Important
Microsoft Entra Tenant Governance is currently in PREVIEW. This information relates to a prerelease product that might be substantially modified before release. Microsoft makes no warranties, expressed or implied, with respect to the information provided here.
Governance policy templates are a foundational component of the Tenant Governance service, which helps organizations secure Microsoft Entra tenants at scale. Before establishing a governance relationship between tenants, create a governance policy template that defines the relationship behavior. These templates are reusable across distinct governance relationships, enabling consistent and scalable management of cross-tenant access.
How governance policy templates work
A governance policy template serves as a blueprint for governance relationships. When you create a template, you define two key areas of access:
Cross-tenant delegated administration roles - Specify which Microsoft Entra built-in roles users from the governing tenant have in the governed tenant.
Multitenant applications - Select custom applications to create and manage across tenants.
After you create a template, you can use it to establish multiple governance relationships with different governed tenants, ensuring consistent access policies across your organization.
When you create a governance relationship, Tenant Governance captures and stores a policy snapshot with the relationship. This snapshot represents the roles and permissions that applied at the time you established or last updated the relationship.
Updating a governance policy template doesn't automatically update relationships that you created using that template. This design ensures that the governed tenant always has the opportunity to review desired permission changes for the relationship. To apply permission updates to an active relationship, you must repeat the request and approval process.
Cross-tenant delegated administration configuration
By selecting Microsoft Entra built-in roles and assigning them to a group in the governing tenant, you define which roles (and level of access) users in that group have in the governed tenant. With these roles, users can:
Sign in to the governed tenant using their governing tenant credentials.
Manage the governed tenant without needing a local or business-to-business (B2B) account in that tenant.
Each group can have multiple role assignments, and each policy template can have multiple groups defined. When you create the governance relationship, Tenant Governance creates granular delegated admin privileges (GDAP) role assignments in the governed tenant.
Multitenant application configuration
By selecting custom, multitenant applications in the policy template, you enable centralized application management. When you create the governance relationship, Tenant Governance creates a service principal with the same permissions in the governed tenant.
This capability allows you to manage your custom, multitenant applications at scale from the central governing tenant. You don't need to go into every tenant individually to monitor and maintain least-privilege app access.
For example, assume you've built a custom line-of-business app called Contoso Resource Manager, responsible for monitoring, reporting, and automating resource configuration across your tenants. Use the governance relationship to set up a service principal instance of Contoso Resource Manager across your governed tenants, with the right provisioned permissions consented. When you need to add or remove permissions, do so through the governance relationship instead of making changes and consenting to permissions on a per-tenant basis.
Default policy template
The default policy template is a special template used for secure tenant creation scenarios. When you create a new add-on tenant, Tenant Governance automatically establishes a governance relationship between the parent tenant and the add-on tenant using the default policy template. This setup ensures that new tenants come under centralized tenant administration from the moment they are created.
The default policy template has these characteristics:
Unique identifier: Instead of a GUID, the default policy template has the ID "default".
Configuration required: You must configure the default policy template before you can use it.
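The following is an added example, not code from Microsoft or the Tenant Governance service, and it does not use the Microsoft Graph API. It models the behavior described above under "How governance policy templates work" and "Default policy template": a relationship keeps the policy snapshot taken when it was created or last approved, a template edit does not propagate until the governed tenant approves it, and the "default" template cannot be used until it is configured. The template, group, and application IDs are constructed placeholders. The drift function is useful for a governing-tenant review: it lists, per relationship, which role and app changes are still awaiting the request and approval process.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class PolicyTemplate:
    # Constructed model: a template maps governing-tenant groups to built-in roles
    # and lists the multitenant app IDs to provision in the governed tenant.
    template_id: str
    role_assignments: dict          # group name -> frozenset of role names
    app_ids: frozenset              # multitenant application IDs

@dataclass
class Relationship:
    governed_tenant: str
    snapshot: PolicyTemplate        # roles/apps that applied when last approved

def is_configured(t: PolicyTemplate) -> bool:
    """The 'default' template exists but is unusable until it grants something."""
    return bool(t.role_assignments) or bool(t.app_ids)

def create_relationship(t: PolicyTemplate, governed_tenant: str) -> Relationship:
    """Establishing a relationship captures the template as a snapshot."""
    if not is_configured(t):
        raise ValueError(f"template {t.template_id!r} is not configured")
    return Relationship(governed_tenant, t)

def drift(t: PolicyTemplate, rel: Relationship) -> dict:
    """Changes in the template that the relationship has NOT yet adopted."""
    old, new = rel.snapshot.role_assignments, t.role_assignments
    empty = frozenset()
    groups = set(old) | set(new)
    added = {g: new.get(g, empty) - old.get(g, empty) for g in groups}
    removed = {g: old.get(g, empty) - new.get(g, empty) for g in groups}
    return {
        "roles_added": {g: r for g, r in added.items() if r},
        "roles_removed": {g: r for g, r in removed.items() if r},
        "apps_added": t.app_ids - rel.snapshot.app_ids,
        "apps_removed": rel.snapshot.app_ids - t.app_ids,
    }

def apply_update(rel: Relationship, t: PolicyTemplate, governed_tenant_approved: bool) -> Relationship:
    """A new snapshot is taken only after the governed tenant approves the changes."""
    if not governed_tenant_approved:
        raise PermissionError("governed tenant must approve permission changes")
    rel.snapshot = t
    return rel
```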