
Microsoft 365 Governance for MSP Tenants - MSP Guide Australia

Technology | 2026-06-10 | 5 min | 987 words

Microsoft 365 Governance for MSP Tenants

Managing Microsoft 365 across multiple client tenants is one of the most complex challenges for Australian MSPs. Each client has different compliance requirements, security needs, and user populations. This guide covers the governance framework you need.

The Governance Challenge

MSPs managing M365 tenants face unique challenges:

  • Multi-tenant complexity — Each client is a separate tenant with its own policies
  • Inconsistent baselines — Without standardisation, every tenant is configured differently
  • Compliance requirements — Different clients have different regulatory obligations
  • Security gaps — Inconsistent policies create exploitable weaknesses
  • Audit readiness — You need to prove compliance across all tenants

Governance Framework

Tier 1: Baseline (All Clients)

Every client tenant should have these controls in place:

Identity & Access:
  • MFA enabled for all users
  • Conditional Access policies (block legacy auth, require compliant devices)
  • Password policy (14+ characters, 90-day rotation or passwordless)
  • Guest access restrictions
  • Self-service password reset configured

Data Protection:
  • DLP policies for sensitive data (credit cards, TFN, health records)
  • Email retention (minimum 7 years for business correspondence)
  • SharePoint/OneDrive external sharing restrictions
  • Teams guest access controls

Compliance:
  • Audit logging enabled
  • Standard retention labels
  • Basic eDiscovery configuration

Tier 2: Enhanced (Regulated Clients)

For clients in healthcare, finance, legal, or government:

Identity & Access:
  • Phishing-resistant MFA (FIDO2, hardware tokens)
  • Privileged Identity Management (PIM)
  • Just-in-time admin access
  • Conditional Access with risk-based policies
  • Sign-in frequency controls

Data Protection:
  • Advanced DLP with sensitivity labels
  • Information barriers
  • Customer-managed encryption keys
  • Data residency controls
  • Azure Information Protection

Compliance:
  • Communication compliance
  • Insider risk management
  • Advanced audit
  • eDiscovery with legal hold capabilities

Tier 3: Premium (Enterprise/MSP)

For MSPs managing their own tenant and enterprise clients:

Identity & Access:
  • Passwordless authentication
  • Continuous access evaluation
  • Device compliance enforcement
  • Network location-based policies
  • Cloud app security

Data Protection:
  • Auto-labeling with trainable classifiers
  • Microsoft Purview data governance
  • Sensitivity labels with encryption
  • Data lifecycle management
  • Records management

Compliance:
  • Full Microsoft Purview compliance suite
  • Automated investigation and response
  • Advanced threat analytics
  • Custom compliance programs

Multi-Tenant Management

Centralised Management Tools

Microsoft 365 Lighthouse:
  • Multi-tenant dashboard
  • Threat detection across tenants
  • Device management
  • User management

Partner Centre:
  • Billing and licensing
  • Customer management
  • Service health monitoring

Third-Party Tools:
  • Nerdio Manager — Multi-tenant AVD and M365 management
  • CenterEdge — Multi-tenant management
  • CyberDrain — Multi-tenant PowerShell automation

Standardisation Approach

  1. Create baseline templates — Document the standard configuration for each tier
  2. Use automation — PowerShell scripts or tools to apply policies across tenants
  3. Audit regularly — Monthly compliance checks across all tenants
  4. Document exceptions — Every deviation from baseline must be documented
  5. Review quarterly — Update baselines as Microsoft releases new features

Conditional Access Policies

Essential Policies for All Tenants

Policy                        Purpose
----------------------------  -------------------------------
Block legacy authentication   Prevents password spray attacks
Require MFA for all users     Baseline security
Block risky sign-ins          Prevents compromised accounts
Require compliant devices     Ensures device security
Block high-risk users         Prevents compromised accounts

Baseline policies:
  • Require MFA for all users (exclude break-glass accounts)
  • Block legacy authentication
  • Block access from non-compliant devices
  • Require password change for high-risk users

Enhanced policies:
  • Require phishing-resistant MFA for admins
  • Block sign-ins from non-Australian countries (if applicable)
  • Require approved client apps
  • Enforce session controls

Premium policies:
  • Continuous access evaluation
  • Risk-based sign-in policies
  • Device compliance enforcement
  • Network location controls
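An added example (not from this guide or from any of the tools it names) of the monthly audit in step 3 of the standardisation approach, applied to the baseline Conditional Access policies above: it reads policies in the shape Microsoft Graph returns from GET /identity/conditionalAccess/policies and lists each tenant's deviations from the baseline, including a break-glass account missing from an all-users MFA or block policy. The tenant names, policy names and break-glass IDs are constructed placeholders.

```python
# Baseline audit over exported Conditional Access policies, one tenant at a time.
LEGACY_CLIENTS = {"exchangeActiveSync", "other"}   # Graph's names for legacy auth

def policy(name, state, control, client_types, exclude=()):
    """Build a policy in the shape Graph returns (only the fields the audit reads)."""
    return {"displayName": name, "state": state,
            "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": list(exclude)},
                           "applications": {"includeApplications": ["All"]},
                           "clientAppTypes": list(client_types)},
            "grantControls": {"operator": "OR", "builtInControls": [control]}}

SAMPLE_TENANTS = {   # constructed sample export for two fictional client tenants
    "contoso-au": [
        policy("CA001 Block legacy auth", "enabled", "block", ["exchangeActiveSync", "other"], ["bg-1"]),
        policy("CA002 Require MFA all users", "enabled", "mfa", ["all"], ["bg-1"]),
    ],
    "fabrikam-au": [
        policy("Require MFA", "enabledForReportingButNotEnforced", "mfa", ["all"]),
    ],
}
# Break-glass account object IDs per tenant (constructed placeholders).
BREAK_GLASS = {"contoso-au": {"bg-1"}, "fabrikam-au": {"bg-2"}}

def _scope_all(p):
    c = p["conditions"]
    return ("All" in c["users"].get("includeUsers", [])
            and "All" in c["applications"].get("includeApplications", []))

def _controls(p):
    return set((p.get("grantControls") or {}).get("builtInControls", []))

def audit_tenant(policies, break_glass):
    """Return baseline deviations for one tenant (empty list means compliant)."""
    findings = []
    enforced = [p for p in policies if p.get("state") == "enabled" and _scope_all(p)]
    if not any(LEGACY_CLIENTS <= set(p["conditions"].get("clientAppTypes", []))
               and "block" in _controls(p) for p in enforced):
        findings.append("no enforced policy blocking legacy authentication")
    if not any("mfa" in _controls(p) for p in enforced):
        findings.append("no enforced MFA-for-all-users policy")
    for p in policies:   # report-only policies count too: they will be enabled later
        if _scope_all(p) and _controls(p) & {"mfa", "block"}:
            missing = break_glass - set(p["conditions"]["users"].get("excludeUsers", []))
            if missing:
                findings.append(f"{p['displayName']}: break-glass not excluded {sorted(missing)}")
    return findings

def audit_all(tenants, break_glass):
    """Monthly run across every client tenant: tenant name -> list of deviations."""
    return {t: audit_tenant(p, break_glass.get(t, set())) for t, p in tenants.items()}
```

A non-empty list is a deviation to fix or to record as a documented exception (step 4).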

Data Loss Prevention (DLP)

Common DLP Policies for Australian MSPs

Personally Identifiable Information:
  • Block external sharing of TFN (Tax File Number)
  • Block external sharing of Medicare numbers
  • Monitor and alert on credit card numbers
  • Protect Australian driver's licence numbers

Business Data:
  • Prevent accidental sharing of financial documents
  • Block sensitive data in email attachments
  • Protect confidential client information

Health Data:
  • Protect patient health information (My Health Record data)
  • Block external sharing of medical records
  • Monitor access to health-related SharePoint sites

Implementation Tips

  1. Start in audit mode — Don't block immediately; monitor for 2-4 weeks
  2. Tune policies — Remove false positives before enabling blocking
  3. Train users — Explain why DLP is in place and how it protects them
  4. Review regularly — Adjust as business needs change
  5. Document everything — Required for compliance audits
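An added example (not from this guide) of the check-digit validation a custom sensitive information type can apply to the TFN and Medicare numbers in the PII policies above; validating the checksum is one way to remove the false positives step 2 asks you to clear before switching a DLP policy from audit to block. The sample message and numbers are constructed; the TFN and Medicare check-digit weightings are the published ones.

```python
import re

# TFN: 9 digits, weighted sum mod 11 == 0.  Medicare: 10 digits (11 with the IRN),
# first digit 2-6, weighted sum of digits 1-8 mod 10 == digit 9 (the check digit).
TFN_WEIGHTS = (1, 4, 3, 7, 5, 8, 6, 9, 10)
MEDICARE_WEIGHTS = (1, 3, 7, 9, 1, 3, 7, 9)

def _digits(token):
    """Strip the spaces and hyphens people type into identifiers."""
    return re.sub(r"[ -]", "", token)

def is_valid_tfn(token):
    d = _digits(token)
    if not re.fullmatch(r"\d{9}", d):
        return False
    return sum(int(c) * w for c, w in zip(d, TFN_WEIGHTS)) % 11 == 0

def is_valid_medicare(token):
    d = _digits(token)
    if not re.fullmatch(r"[2-6]\d{8}\d{1,2}", d):   # 10 digits, or 11 with IRN
        return False
    check = sum(int(c) * w for c, w in zip(d[:8], MEDICARE_WEIGHTS)) % 10
    return check == int(d[8])

# Candidate shapes only; the checksum decides whether a candidate is reported.
CANDIDATE = re.compile(
    r"\b\d{4}[ -]?\d{5}[ -]?\d(?:[ -]?\d)?\b"   # Medicare: 4-5-1(-1)
    r"|\b\d{3}[ -]?\d{3}[ -]?\d{3}\b"           # TFN: 3-3-3
)

def scan(text):
    """Return (type, value) for every checksum-valid identifier found in text."""
    hits = []
    for m in CANDIDATE.finditer(text):
        token = m.group(0)
        if is_valid_tfn(token):
            hits.append(("TFN", token))
        elif is_valid_medicare(token):
            hits.append(("Medicare", token))
    return hits

# Constructed sample message: one checksum-valid TFN, one purchase-order number that
# only looks like a TFN (a false positive for a digits-only rule), one Medicare number.
SAMPLE_TEXT = ("New starter TFN 123 456 782. PO 123456789 is unrelated. "
               "Medicare 2123 45670 1 on file.")
```

Running scan(SAMPLE_TEXT) reports the TFN and the Medicare number but not the PO number, which is the behaviour a tuned policy should show in audit mode before blocking is enabled.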

Retention Policies

Standard Retention Framework

Data Type             Retention                  Reason
--------------------  -------------------------  ---------------------------
Email                 7 years                    Australian business records
Financial documents   7 years                    ATO requirements
HR records            7 years after termination  Fair Work requirements
Contracts             7 years after expiry       Legal limitation
Client data           Per contract terms         Varies
Teams messages        7 years                    Business communications
SharePoint documents  Per policy                 Business requirements

Implementation

  1. Create retention labels — Define labels for different data types
  2. Apply auto-labeling — Use trainable classifiers for common document types
  3. Configure retention policies — Apply to mailboxes, sites, and groups
  4. Test with pilot group — Verify before broad deployment
  5. Monitor and adjust — Review quarterly

Compliance Checklist

  • [ ] MFA enabled for all users
  • [ ] Conditional Access policies deployed
  • [ ] DLP policies in audit mode (or blocking after tuning)
  • [ ] Retention policies configured
  • [ ] Audit logging enabled
  • [ ] Guest access restrictions in place
  • [ ] External sharing controls configured
  • [ ] Admin accounts use separate credentials
  • [ ] Break-glass accounts configured and secured
  • [ ] Regular access reviews scheduled
  • [ ] Compliance baseline documented
  • [ ] Client-specific customisations documented

[!TIP] Governance isn't a one-time project — it's an ongoing process. Schedule quarterly reviews of each client's M365 configuration against your baseline. Document every deviation and ensure compensating controls are in place.

Frequently Asked Questions

How do I set up proper M365 governance?
Start with naming conventions, implement least-privilege access, set up retention policies, and configure security baselines. See our M365 Governance guide for step-by-step setup.
What are the most common M365 governance mistakes?
Common issues include excessive permissions, unmanaged guest access, no retention policies, and missing MFA. See our M365 Governance Mistakes for the full list.
