Microsoft has significantly expanded the multitenant content distribution capability in the Defender portal, enabling security partners to distribute more content types across customer tenants.

What's New?

Security-focused partners (MSSPs) managing Microsoft Sentinel and Defender security content across multiple customer tenants can now distribute four additional content types:

Analytics rules — Custom detection rules

Automation rules — Automated response workflows

Workbooks — Custom dashboards and reports

Alert tuning rules — Fine-tuned alert configurations

What Is Content Distribution?

Content distribution is a powerful multitenant feature that enables scalable management of security content across customer tenants. Here's how it works:

1. Create Distribution Profiles

Within the multitenant portal, partners create content distribution profiles that define what content should be replicated and where.

2. Seamless Replication

Content from a source tenant (such as custom detection rules) is seamlessly replicated to designated target tenants.

3. Localized Execution

Once distributed, the content runs on the target tenant, enabling:

- Centralized control — Manage content from one location
- Localized execution — Content operates within each customer's environment
- Consistent baseline — Ensure uniform security posture across all customers

Why This Matters for MSSPs

Faster Tenant Onboarding

Quickly onboard new customers by replicating proven security content, eliminating manual configuration time.

Consistent Security Baseline

Maintain uniform security policies, detection rules, and automation across your entire customer base.

Centralized Management

Update security content once and distribute it across all managed tenants, reducing operational overhead.

Scalability

Manage security content for dozens or hundreds of customer tenants from a single interface.

Who Should Use This?

This capability is designed for:

- Managed Security Service Providers (MSSPs) managing multiple customer tenants
- Partners with delegated access to customer environments
- Security teams responsible for Microsoft Sentinel and Defender across multiple tenants

Technical Requirements

- Multitenant management access in the Defender portal
- Delegated access to customer tenants
- Microsoft Sentinel and/or Defender deployed in managed tenants

Supported Content Types (Current)

With this update, the complete list of supported content types includes:

- Analytics rules
- Automation rules
- Workbooks
- Alert tuning rules
- (Previous content types remain supported)

Next Steps

  1. Review your current security content — Identify rules, workbooks, and automation that should be standardized across customers
  2. Create distribution profiles — Set up profiles in the multitenant Defender portal
  3. Test distribution — Start with a small set of target tenants to validate the process
  4. Scale deployment — Expand distribution to all managed tenants
  5. Learn more — Visit New content types supported in multitenant content distribution on Microsoft Community Hub

Source: Microsoft Partner Center Announcements — February 2, 2026