Table of Contents

Tell us about y our PDF experience. Multit enant or ganizations documentation A multitenant organization is an organization that has more than one instance of Microsoft Entra ID. Describes ways that users can have a seamless experience accessing resources and collaborating across multiple tenants. About multit enant or ganizations eOVERVIE W Multitenant organization capabilities Compare multitenant capabilities Configur e a multit enant or ganization eOVERVIE W What is a multitenant organization? cHOW-T O GUIDE Microsoft 365 admin center PowerShell or Microsoft Graph API Configur e cross-t enant synchr onization eOVERVIE W What is cross-tenant synchronization? cHOW-T O GUIDE Microsoft Entra admin center PowerShell or Microsoft Graph API

Collaborat e in Micr osoft 365 pCONCEPT Identity provisioning for Microsoft 365 Microsoft 365 multitenant people search Plan for multitenant organizations in Microsoft 365

Multitenant organization capabilities in Microsoft Entra ID Article •04/23/2024 This article provides an overview of the multitenant organization scenario and the related capabilities in Microsoft Entra ID. A tenant is an instance of Microsoft Entra ID in which information about a single organization resides including organizational objects such as users, groups, and devices and also application registrations, such as Microsoft 365 and third-party applications. A tenant also contains access and compliance policies for resources, such as applications registered in the directory. The primary functions served by a tenant include identity authentication as well as resource access management. From a Microsoft Entra perspective, a tenant forms an identity and access management scope. For example, a tenant administrator makes an application available to some or all the users in the tenant and enforces access policies on that application for users in that tenant. In addition, a tenant contains organizational branding data that drives end-user experiences, such as the organizations email domains and ShareP oint URLs used by employees in that organization. From a Microsoft 365 perspective, a tenant forms the default collaboration and licensing boundary. For example, users in Microsoft T eams or Microsoft Outlook can easily find and collaborate with other users in their tenant, but don't have the ability to find or see users in other tenants. Tenants contain privileged organizational data and are securely isolated from other tenants. In addition, tenants can be configured to have data persisted and processed in a specific region or cloud, which enables organizations to use tenants as a mechanism to meet data residency and handling compliance requirements. A multit enant or ganization is an organization that has more than one instance of Microsoft Entra ID. Here are the primary reasons why an organization might have multiple tenants: Conglomerat es: Organizations with multiple subsidiaries or business units that operate independently.What is a tenant? What is a multitenant organization?

Mergers and acquisitions: Organizations that merge or acquire companies. Divestitur e activity: In a divestiture, one organization splits off part of its business to form a new organization or sell it to an existing organization. Multiple clouds: Organizations that have compliance or regulatory needs to exist in multiple cloud environments. Multiple geographical boundaries: Organizations that operate in multiple geographic locations with various residency regulations. Test or staging t enants: Organizations that need multiple tenants for testing or staging purposes before deploying more broadly to primary tenants. Department or employ ee-cr eated tenants: Organizations where departments or employees have created tenants for development, testing, or separate control. Your organization may have recently acquired a new company, merged with another company, or restructured based on newly formed business units. If you have disparate identity management systems, it might be challenging for users in different tenants to access resources and collaborate. The following diagram shows how users in other tenants might not be able to access applications across tenants in your organization. As your organization evolves, your IT team must adapt to meet the changing needs. This often includes integrating with an existing tenant or forming a new one. R egardless of how the identity infrastructure is managed, it's critical that users have a seamless experience accessing resources and collaborating. T oday, you may be using custom scripts or on-premises solutions to bring the tenants together to provide a seamless experience across tenants. To enable users across tenants to collaborate in Teams Connect shared channels , you can use Microsoft Entra B2B direct connect . B2B direct connect is a feature of External Identities that lets you set up a mutual trust relationship with another Microsoft Entra organization for seamless collaboration in T eams. When the trust is established, the B2B direct connect user has single sign-on access using credentials from their home tenant.Multitenant challenges  B2B direct connect

