Azure Cross Tenant Sharing

Cross-tenant access settings and cross-tenant sync allow two or more separate organisations, each with its own tenant, to come together and collaborate as one.

Prerequisites

  • Azure AD Premium P1 or P2 license.

Limitations

  • When you assign a group to an application, only users who are direct members of the group get access. The assignment does not cascade to nested groups.
  • Azure Virtual Desktop – External/guest users are not supported
  • Power BI – External member is not supported
  • Teams – External member is not supported

SETUP

Target Tenant:

Set up the organisational settings on the target tenant.

Configure the inbound access settings and turn on cross-tenant sync. (This allows the source tenant to sync users into this target tenant.)

On the inbound settings you can also set up which groups from the source tenant are allowed to connect to this tenant (the GUID of the group from the source tenant is added here).

On Source Tenant:

Create the organisational setting.

Configure the outbound trust settings and enable “auto redeem”.

On the source tenant, go to Azure Active Directory > Cross-tenant synchronization.

Create a new configuration and add the users that will be synchronised to the target tenant. I created a group and also added some users.

Once synced you should see the users in the target tenant:

Once I configured the SharePoint sharing on the site and libraries we were ready to test:

A user who had access to SharePoint and was set up in the sync, but was NOT allowed on the inbound settings of the target tenant, gets an error:

AdeleV, who is a member of the group allowed access, could see the target SharePoint.

Finally, a user who was synced and allowed in the inbound settings, but wasn’t given permissions to view SharePoint, received a SharePoint access-denied message.
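The three test outcomes above are decided by the target tenant's inbound policy for the partner (source) tenant, not by SharePoint. As an added example that is not part of the original post or of Microsoft's tooling, here is a small Python check a target-tenant admin can run over the partner configuration returned by Microsoft Graph: it tells whether a given source group passes the inbound allow-list, and flags the settings worth reviewing (sync enabled, allow-list restricted to specific groups rather than all users, auto-redeem on). The JSON is a constructed sample shaped after the Graph crossTenantAccessPolicy partner object with placeholder GUIDs; it is not taken from a live tenant.

```python
"""Review a cross-tenant access partner configuration (constructed sample)."""

# Constructed to match the shape of GET /policies/crossTenantAccessPolicy/partners/{tenantId}
# with its identitySynchronization child merged in. All GUIDs are placeholders.
SAMPLE_PARTNER = {
    "tenantId": "00000000-0000-0000-0000-0000000000aa",  # placeholder: source tenant
    "automaticUserConsentSettings": {"inboundAllowed": True, "outboundAllowed": None},
    "b2bCollaborationInbound": {
        "usersAndGroups": {
            "accessType": "allowed",
            "targets": [{"target": "11111111-1111-1111-1111-111111111111", "targetType": "group"}],
        }
    },
    "identitySynchronization": {"userSyncInbound": {"isSyncAllowed": True}},
}

ALL_USERS = "AllUsers"  # Graph's wildcard target for every user in the partner tenant


def inbound_targets(partner):
    """Return (accessType, set of target ids) for inbound users-and-groups collaboration."""
    rule = partner.get("b2bCollaborationInbound", {}).get("usersAndGroups") or {}
    return rule.get("accessType"), {t["target"] for t in rule.get("targets", [])}


def group_can_collaborate(partner, group_id):
    """True/False if a partner-specific rule decides the group; None if the tenant default applies."""
    access_type, targets = inbound_targets(partner)
    listed = ALL_USERS in targets or group_id in targets
    if access_type == "allowed":
        return listed            # only the listed groups (or everyone via AllUsers) get in
    if access_type == "blocked":
        return not listed        # listed groups are denied, everyone else inherits access
    return None                  # no partner rule: the tenant-wide default settings decide


def audit_partner(partner):
    """Flag the settings a target-tenant admin should confirm before trusting the sync."""
    findings = []
    sync = partner.get("identitySynchronization", {}).get("userSyncInbound", {})
    if not sync.get("isSyncAllowed"):
        findings.append("inbound user sync is not enabled for this partner")
    access_type, targets = inbound_targets(partner)
    if access_type == "allowed" and ALL_USERS in targets:
        findings.append("inbound collaboration allows all users from the source tenant")
    if access_type is None:
        findings.append("no partner-specific inbound rule; tenant default settings apply")
    if partner.get("automaticUserConsentSettings", {}).get("inboundAllowed"):
        findings.append("auto-redeem is on: synced users get no consent prompt")
    return findings
```

Run `group_can_collaborate(SAMPLE_PARTNER, <group GUID>)` with the GUID of the synced group to reproduce the allowed/blocked split seen in the test above.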
