Why tenant sprawl is a business risk hiding in plain sight

David Guest

Solution Architect & Technology Evangelist

Published: 21 April 2026

Acquisitions and rapid growth often leave organisations with Microsoft identity environments they cannot fully see or govern. That’s a leadership blind spot that increases the likelihood, impact and cost of incidents. This article shows how to regain visibility and accountability, and enable governance for all tenants before an audit or breach forces the issue.

Organisations are rarely static entities, regularly evolving through merger and acquisition (M&A), expansion, or periods of rapid growth.

The often unintended consequence of these changes is that you end up running more than one Microsoft identity environment.

This is tenant sprawl, and it represents a genuine risk to resilience that many boards have yet to put on the agenda.

Why tenant sprawl matters

Tenant sprawl creates security and operational exposure that can be hard (in some cases, impossible) for leadership to measure or manage.

Fragmented identity environments create gaps that attackers exploit. Incidents take longer to contain and cost more to resolve.

It’s also an area of growing interest with regulators and auditors, who increasingly expect clarity and evidence you may not be able to confidently provide.

From a business perspective, this matters for a number of reasons.

1. Resilience

Security investments assume consistency. Controls like identity protection, access governance and monitoring are designed for environments you know about. Tenants that sit outside that view undermine those investments and increase the likelihood of undetected compromise.

2. Operational exposure

Unclear ownership creates fragility. When key individuals leave, or incidents occur, recovering access to unknown or poorly documented tenants is slow and disruptive. That delay has direct operational and reputational consequences. UK resilience guidance consistently emphasises simplicity and architectural clarity. Tenant sprawl moves organisations in the opposite direction.

3. Accountability

Regulatory and audit expectations increasingly require clarity over where data resides and who can access it. Tenant sprawl makes it harder to evidence control, even when intent is sound. NIS2 pushes organisations toward access control and privilege management that apply across the whole supply chain, including subsidiaries and acquired entities.

Attackers understand this dynamic. They know that unmanaged tenants often have lighter controls and weaker oversight. These environments are used as entry points or stepping stones into better-protected systems.

Visibility is the foundation of control

Good governance starts with good visibility.

Executives should expect a clear, defensible answer to three questions.

Which tenants are connected to our organisation?

How do they connect to our users, services, applications and data?

Who owns decisions and accountability for each one?

This requires a view of every tenant relationship that can create material risk, from external access to shared services and commercial ownership. Once identified, classify each tenant by exposure and decide the required action: govern it, restrict it, integrate it, or retire it.

This turns an abstract risk into a managed portfolio with clear ownership, prioritisation, and reporting that leadership can track over time.

Scaling governance without slowing the business

The second challenge is scale. Traditional ways of managing access across tenants create complexity and introduce new risks. They do not align with how organisations operate after growth or acquisition.

Effective governance relies on a central model that keeps access consistent across the estate. It supports separation of duties, clear accountability, and faster change when teams reorganise or when a new acquisition lands.

For organisations going through merger and acquisition, this removes a familiar drag on integration. You bring new tenants under governance quickly, with minimal disruption to business continuity.

The ICO’s action against Marriott after the Starwood acquisition showed how inherited environments become your accountability once you own the risk.

Configuration drift undermines long-term resilience

Security posture is not static. Over time, configurations and policies change, and local decisions introduce inconsistency. This drift often goes unnoticed until an incident exposes it.

Leaders already manage this pattern in other areas. Standards are set, adherence is checked, and exceptions are reviewed. Identity and security need the same operating rhythm to sustain resilience.

Regular validation against agreed standards reduces the chance that today’s secure environment becomes a future weak link.

Governing tenants from day one

A critical shift is mindset. Tenant creation itself should be treated as a governed business process.

Make tenant creation a governed business process with fast approval, clear ownership, and a defined lifecycle. That keeps new environments inside oversight from the start, instead of pulling them into control during an incident.

This is especially important for project-led or temporary tenants, which are the most likely to be forgotten and the hardest to recover.

What this means for executive leadership

The core insight is simple. Your security controls are only as strong as the environments they cover. Unseen tenants weaken the value of every investment made in identity, security and compliance.

Tenant governance is no longer a technical hygiene issue. It is a resilience, risk and accountability concern that deserves senior sponsorship.

The question for leadership is not whether tenant sprawl exists. It is whether you are discovering it through structured governance or through an attack, outage or audit finding.

That choice is still yours.

Not sure you could answer “how many tenants do we have” with confidence? Contact our team.

Author

David Guest

Solution Architect & Technology Evangelist

David is responsible for developing identity, Microsoft 365 security, and other cloud service solutions – and keeping our clients abreast of the latest technology trends.
