Posey's Tips & Tricks
Take a Fresh Look at Your Microsoft 365 Tenant, Part 1
Without a point person, an enterprise's tenants can get out of hand.
In the world of Microsoft 365 and Microsoft Azure, the word tenant has always been loosely equivalent to the word subscription. Yes, I realize that there are some differences between the two, but hear me out.
When you create a new Microsoft 365 subscription, you also create a new tenant. The person who oversees that subscription is sometimes referred to as the tenant administrator. Even some of the Microsoft documentation seems to use the word tenant and the word subscription interchangeably.
In a perfect world, each organization would have a single subscription (and thus a single tenant). However, larger organizations often deal with multiple tenants. If one organization acquires another organization, for example, then the purchaser may end up with two tenants to manage -- one for each organization. What you might not realize, however, is that multi-tenancy is not solely reserved for huge corporations. In fact, a default permission allows Entra ID (formerly known as Azure AD) users to create tenants within your organization.
Obviously, allowing users to create their own tenants on a whim can lead to all kinds of problems. The good news is that there is a way to make it so that users do not have the ability to create a tenant. I will show you how to do that a little bit later on. Before I do, I want to take some time to talk about what it means for a user to create a new tenant and what actually happens when they do. I will also show you how to find out whether or not anyone has already created a tenant without your knowledge.
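The default permission mentioned above is a single boolean in the tenant's authorization policy, so it can be audited from PowerShell as well as from the portal. The script below is an added example, not part of the original article; it assumes the Microsoft.Graph PowerShell SDK is installed and that the signed-in account holds the Policy.Read.All scope (plus Policy.ReadWrite.Authorization if you run it with -Fix).

```powershell
# Added example (not from the original article): report, and optionally turn off,
# the Entra ID default permission that lets ordinary users create new tenants.
# Assumes the Microsoft.Graph PowerShell SDK and an account with the scopes below.
param(
    [switch]$Fix   # pass -Fix to actually change the setting; default is report-only
)

Connect-MgGraph -Scopes "Policy.Read.All", "Policy.ReadWrite.Authorization"

# The setting lives in the tenant-wide authorization policy, under
# defaultUserRolePermissions.allowedToCreateTenants. $true is the default.
$policy    = Get-MgPolicyAuthorizationPolicy -Property DefaultUserRolePermissions
$canCreate = $policy.DefaultUserRolePermissions.AllowedToCreateTenants

if ($canCreate) {
    Write-Warning "Users in this tenant are allowed to create new tenants (default setting)."
} else {
    Write-Host "Tenant creation by ordinary users is already disabled."
}

if ($canCreate -and $Fix) {
    # Only the one property is sent, so the other default user role
    # permissions (app registrations, security groups, etc.) are left as they are.
    Update-MgPolicyAuthorizationPolicy -DefaultUserRolePermissions @{
        AllowedToCreateTenants = $false
    }

    # Re-read the policy to confirm the change took effect.
    $after = (Get-MgPolicyAuthorizationPolicy -Property DefaultUserRolePermissions).
             DefaultUserRolePermissions.AllowedToCreateTenants
    if (-not $after) {
        Write-Host "Done. Only users holding the Tenant Creator or Global Administrator role can now create tenants."
    } else {
        Write-Error "The policy still reports AllowedToCreateTenants = $after; check the account's permissions."
    }
}

Disconnect-MgGraph | Out-Null
```

Run it once without -Fix to see the current state; disabling the permission does not affect tenants that have already been created, which is why the article's later step of listing existing tenants still matters.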
How To Create a Tenant
Needless to say, the terms tenant and subscription are not one and the same, as a single subscription can contain multiple tenants. That being the case, I want to show you how to create a tenant. Once I have done that, I will talk about the implications of having a multi-tenant subscription.
To get started, log into the Azure portal and open Entra ID. From there, select the Overview tab and then click the Manage Tenants link, which you can see near the top of Figure 1.
At this point, you will be taken to the Manage Tenants screen. You should see a single tenant, which is listed as the default. To create a new tenant, click on the Create button, shown in Figure 2.
Now, you will be taken to a screen that asks you to select the type of tenant that you want to create. You can choose between creating a Microsoft Entra ID tenant and an Azure AD B2C tenant. Depending on your subscription type, you might see this listed as Workforce or Customer. For the sake of this article, we'll create an Entra ID tenant.
Click Next, and you will be taken to the Configuration screen. Here you will need to provide a name for the organization that you are creating (because creating a tenant is loosely the same as creating a new organization). You will also be required to provide an initial domain name and to specify your location. You can see what all of this looks like in Figure 3.
Now, click Review+Create and then click the Create button to complete the process. At this point, you will be presented with a captcha asking you to prove that you are not a robot. This brings up an important point. As I was writing this blog post, I was initially using a free Microsoft 365 E5 subscription. Every time that I would complete the captcha, the captcha would fail. This did not happen because I completed the captcha incorrectly, but rather because you cannot create tenants on free subscriptions. It is also worth noting that when the captcha succeeds, the browser will appear to lock up for a minute or two while the new tenant is being created.
What Is a Tenant?
So what is a tenant exactly? Well, think of a tenant as an isolation boundary. A tenant can have its own DNS name associated with it. It can also have its own collection of users, groups, and other Entra ID objects. When you create a tenant, the person who created the tenant becomes the tenant administrator and therefore has what are essentially global admin privileges for that tenant, but not for the subscription as a whole.
So now that I have explained what a tenant is and what's involved in creating one, I want to show you how to see what tenants exist in your organization and how to disable end-user tenant creation. I will cover all of that in Part 2.
About the Author
Brien Posey is a 22-time Microsoft MVP with decades of IT experience. As a freelance writer, Posey has written thousands of articles and contributed to several dozen books on a wide variety of IT topics. Prior to going freelance, Posey was a CIO for a national chain of hospitals and health care facilities. He has also served as a network administrator for some of the country's largest insurance companies and for the Department of Defense at Fort Knox. In addition to his continued work in IT, Posey has spent the last several years actively training as a commercial scientist-astronaut candidate in preparation to fly on a mission to study polar mesospheric clouds from space. You can follow his spaceflight training on his Web site.