Here's the primary constraint with using B2B direct connect across multiple tenants: Currently, B2B direct connect works only with T eams Connect shared channels. For more information, see B2B direct connect overview . To enable users across tenants to collaborate, you can use Microsoft Entra B2B collaboration . B2B collaboration is a feature within External Identities that lets you invite guest users to collaborate with your organization. Once the external user has redeemed their invitation or completed sign-up, they're represented in your tenant as a user object. With B2B collaboration, you can securely share your company's applications and services with external users, while maintaining control over your own corporate data. Here are the primary constraints with using B2B collaboration across multiple tenants: Administrators must invite users using the B2B invitation process or build an onboarding experience using the B2B collaboration invitation manager . Administrators might have to synchronize users using custom scripts. Depending on automatic redemption settings, users might need to accept a consent prompt and follow a redemption process in each tenant. By default, users are of type external guest, which has different permissions than external member and might not be the desired user experience.  B2B collaboration 

For more information, see B2B collaboration overview . If you want users to have a more seamless collaboration experience across tenants, you can use cross-tenant synchronization . Cross-tenant synchronization is a one-way synchronization service in Microsoft Entra ID that automates creating, updating, and deleting B2B collaboration users across tenants in an organization. Cross-tenant synchronization builds on the B2B collaboration functionality and utilizes existing B2B cross-tenant access settings. Users are represented in the target tenant as a B2B collaboration user object. Here are the primary benefits with using cross-tenant synchronization: Automatically create B2B collaboration users within your organization and provide them access to the applications they need, without creating and maintaining custom scripts. Improve the user experience and ensure that users can access resources, without receiving an invitation email and having to accept a consent prompt in each tenant. Automatically update users and remove them when they leave the organization. Here are the primary constraints with using cross-tenant synchronization across multiple tenants: Doesn't enhance the current T eams or Microsoft 365 experiences. S ynchronized users will have the same cross-tenant T eams and Microsoft 365 experiences available to any other B2B collaboration user. Doesn't synchronize groups, devices, or contacts. For more information, see What is cross-tenant synchronization? .Cross-tenant synchronization 

Multitenant organization is a feature in Microsoft Entra ID and Microsoft 365 that enables you to form a tenant group within your organization. Each pair of tenants in the group is governed by cross-tenant access settings that you can use to configure B2B or cross-tenant synchronization. Here are the primary benefits of a multitenant organization: Differentiate in-organization and out-of-organization external users Improved collaborative experience in new Microsoft T eams Improved people search experience across tenants For more information, see What is a multitenant organization in Microsoft Entra ID? . Depending on the needs of your organization, you can use any combination of B2B direct connect, B2B collaboration, cross-tenant synchronization, and multitenant organization capabilities. B2B direct connect and B2B collaboration are independent capabilities, while cross-tenant synchronization and multitenant organization capabilities are independent of each other, though both rely on underlying B2B collaboration. The following table compares the capabilities of each feature. For more information about different external identity scenarios, see Comparing External Identities feature sets.Multitenant organization  Compare multitenant capabilities ノExpand table

B2B dir ect connect (Org-to-org external or internal)B2B collaboration (Org-to-org external or internal)Cross-t enant synchr onization (Org int ernal)Multit enant organization (Org int ernal) Purpose Users can access T eams Connect shared channels hosted in external tenants.Users can access apps/resources hosted in external tenants, usually with limited guest privileges. Depending on automatic redemption settings, users might need to accept a consent prompt in each tenant.Users can seamlessly access apps/resources across the same organization, even if they're hosted in different tenants.Users can more seamlessly collaborate across a multitenant organization in new T eams and people search. Value Enables external collaboration within T eams Connect shared channels only. More convenient for administrators because they don't have to manage B2B users.Enables external collaboration. More control and monitoring for administrators by managing the B2B collaboration users. Administrators can limit the access that these external users have to their apps/resources.Enables collaboration across organizational tenants. Administrators don't have to manually invite and synchronize users between tenants to ensure continuous access to apps/resources within the organization.Enables collaboration across organizational tenants. Administrators continue to have full configuration ability via cross- tenant access settings. Optional cross-tenant access templates allow pre- configuration of cross-tenant access settings. Primar y administrat or workflowConfigure cross-tenant access to provide external users inbound access to tenant the credentials for their home tenant.Add external users to resource tenant by using the B2B invitation process or build your own onboarding experience using the B2B collaborationConfigure the cross-tenant synchronization engine to synchronize users between multiple tenants as B2B collaboration users.Create a multitenant organization, add (invite) tenants, join a multitenant organization. Leverage existing B2B collaboration users or use cross- tenant synchronization to

