Entra.Chat

The New Control Plane for Microsoft Entra Tenant Governance



Microsoft had 7 million internal tenants and almost lost control of its environment; your org might be facing the same problem at a smaller scale. In this episode, we sit down with Jeff Staiman, PM Area Lead for Tenant Governance at Microsoft, to break down the feature set born from the Midnight Blizzard attack. We cover discovery, drift detection, governance relationships, secure tenant creation, licensing, and exactly where admins should start.

What Can Your AI Applications Access?

Organizations are investing heavily in AI-powered applications and agents, but many are discovering they lack the operational visibility and governance discipline needed to scale AI confidently and securely.

With continuous visibility into Entra ID applications, permissions, OAuth access, secrets, certificates, and application ownership, ENow App Governance Accelerator can:

* Reduce uncertainty around what SaaS apps can access

* Accelerate application reviews and approval processes

* Strengthen operational trust across security and leadership teams

* Prevent unmanaged application growth from becoming operational risk

* Enable lean IT teams to support AI expansion at scale

* Demonstrate governance maturity required for enterprise AI adoption

While most admins focus on securing their primary production environment, many organizations are sitting on hundreds of “test” or “shadow” tenants that were created by users with nothing more than an Azure subscription. These unmanaged environments often lack the security baselines applied to production and can become entry points for sophisticated attackers.

The Wake-Up Call: Midnight Blizzard

The urgency for these new features was fueled by the Midnight Blizzard intrusion Microsoft disclosed in January 2024. In that instance, attackers password-sprayed their way into an account in a legacy, non-production test tenant, then abused a legacy OAuth application that still held elevated permissions in Microsoft’s corporate environment to move laterally into it. This highlighted a critical gap: securing one tenant isn’t enough if you don’t even know how many other tenants are connected to your organization, or what standing access they retain.

Three Things You’ll Learn in This Episode:

* Automatic Discovery of the “Unknown”: Jeff explains how the Related Tenants feature uses signals like B2B sign-in logs, multi-tenant app consents, and billing relationships to automatically surface tenants connected to your corporate identity, including ones nobody knew existed.

* Configuration Drift Monitoring: You can now define a “Golden Configuration” for your tenants. The service monitors over 200 resource types across Entra, Intune, Teams, and Exchange every six hours, alerting you the moment a security setting is weakened.

* The “Three-Step” Handshake: To prevent accidental or malicious takeovers, Microsoft has implemented a rigorous trust process. If two tenants don’t share a billing relationship, the governed tenant must explicitly invite the governing tenant before any control can be established.
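The discovery signals in the first item above can be approximated from data most tenants already export. The script below is an added example, not the Related Tenants feature’s own code: it walks constructed sign-in records shaped like the Graph signIn and servicePrincipalSignIn objects (the homeTenantId, resourceTenantId and appOwnerTenantId fields are assumed to carry what their names say) and builds the list of foreign tenants that appear on either side of a sign-in. All tenant ids, app ids and records are constructed.

```python
"""Related-tenant discovery from exported sign-in records.

Added example, not the Related Tenants feature's own code. It reproduces two
of the signals the episode names (B2B sign-ins and multi-tenant app sign-ins)
over records shaped like the Graph signIn / servicePrincipalSignIn objects.
All tenant ids, app ids and records below are constructed.
"""
from collections import defaultdict

OUR_TENANT = "a1a1a1a1-0000-4000-8000-000000000001"  # constructed: our tenant
T_CONTOSO = "b2b2b2b2-0000-4000-8000-000000000002"   # constructed: a partner
T_SHADOW = "c3c3c3c3-0000-4000-8000-000000000003"    # constructed: untracked test tenant

USER_SIGNINS = [
    # Inbound B2B: a guest whose home tenant is T_CONTOSO signs into us (twice).
    {"userPrincipalName": "bob_contoso.com#EXT#@ourtenant.onmicrosoft.com",
     "homeTenantId": T_CONTOSO, "resourceTenantId": OUR_TENANT},
    {"userPrincipalName": "bob_contoso.com#EXT#@ourtenant.onmicrosoft.com",
     "homeTenantId": T_CONTOSO, "resourceTenantId": OUR_TENANT},
    # Outbound B2B: one of our users signs into a tenant nobody is tracking.
    {"userPrincipalName": "alice@ourtenant.onmicrosoft.com",
     "homeTenantId": OUR_TENANT, "resourceTenantId": T_SHADOW},
    # Plain in-tenant sign-in: carries no relationship signal.
    {"userPrincipalName": "alice@ourtenant.onmicrosoft.com",
     "homeTenantId": OUR_TENANT, "resourceTenantId": OUR_TENANT},
    # Record with a missing field: skipped rather than misattributed.
    {"userPrincipalName": "carol@ourtenant.onmicrosoft.com",
     "homeTenantId": None, "resourceTenantId": OUR_TENANT},
]

SP_SIGNINS = [
    # A multi-tenant app registered in T_SHADOW has a service principal here.
    {"appId": "d4d4d4d4-0000-4000-8000-000000000004",
     "appOwnerTenantId": T_SHADOW, "resourceTenantId": OUR_TENANT},
]


def discover_related_tenants(our_tenant, user_signins, sp_signins):
    """Return {tenant_id: {"signals": set, "events": int}} for every foreign
    tenant that appears on either side of a sign-in involving our tenant."""
    related = defaultdict(lambda: {"signals": set(), "events": 0})

    def note(tenant, signal):
        related[tenant]["signals"].add(signal)
        related[tenant]["events"] += 1

    for rec in user_signins:
        home, res = rec.get("homeTenantId"), rec.get("resourceTenantId")
        if not home or not res or home == res:
            continue  # incomplete record, or an ordinary same-tenant sign-in
        if res == our_tenant:
            note(home, "b2b-inbound")     # a guest from `home` used our tenant
        elif home == our_tenant:
            note(res, "b2b-outbound")     # our user used tenant `res`

    for rec in sp_signins:
        owner, res = rec.get("appOwnerTenantId"), rec.get("resourceTenantId")
        if owner and res == our_tenant and owner != our_tenant:
            note(owner, "multi-tenant-app")  # app code controlled by `owner`

    return dict(related)


def tenants_needing_review(related):
    """Tenants we never invited a guest from, seen only through our users
    signing into them or their apps running here: the likeliest unknowns."""
    return sorted(t for t, info in related.items()
                  if "b2b-inbound" not in info["signals"])


if __name__ == "__main__":
    found = discover_related_tenants(OUR_TENANT, USER_SIGNINS, SP_SIGNINS)
    for tenant, info in found.items():
        print(tenant, sorted(info["signals"]), info["events"])
    print("review first:", tenants_needing_review(found))
```

Run it against a real export by replacing the two constructed lists with the records from the sign-in and service principal sign-in logs; the partner tenant shows up only as an inbound guest source, while the untracked tenant is caught both by an outbound sign-in and by its app running in our directory, which is exactly the kind of tenant the billing and network signals in the episode are meant to catch when sign-in logs alone miss it.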
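The drift-monitoring item above hinges on one decision: a change is only an alert if it weakens a control, which means every watched setting needs an ordering of its values. The script below is an added example of that logic, not the Tenant Governance service’s own code, schema or resource list. Setting names follow the Graph authorizationPolicy and conditionalAccessPolicy resources; the nested snapshot layout (policies keyed by display name) and the two snapshots themselves are constructed.

```python
"""Directional configuration-drift detection against a golden baseline.

Added example, not the Tenant Governance service's own code or schema. A
change is reported as 'weakened' only when the watched setting moved toward
its more permissive value; other changes are surfaced for a human to judge.
Setting names follow the Graph authorizationPolicy / conditionalAccessPolicy
resources; the snapshot layout and both snapshots below are constructed.
"""

# Ordinal settings, values listed from weakest (most permissive) to strongest.
# Keys are "<top-level section>.<leaf name>" of the flattened snapshot.
ORDINAL_RULES = {
    "authorizationPolicy.allowInvitesFrom": [
        "everyone", "adminsGuestInvitersAndAllMembers",
        "adminsAndGuestInviters", "none"],
    "conditionalAccessPolicies.state": [
        "disabled", "enabledForReportingButNotEnforced", "enabled"],
}
# Boolean settings where True is the weaker value.
TRUE_IS_WEAKER = {
    "authorizationPolicy.allowedToCreateTenants",
    "authorizationPolicy.allowedToCreateApps",
    "authorizationPolicy.allowEmailVerifiedUsersToJoinOrganization",
}

GOLDEN = {  # constructed "golden configuration"
    "authorizationPolicy": {
        "allowInvitesFrom": "adminsAndGuestInviters",
        "allowEmailVerifiedUsersToJoinOrganization": False,
        "defaultUserRolePermissions": {
            "allowedToCreateApps": False,
            "allowedToCreateTenants": False,
        },
    },
    "conditionalAccessPolicies": {
        "Require MFA for admins": {"state": "enabled"},
        "Block legacy auth": {"state": "enabled"},
    },
}

SNAPSHOT = {  # constructed snapshot taken six hours later
    "authorizationPolicy": {
        "allowInvitesFrom": "everyone",                      # weakened
        "allowEmailVerifiedUsersToJoinOrganization": False,
        "defaultUserRolePermissions": {
            "allowedToCreateApps": False,
            "allowedToCreateTenants": True,                   # weakened
        },
    },
    "conditionalAccessPolicies": {
        "Require MFA for admins": {"state": "enabledForReportingButNotEnforced"},
        # "Block legacy auth" was deleted outright
        "Require compliant device": {"state": "enabled"},     # added, harmless
    },
}


def flatten(obj, prefix=""):
    """Turn nested dicts into {"a.b.c": leaf}. Policy names must not contain dots."""
    if not isinstance(obj, dict):
        return {prefix.rstrip("."): obj}
    out = {}
    for key, value in obj.items():
        out.update(flatten(value, f"{prefix}{key}."))
    return out


def rule_key(path):
    """Map 'section.<anything>.leaf' to 'section.leaf' for rule lookup."""
    parts = path.split(".")
    return f"{parts[0]}.{parts[-1]}"


def classify(path, old, new):
    """'weakened' / 'strengthened' when an ordering is known, else 'changed'."""
    key = rule_key(path)
    order = ORDINAL_RULES.get(key)
    if order and old in order and new in order:
        return "weakened" if order.index(new) < order.index(old) else "strengthened"
    if key in TRUE_IS_WEAKER and isinstance(old, bool) and isinstance(new, bool):
        return "weakened" if new and not old else "strengthened"
    return "changed"


def detect_drift(baseline, current):
    """List (path, kind, old, new) for every difference between the snapshots."""
    base, cur = flatten(baseline), flatten(current)
    findings = []
    for path in sorted(set(base) | set(cur)):
        if path not in cur:
            findings.append((path, "removed", base[path], None))
        elif path not in base:
            findings.append((path, "added", None, cur[path]))
        elif base[path] != cur[path]:
            findings.append((path, classify(path, base[path], cur[path]),
                             base[path], cur[path]))
    return findings


def alerts(findings):
    """Only weakening changes should page anyone. A removed setting counts as
    weakening: the control it represented no longer exists."""
    return [f for f in findings if f[1] in ("weakened", "removed")]


if __name__ == "__main__":
    for path, kind, old, new in alerts(detect_drift(GOLDEN, SNAPSHOT)):
        print(f"{kind:<9} {path}: {old!r} -> {new!r}")
```

The point of the ordering tables is the false-negative case: a naive “baseline != current” comparison fires on the added policy and stays silent on nothing, while a comparison that only flags weakening gives four actionable alerts here (guest invitations opened to everyone, users allowed to create tenants, MFA policy dropped to report-only, legacy-auth block deleted) and one informational change.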

A New Approach to Licensing

Something many admins will find surprising is the licensing model. Unlike many Entra features that require a license for every user, Tenant Governance is licensed based on the number of admins interacting with the features. This makes it far more accessible for organizations trying to secure a massive multi-tenant estate without a massive budget.

Why you should listen: Jeff dives deep into how Microsoft managed its own 7 million internal tenants and shares the roadmap for future discovery signals, including using Global Secure Access network telemetry to find tenants being accessed from corporate devices.

Whether you are managing a merger or just trying to clean up years of “test” environments, this episode provides the blueprint for moving from manual, one-tenant-at-a-time management to a deterministic, automated security posture.

Subscribe with your favorite podcast player or watch on YouTube 👇

About Jeff Staiman

Jeff Staiman is the PM Area Lead for Tenant Governance within the Identity and Access Management (IAM) team at Microsoft. A true company veteran of 31 years, Jeff originally joined Microsoft managing engineering compensation and famously architected Microsoft's core engineering leveling framework (Levels 59–61) directly from requirements delivered by Steve Ballmer. Today, he leads engineering and product efforts to secure multi-tenant cloud ecosystems at massive scale.

LinkedIn - https://www.linkedin.com/in/jeffstaiman/

🔗 Related Links

* Microsoft Entra Tenant Governance - https://learn.microsoft.com/en-us/entra/id-governance/tenant-governance/overview

📗 Chapters

00:00 Intro

00:18 Introducing Jeff Staiman

00:41 Jeff’s 31-Year Journey at Microsoft

01:25 The Midnight Blizzard Hack That Started It All

05:07 Tenant Governance: What It Is and Why It Exists

07:12 Where Should Admins Start?

09:57 Configuration Snapshots and Baselines

13:02 The M365 DSC Connection

15:18 What Resources Should You Monitor?

17:07 How Drift Detection Works

19:49 Multi-Tenant Monitoring Strategy

20:02 Related Tenants: Discovering Your Unknown Exposure

20:39 Licensing: Basic vs Premium Explained

22:48 Quotas and Resource Limits

24:27 Governance Relationships and Cross-Tenant Role Assignments

28:26 Two-Step vs Three-Step Governance Flow

31:15 Discovery Signals and Blind Spots

35:17 Tenant Restrictions: A Related Feature Worth Knowing

36:40 Secure Tenant Creation

38:10 Governance Policy Templates

40:01 Licensing Across Multiple Tenants

43:43 Final Recommendations: Where to Start Today

47:54 Wrap Up

Podcast Apps

🎙️ Entra.Chat - https://entra.chat

🎧 Apple Podcast → https://entra.chat/apple

📺 YouTube → https://entra.chat/youtube

📺 Spotify → https://entra.chat/spotify

🎧 Overcast → https://entra.chat/overcast

🎧 Pocketcast → https://entra.chat/pocketcast

🎧 Others → https://entra.chat/rss

Merill’s socials

📺 YouTube → youtube.com/@merillx

👔 LinkedIn → linkedin.com/in/merill

🐤 Twitter → twitter.com/merill

🕺 TikTok → tiktok.com/@merillf

🦋 Bluesky → bsky.app/profile/merill.net

🐘 Mastodon → infosec.exchange/@merill

🧵 Threads → threads.net/@merillf

🤖 GitHub → github.com/merill



Get full access to Entra.News - Your weekly dose of Microsoft Entra at entra.news/subscribe

Entra.Chat by Merill Fernando
