Microsoft had 7 million internal tenants and almost lost control of its environment, and your org might be facing the same problem at a smaller scale. In this episode, we sit down with Jeff Staiman, PM Area Lead for Tenant Governance at Microsoft, to break down the feature born from the Midnight Blizzard attack. We cover discovery, drift detection, governance relationships, secure tenant creation, licensing, and exactly where admins should start.
What Can Your AI Applications Access?
Organizations are investing heavily in AI-powered applications and agents, but many are discovering they lack the operational visibility and governance discipline needed to scale AI confidently and securely.
With continuous visibility into Entra ID applications, permissions, OAuth access, secrets, certificates, and application ownership, ENow App Governance Accelerator can:
Reduce uncertainty around what SaaS apps can access
Accelerate application reviews and approval processes
Strengthen operational trust across security and leadership teams
Prevent unmanaged application growth from becoming operational risk
Enable lean IT teams to support AI expansion at scale
Demonstrate governance maturity required for enterprise AI adoption
While most admins focus on securing their primary production environment, many organizations are sitting on hundreds of “test” or “shadow” tenants that were created by users with nothing more than an Azure subscription. These unmanaged environments often lack the security baselines applied to production and can become entry points for sophisticated attackers.
The Wake-Up Call: Midnight Blizzard
The urgency for these new features was fueled by the Midnight Blizzard attack disclosed in January 2024. In that instance, attackers compromised a legacy, non-production test tenant and abused a legacy test OAuth application that still held elevated access to Microsoft’s corporate environment to move laterally. This highlighted a critical gap: securing one tenant isn’t enough if you don’t even know how many other tenants are connected to your organization.
Three Things You’ll Learn in This Episode:
Automatic Discovery of the “Unknown”: Jeff explains how the Related Tenants feature uses signals like B2B sign-in logs, multi-tenant app consents, and billing relationships to automatically find every tenant connected to your corporate identity.
Configuration Drift Monitoring: You can now define a “Golden Configuration” for your tenants. The service monitors over 200 resource types across Entra, Intune, Teams, and Exchange every six hours, alerting you the moment a security setting is weakened.
The “Three-Step” Handshake: To prevent accidental or malicious takeovers, Microsoft has implemented a rigorous trust process. If two tenants don’t share a billing relationship, the governed tenant must explicitly invite the governing tenant before any control can be established.
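As an added example (not Microsoft’s code, and not how the Tenant Governance service is implemented), the following Python sketches the two mechanisms described above: building a related-tenants picture from the signal kinds the episode names (B2B sign-ins in both directions, multi-tenant app consents, billing links), and comparing a current settings snapshot against a golden baseline in a way that distinguishes a setting that was merely changed from one that was weakened. All tenant IDs, app names, setting names, records and the baseline are constructed for illustration; the sign-in records only borrow the field names of the Entra sign-in log (homeTenantId, resourceTenantId, crossTenantAccessType) and the service principal field appOwnerOrganizationId.

```python
"""Added example, not Microsoft's code: related-tenant discovery and golden-
configuration drift detection over constructed sample data."""
from collections import defaultdict

HOME_TENANT = "11111111-1111-1111-1111-111111111111"          # assumption: our corporate tenant
PUBLISHER_TENANTS = {"ffffffff-ffff-ffff-ffff-ffffffffffff"}  # assumption: app publishers we choose to ignore

# Constructed records shaped like Entra sign-in log entries. Not real data.
SIGN_INS = [
    {"user": "alice@corp.example", "homeTenantId": HOME_TENANT,
     "resourceTenantId": HOME_TENANT, "crossTenantAccessType": "none"},
    {"user": "alice@corp.example", "homeTenantId": HOME_TENANT,   # our user signing in to a test tenant
     "resourceTenantId": "22222222-2222-2222-2222-222222222222",
     "crossTenantAccessType": "b2bCollaboration"},
    {"user": "bob_partner.example#EXT#@corp.example",            # guest coming in from another tenant
     "homeTenantId": "33333333-3333-3333-3333-333333333333",
     "resourceTenantId": HOME_TENANT, "crossTenantAccessType": "b2bCollaboration"},
]
# Constructed service principals (consented apps) with their owning tenant.
SERVICE_PRINCIPALS = [
    {"displayName": "Legacy Test App", "appOwnerOrganizationId": "22222222-2222-2222-2222-222222222222"},
    {"displayName": "SaaS Tool", "appOwnerOrganizationId": "ffffffff-ffff-ffff-ffff-ffffffffffff"},
    {"displayName": "Internal LOB App", "appOwnerOrganizationId": HOME_TENANT},
]
BILLING_LINKS = ["44444444-4444-4444-4444-444444444444"]   # tenants on the same billing account


def discover_related_tenants(home=HOME_TENANT, sign_ins=SIGN_INS,
                             service_principals=SERVICE_PRINCIPALS,
                             billing_links=BILLING_LINKS, ignore=PUBLISHER_TENANTS):
    """Return {tenant_id: sorted signal names} for every tenant other than
    `home` that at least one signal connects to `home`."""
    related = defaultdict(set)
    for s in sign_ins:
        src, dst = s["homeTenantId"], s["resourceTenantId"]
        if src == home and dst != home:
            related[dst].add("outbound-b2b-signin")   # our identities used elsewhere
        elif dst == home and src != home:
            related[src].add("inbound-b2b-signin")    # other tenants' identities used here
    for sp in service_principals:
        owner = sp.get("appOwnerOrganizationId")
        if owner and owner != home and owner not in ignore:
            related[owner].add("multi-tenant-app-consent")
    for t in billing_links:
        if t != home:
            related[t].add("billing")
    return {t: sorted(sig) for t, sig in related.items()}


# Golden configuration (constructed): setting -> (baseline value, rule name).
# The rule says how to judge a change, because "different" is not always "weaker".
GOLDEN = {
    "conditionalAccess.requireMfaForAdmins": (True, "true_is_secure"),
    "authenticationMethods.legacyAuthBlocked": (True, "true_is_secure"),
    "externalCollaboration.guestInviteRestriction": ("adminsAndGuestInviters", "exact"),
    "externalCollaboration.allowedDomains": (["corp.example"], "allowlist"),
}


def _true_is_secure(base, cur):
    if base == cur:
        return "unchanged"
    return "weakened" if base and not cur else "strengthened"


def _allowlist(base, cur):
    b, c = set(base), set(cur)
    if c - b:
        return "weakened"        # something newly permitted
    if b - c:
        return "strengthened"
    return "unchanged"


def _exact(base, cur):
    return "unchanged" if base == cur else "changed"   # direction unknown; needs review


RULES = {"true_is_secure": _true_is_secure, "allowlist": _allowlist, "exact": _exact}


def detect_drift(current, golden=GOLDEN):
    """Compare a current snapshot against the golden baseline.
    Returns (setting, baseline, current, verdict) tuples. A setting absent from
    the snapshot is reported as 'missing' so a silently dropped control is not
    mistaken for compliance."""
    findings = []
    for name, (base, rule) in golden.items():
        if name not in current:
            findings.append((name, base, None, "missing"))
            continue
        verdict = RULES[rule](base, current[name])
        if verdict != "unchanged":
            findings.append((name, base, current[name], verdict))
    return findings


def needs_alert(findings):
    """The subset a drift monitor should page on: weakened or missing controls."""
    return [f for f in findings if f[3] in ("weakened", "missing")]
```

Usage: run `discover_related_tenants()` over your exported sign-in, service principal and billing data to get the inventory, then feed each tenant's settings snapshot to `detect_drift()` and alert on `needs_alert()`. The rule table is the important design choice: a plain diff would flag a newly added allowed domain and a removed one identically, while the allowlist rule treats only the addition as a weakening.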
A New Approach to Licensing
Something many admins will find surprising is the licensing model. Unlike many Entra features that require a license for every user, Tenant Governance is licensed based on the number of admins interacting with the features. This makes it far more accessible for organizations trying to secure a massive multi-tenant estate without a massive budget.
Why you should listen: Jeff dives deep into how Microsoft managed its own 7 million internal tenants and shares the roadmap for future discovery signals, including using Global Secure Access network telemetry to find tenants being accessed from corporate devices.
Whether you are managing a merger or just trying to clean up years of “test” environments, this episode provides the blueprint for moving from manual, one-tenant-at-a-time management to a deterministic, automated security posture.
Subscribe with your favorite podcast player or watch on YouTube 👇
About Jeff Staiman
Jeff Staiman is the PM Area Lead for Tenant Governance within the Identity and Access Management (IAM) team at Microsoft. A company veteran of 31 years, Jeff originally joined Microsoft managing engineering compensation and architected Microsoft's core engineering leveling framework (Levels 59–61) directly from requirements delivered by Steve Ballmer. Today, he leads engineering and product efforts to secure multi-tenant cloud ecosystems at massive scale.
LinkedIn - https://www.linkedin.com/in/jeffstaiman/
🔗 Related Links
Microsoft Entra Tenant Governance - https://learn.microsoft.com/en-us/entra/id-governance/tenant-governance/overview
📗 Chapters
00:00 Intro
00:18 Introducing Jeff Staiman
00:41 Jeff’s 31-Year Journey at Microsoft
01:25 The Midnight Blizzard Hack That Started It All
05:07 Tenant Governance: What It Is and Why It Exists
07:12 Where Should Admins Start?
09:57 Configuration Snapshots and Baselines
13:02 The M365 DSC Connection
15:18 What Resources Should You Monitor?
17:07 How Drift Detection Works
19:49 Multi-Tenant Monitoring Strategy
20:02 Related Tenants: Discovering Your Unknown Exposure
20:39 Licensing: Basic vs Premium Explained
22:48 Quotas and Resource Limits
24:27 Governance Relationships and Cross-Tenant Role Assignments
28:26 Two-Step vs Three-Step Governance Flow
31:15 Discovery Signals and Blind Spots
35:17 Tenant Restrictions: A Related Feature Worth Knowing
36:40 Secure Tenant Creation
38:10 Governance Policy Templates
40:01 Licensing Across Multiple Tenants
43:43 Final Recommendations: Where to Start Today
47:54 Wrap Up
Podcast Apps
🎙️ Entra.Chat - https://entra.chat
🎧 Apple Podcast → https://entra.chat/apple
📺 YouTube → https://entra.chat/youtube
📺 Spotify → https://entra.chat/spotify
🎧 Overcast → https://entra.chat/overcast
🎧 Pocketcast → https://entra.chat/pocketcast
🎧 Others → https://entra.chat/rss
Merill’s socials
📺 YouTube → youtube.com/@merillx
👔 LinkedIn → linkedin.com/in/merill
🐤 Twitter → twitter.com/merill
🕺 TikTok → tiktok.com/@merillf
🦋 Bluesky → bsky.app/profile/merill.net
🐘 Mastodon → infosec.exchange/@merill
🧵 Threads → threads.net/@merillf
🤖 GitHub → github.com/merill