B2B dir ect connect (Org-to-org external or internal)B2B collaboration (Org-to-org external or internal)Cross-t enant synchr onization (Org int ernal)Multit enant organization (Org int ernal) invitation manager .provision B2B collaboration users. Trust lev el Mid trust. B2B direct connect users are less easy to track, mandating a certain level of trust with the external organization.Low to mid trust. User objects can be tracked easily and managed with granular controls.High trust. All tenants are part of the same organization, and users are typically granted member access to all apps/resources.High trust. All tenants are part of the same organization, and users are typically granted member access to all apps/resources. Effect on usersUsers access the resource tenant using the credentials for their home tenant. User objects aren't created in the resource tenant.External users are added to a tenant as B2B collaboration users.Within the same organization, users are synchronized from their home tenant to the resource tenant as B2B collaboration users.Within the same multitenant organization, B2B collaboration users, particularly member users, benefit from enhanced, seamless collaboration across Microsoft 365. User type B2B direct connect user

  • N/AB2B collaboration user
  • External member
  • External guest (default)B2B collaboration user
  • External member (default)
  • External guestB2B collaboration user
  • External member (default)
  • External guest The following diagram shows how B2B direct connect, B2B collaboration, and cross- tenant synchronization capabilities could be used together.

To better understand multitenant organization scenario related Microsoft Entra capabilities, you can refer back to the following list of terms. Term Definition tenant An instance of Microsoft Entra ID. organization The top level of a business hierarchy. multitenant organizationAn organization that has more than one instance of Microsoft Entra ID, as well as a capability to group those instances in Microsoft Entra ID. creator tenant The tenant that created the multitenant organization. owner tenant A tenant with the owner role. Initially, the creator tenant. added tenant A tenant that was added by an owner tenant. joiner tenant A tenant that is joining the multitenant organization. join request A joiner or added tenant submits a join request to join the multitenant organization. pending tenant A tenant that was added by an owner but that hasn't yet joined. active tenant A tenant that created or joined the multitenant organization.  Terminology ノExpand table

Term Definition member tenant A tenant with the member role. Most joiner tenants start as members. multitenant organization tenantAn active tenant of the multitenant organization, not pending. cross-tenant synchronizationA one-way synchronization service in Microsoft Entra ID that automates creating, updating, and deleting B2B collaboration users across tenants in an organization. cross-tenant access settingsSettings to manage collaboration for specific Microsoft Entra organizations. cross-tenant access settings templateAn optional template to preconfigure cross-tenant access settings that are applied to any partner tenant newly joining the multitenant organization. organizational settingsCross-tenant access settings for specific Microsoft Entra organizations. configuration An application and underlying service principal in Microsoft Entra ID that includes the settings (such as target tenant, user scope, and attribute mappings) needed for cross-tenant synchronization. provisioning The process of automatically creating or synchronizing objects across a boundary. automatic redemption A B2B setting to automatically redeem invitations so newly created users don't receive an invitation email or have to accept a consent prompt when added to a target tenant. What is a multitenant organization in Microsoft Entra ID? What is cross-tenant synchronization?Next steps

What is a multitenant organization in Microsoft Entra ID? Article •04/24/2024 Multitenant organization is a feature in Microsoft Entra ID and Microsoft 365 that enables you to form a tenant group within your organization. Each pair of tenants in the group is governed by cross-tenant access settings that you can use to configure B2B or cross-tenant synchronization. Here are the primary goals of multitenant organization: Define a group of tenants belonging to your organization Collaborate across your tenants in new Microsoft T eams Enable search and discovery of user profiles across your tenants through Microsoft 365 people search Organizations that own multiple Microsoft Entra tenants and want to streamline intra- organization cross-tenant collaboration in Microsoft 365. The multitenant organization capability is built on the assumption of reciprocal provisioning of B2B member users across multitenant organization tenants. As such, the multitenant organization capability assumes the simultaneous use of Microsoft Entra cross-tenant synchronization or an alternative bulk provisioning engine for external identities . Here are the primary benefits of a multitenant organization: Differentiate in-organization and out-of-organization external users In Microsoft Entra ID, external users originating from within a multitenant organization can be differentiated from external users originating from outside the multitenant organization. This differentiation facilitates the application of different policies for in-organization and out-of-organization external users.Why use multitenant organization? Who should use it? Benefits

