Tenant security monitoring

Introduction

The Microsoft tenant is an early control plane. It should be useful on day one, but it should also be monitored because identity compromise quickly becomes business compromise.

Default onmicrosoft.com domain

The default onmicrosoft.com domain is useful and should be understood, not ignored. It can help with tenant identification, early setup, recovery scenarios and separation between the permanent company domain and the underlying Microsoft tenant.

Record:

• the tenant name and default onmicrosoft.com domain
• who owns the tenant
• which custom domains are verified
• whether any accounts still rely on the default domain
• how the default domain is used in recovery or administration scenarios

The default domain should not become a confusing shadow identity surface. It should be documented as part of the tenant record.

Identity security alerts

The company should enable practical alerts and automated controls early. At minimum, consider:

• SSO configuration changes.
• Enterprise application consent changes.
• Conditional Access changes.
• MFA changes for administrators.
• PIM role assignment or activation changes.
• Break-glass account sign-in or credential change.
• Risky user detection.
• Automatic disablement or blocking of high-risk users where appropriate.
• High failed-login volume, for example 100 failed logins in one hour.
• Sign-ins from unusual locations or impossible travel where available.
• Privileged role assignment outside the expected process.

The exact implementation can mature over time, but the company should not run privileged identity without visibility. Alerts should have owners, response expectations and a route into the incident process.

Identity review cadence

Identity monitoring should become a recurring review, not only a set of alerts. Run identity security review loop to review:

• disabled, expired, stale or inactive identities
• guest users and accounts without a clear owner
• risky users and risky sign-ins
• PIM eligible assignments, activations, approvals and repeated activations
• SSO, enterprise application consent, Conditional Access and MFA changes
• break-glass sign-in or credential-change evidence
• failed-login, password spray, impossible travel or unusual-location alerts

After Production, the same review should mature to include access reviews, phishing resilience, identity assurance for high-risk roles, MFA strength and evidence suitable for customer assurance.

How this evolves as the company grows

• At company setup, tenant monitoring should cover risky users, suspicious sign-ins, failed login spikes and critical identity changes.

• Before POC, alerts should protect the small number of accounts and assets that could compromise everything.

• Before Production, identity review should include PIM activity, privileged role changes, enterprise app consent and break-glass access.

• As the company scales, identity security should include regular access reviews, phishing resilience and board-visible material risks.

What an agent should look for

• Are risky users and failed-login spikes monitored?

• Are PIM and privileged changes reviewed?

• Are identity risks escalated when material?

What good looks like

The company can explain the decision, show the evidence behind it and identify the next point where the control needs to mature.