Today’s blog will discuss a new Microsoft Entra feature called cross-tenant synchronization. A feature that was requested by many of the community members and organizations. In today’s world, we often see organizations struggling with managing external users (also known as guest users). Cross-tenant synchronization can close the gap for organizations in their Identity Governance strategy. This blog will explain the key features, how this new feature works, and how you can enable this feature.
What is cross-tenant synchronization in short?
This feature makes collaboration between multiple Microsoft 365 tenants easier. It automates creating, updating, and deleting Azure AD B2B users across multi-tenants.
- Azure AD Premium (P1 or P2) license (each user you synchronize needs a premium license).
- Hybrid Identity Administrator role or a Global Administrator role
Today you can use Azure B2B to invite users from external organizations to your Microsoft 365 tenant. The use case for inviting external users is collaborating and accessing Microsoft Applications (Teams, SharePoint) and third-party applications (Salesforce, ServiceNow, etc.). We all know the invitation process doesn’t work well; you must create some processes, like manually adding user(s) or automating the invitation process. Besides this, you always have to think of life-cycle management. What if a user changes his name, changes from the department, or leaves the company? The ideal scenario would be synchronizing all these changes between B2B tenants. That’s where cross-tenant synchronization kicks in!
What do you need to know?
- This feature won’t replace B2B direct connect.
- Cross-tenant synchronization is a push, not a pull process from the target tenant. Therefore, you first need to configure it in the source tenant.
- Users previously invited to tenants were assigned the UserType attribute Guest. When enabling this feature, the default UserType will be Member.
This can be changed in the mapping section.
- It detects existing B2B users, and it avoids creating duplicates
- You always need to set up synchronization in the source tenant for a user. This means the tenant where the identity is managed.
- Users created by cross-tenant synchronization will have the same experience accessing Microsoft Teams and other Microsoft 365 services as B2B collaboration users created through a manual invitation.
Illustration of Cross-tenant synchronization
Configure cross-tenant access settings
Before synchronizing users and groups between the two tenants, the source and target tenant, we must configure the cross-tenant access settings. Configuring cross-tenant access settings allows us to create a trust between the two tenants. Before creating any configuration, you must follow the below steps. Otherwise, you will receive a permission error.
Therefore, for the source tenant, navigate to the Azure Portal or Entra Portal, click External Identities, and select Cross-tenant access settings. Next, click Add organization; here, you can add an external Azure AD tenant by typing any domain or the tenant ID of the target tenant. Now that we have added the target tenant, we need to change the Outbound access settings since we will sync our users from the source tenant.
We follow the same steps for the target tenant, but we need to change the Inbound access settings for the target tenant.
In- and Outbound cross-tenant settings
Looking at the Inbound access cross-tenant setting, we have several tabs. In this blog, I want to highlight two of them: the “Trust settings” and “Cross-tenant sync” options.
For the best user experience, I recommend you select the “Customize settings” option within the “Trust settings” tab, followed by selecting all the available options. With this configuration, we allow users not to get another MFA prompt as soon as they visit our tenant. The same goes for compliance. Once the source tenant trusts a device, it is automatically trusted by the target tenant. We also want to suppress the Consent Prompt. We don’t want to bother users with that. Ensure this setting is configured in the source tenant.
To ensure that users are synced into the target tenant, it is necessary that the “Allow users sync into this tenant” option is selected. If not checked, the source tenant cannot sync users.
Looking at the Outbound access cross-tenant setting, we must check if the “Suppress consent prompts for users..” option is enabled within the Trust settings tab.
Configure cross-tenant sync
Now that we have created a trust between the source and the target tenant, we can start with the configuration. If you didn’t follow the above steps, please follow them since you will receive error(s) in your configuration.
- Navigate to the Azure Active Directory portal or the Microsoft Entra Portal.
- Click on the Cross-tenant synchronization blade.
- Now click on the Configurations blade and select New configuration to create a 1 to 1 synchronization between the source and target tenant.
- Now provide the name that you want to use and click on Create. In my example, I will use Contoso A.
- Now that we have created a configuration, we must validate that the sync works. Therefore, click on the configuration you have just created, and click on Provisioning. Now set the Provisioning Mode to Automatic instead of Manual.
- Provide the Tenant ID of the target tenant, click on Test connection, and Save. At this stage, no synchronization will be started.
We don’t have to provide credentials since we have already created a trust.
If you receive an error in this test, ensure that you have suppressed the consent for both tenants and enabled the checkbox in the target tenant that says “Allow sync into this tenant.”
The mappings are the first thing you might want to configure when the validating process passes. Some reasons why you might want to change this:
– If a user already exists in the target tenant (because it was invited in the past), it won’t synchronize or apply since the default “Apply this mapping” setting is set to “Only during object creation.”
– Users/objects synced using this feature are identified as Member Type “Member” instead of the “Guest.” This could treat users differently in cases like Conditional Access or Access reviews.
Friendly reminder to think about the settings in terms of attributes. This may affect existing users when synchronizing new objects.
If you want to edit the attribute mapping, click the “Provision Azure Active Directory Users” option. There we can see a list of attributes mapping. In case of changing the UserType, click on the Value Member. Now change the Constant Value from Member to Guest. As soon as we start our first synchronization, it will sync the user as a UserType Guest.
You can configure some other settings related to synchronization. For example, we can configure an alert, prevent accidental deletion threshold, and configure the synchronization scope. By default, only the assigned users and groups will be synchronized.
Users and groups
In this section, we can Add Azure AD users/groups that we want to allow to be synced to the target tenant. In this blog, as an example, I will synchronize Adele Vance.
Only Azure AD users can be synchronized between tenants. (Groups, devices, and contacts aren’t currently supported.)
Now that we have configured all the settings, we can start our first provisioning. To do this, we click on the Overview blade and then select Start provisioning.
We can see the interval (40 minutes by default) by clicking on View provisioning details. If you want to force a provisioning, click the Restart Provisioning option.
Provision on demand
If you’ve got an urgent need that can wait, you can force a specific synchronization if you type the user or group by name, UserPrincipalName, or e-mail; you can provision an Azure AD user instantly. After the provisioning, it will show you the performed action with a summary. Did all the tests pass? Is the user in-scope etc.?
We can see exactly what happened in the case of synchronization. Was the user created, updated, or skipped for some reason? When clicking on an entry, it will show us the steps performed, troubleshooting & recommendations, modified properties, and a summary.
How to remove a configuration?
The configuration we created in the previous step can be easily removed by browsing to the Enterprise Applications blade. You can find Enterprise Applications under the blade Applications in the Microsoft Entra Portal.
Wrap-up & Tips
Personally, I think it is too early to call out whether this feature should be deployed cross-company, or only in a scenario where you as an organization have multiple tenants. But I’m sure Microsoft has taken a step forward regarding collaboration and ease of use between B2B tenants. So let’s see what the future brings us!
Some tips when using this feature, I would set up a Dynamic Group that allows you to synchronize users between the tenants. Then, use a custom DisplayName to identify synchronized users quickly. And set the showInAddressList to null so it won’t show the synchronized users in the Global Address List.