Improved collaborative experience in Microsoft T eams In new Microsoft T eams, multitenant organization users can expect an improved collaborative experience across tenants with chat, calling, and meeting start notifications from all connected tenants across the multitenant organization. Tenant switching is more seamless and faster. For more information, see Announcing more seamless collaboration in Microsoft T eams for multitenant organizations and Microsoft T eams: Advantages of the new architecture . Improved people search experience across tenants Across Microsoft 365 services, the multitenant organization people search experience is a collaboration feature that enables search and discovery of people across multiple tenants. Once enabled, users are able to search and discover synced user profiles in a tenant's global address list and view their corresponding people cards. For more information, see Microsoft 365 multitenant organization people search . The multitenant organization capability enables you to form a tenant group within your organization. The following list describes the basic lifecycle of a multitenant organization. Define a multitenant organization One tenant administrator defines a multitenant organization as a grouping of tenants. The grouping of tenants isn't reciprocal until each listed tenant takes action to join the multitenant organization. The objective is a reciprocal agreement between all listed tenants. Join a multitenant organization Tenant administrators of listed tenants take action to join the multitenant organization. After joining, the multitenant organization relationship is reciprocal between each and every tenant that joined the multitenant organization. Leave a multitenant organization Tenant administrators of listed tenants can leave a multitenant organization at any time. While a tenant administrator who defined the multitenant organization can add and remove listed tenants they don't control the other tenants. How does a multitenant organization work?

A multitenant organization is established as a collaboration of equals. Each tenant administrator stays in control of their tenant and their membership in the multitenant organization. Administrators staying in control of their resources is a guiding principle for multitenant organization collaboration. Cross-tenant access settings are required for each tenant-to- tenant relationship. T enant administrators explicitly configure, as needed, the following policies: Cross-tenant access partner configurations For more information, see Configure cross-tenant access settings for B2B collaboration and crossT enantAccessP olicyConfigurationP artner resource type . Cross-tenant access identity synchronization For more information, see Configure cross-tenant synchronization and crossT enantIdentityS yncPolicyP artner resource type . The following diagram shows three tenants A, B, and C that form a multitenant organization.Cross-tenant access setting s Multitenant organization example  ノExpand table

Tenant Descr iption A Administrators see a multitenant organization consisting of A, B, C. They also see cross-tenant access settings for B and C. B Administrators see a multitenant organization consisting of A, B, C. They also see cross-tenant access settings for A and C. C Administrators see a multitenant organization consisting of A, B, C. They also see cross-tenant access settings for A and B. To ease the setup of homogenous cross-tenant access settings applied to partner tenants in the multitenant organization, the administrator of each multitenant organization tenant can configure optional cross-tenant access settings templates dedicated to the multitenant organization. These templates can be used to preconfigure cross-tenant access settings that are applied to any partner tenant newly joining the multitenant organization. To facilitate the management of a multitenant organization, any given multitenant organization tenant has an associated role and state. Tenant roleDescr iption Owner One tenant creates the multitenant organization. The multitenant organization creating tenant receives the role of owner. The privilege of the owner tenant is to add tenants into a pending state as well as to remove tenants from the multitenant organization. Also, an owner tenant can change the role of other multitenant organization tenants. Member Following the addition of pending tenants to the multitenant organization, pending tenants need to join the multitenant organization to turn their state from pending to active. Joined tenants typically start in the member role. Any member tenant has the privilege to leave the multitenant organization.Templates for cross-tenant access setting s Tenant role and state ノExpand table ノExpand table

