Microsoft Entra ID · Identity Governance
Tenant Governance Administrator
Manages all capabilities in the Microsoft Entra Tenant Governance service for multi-tenant organization management.
Scope: Full administration of Microsoft Entra Tenant Governance service for multi-tenant scenarios
Permissions
- Manage all tenant governance capabilities
- Configure governance policies across tenants
- Manage tenant governance settings and configurations
- Create and manage governance relationships
- View and manage all tenant governance data
Common use cases
- Multi-tenant organization governance setup
- Cross-tenant policy management and enforcement
- Subsidiary and partner tenant governance
- Centralized compliance governance across tenant boundaries
- Multi-tenant identity lifecycle coordination
Best practices
- Document governance policies for all managed tenants
- Establish clear ownership boundaries between tenants
- Coordinate governance changes across tenant administrators
- Regularly audit cross-tenant governance configurations
- Use least privilege — assign Reader roles where full admin is not needed
Security considerations
- Cross-tenant governance affects multiple organizations — high impact if misconfigured
- Governance relationships can enable cross-tenant data and access flows
- Monitor for unauthorized governance relationship changes
- Ensure all tenant administrators are aware of governance policies
Common questions
When should I assign the Tenant Governance Administrator role?
Assign Tenant Governance Administrator when you need to: Multi-tenant organization governance setup; Cross-tenant policy management and enforcement; Subsidiary and partner tenant governance; Centralized compliance governance across tenant boundaries; and Multi-tenant identity lifecycle coordination. It is part of Microsoft Entra ID and should be granted as a least-privilege alternative to broader roles like Global Administrator.
What can someone with the Tenant Governance Administrator role do?
The Tenant Governance Administrator role grants permissions including: Manage all tenant governance capabilities; Configure governance policies across tenants; Manage tenant governance settings and configurations; Create and manage governance relationships; and View and manage all tenant governance data. See the Permissions section above for the full list.
What are the security risks of the Tenant Governance Administrator role?
Key considerations when assigning Tenant Governance Administrator: Cross-tenant governance affects multiple organizations — high impact if misconfigured; Governance relationships can enable cross-tenant data and access flows; Monitor for unauthorized governance relationship changes; and Ensure all tenant administrators are aware of governance policies. Review the Security considerations section before assignment, and pair with Privileged Identity Management (PIM) for just-in-time access where possible.