Each tenant in Microsoft 365 represents an isolated environment — one that contains all the different services, licenses, and subscriptions assigned to your organization. Learning to efficiently manage these tenants is key to having a solid foundation for your digital transformation with Microsoft 365.
But for organizations with a large employee headcount and complex interdepartmental structure, how do you set up your tenants to fit the needs of your scaling organization? In this article, we'll talk about:
Now, Microsoft's official stance on tenant management is simple. Use a single tenant to manage your entire Microsoft 365 infrastructure if your organization has less than 1 million users. Otherwise, use multiple tenants to create separate containers for different units, branches, and departments.
If your organization has been using Microsoft 365 for any length of time, however, you've already discovered that it's easier said than done. Designing the right tenant architecture to suit your organization's scaling needs is a balancing act, and without the right set of tools, you may end up facing administrative mismanagement that bottlenecks your organization further down the line.
In this guide to Microsoft tenants for MVPs, we cover all the basics needed to set you up with the right foundation for tenant administration and management. No matter what your organization size, company structure, or operational requirements — there's something useful here for everyone.
Before you go ahead and start deploying new tenants, it's important to consider all the possibilities and outcomes for your organization so that you can avoid significant restructuring expenses down the line. Once you have that in place, it’s time to make sure that you have each element in place to ensure smooth deployment and ongoing use.
“A common misconception among IT administrators regarding Microsoft 365 tenants is the belief that tenant configurations and management tasks are uniformly straightforward across different organizations,” says Kasia Nowicka, Product Marketing Manager at Coreview. “However, the biggest misconception I see and hear when working with clients is that the default settings and configurations provided by Microsoft at the beginning of tenant creation are best.”
Since the default settings are often designed to cater to the needs of a broad audience, they often fail to meet specific organizational needs or local security requirements. As you begin deploying tenants, it’s important to remember that each tenant setup can present unique challenges, requiring a nuanced approach to security, compliance, object and user management.
Here's an overview of some key steps to help you get started:
First, decide if you need a single or multiple tenants based on your organization's structure, compliance needs, etc. Having a single tenant simplifies many aspects of your organization's use of Microsoft 365. However, multiple tenants let you isolate departments, geographical regions, and legal entities for data isolation, compliance, billing and management purposes.
When creating a tenant, you must assign it to a specific geographic location that corresponds to Microsoft 365 datacenters. This impacts performance, so tenants should be located close to where your users are based for fast access. For example, if you have users in the United States and Europe, you may want a tenant hosted in North America and another in Europe.
Each tenant gets a dedicated instance in Microsoft 365. So, once you've decided on whether you need multiple tenants and locations, create the tenants in Microsoft 365 Admin Center. As part of tenant creation, assign DNS domains to be used with Microsoft 365, required licenses based on your needs, and any additional services beyond the defaults that come with the license level. This establishes a dedicated Microsoft 365 environment for your organization with access restricted to your users.
Optimizing networking performance is crucial for ensuring a good user experience with Microsoft 365 cloud services. Since a tenant is tied to a specific Microsoft 365 datacenter geo, optimizing connectivity between your users and those datacenters is a must. These steps should optimize routing and reduce network hops so users can access SharePoint, Exchange, Teams and other Microsoft 365 workloads with minimal latency:
First, configure DNS records and public IP addresses to route traffic properly to Microsoft 365 endpoints. ExpressRoute or Azure VPN can also be used to establish private, dedicated connectivity for optimal performance instead of sending traffic over the public Internet.
Next, implement local egress of Microsoft 365 traffic directly from branch offices instead of backhauling through data centers. This significantly reduces latency. Traffic should bypass proxies and firewalls when possible for maximum speed.
Finally, fine-tune bandwidth allocation and quality of service policies to prioritize Microsoft 365 application traffic. Monitor network analytics in the Microsoft 365 admin portal to identify bottlenecks.
To enable seamless authentication and single sign-on (SSO) for your users across cloud and on-premises resources, you need to synchronize your existing on-premises Active Directory identities with the Azure portal.
The main Microsoft tool for synchronizing on-premises AD with Azure Active Directory is Azure AD Connect. It is installed on a server on-premises and connects to your AD domains/forests and your Azure AD tenant. Azure AD Connect synchronizes user accounts, groups and other identity-related information from on-premises AD to Azure AD on a scheduled basis.
