Enhancements in Microsoft Defender for Multi-tenant and Device Security Management
Microsoft Defender has introduced significant enhancements in 2025 to improve multi-tenant and device security management, focusing on streamlining security operations, enhancing visibility, and providing robust tools for administrators managing complex environments.
These updates cater to the needs of large enterprises, managed security service providers (MSSPs), and organizations with diverse device ecosystems.
Below is a detailed description of these enhancements:
Multi-Tenant Management Enhancements
Unified View Across Tenants
Microsoft Defender XDR now offers a centralized, single-pane-of-glass experience for security operations teams managing multiple tenants. This unified view allows administrators to monitor incidents, alerts, and device statuses across all managed tenants without needing to switch between portals or sign in and out of individual tenant directories. This reduces operational overhead and speeds up incident response.
Streamlined Incident Management
Security teams can triage and investigate incidents across multiple tenants from one interface. The system consolidates incident data, including security information and event management (SIEM) and extended detection and response (XDR) inputs, enabling faster identification and resolution of threats spanning multiple environments.
Advanced Threat Hunting Across Tenants
Multi-tenant support integrates with Microsoft Defender XDR’s advanced hunting capabilities, allowing security analysts to run Kusto Query Language (KQL) queries across data from multiple tenants. This proactive threat-hunting feature helps identify patterns or threats that might affect several tenants simultaneously, improving overall security posture.
Content Distribution and Tenant Groups
Administrators can create tenant groups to distribute security content, such as custom detection rules, from a source tenant to multiple target tenants. This ensures consistent policy enforcement and reduces manual configuration efforts. The scope can be set to specific devices or device groups within each tenant, enhancing scalability and management efficiency.
Support for MSSPs
Managed Security Service Providers benefit from multi-customer management features, gaining visibility into incidents, alerts, and hunting activities across all their clients’ tenants through a single interface. This simplifies workflows for service providers supporting diverse organizations.
Integration with Microsoft Sentinel
For tenants with a Microsoft Sentinel workspace onboarded to the unified security operations platform, multi-tenant management supports cross-tenant SIEM and XDR data analysis. Although limited to one Sentinel workspace per tenant, this integration enhances visibility into both endpoint and broader security events across tenants.
Device Security Management Enhancements
Cross-Platform Security Settings Management
Microsoft Defender for Endpoint now allows security administrators to configure settings for devices across multiple platforms—Windows, Linux, and macOS—directly within the Defender XDR portal. This eliminates the need to use separate tools or leave the portal, fostering collaboration between security and IT teams by providing a shared view.
Integration with Microsoft Intune
Devices not enrolled in Intune can still have their Microsoft Defender settings managed via Intune policies, provided they are onboarded to Defender for Endpoint. This is particularly useful for hybrid environments, with support for platforms like Linux (agent version 101.23052.0009 or later) and macOS, broadening the scope of manageable devices.
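The Linux agent version prerequisite above can be checked on a host before relying on Intune-delivered policy. The following is an added example, not part of the original page and not Microsoft's code: it assumes the agent's `mdatp health --field app_version` command is available on the host, and the function names and sample version strings are constructed for illustration.

```shell
#!/bin/sh
# Added example: gate on the minimum Linux agent version named in the text.
MIN_VERSION="101.23052.0009"   # minimum Linux agent version stated on the page

# version_ge A B: succeed if dotted version A >= B. Each field is compared as
# a decimal number, so "0009" is read as 9 and not rejected as bad octal.
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, A, "."); nb = split(b, B, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            x = (i <= na) ? A[i] + 0 : 0
            y = (i <= nb) ? B[i] + 0 : 0
            if (x > y) exit 0
            if (x < y) exit 1
        }
        exit 0
    }'
}

# classify_agent VERSION: print "eligible", "too-old" or "unparseable".
# (hypothetical helper name; not an mdatp or Intune command)
classify_agent() {
    # The CLI may print the value wrapped in double quotes; strip them.
    v=$(printf '%s' "$1" | tr -d '"[:space:]')
    case "$v" in
        ''|*[!0-9.]*|.*|*.|*..*) echo "unparseable"; return ;;
    esac
    if version_ge "$v" "$MIN_VERSION"; then
        echo "eligible"
    else
        echo "too-old"
    fi
}

# On a host with the agent installed, read the real version; otherwise walk
# through constructed sample values so the script still runs offline.
if command -v mdatp >/dev/null 2>&1; then
    classify_agent "$(mdatp health --field app_version)"
else
    for sample in '"101.23052.0009"' '101.23042.0011' '101.24032.0007' 'unknown'; do
        printf '%s -> %s\n' "$sample" "$(classify_agent "$sample")"
    done
fi
```

An "unparseable" result is worth treating as a failure in fleet reporting, since it usually means the agent is missing or unhealthy rather than merely outdated.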
Multi-Tenant Device Policy Management
The multi-tenant view in Defender XDR enables administrators to oversee and manage device security policies across all tenants in a consolidated manner. This includes endpoint security policies that strengthen device posture without requiring portal-switching, a feature especially valuable for large enterprises and MSSPs.
Role-Based Access Control (RBAC) Requirements
To manage device security settings across tenants, administrators need the Security Administrator role in Defender (or a custom role with security configuration permissions) and the Endpoint Security Manager role in Intune. Devices must also be affiliated with their corresponding Microsoft Entra tenant, ensuring proper governance and access control.
Enhanced Device Inventory and Status Monitoring
The device inventory feature provides a high-level overview of device statuses per tenant, helping administrators quickly assess compliance and security health across multi-tenant environments. This visibility aids in prioritizing remediation efforts.
Limitations and Considerations
Currently, these enhancements do not support Microsoft Defender for Business tenants, focusing instead on enterprise-grade deployments. Additionally, administrators must ensure prerequisites (e.g., Entra tenant affiliation and proper role assignments) are met for each tenant to leverage these capabilities fully.
Broader Implications
These enhancements reflect Microsoft’s push toward a unified security operations platform, integrating Defender XDR with tools like Microsoft Sentinel and Intune.
These updates have made it easier for organizations to maintain a consistent security baseline, respond to threats efficiently, and manage diverse device ecosystems across multiple tenants. The focus on automation, scalability, and cross-tenant visibility positions Microsoft Defender as a powerful solution for modern, complex security needs.