ThreatLocker Organizations
ThreatLocker is built for MSPs and treats each customer as a child organization beneath the partner organization. The API key you authenticate with belongs to a parent (partner) org and can see all of its children. Most fleet-wide reporting and any tenant pivot work runs through this skill.
API Tools
List Child Organizations
threatlocker_organizations_list_children
Returns the full list of child organizations visible to the
authenticated key — typically organizationId, organizationName,
isPartner, parentOrganizationId, computer counts, and creation
timestamp. This is the first call in nearly every multi-tenant
workflow.
Get Organization Auth Key
threatlocker_organizations_get_auth_key
Retrieves the auth key for a specific child organization. Used during agent provisioning and when a per-org integration (e.g. a client-facing dashboard) needs its own scoped credential.
Treat this output like any other secret. Don't paste it into tickets, chat, or unencrypted notes.
Organizations Eligible for Move
threatlocker_organizations_for_move_computers
Returns the orgs that are valid destinations when relocating a computer — usually a subset of child orgs filtered by partnership and permission. Not the same as the full child list.
Key Concepts
Partner vs Customer Org
- Partner org — Top-level MSP tenant. Holds the API key, owns global computer groups, and parents customer orgs.
- Customer (child) org — One per MSP client. Holds that client's computers, org-specific groups, approvals, and Action Log entries.
How Tenant Scoping Works
Three ways to scope a call to a specific tenant:
- Set the
organizationIdheader on the HTTP call. - Send
childOrganizations: truein aGetByParametersbody to roll across all children at once. - Omit both — the API key's primary org is used.
See api-patterns for header/body details.
Common Workflows
MSP Multi-Tenant Pivot
The fan-out pattern for any per-client report:
threatlocker_organizations_list_childrento enumerate.- For each child, scope subsequent calls via the
organizationIdheader and produce per-tenant numbers. - Or, if the entity supports it, use
childOrganizations: trueonce and bucket results client-side byorganizationId.
Onboarding a New Client Org
When a new customer is added in the ThreatLocker portal:
threatlocker_organizations_list_childrenand confirm the new org appears.threatlocker_organizations_get_auth_keyfor the new org and securely transmit the key to the deployment team.- After agent rollout, validate computer count via the
computersskill and confirm at least one Action Log entry per endpoint viaaudit-log.
Moving Computers Between Orgs
This happens when a client splits, merges, or you discover a computer was registered to the wrong tenant:
threatlocker_organizations_for_move_computersto confirm the target org is move-eligible.- Issue the move via the appropriate computer endpoint (the ThreatLocker portal also exposes this in the UI).
- Re-pull the computer with
threatlocker_computers_getand confirm the neworganizationIdand that thecomputerGroupreset to the destination org's default.
Per-Tenant Approval Queue Audit
- List children.
- For each, set
organizationIdheader and callthreatlocker_approvals_pending_count. - Output a per-tenant pending count to spot the org generating the most queue pressure (often a sign of policy mode mismatch or a newly onboarded client still in baseline).
Edge Cases
- Inactive or hidden orgs — Some child orgs are archived or hidden. The list endpoint may include a flag; ignore those for fleet reports.
- Stale auth keys — A previously retrieved auth key continues to work until rotated. Don't assume the key in your records is current; pull fresh when in doubt.
- Move eligibility surprises —
for_move_computersfilters by partner relationship. If an org isn't in the result, the source org's parent doesn't have permission to move into it.
Best Practices
- Cache the child list for a session — it rarely changes mid-session.
- Always include both
organizationIdandorganizationNamein multi-tenant reports so a reader knows which client a number refers to. - Treat auth keys as secrets in transit (encrypted vaults, not tickets) and at rest.
- Before any move, snapshot the source computer record so you can confirm post-move state.
Related Skills
- api-patterns —
organizationIdheader andchildOrganizationsbody flag - computers — Computers within an org
- approval-requests — Per-tenant queue
- audit-log — Per-tenant Action Log