Once synchronized, users can sign in to Microsoft 365 cloud services like Exchange Online and SharePoint with the same credentials they use to sign in to on-premises corporate resources. Azure Active Directory handles the authentication, eliminating the need for a separate cloud identity. This provides a seamless SSO experience.
Some key things that Azure AD Connect synchronizes are:
With identities synchronized, you can assign licenses and access to cloud services and resources based on attributes and group memberships defined in your on-prem AD. This greatly simplifies cloud identity and access management.
To protect user access to Microsoft 365, you should implement strong authentication and sign-in security policies. Together, MFA, conditional access policies, and SSO can significantly harden sign-in security while delivering simplified access experience.
Require multi-factor authentication (MFA) to compel users to provide an additional form of identification beyond just a password when signing in. This adds a critical layer of protection by ensuring that stolen credentials alone cannot grant access. Enable MFA for all users using options like Microsoft Authenticator app, SMS, phone calls or FIDO security keys.
Next, configure conditional access policies that enforce controls like MFA based on sign-in risk levels, locations, devices etc. For example, require MFA for sign-ins from unknown locations. Use Azure AD Identity Protection to detect risks and automatically trigger mitigations.
Finally, implement seamless single sign-on (SSO) using Azure AD Connect Pass-through Authentication or Password Hash Sync. This lets users conveniently sign in just once with their on-premises Active Directory credentials to access both cloud and on-premises applications.
To fully transition to Microsoft 365 cloud services, you need to migrate any existing on-premises Exchange and SharePoint servers and data. Microsoft provides migration tools and guidance to facilitate this process.
For Exchange, use the Exchange Migration Assistant to migrate on-premises mailboxes to Exchange Online. This tool can migrate mailbox data, calendar items and contacts while co-existing with your current Exchange environment during the transition. Follow Microsoft's recommended best practices such as pre-staging accounts in Office 365.
For SharePoint, use the SharePoint Migration Tool to migrate content from SharePoint Server sites and libraries to SharePoint Online in Microsoft 365. The tool can stage data first before cutting over or migrate directly. Carefully plan site structure mapping, content types, permissions and other elements.
In both cases, validate migrated data, reconfigure any links or references to point to the cloud services, and decommission on-premises servers once the transition is complete. This ensures you fully leverage the cloud-based Exchange Online and SharePoint Online services within Microsoft 365.
Microsoft Endpoint Manager provides a unified platform to manage and secure devices across your organization including Windows PCs, Macs, mobile devices, and virtual desktops.
With Endpoint Manager and Intune, you can configure device compliance policies to enforce password requirements, encryption standards, antimalware settings and more. Devices that do not meet compliance requirements can be blocked from accessing corporate data.
You can also keep devices secure by enabling automatic OS updates through Windows Update for Business. You can prioritize deployment of critical Windows security updates across your fleet. Endpoint Manager even gives you control and visibility into update progress.
In fact, there's a lot more you can do with Endpoint Manager. Gain enhanced visibility into device health status, missing software updates, and detected threats through centralized dashboards and reporting. Then, remediate issues as needed across the enterprise from a single admin console.
Microsoft Endpoint Manager (formerly Microsoft Intune) enables centralized deployment and management of Microsoft 365 Apps as well as third-party apps across an organization's devices.
You can configure and deploy the Microsoft 365 Apps suite containing Outlook, Word, Excel and other Office apps to Windows 10 devices. This leverages the Office Deployment Tool under the hood to stage installations. Ensure you meet Office 365 networking requirements for access to Office content delivery networks.
For Windows apps, specify the app package to upload the .intunewin file and deploy to groups. Configure any required or optional app settings through the Endpoint Manager console.
For non-Windows devices, add apps from the managed Google Play Store or Apple App Store. Configure app protection policies to restrict copy/paste, save as and other functions.
Each Microsoft Entra tenant provides a foundation for an organization's digital transformation with Microsoft 365 — including collaboration, performance, privacy, compliance, and security.
Over the years, Microsoft has introduced several new features and standout functionalities to make the management of tenant organizations seamless and efficient, including multi-tenant architectures, tenant-to-tenant migration, tenant isolation, cross tenant collaboration, tenant consolidation, and multi geo data residency capabilities. Let's take a look at how each of them can prove useful to your organization:
Tenant-to-tenant migration in Microsoft 365 involves the transfer of users, groups, and data from one Microsoft 365 tenant to another. This process is essential in scenarios such as company mergers, acquisitions, or divestitures.
