If you are an organization that owns multiple Microsoft 365 tenants and want to streamline intra-organization cross-tenant application access, you might be interested in the cross-tenant synchronization feature. This feature allows you to automate the creation, updating, and deletion of B2B collaboration users across tenants in your organization. In this blog post, I will explain what cross-tenant synchronization is, how it works, and how to configure it using the Microsoft Entra admin center.
What is cross-tenant synchronization?
Cross-tenant synchronization is a feature that builds upon the Microsoft Entra B2B functionality and automates creating, updating, and deleting B2B users within tenants that your organization works with. It enables users to access applications and collaborate across tenants, while still allowing the organization to evolve. Here are the primary goals of cross-tenant synchronization:
- Seamless collaboration for a multitenant organization
- Automate lifecycle management of B2B collaboration users in a multitenant organization
- Automatically remove B2B accounts when a user leaves the organization
Cross-tenant synchronization is similar to a hybrid environment – each synchronization has a specific source and a specific target. The source tenant is the tenant where the user account originates, and the target tenant is the tenant where the user account is synchronized to. The source and target tenants can be different or the same, depending on your scenario. For example, you can use cross-tenant synchronization to sync users from a parent tenant to a child tenant, or from one child tenant to another child tenant, or even from one tenant to itself.
How does cross-tenant synchronization work?
Cross-tenant synchronization works by using the Microsoft Entra provisioning service, which is a cloud-based service that automatically creates, updates, and deletes user accounts in target applications based on user attributes and group membership in the source tenant. The provisioning service uses the Microsoft Entra Graph API to communicate with the source and target tenants, and supports the following operations:
- Create: When a user is added to a group in the source tenant that is in scope for provisioning, the provisioning service creates a corresponding B2B user in the target tenant with the same user principal name (UPN) and email address as the source user. The B2B user is also added to the same group in the target tenant.
- Update: When a user’s attributes or group membership change in the source tenant, the provisioning service updates the corresponding B2B user in the target tenant with the same changes. The provisioning service supports updating the following attributes: display name, given name, surname, job title, department, and mobile phone.
- Delete: When a user is removed from a group in the source tenant that is in scope for provisioning, or when a user is deleted from the source tenant, the provisioning service deletes the corresponding B2B user in the target tenant.
The provisioning service runs every 40 minutes by default, but you can change the frequency in the Microsoft Entra admin center. You can also monitor the provisioning status and logs in the Microsoft Entra admin center.
How to configure cross-tenant synchronization?
To configure cross-tenant synchronization, you need to have the following prerequisites:
- Source tenant: Microsoft Entra ID P1 or P2 license, Security Administrator role, Hybrid Identity Administrator role, Cloud Application Administrator or Application Administrator role.
- Target tenant: Microsoft Entra ID P1 or P2 license, Security Administrator role.
The configuration steps are as follows:
- Plan your provisioning deployment: Define how you would like to structure the tenants in your organization, determine who will be in scope for provisioning, and determine what data to map between tenants.
- Enable user synchronization in the target tenant: In the target tenant, go to the Microsoft Entra admin center, browse to Identity > External Identities > Cross-tenant access settings, and check the Allow users sync into this tenant checkbox. You also need to add the source tenant as a trusted organization and enable automatic redemption of invitations for the source tenant.
- Automatically redeem invitations in the source tenant: In the source tenant, go to the Microsoft Entra admin center, browse to Identity > External Identities > Cross-tenant access settings, and enable automatic redemption of invitations for the target tenant.
- Configure provisioning in the source tenant: In the source tenant, go to the Microsoft Entra admin center, browse to Identity > External Identities > Cross-tenant synchronization, and create a new configuration. You need to select the target tenant, the source groups, the target groups, and the attribute mappings for the configuration. You also need to assign users to the configuration and enable the configuration.
- Test and verify the provisioning: After enabling the configuration, you can test and verify the provisioning by checking the provisioning status and logs in the Microsoft Entra admin center, and by signing in to the target tenant as a B2B user.
Cross-tenant synchronization is a powerful feature that can help you simplify collaboration and lifecycle management of B2B users across tenants in your organization. It leverages the Microsoft Entra provisioning service and the Microsoft Entra B2B functionality to automate the creation, updating, and deletion of B2B users in the target tenant based on the source tenant. To configure cross-tenant synchronization, you need to have the appropriate licenses and roles in both the source and target tenants, and follow the steps in the Microsoft Entra admin center.