Tenant-to-tenant delivery is a direct mail path between Microsoft 365 tenants that may avoid the recipient's normal security stack. It can be legitimate for SaaS workflows, but it also creates a bypass route if organisations do not force all mail through their own inspection and logging layers.
Expanded Definition
Tenant-to-tenant delivery describes a message path in Microsoft 365 where mail is sent directly between tenants instead of being forced through an organisation’s usual inspection, filtering, archiving, and logging controls. The term is operational rather than formally standardised, and usage varies across Microsoft-centric environments, so definitions should be read as implementation focused rather than universal. In practice, the security concern is not the existence of tenant-to-tenant messaging itself, but the possibility that trust decisions, routing rules, or exceptions allow content to reach a recipient without the same protections applied to inbound internet mail. That can create blind spots for DLP, anti-phishing, malware analysis, and evidence retention. The most common misapplication is treating tenant-to-tenant delivery as equivalent to trusted internal mail, which occurs when administrators assume Microsoft origin alone guarantees inspection and provenance.
Examples and Use Cases
Implementing tenant-to-tenant delivery rigorously often introduces mail-flow complexity, requiring organisations to balance interoperability for business workflows against the cost of tighter inspection and exception management.
- A parent company and subsidiary share a Microsoft 365 trust relationship for collaboration, but mail bypasses the central secure email gateway unless routing is explicitly enforced.
- A SaaS provider sends service notifications from its own tenant to customer tenants, and security teams must decide whether those messages should still pass through NIST Cybersecurity Framework 2.0-aligned logging and filtering controls.
- A merger creates temporary tenant-to-tenant mail paths during cutover, increasing the risk that phishing or spoofed internal-looking messages evade normal scrutiny.
- Security operations teams test whether transport rules, journaling, and journaling exceptions preserve evidentiary traceability across tenant boundaries.
- Identity and email administrators review whether sender authentication, mailbox permissions, and cross-tenant trust settings create unintended delivery shortcuts.
Because this pattern is usually created for business continuity or integration, the key question is not whether mail can flow, but whether every route remains visible and controlled.
Why It Matters for Security Teams
Security teams need to understand tenant-to-tenant delivery because it can undermine assumptions about where inspection occurs, where logs are collected, and which policies actually apply. If messages bypass the organisation’s normal stack, controls for phishing detection, malware scanning, DLP, eDiscovery, and incident response may no longer have the same coverage. This is especially important in Microsoft 365 environments where email is often treated as a governed channel, yet routing exceptions can quietly create alternate paths. From a governance perspective, the issue maps to security architecture, monitoring, and data protection, all of which are core concerns in the NIST Cybersecurity Framework 2.0. Identity teams should also pay attention because cross-tenant delivery can blur accountability between source tenant, destination tenant, and any intermediary policy layer. Organisations typically encounter the real impact only after a suspicious message, compliance gap, or audit failure exposes the bypass, at which point tenant-to-tenant delivery becomes operationally unavoidable to address.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
NIST CSF 2.0 and NIST SP 800-53 Rev 5 set the technical controls, while ISO/IEC 27001:2022 define the regulatory obligations.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AA | Tenant-to-tenant delivery affects access path governance and trusted communications boundaries. |
| NIST SP 800-53 Rev 5 | AU-2 | Cross-tenant mail routing can weaken audit visibility if logging is not consistently preserved. |
| ISO/IEC 27001:2022 | A.8.12 | Email routing exceptions must be governed as information leakage and transfer risks. |
Document every cross-tenant mail path and enforce controls that preserve authorised communications boundaries.
Related resources from NHI Mgmt Group
Deepen Your Knowledge
Reviewed and updated by the NHIMG editorial team on July 14, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org