated data in multitenant management. Access to content distribution is granted through the Security settings (manage) or Security Data Basic (read) permission in Microsoft 365 Defender Unified role-based access control (URBAC). Both of these roles are assigned to the Security Administrator and Security Reader Microsoft Entra built-in roles by default. |
| Delegate access | Delegated access via Azure B2B or GDAP (CSP Partners only) must be obtained for at least one other tenant. |

Create tenant groups

To create a new tenant group:

  1. Go to the Tenant groups page in multitenant management in Microsoft Defender XDR.

  2. Select Create tenant group. In the Tenants page, select Add tenant to see a list of available tenants that you can add to your tenant group. Choose the tenants you want to add to the tenant group, then select Add.

    Screenshot of the tenant group creation wizard.

  3. In the Content selection page, select the content to be distributed across all tenants in your tenant group, then select Next.

    Screenshot of content selection wizard.

Note

The content type selection is currently limited to adding custom detection rules to a tenant group. Adding other content types will be available in the future.

  4. In the Custom detection rules page, select Add content to add specific detection rules to your tenant group.

    Screenshot of custom detection rules addition wizard.

  5. In the Select detection rules page, filter the source tenant of the content, then select Apply. Choose the content you want to add to your tenant group from the list.

    Screenshot of the detection rules selection pane.

  6. In the Device groups page, select the devices or specific device groups that need to be in your tenant's scope.

    Screenshot of the device selection pane.

  7. Add a tenant group name and description about your tenant group in the Details page.

  8. Review the details of the tenant group you created in the Summary page. Leave the Sync all authorized tenants option checked if content needs to be synchronized now or uncheck it if the sync is planned for a later time.

    Screenshot of summary of tenant groups with the checkbox highlighted.

  9. Select Submit to finish your tenant group creation.

Tip

If you choose Sync all authorized tenants, all the tenants, and the scope within those tenants, that you have permission for sync automatically.

Your newly created tenant group appears in the Tenant groups page after creation. Select the tenant group from the list to add or remove content; add, edit, or remove tenants; or sync the tenant group.

Screenshot of a tenant group page and the actions available within the page.

Check the sync results under the Last sync result column. If the result is partially successful or failed, select the result to investigate the cause. When selecting the result, a side pane containing the errors, recommendations, and impacted assets appears. Here’s an example.

Screenshot of sync results side pane.

Syncing content among tenant groups

To sync content across tenant groups for the tenants you have permission for:

  1. Go to the Tenant groups page.

  2. Select the checkbox next to the tenant group you want to sync, then select Sync tenant group.

  3. Select Sync on the prompt that appears.

  4. Once the sync is completed, you see one of the following statuses:

    • Success
    • Partially successful
    • Failure

  5. If you experience a partial success or failure, select the value in the Last sync result column to investigate the cause.

Sync results show the number of synced tenants and content. Synced tenants indicate how many tenants had custom detection rules applied successfully. For example, if all rules are applied in 3 out of 3 tenants, the count is 3; if only 2 tenants succeed, the count is 2. Synced content represents the total custom detection rules synced across all target tenants.

Edit tenant groups

  1. Go to the Tenant groups page.
  2. Select the checkbox next to the tenant group you want to edit, then select Edit tenant group.
  3. Edit the tenant group name and description, then select Save.

Remove tenant groups

  1. Go to the Tenant groups page.
  2. Select the checkbox next to the tenant group you want to remove, then select Remove tenant group.

Troubleshooting

Common reasons for a sync to fail include:

  • User doesn't have permission to create custom detection rules on the target tenant.
  • User doesn't have permission to read custom detection rules from content source.
  • User doesn't have permission for the target device scope.

If the issue is with the target tenant, try creating an identical custom detection rule for further diagnosis. If the issue is with accessing the source data, try accessing the custom detection rule.
