Managing six M365 tenants without losing my mind

In 2020, managing multiple M365 tenants manually was eating my weekends. User provisioning, license assignment, mailbox permissions, security policies. Every tenant slightly different. Every change a potential landmine. I decided to automate my way out of it.

The platform

I built an automation platform on Microsoft Graph. Cert-based app-only auth so there are no passwords to rotate. The service principal authenticates with a certificate, and the certificate lifecycle is managed separately. No interactive login. No service account passwords expiring at 2am on a Saturday.

The scripts could onboard a user, assign licenses, configure mailbox delegation, and set up MFA in under a minute. What used to be a 30-minute manual process across three different admin portals became a single command.

From scripts to agents

Scripts are great until the edge cases pile up. What if the license pool is exhausted? What if the mailbox hasn't provisioned yet when you try to set permissions? What if the user already exists in one tenant but not another?

So I started building agents on top of the scripts. The agents don't just run the commands. They understand the context. They check the license count before assigning. They verify the mailbox exists before setting permissions. They wait and retry with backoff when Exchange is being slow. They do what a careful human engineer would do, except they never forget a step.

Multi-tenant complexity

Six tenants means six sets of policies. Six sets of license SKUs that don't always map to the same names. Six sets of admin consent grants. The agents handle this by maintaining a tenant configuration layer. Each tenant has its own config that describes its license mappings, default groups, mailbox policies, and security baselines. The automation adapts to the tenant. I don't adapt the automation.
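The two ideas above, a per-tenant config layer and pre-flight checks with backoff, as an added illustration that is not the author's platform code. The tenant names, SKU values and the stand-in for the Graph `subscribedSkus` response are all constructed; in practice the probe and the SKU list would come from Microsoft Graph calls.

```python
import time

# Constructed tenant configuration layer (not the author's real config):
# the same role name maps to a different license SKU in each tenant.
TENANT_CONFIG = {
    "contoso":  {"license_map": {"standard": "SPE_E3"}},
    "fabrikam": {"license_map": {"standard": "SPB"}},
}

# Constructed stand-in for each tenant's GET /subscribedSkus response, using
# the real field names (skuPartNumber, prepaidUnits.enabled, consumedUnits).
FAKE_SUBSCRIBED_SKUS = {
    "contoso":  [{"skuPartNumber": "SPE_E3", "prepaidUnits": {"enabled": 100}, "consumedUnits": 99}],
    "fabrikam": [{"skuPartNumber": "SPB",    "prepaidUnits": {"enabled": 25},  "consumedUnits": 25}],
}


def free_seats(tenant, role, skus=FAKE_SUBSCRIBED_SKUS):
    """Resolve the role to this tenant's SKU and return unassigned seats."""
    sku_part = TENANT_CONFIG[tenant]["license_map"][role]
    for sku in skus[tenant]:
        if sku["skuPartNumber"] == sku_part:
            return sku["prepaidUnits"]["enabled"] - sku["consumedUnits"]
    raise KeyError(f"{tenant} has no subscription for {sku_part}")


def retry_with_backoff(probe, attempts=5, base=0.5, sleep=time.sleep):
    """Call probe() until it returns a value, sleeping base*2^i between misses.
    probe returns None while the resource (e.g. a new mailbox) is not there yet."""
    for i in range(attempts):
        result = probe()
        if result is not None:
            return result
        sleep(base * 2 ** i)
    raise TimeoutError(f"resource not available after {attempts} attempts")


def onboard_preflight(tenant, role, mailbox_probe, sleep=time.sleep):
    """The checks a careful engineer does before assigning a license and
    delegating a mailbox: seats are available, the mailbox has provisioned."""
    seats = free_seats(tenant, role)
    if seats < 1:
        return {"ok": False, "reason": f"license pool exhausted for {role} in {tenant}"}
    try:
        mailbox = retry_with_backoff(mailbox_probe, sleep=sleep)
    except TimeoutError as exc:
        return {"ok": False, "reason": str(exc)}
    return {"ok": True, "seats_after": seats - 1, "mailbox": mailbox}
```

Passing `sleep=` lets the backoff be exercised without real waits, which is also how the exhausted-pool and never-provisioned cases can be tested deterministically.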

What changed

My weekends came back. Onboarding went from "open three portals and hope you don't miss a step" to "run the agent and review the output." Offboarding went from a checklist I'd occasionally forget items on to a deterministic process that handles license recovery, mailbox conversion, and group cleanup in order.

The agents aren't perfect. They still escalate to me when something genuinely unexpected happens. But the 95% of tenant management that's repetitive and error-prone? That's handled. And it's handled the same way every time.