If you are an organisation that owns multiple Microsoft 365 tenants and want to streamline intra-organisation cross-tenant application access, you might be interested in the cross-tenant synchronisation feature. This feature allows you to automate the creation, updating, and deletion of B2B collaboration users across tenants in your organisation. In this blog post, I will explain what cross-tenant synchronisation is, how it works, and how to configure it using the Microsoft Entra admin center.
What is cross-tenant synchronisation?
Cross-tenant synchronisation is a feature that builds upon the Microsoft Entra B2B functionality and automates creating, updating, and deleting B2B users within tenants that your organisation works with. It enables users to access applications and collaborate across tenants, while still allowing the organisation to evolve. Here are the primary goals of cross-tenant synchronisation:
- Seamless collaboration for a multitenant organisation
- Automate lifecycle management of B2B collaboration users in a multitenant organisation
- Automatically remove B2B accounts when a user leaves the organisation
Cross-tenant synchronisation is similar to a hybrid environment – each synchronisation has a specific source and a specific target. The source tenant is the tenant where the user account originates, and the target tenant is the tenant where the user account is synchronised to. The source and target tenants can be different or the same, depending on your scenario. For example, you can use cross-tenant synchronisation to sync users from a parent tenant to a child tenant, or from one child tenant to another child tenant, or even from one tenant to itself.
How does cross-tenant synchronisation work?
Cross-tenant synchronisation works by using the Microsoft Entra provisioning service, which is a cloud-based service that automatically creates, updates, and deletes user accounts in target applications based on user attributes and group membership in the source tenant. The provisioning service uses the Microsoft Entra Graph API to communicate with the source and target tenants, and supports the following operations:
- Create: When a user is added to a group in the source tenant that is in scope for provisioning, the provisioning service creates a corresponding B2B user in the target tenant with the same user principal name (UPN) and email address as the source user. The B2B user is also added to the same group in the target tenant.
- Update: When a user’s attributes or group membership change in the source tenant, the provisioning service updates the corresponding B2B user in the target tenant with the same changes. The provisioning service supports updating the following attributes: display name, given name, surname, job title, department, and mobile phone.
- Delete: When a user is removed from a group in the source tenant that is in scope for provisioning, or when a user is deleted from the source tenant, the provisioning service deletes the corresponding B2B user in the target tenant.
The provisioning service runs every 40 minutes by default, but you can change the frequency in the Microsoft Entra admin center. You can also monitor the provisioning status and logs in the Microsoft Entra admin center.
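To make the create/update/delete behaviour above concrete, here is an added offline model of one provisioning cycle. It is example code written for this post, not the Entra provisioning service's code, and it makes these assumptions: a source user is in scope when they belong to at least one group assigned to the configuration, B2B users in the target are matched to source users by UPN, only the attributes listed above are compared for updates, and the target list passed in contains only the B2B users this configuration created (a guest invited by hand must never be deleted by it). The users, groups and the `contoso.example` domain are constructed sample data.

```python
"""Offline model of one cross-tenant synchronisation cycle (added example, not
the Entra provisioning service's code).

Assumptions: in scope = member of at least one scoped group; matching by UPN;
target_users holds only B2B users owned by this configuration.
"""
from dataclasses import dataclass

# Attributes the post lists as kept in sync by the provisioning service.
SYNCED_ATTRIBUTES = ("displayName", "givenName", "surname",
                     "jobTitle", "department", "mobilePhone")


@dataclass
class SourceUser:
    upn: str
    mail: str
    groups: set
    attrs: dict
    deleted: bool = False  # user has been deleted in the source tenant


@dataclass
class TargetB2BUser:
    upn: str
    mail: str
    groups: set
    attrs: dict


def in_scope(user, scoped_groups):
    """Deleted users and users outside every scoped group are not provisioned."""
    return not user.deleted and bool(user.groups & scoped_groups)


def plan_cycle(source_users, target_users, scoped_groups):
    """Return the ("create"|"update"|"delete", upn, payload) actions one cycle performs."""
    target_by_upn = {u.upn: u for u in target_users}
    actions, wanted = [], set()
    for su in source_users:
        if not in_scope(su, scoped_groups):
            continue
        wanted.add(su.upn)
        groups = sorted(su.groups & scoped_groups)
        tu = target_by_upn.get(su.upn)
        if tu is None:  # Create: new B2B user with the same UPN and mail, same groups
            actions.append(("create", su.upn, {
                "mail": su.mail, "groups": groups,
                "attrs": {k: su.attrs.get(k) for k in SYNCED_ATTRIBUTES}}))
            continue
        changed = {k: su.attrs.get(k) for k in SYNCED_ATTRIBUTES
                   if su.attrs.get(k) != tu.attrs.get(k)}
        if changed or set(groups) != tu.groups:  # Update: attributes or membership drifted
            actions.append(("update", su.upn, {"attrs": changed, "groups": groups}))
    for tu in target_users:  # Delete: removed from scope or deleted at the source
        if tu.upn not in wanted:
            actions.append(("delete", tu.upn, {}))
    return actions


def apply_actions(actions, target_users):
    """Apply a plan to a copy of the target list; used to show a second cycle is a no-op."""
    by_upn = {u.upn: TargetB2BUser(u.upn, u.mail, set(u.groups), dict(u.attrs))
              for u in target_users}
    for kind, upn, payload in actions:
        if kind == "create":
            by_upn[upn] = TargetB2BUser(upn, payload["mail"],
                                        set(payload["groups"]), dict(payload["attrs"]))
        elif kind == "update":
            by_upn[upn].attrs.update(payload["attrs"])
            by_upn[upn].groups = set(payload["groups"])
        else:
            del by_upn[upn]
    return list(by_upn.values())


# Constructed sample data; "contoso.example" is a placeholder domain, not a real tenant.
SCOPED_GROUPS = {"Finance", "Engineering"}
SOURCE_USERS = [
    SourceUser("alice@contoso.example", "alice@contoso.example", {"Finance"},
               {"displayName": "Alice Adams", "jobTitle": "Analyst"}),
    SourceUser("bob@contoso.example", "bob@contoso.example", {"Engineering"},
               {"displayName": "Bob Brown", "jobTitle": "Engineer"}),
    SourceUser("carol@contoso.example", "carol@contoso.example", {"Marketing"},
               {"displayName": "Carol Clark"}),                    # not in scope
    SourceUser("dave@contoso.example", "dave@contoso.example", {"Finance"},
               {"displayName": "Dave Dunn"}, deleted=True),         # left the organisation
]
TARGET_USERS = [
    TargetB2BUser("alice@contoso.example", "alice@contoso.example", {"Finance"},
                  {"displayName": "Alice Adams", "jobTitle": "Junior Analyst"}),
    TargetB2BUser("dave@contoso.example", "dave@contoso.example", {"Finance"},
                  {"displayName": "Dave Dunn"}),
]


def demo():
    """Plan one cycle, apply it, and plan again; the second plan must be empty."""
    first = plan_cycle(SOURCE_USERS, TARGET_USERS, SCOPED_GROUPS)
    second = plan_cycle(SOURCE_USERS, apply_actions(first, TARGET_USERS), SCOPED_GROUPS)
    return first, second


if __name__ == "__main__":
    for action in demo()[0]:
        print(action)
```

Running it plans an update for Alice (her job title drifted), a create for Bob (in scope but absent from the target) and a delete for Dave (deleted at the source), and the second plan after applying those actions is empty. The restriction to configuration-owned B2B users is the important design choice: without it, a reconciliation like this would remove guests the organisation invited for other reasons.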
How to configure cross-tenant synchronisation?
To configure cross-tenant synchronisation, you need to have the following prerequisites:
- Source tenant: Microsoft Entra ID P1 or P2 license, Security Administrator role, Hybrid Identity Administrator role, Cloud Application Administrator or Application Administrator role.
- Target tenant: Microsoft Entra ID P1 or P2 license, Security Administrator role.
The configuration steps are as follows:
- Plan your provisioning deployment: Define how you would like to structure the tenants in your organisation, determine who will be in scope for provisioning, and determine what data to map between tenants.
- Enable user synchronisation in the target tenant: In the target tenant, go to the Microsoft Entra admin center, browse to Identity > External Identities > Cross-tenant access settings, and check the Allow users sync into this tenant checkbox. You also need to add the source tenant as a trusted organisation and enable automatic redemption of invitations for the source tenant.
- Automatically redeem invitations in the source tenant: In the source tenant, go to the Microsoft Entra admin center, browse to Identity > External Identities > Cross-tenant access settings, and enable automatic redemption of invitations for the target tenant.
- Configure provisioning in the source tenant: In the source tenant, go to the Microsoft Entra admin center, browse to Identity > External Identities > Cross-tenant synchronisation, and create a new configuration. You need to select the target tenant, the source groups, the target groups, and the attribute mappings for the configuration. You also need to assign users to the configuration and enable the configuration.
- Test and verify the provisioning: After enabling the configuration, you can test and verify the provisioning by checking the provisioning status and logs in the Microsoft Entra admin center, and by signing in to the target tenant as a B2B user.
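When provisioning silently does nothing, the cause is usually one of the settings from steps 2 to 4 missing on one side. The following added example, written for this post rather than taken from Microsoft's tooling, checks both tenants' settings against those steps and reports what is unmet. The dictionary layout is a constructed model for illustration only (it is not the admin center's or Microsoft Graph's schema), and the tenant IDs are placeholders.

```python
"""Added example: check that both tenants carry the settings the post's
configuration steps require before expecting a sync cycle to do anything.

The dictionary layout is a constructed model, not the admin center's or
Microsoft Graph's schema; tenant IDs are placeholders.
"""

ELIGIBLE_LICENCES = {"Microsoft Entra ID P1", "Microsoft Entra ID P2"}


def check_setup(source_id, target_id, source, target):
    """Return the unmet prerequisites as messages; an empty list means sync can run."""
    problems = []

    # Prerequisites: both tenants need a P1 or P2 licence.
    for name, tenant in (("source", source), ("target", target)):
        if tenant.get("licence") not in ELIGIBLE_LICENCES:
            problems.append(f"{name}: no Microsoft Entra ID P1/P2 licence")

    # Step 2 (target): trust the source, allow inbound user sync, auto-redeem its invitations.
    partner = target.get("partners", {}).get(source_id)
    if partner is None:
        problems.append("target: source tenant is not added as a trusted organisation")
    else:
        if not partner.get("allow_user_sync_inbound"):
            problems.append("target: 'Allow users sync into this tenant' is off for the source")
        if not partner.get("auto_redeem_inbound"):
            problems.append("target: automatic redemption of invitations from the source is off")

    # Step 3 (source): auto-redeem invitations towards the target.
    partner = source.get("partners", {}).get(target_id)
    if partner is None or not partner.get("auto_redeem_outbound"):
        problems.append("source: automatic redemption of invitations to the target is off")

    # Step 4 (source): an enabled configuration aimed at the target with groups in scope.
    configs = [c for c in source.get("sync_configs", []) if c.get("target") == target_id]
    if not configs:
        problems.append("source: no cross-tenant synchronisation configuration targets this tenant")
    else:
        if not any(c.get("enabled") for c in configs):
            problems.append("source: the configuration for this target is not enabled")
        if not any(c.get("scoped_groups") for c in configs):
            problems.append("source: no groups are in scope, so nothing will be provisioned")
    return problems


# Constructed tenant IDs and settings (placeholders, not real tenants).
SOURCE_ID = "00000000-0000-0000-0000-00000000000a"
TARGET_ID = "00000000-0000-0000-0000-00000000000b"

GOOD_SOURCE = {
    "licence": "Microsoft Entra ID P1",
    "partners": {TARGET_ID: {"auto_redeem_outbound": True}},
    "sync_configs": [{"target": TARGET_ID, "enabled": True, "scoped_groups": ["Finance"]}],
}
GOOD_TARGET = {
    "licence": "Microsoft Entra ID P2",
    "partners": {SOURCE_ID: {"allow_user_sync_inbound": True, "auto_redeem_inbound": True}},
}

# Two common mistakes: inbound user sync never enabled, configuration left disabled.
BAD_SOURCE = dict(GOOD_SOURCE, sync_configs=[
    {"target": TARGET_ID, "enabled": False, "scoped_groups": ["Finance"]}])
BAD_TARGET = dict(GOOD_TARGET, partners={SOURCE_ID: {"auto_redeem_inbound": True}})


def demo():
    """Check a correct pair of tenants and a misconfigured pair."""
    return (check_setup(SOURCE_ID, TARGET_ID, GOOD_SOURCE, GOOD_TARGET),
            check_setup(SOURCE_ID, TARGET_ID, BAD_SOURCE, BAD_TARGET))


if __name__ == "__main__":
    for problem in demo()[1]:
        print(problem)
```

For the misconfigured pair the check reports that the target has not enabled inbound user sync for the source and that the source's configuration is not enabled; the correctly configured pair yields no problems. Each message names the tenant it applies to, which matters because the fix for steps 2 and 3 must be made in different admin centers.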
Conclusion
Cross-tenant synchronisation is a powerful feature that can help you simplify collaboration and lifecycle management of B2B users across tenants in your organisation. It leverages the Microsoft Entra provisioning service and the Microsoft Entra B2B functionality to automate the creation, updating, and deletion of B2B users in the target tenant based on the source tenant. To configure cross-tenant synchronisation, you need to have the appropriate licenses and roles in both the source and target tenants, and follow the steps in the Microsoft Entra admin center.