Tenant stateDescr iption Pending A pending tenant has yet to join a multitenant organization. While listed in an administrator’s view of the multitenant organization, a pending tenant isn't yet part of the multitenant organization, and as such is hidden from an end user’s view of a multitenant organization. Active Following the addition of pending tenants to the multitenant organization, pending tenants need to join the multitenant organization to turn their state from pending to active. Joined tenants typically start in the member role. Any member tenant has the privilege to leave the multitenant organization. The multitenant organization capability has been designed with the following constraints: Any given tenant can only create or join a single multitenant organization. Any multitenant organization must have at least one active owner tenant. Each active tenant must have cross-tenant access settings for all active tenants. Any active tenant may leave a multitenant organization by removing themselves from it. A multitenant organization is deleted when the only remaining active (owner) tenant leaves. Resour ce Limit Notes Maximum number of active tenants, including the owner tenant100 The owner tenant can add more than 100 pending tenants, but they won't be able to join the multitenant organization if the limit is exceeded. This limit is applied at the time a pending tenant joins a multitenant organization. This limit is specific to the number of tenants in a multitenant organization. It does not apply to cross-tenant synchronization by itself. T o increase this limit, submit a support request in the Microsoft Entra or Microsoft 365 admin center. In the Microsoft Graph APIs, the default limit of 100 tenants is only enforced at the time of joining. In Microsoft 365 admin center, the default limit is enforced at multitenant organization creation time and at time of joining.Constraints Limits ノExpand table

By defining a multitenant organization, as well as pivoting on the Microsoft Entra user property of userT ype, external identities are segmented as follows: External members originating from within a multitenant organization External guests originating from within a multitenant organization External members originating from outside of your organization External guests originating from outside of your organization This segmentation of external users, due to the definition of a multitenant organization, enables administrators to better differentiate in-organization from out-of-organization external users. External members originating from within a multitenant organization are called multitenant organization members. Multitenant collaboration capabilities in Microsoft 365 aim to provide a seamless collaboration experience across tenant boundaries when collaborating with multitenant organization member users. If you haven't previously used Microsoft Entra cross-tenant synchronization, and you intend to establish a collaborating user set topology where the same set of users is shared to all multitenant organization tenants, you might want to use the Microsoft 365 admin center share users functionality. If you're already using Microsoft Entra cross-tenant synchronization, for various multi-hub multi-spoke topologies , you don't need to use the Microsoft 365 admin center share users functionality. Instead, you might want to continue using your existing Microsoft Entra cross-tenant synchronization jobs. Here are the basic steps to get started using multitenant organization. For more information, see Plan for multitenant organizations in Microsoft 365 .External user segmentation Choosing between Microsoft 365 admin center and cross-tenant synchronization Get started Step 1: Plan your deployment

Create your multitenant organization using Microsoft 365 admin center , Microsoft Graph P owerShell , or Microsoft Graph API : First tenant, soon-to-be owner tenant, creates a multitenant organization. Owner tenant adds one or more joiner tenants. Join a multitenant organization using Microsoft 365 admin center or Microsoft Graph PowerShell , or Microsoft Graph API : Joiner tenants submit a join request to join the multitenant organization of owner tenant. To allow for asynchronous processing, wait up to 2 hour s. Your multitenant organization is formed. Depending on your use case, you may want to synchronize users using one of the following methods: Synchronize users in multitenant organizations in Microsoft 365 Configure cross-tenant synchronization Configure cross-tenant synchronization using P owerShell or Microsoft Graph API Your alternative bulk provisioning engine The multitenant organization capability requires Microsoft Entra ID P1 licenses. Only one Microsoft Entra ID P1 license is required per employee per multitenant organization. Also, you must have at least one Microsoft Entra ID P1 license per tenant. T o find the right license for your requirements, see Compare generally available features of Microsoft Entra ID . Plan for multitenant organizations in Microsoft 365 What is cross-tenant synchronization?Step 2: Create your multitenant organization Step 3: Join a multitenant organization Step 4: Synchronize users License requirements Next steps

What is cross-tenant synchronization? Article •01/03/2024 Cross-tenant s ynchr onization automates creating, updating, and deleting Microsoft Entra B2B collaboration users across tenants in an organization. It enables users to access applications and collaborate across tenants, while still allowing the organization to evolve. Here are the primary goals of cross-tenant synchronization: Seamless collaboration for a multitenant organization Automate lifecycle management of B2B collaboration users in a multitenant organization Automatically remove B2B accounts when a user leaves the organization Cross-tenant synchronization automates creating, updating, and deleting B2B collaboration users. Users created with cross-tenant synchronization are able to access both Microsoft applications (such as T eams and ShareP oint) and non-Microsoft applications (such as ServiceNow , Adobe , and many more), regardless of which tenant the apps are integrated with. These users continue to benefit from the security capabilities in Microsoft Entra ID, such as Microsoft Entra Conditional Access and cross- tenant access settings , and can be governed through features such as Microsoft Entra entitlement management . The following diagram shows how you can use cross-tenant synchronization to enable users to access applications across tenants in your organization.https://www.youtube-nocookie.com/embed/7B-PQwNfGBc Why use cross-tenant synchronization?

