Manage your partner tenant
Your own Microsoft 365 tenant — the one your MSP staff sign in with — is special. Manage365 lets you manage it under the same roof as your customer tenants, but without GDAP, without charging you for it, and without the risk of deleting it by accident.
What is_own_msp_tenant means
When a tenant is flagged as your own, three things change:
- No GDAP required — Manage365 talks to Graph directly using client credentials against your partner app registration. You're already the tenant admin, so the delegation dance isn't needed.
- Free — excluded from billing — your own tenant never counts toward billed tenant totals. Business tier with 19 customer tenants + your own partner tenant invoices as 19 tenants, not 20.
- Protected from hard-delete — the tenant-delete endpoint refuses to remove your own tenant. If you really need to disconnect it, use the Disable action on the /my-tenant page instead (see below).
How it gets enabled
Automatically, on Graph setup
When an MSP owner completes the admin-consent flow on Settings → Graph API → Complete consent, Manage365:
- Reads the consenting tenant's tenant ID and primary verified domain from Microsoft Identity
- Checks whether a tenant with that tenantId already exists for this MSP
- If not, creates a tenant row with is_own_msp_tenant = true
- Runs the first Graph sync: users, licences, security score, CA policies. Same data shape as a GDAP-connected customer tenant.
You don't click anything beyond the admin-consent button — it just shows up in Customer tenants with a “Partner tenant” badge when the first sync completes.
Manually, via /my-tenant
If the auto-enable didn't fire (old consent before this feature shipped, or the tenant row was deleted and you need to re-add), go to Settings → My tenant:
- Enable — creates or converts the existing tenant row to is_own_msp_tenant = true
- Disable — clears the flag + removes the row. Your own partner tenant is the one case where delete is routed here instead of through the normal tenant-delete path.
What you can do with a partner tenant
Everything you can do with a customer tenant, minus the GDAP management UI:
- Compliance scans (Essential Eight / APRA / CIS M365)
- Standards drift detection + re-apply
- MSP Library assignments
- Alerts, notifications, playbooks
- Conditional Access review + edit
- Licence reporting + Copilot readiness
- User lifecycle, password resets, MFA ops
- Defender XDR cross-tenant views
The practical upshot: you get to dogfood Manage365 against your own tenant. Every feature you'd sell to a customer, you're running on yourself first.
Billing exclusion
The billing service filters out is_own_msp_tenant tenants when computing invoiced totals. This runs at invoice generation time — there's no config toggle, and there's no way to accidentally get charged for your own tenant. See Billing & invoicing for the full billing rules.
Hard-delete protection
The normal tenant-delete path (see Hard-delete tenants + MSPs) refuses to operate on a partner tenant. The response:
403 Forbidden
{
  "message": "Cannot hard-delete the MSP's own partner tenant. Disable via /my-tenant first."
}
This is deliberate. Accidentally wiping your own tenant row would break sign-in for every MSP user and cascade-delete audit events the platform needs for incident forensics. The Disable action on /my-tenant is the only path out.
Endpoints
| Method + path | What it does | Permission |
|---|---|---|
| GET /my-tenant | Returns the partner tenant (if any), plus the detected tenant ID from the current admin-consent session | TENANTS_READ |
| POST /my-tenant/enable | Create or convert the partner tenant row | TENANTS_MANAGE (msp_owner / msp_admin) |
| POST /my-tenant/disable | Remove the partner tenant row (data cascade) | TENANTS_MANAGE (msp_owner / msp_admin) |
Common pitfalls
- Trying to change the flag on a customer tenant — is_own_msp_tenant is set by the auto-enable flow only. It can't be flipped on an existing customer tenant via the normal tenant-edit form.
- Multiple partner tenants per MSP — not supported. Each MSP has exactly one Microsoft partner registration and therefore exactly one partner tenant. The enable endpoint rejects a second with 409.
- GDAP invite to your own tenant — ignored. If you accidentally send a GDAP invite to your own partner tenant it's de-duplicated against the client-credentials connection and skipped. No errors, no duplicate rows.
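The rules from Hard-delete protection, Endpoints and the pitfalls above, combined into one in-memory model that can double as an acceptance checklist. This is an added example, not Manage365 code: the class and method names are hypothetical, the tenant IDs are constructed, and the 200 and 404 statuses are assumptions (the page documents only 403 and 409).

```python
# Added illustration, not Manage365 code: an in-memory model of this page's rules.
# Names are hypothetical; 200/404 statuses are assumptions (page gives 403, 409).
DELETE_REFUSED = ("Cannot hard-delete the MSP's own partner tenant. "
                  "Disable via /my-tenant first.")

class Msp:
    def __init__(self, customer_ids=()):
        self.tenants = {tid: False for tid in customer_ids}  # id -> is_own_msp_tenant

    def partner_id(self):
        return next((tid for tid, own in self.tenants.items() if own), None)

    def enable_my_tenant(self, tenant_id):
        """POST /my-tenant/enable: create the row or convert an existing one."""
        current = self.partner_id()
        if current is not None and current != tenant_id:
            return 409, "a partner tenant already exists"
        self.tenants[tenant_id] = True
        return 200, tenant_id

    def disable_my_tenant(self):
        """POST /my-tenant/disable: clears the flag and removes the row."""
        current = self.partner_id()
        if current is None:
            return 404, "no partner tenant"
        del self.tenants[current]
        return 200, current

    def hard_delete(self, tenant_id):
        """Normal tenant-delete path: refuses the partner tenant with 403."""
        if tenant_id not in self.tenants:
            return 404, "unknown tenant"
        if self.tenants[tenant_id]:
            return 403, {"message": DELETE_REFUSED}
        del self.tenants[tenant_id]
        return 200, tenant_id

    def billed_tenant_count(self):
        """Invoice-time filter: flagged tenants never count."""
        return sum(1 for own in self.tenants.values() if not own)

def walk_through():
    msp = Msp(f"cust-{i}" for i in range(19))       # constructed tenant IDs
    steps = [msp.enable_my_tenant("partner-0")[0],  # created and flagged
             msp.enable_my_tenant("partner-1")[0],  # second partner tenant
             msp.hard_delete("partner-0")[0],       # protected row
             msp.billed_tenant_count(),             # 19 customers + own tenant
             msp.disable_my_tenant()[0]]            # the only path out
    return steps, len(msp.tenants)
```

`walk_through()` returns the status sequence for enable, second enable, hard-delete, the billed count, and disable, followed by the number of rows left.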
FAQ
Can staff on my partner tenant see customer data? No — that's a Manage365 RBAC question, not a tenant-flag question. Staff see what their MSP role lets them see, regardless of whose tenant they authenticate from.
What if my Microsoft partner tenant ID changes? Rare (usually only on tenant migration). Disable via /my-tenant, then complete Graph consent again from the new tenant; auto-enable will recreate the row with the new ID.
Does the partner tenant appear in portfolio rollups? Yes — Defender XDR, wallboards, and cross-tenant user search include it. It's just another tenant for read purposes.