It requires careful planning to ensure the preservation of existing data and settings, as well as minimal downtime and disruption to users. Microsoft provides tools and resources to facilitate this migration — including the ability to migrate Exchange Online mailboxes, SharePoint Online and OneDrive for Business data, as well as Microsoft Teams users and groups — between tenants.
For tenant-to-tenant migration best practices, read “Microsoft 365 tenant-to-tenant migration: a comprehensive for IT leader.”
Tenant segmentation in Microsoft 365 involves separating business units or departments within a single domain. By segmenting your tenant using role-based access control (RBAC), you can manage different departments or business units more efficiently. This allows for better control over access to resources and data, ensuring compliance with organizational policies.
You can also assign specific administrators to manage each segment, reducing the workload for technical staff and improving overall management efficiency. Natively, Microsoft does not offer enough features to enable smooth segmentation for single tenant organizations, which is why many companies use SaaS platforms like CoreView.
There are many reasons for opting for multiple tenants, including administrative isolation, compliance requirements, and the need to accommodate mergers and acquisitions. Each tenant operates as an independent entity, providing isolation and autonomy in management and configuration.
If your organization is spread across different regions, Microsoft 365 Multi-Geo can ensure compliance with data residency requirements and optimize performance by locating data closer to the users. It also allows organizations to move core data to a specific data center geo, which can be beneficial for regulatory compliance and latency reduction.
Learn how Enterprise IT Managers and System Admins can manage multiple tenants in Azure AD (now Entra).
Tenant consolidation in Microsoft 365 involves merging multiple tenants into a single master tenant. This typically happens during M&A situations when companies need to align their IT infrastructure. The consolidation process involves cloning user accounts, OneDrive data, Exchange mailboxes, SharePoint sites, Teams settings, and more from one tenant to another.
However, the biggest technical consideration in a consolidation is that your domain name can only live in a single tenant in an active state at a time. Consolidating multiple tenants into a single master tenant can improve productivity and security while eliminating the recurring costs associated with managing duplicate accounts.
Microsoft 365 isolation controls are security measures that protect core customer data by ensuring confidentiality, privacy, integrity, and availability across tenants. These controls are achieved through tenant containers, logical and physical security measures, as well as access control mechanisms.
Microsoft 365 customers each get their own isolated tenant which contains their users, data, settings, etc. This keeps everything separate from other tenants. Customer data is stored on shared infrastructure like servers and databases, but logical controls like identity and access management secure each tenant's data separately. Meanwhile, strict physical security protects data centers using perimeter fencing, security officers, and video surveillance. Servers, racks, and infrastructure are all physically locked and protected.
Read best practices for MSPs managing multiple tenants.
There's no shortage of expert advice on Microsoft 365 out there — a lot of it from unfounded sources who lack any practical experience in the platform. So, let's take a moment to understand why we're qualified to talk about this.
At CoreView, we are a Microsoft AI Cloud Partner responsible for overseeing more than 25 million managed licenses across 30K+ active admin users. Our configuration management, delegated administration, and workflow automation solutions are used by leading organizations, resellers, integrators, and managed service providers like Asmodee, CUNY, D’leteren, Fugro, and many more. We have been featured in Forbes Technology Council, Crunchbase, and Growth Think Tank as experts in Microsoft 365 management and automation.
Based on our decade-long experience helping companies streamline their Microsoft 365 operations, here are a few expert tips to help you make the most of your organization's cloud productivity infrastructure with M365:
For more tenant best practices, read Tenant Management Best Practices for Enterprise IT.
Explore essential resources for managing your Microsoft 365 environment with our in-depth guides.
Complex organizations often need multiple Microsoft tenants to keep business processes and operations operating independently.
For MSPs looking to secure and manage client Microsoft tenants, check out these resources.
Microsoft MVPs need advanced delegation and automation capabilities that match real-world business structures, enhance oversight, enforce security best practices. That means having the ability to isolate tenants based on business structure, delegate admin roles to the right employees using granular permissions, and have complete visibility into each action from your admins.
However, Microsoft 365 relies heavily on multi-tenant setups for complex organizational needs, while its default tenant administration roles are predefined and cannot be customized. This can often grant technicians broader permissions than necessary. Microsoft also does not allow delegating access to specific tasks or attributes.
To make matters worse, there's little transparency into what tasks delegated admins are performing and what changes they are making. Microsoft's audit logs are difficult to parse through without the right external toolsets, making accountability a challenge.