Organizations that own multiple Microsoft Entra tenants and want to streamline intra-organization cross-tenant application access. Cross-tenant synchronization is not currently suitable for use across organizational boundaries. With cross-tenant synchronization, you can do the following: Automatically create B2B collaboration users within your organization and provide them access to the applications they need, without creating and maintaining custom scripts. Improve the user experience and ensure that users can access resources, without receiving an invitation email and having to accept a consent prompt in each tenant. Automatically update users and remove them when they leave the organization. Users created by cross-tenant synchronization will have the same experience when accessing Microsoft T eams and other Microsoft 365 services as B2B collaboration users created through a manual invitation. If your organization uses shared channels, please see the known issues document for additional details. Over time, the member userT ype will be used by the various Microsoft 365 services to provide differentiated end user experiences for users in a multitenant organization.  Who should use? Benefits Teams and Microsoft 365

When you configure cross-tenant synchronization, you define a trust relationship between a source tenant and a target tenant. Cross-tenant synchronization has the following properties: Based on the Microsoft Entra provisioning engine. Is a push process from the source tenant, not a pull process from the target tenant. Supports pushing only internal members from the source tenant. It doesn't support syncing external users from the source tenant. Users in scope for synchronization are configured in the source tenant. Attribute mapping is configured in the source tenant. Extension attributes are supported. Target tenant administrators can stop a synchronization at any time. The following table shows the parts of cross-tenant synchronization and which tenant they're configured. Tenant Cross-t enant access settingsAutomatic r edemption Sync settings configurationUser s in scope Source tenant✔ ✔ ✔ Target tenant✔ ✔ The cross-tenant synchronization setting is an inbound only organizational setting to allow the administrator of a source tenant to synchronize users into a target tenant. This setting is a check box with the name Allow user s sync int o this t enant that is specified in the target tenant. This setting doesn't impact B2B invitations created through other processes such as manual invitation or Microsoft Entra entitlement management .Properties ノExpand table Cross-tenant synchronization setting

To configure this setting using Microsoft Graph, see the Update crossT enantIdentityS yncPolicyP artner API. For more information, see Configure cross- tenant synchronization . The automatic redemption setting is an inbound and outbound organizational trust setting to automatically redeem invitations so users don't have to accept the consent prompt the first time they access the resource/target tenant. This setting is a check box with the following name: Automatically r edeem invitations with the t enant The automatic redemption setting applies to cross-tenant synchronization, B2B collaboration, and B2B direct connect in the following situations:  Automatic redemption setting  Compare setting for different scenarios

When users are created in a target tenant using cross-tenant synchronization. When users are added to a resource tenant using B2B collaboration. When users access resources in a resource tenant using B2B direct connect. The following table shows how this setting compares when enabled for these scenarios: Item Cross-t enant synchr onizationB2B collaborationB2B dir ect connect Automatic redemption setting Required Optional Optional Users receive a B2B collaboration invitation emailNo No N/A Users must accept a consent promptNo No No Users receive a B2B collaboration notification emailNo Yes N/A This setting doesn't impact application consent experiences. For more information, see Consent experience for applications in Microsoft Entra ID . This setting isn't supported for organizations across different Microsoft cloud environments, such as Azure commercial and Azure Government. The automatic redemption setting will only suppress the consent prompt and invitation email if both the home/source tenant (outbound) and resource/target tenant (inbound) checks this setting. The following table shows the consent prompt behavior for source tenant users when the automatic redemption setting is checked for different cross-tenant access setting combinations.ノExpand table When is consent prompt suppressed?

