Microsoft has added four new admin roles in Entra, all related to Microsoft Entra Tenant Governance:
- Tenant Governance Administrator
- Tenant Governance Reader
- Tenant Governance Relationship Administrator
- Tenant Governance Relationship Reader
Note
Newly published roles may take some time to become fully active.
What is Microsoft Entra Tenant Governance?
Microsoft Entra Tenant Governance (currently in Preview) is a service intended to help organizations gain visibility and control over multiple Microsoft Entra tenants, including known tenants, shadow IT tenants, and newly created ones.
Tenant Governance is built around four main capabilities:
- Discovering related tenants based on B2B, application, and billing signals.
- Managing governance relationships between a governing and governed tenant through structured workflows and policy templates.
- Monitoring configuration drift across governed tenants against a defined JSON baseline covering over 200 resource types across Entra, Intune, Exchange Online, Teams, Purview, and Defender.
- Controlling the secure creation of new add-on tenants with governance applied from the start.
Tenant Governance is available at two service levels: Tenant Governance Basic and Tenant Governance Premium.
Tenant Governance Administrator
Users with the Tenant Governance Administrator role control who, from outside the organization, can access the tenant and under what conditions. In the broader context of Microsoft Entra Tenant Governance deployment, they are the central actors across the entire governance lifecycle.
Users with the role can…
- Discover and classify related tenants based on B2B collaboration signals and shared billing relationships.
- Create and manage governance policy templates that define delegated roles and provisioned applications.
- Establish governance relationships with partner or subsidiary tenants through structured request-and-accept handshakes.
- Enable cross-tenant delegated administration, allowing administrators in a governing tenant to manage governed tenants without requiring local or B2B accounts.
- Monitor configuration drift across governed tenants to maintain a consistent, compliant baseline state.
- Play a key role in the secure creation of new governed tenants, ensuring governance relationships are established from day one.

Role Definition ID: 1981f584-96e9-4a6f-95b0-f522373f8fae
Role permissions:
microsoft.directory/crossTenantAccessPolicy/basic/update
microsoft.directory/crossTenantAccessPolicy/default/standard/read
microsoft.directory/crossTenantAccessPolicy/partners/create
microsoft.directory/crossTenantAccessPolicy/partners/delete
microsoft.directory/crossTenantAccessPolicy/partners/standard/read
microsoft.directory/crossTenantAccessPolicy/standard/read
microsoft.directory/tenantGovernance/invitations/create
microsoft.directory/tenantGovernance/invitations/delete
microsoft.directory/tenantGovernance/invitations/standard/read
microsoft.directory/tenantGovernance/policyTemplates/allProperties/update
microsoft.directory/tenantGovernance/policyTemplates/create
microsoft.directory/tenantGovernance/policyTemplates/delete
microsoft.directory/tenantGovernance/policyTemplates/standard/read
microsoft.directory/tenantGovernance/relatedTenants/refresh
microsoft.directory/tenantGovernance/relatedTenants/standard/read
microsoft.directory/tenantGovernance/relationships/allProperties/update
microsoft.directory/tenantGovernance/relationships/create
microsoft.directory/tenantGovernance/relationships/standard/read
microsoft.directory/tenantGovernance/requests/allProperties/update
microsoft.directory/tenantGovernance/requests/create
microsoft.directory/tenantGovernance/requests/standard/read
microsoft.directory/tenantGovernance/settings/allProperties/update
microsoft.directory/tenantGovernance/settings/standard/read
Tenant Governance Reader
Users with the Tenant Governance Reader role have read-only access across all areas of the Microsoft Entra Tenant Governance service. They can view governance invitations, policy templates, related tenant data, governance relationships, incoming and outgoing requests, and tenant governance settings, covering the full breadth of the governance lifecycle in read-only mode.
This role suits compliance officers, auditors, or security analysts who need a clear picture of how the organization’s multi-tenant governance is structured and what external tenant relationships exist, without the ability to create, modify, or delete anything.

Role Definition ID: e0a4caa6-fe82-443f-b92f-d87341d17b2e
Role permissions:
microsoft.directory/tenantGovernance/invitations/standard/read
microsoft.directory/tenantGovernance/policyTemplates/standard/read
microsoft.directory/tenantGovernance/relatedTenants/standard/read
microsoft.directory/tenantGovernance/relationships/standard/read
microsoft.directory/tenantGovernance/requests/standard/read
microsoft.directory/tenantGovernance/settings/standard/read
Tenant Governance Relationship Administrator
Users with the Tenant Governance Relationship Administrator role handle the operational management of governance relationships and the policy templates that define them.
Users with the role can…
- Create, update, and delete policy templates.
- Establish new governance relationships and send governance requests.
- Read across all tenant governance data, including invitations, related tenants, and settings.
Users with the role cannot modify the underlying tenant governance settings themselves.
Compared to the Tenant Governance Administrator, this role is more narrowly scoped. It covers the full lifecycle of governance relationships and their templates, but stops short of broader administrative capabilities such as enabling tenant discovery or managing configuration monitoring.
This role fits someone responsible for onboarding and maintaining partner or subsidiary tenant relationships day-to-day, without requiring full administrative control over the entire Tenant Governance service.

Role Definition ID: b8e31d83-1534-480f-9b10-0338ded51b7e
Role permissions:
microsoft.directory/tenantGovernance/invitations/standard/read
microsoft.directory/tenantGovernance/policyTemplates/allProperties/update
microsoft.directory/tenantGovernance/policyTemplates/create
microsoft.directory/tenantGovernance/policyTemplates/delete
microsoft.directory/tenantGovernance/policyTemplates/standard/read
microsoft.directory/tenantGovernance/relatedTenants/standard/read
microsoft.directory/tenantGovernance/relationships/allProperties/update
microsoft.directory/tenantGovernance/relationships/create
microsoft.directory/tenantGovernance/relationships/standard/read
microsoft.directory/tenantGovernance/requests/create
microsoft.directory/tenantGovernance/requests/standard/read
microsoft.directory/tenantGovernance/settings/standard/read
Tenant Governance Relationship Reader
Users with the Tenant Governance Relationship Reader role have read-only access to the core relationship-related areas of the Microsoft Entra Tenant Governance service. They can view governance invitations, policy templates, governance relationships, requests, and settings, but cannot read related tenant discovery data and cannot make any changes.
Compared to the Tenant Governance Reader, this role is narrower in scope. It lacks visibility into related tenant discovery data, making it better suited for users who need oversight of established and ongoing governance relationships only, rather than the broader tenant discovery landscape.

Role Definition ID: 124577f8-48ed-456a-839f-13b419002e33
Role permissions:
microsoft.directory/tenantGovernance/invitations/standard/read
microsoft.directory/tenantGovernance/policyTemplates/standard/read
microsoft.directory/tenantGovernance/relationships/standard/read
microsoft.directory/tenantGovernance/requests/standard/read
microsoft.directory/tenantGovernance/settings/standard/read
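
To make the scope differences between the four roles concrete, the following added example (not from the original post and not Microsoft code) encodes the permission lists above, shows exactly which actions one role grants beyond another, and picks the narrowest role that covers a given set of actions. The one-letter verb shorthand and the function names are assumptions made for this example only.

```python
# Added example: action strings are transcribed from the role listings on this page.
TG = "microsoft.directory/tenantGovernance/"
XT = "microsoft.directory/crossTenantAccessPolicy/"
# Shorthand used only in this example: one letter per action suffix.
VERBS = {"r": "standard/read", "u": "allProperties/update",
         "c": "create", "d": "delete", "f": "refresh"}
XT_ACTIONS = {XT + a for a in (
    "basic/update", "default/standard/read", "partners/create",
    "partners/delete", "partners/standard/read", "standard/read")}

def expand(spec):
    """'invitations:cdr settings:r' -> set of full tenantGovernance actions."""
    pairs = (item.split(":") for item in spec.split())
    return {f"{TG}{res}/{VERBS[v]}" for res, codes in pairs for v in codes}

ROLES = {
    "Tenant Governance Administrator": XT_ACTIONS | expand(
        "invitations:cdr policyTemplates:ucdr relatedTenants:fr "
        "relationships:ucr requests:ucr settings:ur"),
    "Tenant Governance Reader": expand(
        "invitations:r policyTemplates:r relatedTenants:r "
        "relationships:r requests:r settings:r"),
    "Tenant Governance Relationship Administrator": expand(
        "invitations:r policyTemplates:ucdr relatedTenants:r "
        "relationships:ucr requests:cr settings:r"),
    "Tenant Governance Relationship Reader": expand(
        "invitations:r policyTemplates:r relationships:r requests:r settings:r"),
}

def is_write(action):
    """Anything that is not a read action changes state or triggers work."""
    return not action.endswith("/read")

def extra(role, baseline):
    """Actions `role` grants that `baseline` does not."""
    return sorted(ROLES[role] - ROLES[baseline])

def least_privileged(required):
    """Role with the fewest write actions (then fewest actions) covering `required`."""
    fits = [name for name, perms in ROLES.items() if set(required) <= perms]
    rank = lambda n: (sum(map(is_write, ROLES[n])), len(ROLES[n]))
    return min(fits, key=rank, default=None)

if __name__ == "__main__":
    for a in extra("Tenant Governance Administrator",
                   "Tenant Governance Relationship Administrator"):
        print("admin-only:", a)
    print(least_privileged([TG + "policyTemplates/create"]))
    print(least_privileged([TG + "relationships/delete"]))  # in no listed role
```

The result reflects only the permission lists as printed on this page; compare against the role definitions in your own tenant before basing assignments on it.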
