Unit 8: Configure Tenant-Wide Settings

Tenant-wide settings apply globally to all users, groups, and applications in a tenant. They control identity behavior, external collaboration, and default security posture.

1. Tenant Properties

Location: Identity → Overview → Properties Includes:

• Directory name.
• Country/region (set during creation and cannot be changed).
• Notification language.
• Tenant ID (unique GUID).
• Technical and privacy contacts.

2. User Settings

Location: Identity → Users → User Settings Controls global user permissions such as:

• Whether users can register applications.
• Whether non-admins can access the Entra admin portal.
• LinkedIn sign-in and data sharing integration.

Example: Contoso disables app registration for all users and assigns only the Application Developer role to its DevOps team.

3. External Collaboration Settings

Location: Identity → External Identities → External collaboration settings Defines what guest users can do:

• Whether they can invite others.
• Whether they have self-service capabilities.
• How much access they get (limited or full).

4. Manage Security Defaults

Security Defaults enforce preconfigured security baselines:

• Require MFA for all users and admins.
• Block legacy authentication protocols.
• Protect Azure portal access.

Availability: Included at no cost for all tenants to help combat password spray, replay, and phishing attacks.

Example: Fabrikam enables Security Defaults to enforce MFA automatically without purchasing Entra P1 or P2.

5. Configure Tenant Properties

Key fields to maintain:

• Name: Friendly tenant name (e.g., “Contoso Marketing Co.”).
• Country/Region: Defines data residency (immutable).
• Notification Language: Default for alerts.
• Tenant ID: Needed for API access and troubleshooting.
• Technical Contact: Person responsible for technical queries.
• Global Privacy Contact: Contact for privacy issues and breach notifications.
• Privacy Statement URL: Link to the company’s privacy policy.

Best Practice: Always fill out privacy contacts and URLs so Microsoft can reach the correct personnel in case of incidents.