Microsoft Entra ID · Identity Governance

Tenant Governance Administrator

Manages all capabilities in the Microsoft Entra Tenant Governance service for multi-tenant organization management.

Scope: Full administration of Microsoft Entra Tenant Governance service for multi-tenant scenarios

Permissions

  • Manage all tenant governance capabilities
  • Configure governance policies across tenants
  • Manage tenant governance settings and configurations
  • Create and manage governance relationships
  • View and manage all tenant governance data

Common use cases

  • Multi-tenant organization governance setup
  • Cross-tenant policy management and enforcement
  • Subsidiary and partner tenant governance
  • Centralized compliance governance across tenant boundaries
  • Multi-tenant identity lifecycle coordination

Best practices

  • Document governance policies for all managed tenants
  • Establish clear ownership boundaries between tenants
  • Coordinate governance changes across tenant administrators
  • Regularly audit cross-tenant governance configurations
  • Use least privilege — assign Reader roles where full admin is not needed

Security considerations

  • Cross-tenant governance affects multiple organizations — high impact if misconfigured
  • Governance relationships can enable cross-tenant data and access flows
  • Monitor for unauthorized governance relationship changes
  • Ensure all tenant administrators are aware of governance policies

Common questions

When should I assign the Tenant Governance Administrator role?

Assign Tenant Governance Administrator when you need to: Multi-tenant organization governance setup; Cross-tenant policy management and enforcement; Subsidiary and partner tenant governance; Centralized compliance governance across tenant boundaries; and Multi-tenant identity lifecycle coordination. It is part of Microsoft Entra ID and should be granted as a least-privilege alternative to broader roles like Global Administrator.

What can someone with the Tenant Governance Administrator role do?

The Tenant Governance Administrator role grants permissions including: Manage all tenant governance capabilities; Configure governance policies across tenants; Manage tenant governance settings and configurations; Create and manage governance relationships; and View and manage all tenant governance data. See the Permissions section above for the full list.

What are the security risks of the Tenant Governance Administrator role?

Key considerations when assigning Tenant Governance Administrator: Cross-tenant governance affects multiple organizations — high impact if misconfigured; Governance relationships can enable cross-tenant data and access flows; Monitor for unauthorized governance relationship changes; and Ensure all tenant administrators are aware of governance policies. Review the Security considerations section before assignment, and pair with Privileged Identity Management (PIM) for just-in-time access where possible.

Official Microsoft Learn documentation →

Open the interactive RBACMap →