Ivan Fioravanti, CTO and Cofounder of CoreView with over 25 years of experience with Microsoft 365, explains it best with lessons learned from his recent experience: “After CoreView acquired Simeon Cloud, several issues arose for users across Mail, Teams, SharePoint, and OneDrive. This stemmed from managing two separate Microsoft 365 tenants: one for CoreView and one for Simeon Cloud.”
“While we could’ve used native Microsoft workarounds, the final results would be lackluster. That’s because these multi-tenant setups can introduce management complexity and potential security issues. All in all, it’s much easier for whole organizations to operate with a single integrated tenant experience.”
Ivan and the CoreView team decided to pursue a tenant migration project at the end of 2023, using virtual tenants in lieu of having multiple tenants. After migrating Simeon Cloud’s tenant to CoreView’s, the team can easily enforce security protocols, optimize license usage, and streamline things like user provisioning across the entire tenant.
This is precisely where third-party tools come in. SaaS platforms like CoreView and Simeon Cloud enable you to build on top of existing Microsoft 365 tools with more flexibility and customizability in how you manage your tenants and perform administrative tasks. This can help you enforce better security standards across your organization while still empowering each employee with the right level of access to get the job done.
Microsoft 365 admins are tasked with managing complex cloud environments across large and distributed organizations. “You need an easy way to manage bulk actions and workflows,” says nine-time Microsoft MVP Vasil Michev.
“Of course, you can either hire a team of experienced Graph and PowerShell users or develop your current team’s expertise in Graph and PowerShell. However, my recommendation is to use a third-party solution that automates things like user onboarding and offboarding and auto-remediates misconfigurations.”
Simeon Cloud is a no-code platform that allows IT administrators to easily capture, backup, and replicate tenant configurations across clients. The tool connects directly to an organization's Microsoft 365 environment via API to extract key settings and policies across services like Azure AD, Intune, Exchange, Teams, etc.
These configurations are stored in the cloud in a centralized code-based structure that serves as the "source of truth" for that tenant. Any changes can then be quickly rolled out to other tenants with just a few clicks. You also get access to a detailed audit trail and the ability to roll back changes whenever you want.
David Nevins, Simeon’s Head of Customer Success, explains how the team helped the enterprise IT team at GCM Grosvenor implement better security and management standards for Microsoft Intune: “A leading global alternative asset manager, GCM Grosvenor was starting to use Intune for device and application management. They had their ideal Intune environment configured in their development tenant.”
David continues: “However, the bank wanted a systematic way of replicating their Intune development environment to production. That would help them stage the release, ensure no manual errors occur when recreating the configurations, and apply a software development lifecycle-like process to making configuration changes to their tenant.”
“With Simeon, they were successful in deploying Intune and now have a standardized change management process for making configuration and settings changes to their M365 tenants,” adds David. “CTO Eric Levin was pleased with the output, saying that they were able to enable key governance programs for Microsoft 365.”
More than 5,000 MSPs and IT administrators use Simeon Cloud — now acquired by CoreView — to automate their tenant management workflows in Microsoft 365. Want to learn how they do it? Request a demo today!
Here are the answers to some common questions we get from our clients regarding Microsoft 365 tenant management and administration:
A Microsoft 365 tenant organization is a dedicated instance of M365 services like Office 365, Azure, Intune, Exchange Online, SharePoint Online, Microsoft Teams, etc. that runs in its own isolated environment. It hosts an organization's configurations, data, and user accounts away from other organizations. A tenant gets created when an organization purchases new Microsoft 365 subscriptions and licenses.
Each tenant in Microsoft 365 contains its own separate Microsoft Entra, which allows for the secure management of user accounts, groups, applications, configurations, and more.
To get a Microsoft 365 tenant, you need to purchase a subscription that includes tenant provisioning. The common options are:
Once you purchase a qualifying subscription, a Microsoft 365 tenant is automatically created for you. This tenant is a dedicated instance that houses your organization's data, users, groups, permissions, etc.
First, prepare the tenant for deletion by removing all resources associated with it. This includes applications, users, groups, policies, subscriptions, etc.
Once all resources are cleaned up, sign in to the Microsoft Entra admin center as a Global Administrator and navigate to the Azure Active Directory section. On the Overview page, click on "Manage tenants" and select the tenant you want to delete. Then click on the "Delete" button at the top.
From there, just follow the on-screen prompts to complete the tenant deletion process. The tenant along with all associated data will be permanently deleted.