Managing Multiple Tenants
Best practices for MSPs and organisations monitoring dozens of Microsoft 365 tenants.
1. Connecting Tenants
Each Microsoft 365 tenant requires its own OAuth connection. To connect a new tenant, navigate to the tenants page in SPScan and click "Connect Tenant". You will be redirected to Microsoft's login page where you need to sign in with an administrator account from the target tenant. The administrator must have either the Global Administrator or SharePoint Administrator role to grant the necessary application permissions.
For MSPs, you will typically need to coordinate with your client's IT contact to complete the OAuth consent flow. Some MSPs prefer to walk clients through the consent process during an onboarding call, while others send a direct link and instructions. The consent flow takes less than a minute to complete once the administrator is ready, and SPScan will begin scanning the tenant automatically afterwards.
SPScan uses Microsoft's multi-tenant OAuth authority, which means you do not need to register a separate application in each client's Azure AD. The same SPScan application is used across all tenants, simplifying the onboarding process. OAuth tokens are stored encrypted and are automatically refreshed before they expire, so connected tenants continue to be scanned without manual intervention.
2. Organising Your Dashboard
When you are monitoring many tenants, the dashboard becomes your primary operational tool. SPScan's dashboard provides an overview of all connected tenants with key metrics including compliance score, site count, storage usage, and the time of the last scan. Tenants with issues are highlighted so you can quickly identify which ones need attention.
Use the tenants list to get a comprehensive view of all connected tenants sorted by name, compliance score, or last scan time. The compliance score sort is particularly useful for daily reviews because it puts the tenants with the most permission issues at the top. You can click into any tenant to see its detailed sites, permissions, storage, and alerts.
For MSPs managing large numbers of tenants, we recommend establishing a daily review routine. Spend five minutes each morning scanning the dashboard for tenants with declining compliance scores or new high-severity alerts. This proactive approach catches issues early and prevents them from escalating into security incidents that are more difficult and time-consuming to remediate.
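The daily review described above can be scripted against an exported tenant summary. The following is an added example, not SPScan code: the field names, the weights and the snapshot are constructed assumptions, and a tenant marked as disconnected is ranked first because it is no longer being scanned at all.

```python
from datetime import datetime, timedelta, timezone

# Constructed snapshot; field names are assumptions, not SPScan's export schema.
NOW = datetime(2024, 5, 14, 8, 0, tzinfo=timezone.utc)
SNAPSHOT = [
    {"tenant": "Contoso Health", "status": "connected", "score_prev": 91,
     "score_now": 78, "new_high_alerts": 2, "last_scan": "2024-05-14T02:10:00+00:00"},
    {"tenant": "Fabrikam Marketing", "status": "connected", "score_prev": 88,
     "score_now": 89, "new_high_alerts": 0, "last_scan": "2024-05-14T03:00:00+00:00"},
    {"tenant": "Northwind Legal", "status": "disconnected", "score_prev": 85,
     "score_now": 85, "new_high_alerts": 0, "last_scan": "2024-05-11T01:00:00+00:00"},
    {"tenant": "Tailspin Toys", "status": "connected", "score_prev": 70,
     "score_now": 69, "new_high_alerts": 0, "last_scan": "2024-05-12T06:00:00+00:00"},
]

STALE_AFTER = timedelta(hours=36)  # assumed: scans older than this are a blind spot
MIN_SCORE_DROP = 5                 # assumed: ignore day-to-day noise below this


def triage(snapshot, now=NOW):
    """Return [(tenant, [reasons])], most urgent first."""
    flagged = []
    for t in snapshot:
        reasons, urgency = [], 0
        if t["status"] != "connected":
            # Unmonitored tenant: its last score says nothing about today.
            reasons.append("disconnected")
            urgency += 100
        elif now - datetime.fromisoformat(t["last_scan"]) > STALE_AFTER:
            reasons.append("stale scan")
            urgency += 40
        if t["new_high_alerts"]:
            reasons.append(f"{t['new_high_alerts']} new high-severity alert(s)")
            urgency += 30 * t["new_high_alerts"]
        drop = t["score_prev"] - t["score_now"]
        if drop >= MIN_SCORE_DROP:
            reasons.append(f"compliance score down {drop} points")
            urgency += drop
        if reasons:
            flagged.append((urgency, t["tenant"], reasons))
    flagged.sort(key=lambda f: (-f[0], f[1]))
    return [(name, reasons) for _, name, reasons in flagged]


if __name__ == "__main__":
    for name, reasons in triage(SNAPSHOT):
        print(f"{name}: {'; '.join(reasons)}")
```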
3. Per-Tenant Configuration
Each connected tenant can be configured independently in SPScan. The tenant detail page allows you to view and manage monitoring settings, alert rules, and storage thresholds for that specific tenant. This per-tenant configuration ensures that each tenant's monitoring is tailored to its specific requirements and risk profile.
Alert rules are scoped to individual tenants, so you can create different rules for different clients. A healthcare client might need alerts for any external sharing activity, while a marketing agency might only want alerts for anonymous access links. You can also assign different alert channels to different tenants, ensuring that notifications reach the right people.
Storage thresholds can also be configured per tenant. If one client has purchased additional SharePoint storage and has a higher quota, you can adjust the threshold alerts accordingly. This flexibility ensures that alerts are meaningful and actionable rather than generating false positives based on default thresholds that do not reflect the tenant's actual capacity.
4. Disconnecting Tenants
When you need to stop monitoring a tenant, you can disconnect it from the tenant detail page. Disconnecting a tenant revokes SPScan's OAuth token, removes the tenant from your dashboard, and updates your subscription quantity so you are no longer billed for that tenant. The process is immediate and does not affect any other connected tenants.
Before disconnecting a tenant, consider exporting any reports or data that you might need in the future. Once a tenant is disconnected, its historical scan data, permission records, and compliance scores are no longer accessible. If you need to retain this data for compliance or contractual purposes, download the relevant CSV and PDF reports before disconnecting.
If a client's OAuth token expires or is revoked from the Microsoft side (for example, if the client removes admin consent through Azure AD), SPScan will mark the tenant as disconnected and stop scanning it. You will receive a notification about the failed token refresh so you can coordinate with the client to re-establish the connection if needed.
5. Best Practices
Establish a consistent naming convention for your tenants in SPScan. Use the client's company name or a standardised abbreviation so that tenants are easy to identify at a glance. Consistent naming becomes increasingly important as you add more tenants, and it helps team members who are less familiar with specific clients navigate the dashboard efficiently.
Create a standard set of alert rules that you apply to every new tenant as a baseline. This ensures that critical events like anonymous sharing links and external access changes are always monitored, regardless of which team member onboards the tenant. You can then add tenant-specific rules on top of the baseline as needed for clients with particular requirements.
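A baseline only helps if every tenant still carries it after tenant-specific rules have been edited. The following added example (not SPScan code) audits per-tenant rule sets against a baseline; the rule layout, event names and tenant data are hypothetical and constructed for illustration.

```python
# Hypothetical rule layout and event names; SPScan's own rule format may differ.
BASELINE = {  # event -> minimum severity every tenant must alert at
    "anonymous_link_created": "high",
    "external_access_changed": "high",
}
RANK = {"low": 0, "medium": 1, "high": 2}

# Constructed per-tenant rule sets (baseline plus tenant-specific additions).
TENANT_RULES = {
    "Contoso Health": [
        {"event": "anonymous_link_created", "severity": "high", "enabled": True, "channel": "soc@msp.example"},
        {"event": "external_access_changed", "severity": "high", "enabled": True, "channel": "soc@msp.example"},
        {"event": "external_sharing_any", "severity": "medium", "enabled": True, "channel": "it@contoso.example"},
    ],
    "Fabrikam Marketing": [
        {"event": "anonymous_link_created", "severity": "low", "enabled": True, "channel": "soc@msp.example"},
    ],
    "Northwind Legal": [
        {"event": "anonymous_link_created", "severity": "high", "enabled": False, "channel": "soc@msp.example"},
        {"event": "external_access_changed", "severity": "high", "enabled": True, "channel": ""},
    ],
}

def rule_problem(rule, min_severity):
    """Return why a rule fails to satisfy a baseline entry, or None if it does."""
    if not rule["enabled"]:
        return "disabled"
    if not rule["channel"]:
        return "no alert channel"
    if RANK[rule["severity"]] < RANK[min_severity]:
        return f"severity {rule['severity']} below {min_severity}"
    return None

def baseline_gaps(rules, baseline=BASELINE):
    """List (event, problem) for every baseline event the tenant does not cover."""
    gaps = []
    for event, min_severity in baseline.items():
        problems = [rule_problem(r, min_severity) for r in rules if r["event"] == event]
        if not problems:
            gaps.append((event, "missing"))
        elif None not in problems:  # no rule for this event fully meets the baseline
            gaps.append((event, problems[0]))
    return gaps

def audit(tenant_rules):
    """Map tenant name -> gaps, omitting tenants that meet the baseline."""
    return {t: g for t, r in tenant_rules.items() if (g := baseline_gaps(r))}
```

Tenant-specific rules such as the extra external-sharing rule on the first tenant do not affect the result; only missing, disabled, unrouted or downgraded baseline rules are reported.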
Schedule regular compliance reviews for all tenants, ideally monthly or quarterly. Use SPScan's compliance reports to track trends across your entire portfolio and identify tenants that need additional attention. These reviews are also an opportunity to revisit alert rules and thresholds, ensuring that your monitoring configuration evolves with your clients' changing needs and SharePoint usage patterns.