Get to know about Cross Tenant Synchronization

In today’s rapidly evolving business environment, organizations frequently operate across multiple Microsoft 365 tenants. Whether due to mergers, acquisitions, or global operations with distinct subsidiaries, cross-tenant collaboration can be a logistical challenge. Traditionally, managing user identities across multiple tenants required either duplicating accounts or manually sharing resources.

What is Cross-Tenant Synchronization?

Cross-tenant synchronization is a feature within Microsoft Entra (formerly Azure AD) that allows organizations to synchronize users, groups, and other directory objects across multiple Microsoft 365 tenants. This enables seamless collaboration between different tenants while maintaining organizational boundaries and security policies. Users synced from one tenant to another can collaborate, access resources, and appear in the address book as if they were in the same tenant without having to manually switch accounts.

This feature is designed to help organizations that manage multiple tenants, especially during periods of growth or restructuring, like mergers and acquisitions, or those with complex organizational structures.

[Image: Microsoft Entra]

Why is Cross-Tenant Synchronization Important?

  1. Improved Collaboration: Users from different tenants can appear in the global address list, participate in teams, and access shared resources without needing guest accounts or switching between tenants. This greatly improves productivity and ensures smoother collaboration across organizational boundaries.
  2. Reduced Complexity: Without synchronization, managing multiple identities across tenants often involves complicated processes like creating shadow accounts or using third-party tools. Cross-tenant synchronization simplifies this by automating identity management, making it easier for IT administrators to manage and control user access.
  3. Business Agility: In the case of mergers and acquisitions, organizations need to integrate quickly. Cross-tenant synchronization allows users to collaborate almost immediately after an acquisition, providing a bridge until a full tenant-to-tenant migration is completed.

Use Cases for Cross-Tenant Synchronization

  1. Mergers and Acquisitions: In situations where one organization acquires another, immediate collaboration between teams is often essential. Cross-tenant synchronization allows employees to communicate and collaborate without waiting for a full tenant-to-tenant migration, providing a crucial stopgap during transitions.
  2. Multi-National Corporations: Large enterprises with regional offices or subsidiaries operating under their own tenants can benefit from synchronization. This allows employees from different regions to work together without being constrained by tenant boundaries.
  3. Hybrid and Multi-Tenant Scenarios: Organizations running hybrid environments (e.g., on-premises AD alongside Microsoft 365 tenants) or managing multiple tenants for different divisions can ensure consistency in identity management across all environments.

How Does Cross-Tenant Synchronization Work?

  1. One-Way or Two-Way Synchronization: Organizations can configure one-way synchronization where user objects from a source tenant are replicated in the target tenant. Alternatively, they can establish two-way synchronization if there is a need for bidirectional identity sharing between tenants.
  2. User and Group Synchronization: Once configured, users and groups from the source tenant are synchronized to the target tenant’s directory. These objects appear in the global address list of the target tenant, enabling employees to find and communicate with synced users as if they were internal.
  3. Synchronization Rules: Administrators can define specific rules to control which users and groups are synchronized. This can be based on user attributes like department, location, or role. For example, you may only want to sync executive teams or employees in specific departments rather than the entire user base.
  4. Security and Access Control: Synchronized users must be given appropriate permissions to access resources in the target tenant. Administrators can use Conditional Access Policies to manage how and when these users can access resources. Additionally, Microsoft Entra’s monitoring tools can help track cross-tenant activity for compliance and security purposes.
  5. No Automatic License Sharing: While identities are synchronized across tenants, licenses are not automatically transferred. This means that each tenant must assign licenses to the synchronized users if they need to access Microsoft 365 services in the target tenant.

Setting Up Cross-Tenant Synchronization: A Step-by-Step Guide

Step 1. Prepare Your Environment.

Ensure that both tenants use Microsoft Entra ID (formerly Azure AD) and that you hold sufficient administrative privileges in both the source and the target tenant.

Enable cross-tenant synchronization in both tenants.

The picture shows where we need to do the configurations.

[Image: Azure AD]

Step 2. Configure Cross-Tenant Access Settings.

In the Microsoft Entra Admin Center, navigate to External Identities > Cross-Tenant Access Settings. Here, we need to configure the permissions for cross-tenant synchronization. Both the source and target tenants need to agree on the access policies.

[Image: External Identities]

2.1. Copy the tenant ID of the first tenant and add it under Organizational settings in the other tenant's cross-tenant access settings.

[Image: Copy tenant ID]

2.2. Check trust settings in both tenants (Inbound and Outbound).

2.3. After the initial setup is done, go to Cross-tenant synchronization in the first tenant and create a configuration.

[Image: Outbound]

Step 3. Select Users and Groups for Synchronization.

Define which users or groups will be synchronized. You can choose to synchronize all users or apply filtering rules to limit the scope based on attributes like department or job title.

3.1. To establish provisioning, set the provisioning mode to Automatic, enter the target tenant ID, and save.

[Image: Tenant ID]

3.2. Then, you can select which attributes to synchronize in the mappings section.

[Image: Mappings section]

3.3. Under Provision on demand, selecting a user creates that user in the target tenant.

[Image: Target tenant]

Step 4. Test and Monitor.

It’s important to test the synchronization by checking that users and groups are successfully appearing in the target tenant. Regular monitoring and auditing of synchronization logs will help ensure everything is functioning correctly.
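As an added example (not part of the original article), the following Python audits the partner entry that the Step 2 trust settings and the Step 3 inbound sync correspond to, in the JSON shape Microsoft Graph returns for `GET /policies/crossTenantAccessPolicy/partners/{tenantId}`, with the `identitySynchronization` relationship merged into the same object (an assumption of this example). The sample object is constructed and the tenant ID is a placeholder; each finding is a setting the target tenant's administrator should confirm was intended before the sync goes live.

```python
# Audit a cross-tenant access partner configuration (added example).
# Input shape follows Microsoft Graph's crossTenantAccessPolicyConfigurationPartner,
# with identitySynchronization merged in (assumption made by this example).

# Constructed sample: the target tenant's entry for the source tenant.
# The tenant ID is a placeholder, not a real tenant.
SAMPLE_PARTNER = {
    "tenantId": "00000000-0000-0000-0000-000000000000",
    "inboundTrust": {
        "isMfaAccepted": True,
        "isCompliantDeviceAccepted": False,
        "isHybridAzureADJoinedDeviceAccepted": False,
    },
    "automaticUserConsentSettings": {"inboundAllowed": True, "outboundAllowed": False},
    "b2bCollaborationInbound": {
        "usersAndGroups": {
            "accessType": "allowed",
            "targets": [{"target": "AllUsers", "targetType": "user"}],
        }
    },
    "identitySynchronization": {"userSyncInbound": {"isSyncAllowed": True}},
}

TRUST_KEYS = ("isMfaAccepted", "isCompliantDeviceAccepted", "isHybridAzureADJoinedDeviceAccepted")


def audit_partner(partner: dict) -> list[str]:
    """Return one finding per setting that widens what the partner tenant can do here."""
    tid = partner.get("tenantId", "<unknown>")
    trust = partner.get("inboundTrust") or {}
    consent = partner.get("automaticUserConsentSettings") or {}
    sync = (partner.get("identitySynchronization") or {}).get("userSyncInbound") or {}
    inbound = (partner.get("b2bCollaborationInbound") or {}).get("usersAndGroups") or {}
    findings = []
    if sync.get("isSyncAllowed"):
        findings.append(f"{tid}: inbound user sync allowed; the partner can create users in this tenant")
    if consent.get("inboundAllowed"):
        findings.append(f"{tid}: automatic redemption enabled; synced users see no consent prompt")
    for key in TRUST_KEYS:  # each accepted claim lets partner-side MFA/device state satisfy local CA
        if trust.get(key):
            findings.append(f"{tid}: {key} is true; Conditional Access trusts the partner's claim")
    if inbound.get("accessType") == "allowed" and any(
        t.get("target") == "AllUsers" for t in inbound.get("targets", [])
    ):
        findings.append(f"{tid}: inbound B2B collaboration allows all partner users, not a scoped group")
    return findings


if __name__ == "__main__":
    for finding in audit_partner(SAMPLE_PARTNER):
        print(finding)
```

Narrowing the sync scope to a group (Step 3) and leaving only the trust settings you rely on enabled removes the corresponding findings.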

Note. If you want to synchronize the same users with all the other tenants in a multitenant organization, Microsoft recommends sharing users in the Microsoft 365 admin center.

If you want to synchronize different users to different tenants or use Entra groups to determine which users are in scope for provisioning, then you must configure cross-tenant synchronization directly in Microsoft Entra ID.
