Microsoft Patents a Cross-Tenant Threat Detection System for Cloud Security
Most cloud security tools are blind to threats that hop between isolated customer environments. Microsoft's new patent describes a way to spot those cross-tenant attacks without breaking the privacy walls between customers.
How Microsoft's cross-tenant threat detection works
Imagine your company rents space in a large office building, and so does another company. Each of you has locked offices — you can't walk into theirs, and they can't walk into yours. But a burglar could hit both offices in the same night, and the building's security guard would never connect the dots because they only watch one floor at a time.
That's roughly the problem Microsoft is solving here. In cloud computing, each business customer lives in its own "tenant" — an isolated slice of the cloud with its own security rules and data walls. Today, spotting an attacker who moves between tenants is hard, because no single security tool is allowed to look across those walls.
This patent describes a system where security data from multiple tenants gets collected into a shared store, but each tenant's data is tagged with its own private label. A special cross-tenant analyzer, armed with a master permission key, can then look across all of it to spot patterns that would be invisible to any single tenant's security team — and automatically trigger a defensive response.
Inside the multi-tenant identifier and shared store design
The system has three main moving parts working together.
First, data collection: Security events — think login attempts, file access logs, network traffic anomalies — are gathered from resources inside each security-bounded tenant (an isolated customer environment with its own access controls). Each batch of data is tagged with a tenant-specific identifier before being written to a central tenant-shared store, a unified repository associated with a single security account.
Second, cross-tenant analysis: A dedicated analysis component uses a multi-tenant identifier — essentially a privileged credential tied to the unified security account — to request read access across all the tenant-tagged datasets simultaneously. This is the key innovation: normal per-tenant credentials only unlock one slice; this multi-tenant key unlocks the whole picture while the underlying data stays partitioned.
Third, automated response: If the analysis detects a security threat — say, a credential-stuffing campaign hitting accounts across Tenant A and Tenant B in a coordinated pattern — it triggers execution of a pre-configured instruction. That instruction causes a security action (blocking an IP, revoking a token, alerting an admin) to fire against whichever tenant or tenants are implicated.
The architecture is designed to preserve tenant isolation for normal operations while enabling a privileged, auditable security layer to see across boundaries when it matters.
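The three parts described above can be modeled in a few lines. This is an added example, not code from the patent or from any Microsoft product; the event fields, the credential format, the detection thresholds, and the `block_ip` action are all assumptions chosen for illustration.

```python
from collections import defaultdict

class SharedStore:
    """Tenant-shared store: every record lives in a partition keyed by tenant tag."""
    def __init__(self):
        self._partitions = defaultdict(list)
        self.audit = []  # (credential, tenants requested, allowed) for every read

    def write(self, tenant_id, event):
        self._partitions[tenant_id].append({**event, "tenant": tenant_id})

    def read(self, credential, tenants):
        # A credential unlocks only the partitions listed in its scope.
        denied = set(tenants) - credential["scope"]
        self.audit.append((credential["name"], sorted(tenants), not denied))
        if denied:
            raise PermissionError(f"{credential['name']} cannot read {sorted(denied)}")
        return [e for t in tenants for e in self._partitions[t]]

def detect_cross_tenant(events, min_tenants=2, min_failures=3):
    """Hypothetical rule: one source IP failing logins in several tenants."""
    per_ip = defaultdict(lambda: defaultdict(int))
    for e in events:
        if e["type"] == "login_failed":
            per_ip[e["src_ip"]][e["tenant"]] += 1
    return {ip: sorted(t) for ip, t in per_ip.items()
            if len(t) >= min_tenants and sum(t.values()) >= min_failures}

def respond(findings):
    """Pre-configured instruction: one action per implicated tenant."""
    return [("block_ip", tenant, ip)
            for ip, tenants in sorted(findings.items()) for tenant in tenants]

def build_demo():
    store = SharedStore()
    # Constructed sample events; addresses are from documentation ranges.
    for tenant, ip, kind in [
        ("tenant-a", "203.0.113.7", "login_failed"),
        ("tenant-a", "203.0.113.7", "login_failed"),
        ("tenant-b", "203.0.113.7", "login_failed"),
        ("tenant-b", "198.51.100.4", "login_failed"),
        ("tenant-a", "198.51.100.9", "login_ok"),
    ]:
        store.write(tenant, {"type": kind, "src_ip": ip})
    return store

# Assumed credential shapes: a per-tenant key and the multi-tenant identifier.
TENANT_A = {"name": "tenant-a-soc", "scope": {"tenant-a"}}
MULTI = {"name": "cross-tenant-analyzer", "scope": {"tenant-a", "tenant-b"}}
```

Reading with `TENANT_A` alone yields no finding for the same events that `MULTI` flags, and every read, allowed or denied, lands in `store.audit`, which is where the privileged path gets reviewed.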
What this means for enterprise Microsoft cloud security
For large enterprises running Microsoft 365, Azure, or Defender across multiple business units or subsidiaries — each with its own tenant — this kind of cross-tenant visibility is a genuine operational gap today. A sophisticated attacker who compromises a contractor's tenant and then pivots into a parent company's tenant can fly under the radar of both tenants' individual security dashboards.
This patent signals that Microsoft Defender or a future Sentinel feature could offer a unified threat-hunting layer that spans a customer's entire tenant footprint. For security teams managing multi-tenant estates, that's a meaningful workflow improvement — fewer blind spots, fewer manual correlation tasks, and faster automated lockdowns when a cross-environment pattern emerges.
This is solid, practical security infrastructure work rather than a flashy AI play. The clever part is the identifier architecture — using tenant-specific tags for storage isolation and a separate multi-tenant key for analysis — which is a clean solution to a real enterprise headache. It reads like something that's on a roadmap for Microsoft Defender for Cloud or Sentinel's multi-tenant management features, not a speculative moonshot.
Editorial commentary on a publicly published patent application. Not legal advice.