Skip to main content

The agency model

There are two ways to structure infrastructure for agency clients in TenantCore: one tenant per client, or multiple clients on a shared tenant with enforcement. One tenant per client is the recommended approach. Each client gets their own Microsoft 365 tenant, their own domains, and their own mailboxes. A suspension or deliverability problem for one client is fully isolated and cannot affect another. Multiple clients on a shared tenant is a viable alternative if you are managing strict send limits through TenantCore’s enforcement. The risk of a shared tenant is that all clients share the same TERRL and the same Microsoft abuse detection surface. With enforcement active on every domain, that risk is manageable, but the responsibility for keeping the tenant healthy sits entirely with you. See Tenant Architecture and Understanding TERRL for a full breakdown of how shared tenants work and what enforcement covers.

Who owns the tenant

There are two ways to structure tenant ownership for agency clients: The client creates and owns the Microsoft 365 tenant. You connect it to TenantCore using their Global Administrator credentials or a dedicated admin account they provision for you. Pros:
  • Client retains full ownership of infrastructure
  • No billing relationship between you and Microsoft for client licenses
  • Clean offboarding — you disconnect the tenant, they keep everything
Cons:
  • Requires client to set up a Microsoft account
  • More coordination overhead during onboarding

Agency-owned

You create and own the Microsoft 365 tenant on behalf of the client. You manage billing, licensing, and access. Pros:
  • Faster onboarding — no client involvement required
  • Full infrastructure control
Cons:
  • You absorb license costs (or pass them through with markup)
  • Offboarding requires transferring ownership or migrating infrastructure

Onboarding workflow

Regardless of ownership structure, the provisioning sequence is the same:

1. Create the tenant

Follow the Microsoft Tenant Setup guide. If the client is creating their own tenant, share that guide with them and have them send you Global Administrator credentials or create a dedicated admin account for your access.

2. Register sending domains

For each client, register dedicated sending domains. Use brand-adjacent variations — not the client’s primary domain. Examples for a client at acme.com:
  • tryacme.com
  • getacme.com
  • acmehq.com
Register these at your preferred registrar. The client does not need to be involved in domain registration unless they prefer to own the domains themselves.

3. Connect the tenant to TenantCore

  1. Go to Tenants in the TenantCore app
  2. Click Connect Tenant
  3. Enter the Global Administrator credentials for the client’s tenant
  4. TenantCore connects and configures Exchange Online
Label the tenant clearly in TenantCore, use the client’s name or a consistent naming convention so tenants are easy to identify across your account.

4. Add domains and configure DNS

Add each sending domain to the tenant through TenantCore. For each domain:
  1. TenantCore generates DNS records (MX, SPF, DKIM, DMARC and Microsoft 365 service records)
  2. Add those records to the domain’s registrar
  3. Wait for propagation and verification
If the client owns the domains, share the DNS records with them and have them add the records themselves, or request registrar access.

5. Provision mailboxes

Once domains are verified, provision mailboxes. New infrastructure should start conservatively, begin at 4 to 7 emails per mailbox per day and ramp up toward the 25 per day ceiling as your domains age and build reputation.

6. Set enforcement

After mailboxes are provisioned, set send limit enforcement through the Set Global Limit button on your dashboard. Select the tenant, select the domains, and apply the limit. This provisions transport rules in Exchange Online per domain.
Enforcement is not applied automatically. Until it is set, there is no Exchange-level ceiling on outbound volume. For agency clients especially, set enforcement before handing off to your sending tool.

7. Hand off credentials

Retrieve Mailbox credentials from TenantCore and enter them into your sending tool. Tag mailboxes by client so campaign attribution stays clean.

Managing multiple clients

Consistent naming — Use a standard format for mailbox display names and email addresses across clients. Makes debugging easier when something goes wrong. Stagger ramp schedules — Do not bring multiple new clients to full volume simultaneously. Staggering ramp-ups makes it easier to attribute deliverability issues if they arise. Separate sending tools per client — If your sequencer supports workspaces or accounts, keep clients isolated there too. Shared campaign pools make it harder to attribute performance and harder to offboard cleanly. Document tenant credentials securely — Store Microsoft admin credentials in a password manager with client-specific entries. You will need them if you ever need to access the admin center directly.