Overview of multi-tenant management in Microsoft Defender XDR

Applies to:


Some information in this article relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.


To learn how to turn on preview features, see Microsoft Defender XDR preview features.

Managing multi-tenant environments can add an additional layer of complexity when it comes to keeping up with the ever-evolving security threats facing your enterprise. Navigating across multiple tenants can be time consuming and reduce the overall efficiency of security operation center (SOC) teams.

Multi-tenant management in Microsoft Defender XDR was designed to provide security operation teams with a single, unified view of all the tenants they manage. This view enables teams to quickly investigate incidents and perform advanced hunting across data from multiple tenants, improving their security operations.


To learn more about multi-tenant organizations, see Multi-tenant organizations documentation.

Some of the key benefits you get with multi-tenant management in Microsoft Defender XDR include:

  • A centralized place to manage incidents across tenants: A unified view provides SOC analysts with all the information they need for incident investigation across multiple tenants, eliminating the need to sign in and out of each one.

  • Streamlined threat hunting: Multi-tenancy support enables SOC teams use Microsoft Defender XDR advanced hunting capabilities to create KQL queries that will proactively hunt for threats across multiple tenants.

  • Multi-customer management for partners: Managed Security Service Provider (MSSP) partners can now gain visibility into security incidents, alerts, and threat hunting across multiple customers through a single pane of glass.

What's included in multi-tenant management in Microsoft Defender XDR

The following key capabilities are available for each tenant you have access to in multi-tenant management in Microsoft Defender XDR:

Capability Description
Incidents & alerts > Incidents Manage incidents originating from multiple tenants.
Incidents & alerts > Alerts Manage alerts originating from multiple tenants.
Hunting > Advanced hunting Proactively hunt for intrusion attempts and breach activity across multiple tenants at the same time.
Hunting > Custom detection rules View and manage custom detection rules across multiple tenants.
Assets > Devices > Tenants For all tenants and at a tenant-specific level, explore the device counts across different values such as device type, device value, onboarding status, and risk status.
Endpoints >Vulnerability Management > Dashboard The Microsoft Defender Vulnerability Management dashboard provides both security administrators and security operations teams with aggregated vulnerability management information across multiple tenants.
Endpoints > Vulnerability management > Tenants For all tenants and at a tenant-specific level, explore vulnerability management information across different values such as exposed devices, security recommendations, weaknesses, and critical CVEs.
Configuration > Settings Lists the tenants you have access to. Use this page to view and manage your tenants.

Next steps