Microsoft Entra ID · Identity Governance
Tenant Governance Relationship Administrator
Can initiate governance relationships with other tenants and terminate existing governance relationships in Microsoft Entra Tenant Governance.
Scope: Manage governance relationship initiation and termination between tenants
Permissions
- Initiate new governance relationships with other tenants
- Terminate existing governance relationships
- Manage governance relationship lifecycle
- Configure relationship settings and parameters
Common use cases
- Establishing governance relationships with subsidiaries
- Onboarding new tenants into governance framework
- Offboarding tenants from governance relationships
- Managing partner tenant governance connections
Best practices
- Document all governance relationship changes
- Require dual authorization for relationship initiation
- Plan relationship termination impact before executing
- Maintain inventory of all active governance relationships
Security considerations
- Initiating relationships creates cross-tenant governance links
- Termination may disrupt connected tenant governance policies
- Unauthorized relationship creation could expose governance data
- Monitor for unexpected relationship initiation attempts
Common questions
When should I assign the Tenant Governance Relationship Administrator role?
Assign Tenant Governance Relationship Administrator when you need to: Establishing governance relationships with subsidiaries; Onboarding new tenants into governance framework; Offboarding tenants from governance relationships; and Managing partner tenant governance connections. It is part of Microsoft Entra ID and should be granted as a least-privilege alternative to broader roles like Global Administrator.
What can someone with the Tenant Governance Relationship Administrator role do?
The Tenant Governance Relationship Administrator role grants permissions including: Initiate new governance relationships with other tenants; Terminate existing governance relationships; Manage governance relationship lifecycle; and Configure relationship settings and parameters. See the Permissions section above for the full list.
What are the security risks of the Tenant Governance Relationship Administrator role?
Key considerations when assigning Tenant Governance Relationship Administrator: Initiating relationships creates cross-tenant governance links; Termination may disrupt connected tenant governance policies; Unauthorized relationship creation could expose governance data; and Monitor for unexpected relationship initiation attempts. Review the Security considerations section before assignment, and pair with Privileged Identity Management (PIM) for just-in-time access where possible.