Home/sour ce tenant Resour ce/tar get t enant Consent pr ompt behavior for sour ce tenant user s Outbound Inbound Suppressed Not suppressed Not suppressed Not suppressed Inbound Outbound Not suppressed Not suppressed Not suppressed Not suppressed To configure this setting using Microsoft Graph, see the Update crossT enantAccessP olicyConfigurationP artner API. For more information, see Configure cross-tenant synchronization . For cross-tenant synchronization, users don't receive an email or have to accept a consent prompt. If users want to see what tenants they belong to, they can open their My Account page and select Organizations . In the Microsoft Entra admin center, users can open their Portal settings , view their Directories + subscriptions , and switch directories. For more information, including privacy information, see Leave an organization as an external user . Here are the basic steps to get started using cross-tenant synchronization.ノExpand table How do users know what tenants they belong to? Get started

Cross-tenant synchronization provides a flexible solution to enable collaboration, but every organization is different. For example, you might have a central tenant, satellite tenants, or sort of a mesh of tenants. Cross-tenant synchronization supports any of these topologies. For more information, see Topologies for cross-tenant synchronization . In the target tenant where users are created, navigate to the Cross-t enant access settings page. Here you enable cross-tenant synchronization and the B2B automatic redemption settings by selecting the respective check boxes. For more information, see Configure cross-tenant synchronization . In any source tenant, navigate to the Cross-t enant access settings page and enable the B2B automatic redemption feature. Next, you use the Cross-t enant synchr onization page to set up a cross-tenant synchronization job and specify: Which users you want to synchronize What attributes you want to include Any transformations For anyone that has used Microsoft Entra ID to provision identities into a SaaS application , this experience will be familiar. Once you have synchronization configured,Step 1: Define how to structure the tenants in your organization Step 2: Enable cross-tenant synchronization in the target tenants Step 3: Enable cross-tenant synchronization in the source tenants

you can start testing with a few users and make sure they're created with all the attributes that you need. When testing is complete, you can quickly add additional users to synchronize and roll out across your organization. For more information, see Configure cross-tenant synchronization . In the source tenant: Using this feature requires Microsoft Entra ID P1 licenses. Each user who is synchronized with cross-tenant synchronization must have a P1 license in their home/source tenant. T o find the right license for your requirements, see Compare generally available features of Microsoft Entra ID . In the target tenant: Cross-tenant sync relies on the Microsoft Entra External ID billing model. T o understand the external identities licensing model, see MAU billing model for Microsoft Entra External ID . You will also need at least one Microsoft Entra ID P1 license in the target tenant to enable auto-redemption. Which clouds can cross-tenant synchronization be used in? Cross-tenant synchronization is supported within the commercial cloud and Azure Government. Cross-tenant synchronization isn't supported within the Microsoft Azure operated by 21Vianet cloud. Synchronization is only supported between two tenants in the same cloud. Cross-cloud (such as public cloud to Azure Government) isn't currently supported. Will cross-tenant synchronization manage existing B2B users?License requirements Frequently asked questions Clouds Existing B2B users

Yes. Cross-tenant synchronization uses an internal attribute called the alternativeSecurityIdentifier to uniquely match an internal user in the source tenant with an external / B2B user in the target tenant. Cross-tenant synchronization can update existing B2B users, ensuring that each user has only one account. Cross-tenant synchronization cannot match an internal user in the source tenant with an internal user in the target tenant (both type member and type guest). How often does cross-tenant synchronization run? The sync interval is currently fixed to start at 40-minute intervals. S ync duration varies based on the number of in-scope users. The initial sync cycle is likely to take significantly longer than the following incremental sync cycles. How do I control what is synchronized into the target tenant? In the source tenant, you can control which users are provisioned with the configuration or attribute-based filters. Y ou can also control what attributes on the user object are synchronized. For more information, see Scoping users or groups to be provisioned with scoping filters . If a user is removed from the scope of sync in a source tenant, will cross-tenant synchronization soft delete them in the target? Yes. If a user is removed from the scope of sync in a source tenant, cross-tenant synchronization will soft delete them in the target tenant. What object types can be synchronized? Microsoft Entra users can be synchronized between tenants. (Groups, devices, and contacts aren't currently supported.) What user types can be synchronized? Internal members can be synchronized from source tenants. Internal guests can't be synchronized from source tenants. Users can be synchronized to target tenants as external members (default) or external guests.Synchronization frequency Scope Object types

For more information about the UserT ype definitions, see Properties of a Microsoft Entra B2B collaboration user . I have existing B2B collaboration users. What will happen to them? Cross-tenant synchronization will match the user and make any necessary updates to the user, such as update the display name. By default, the UserT ype won't be updated from guest to member, but you can configure this in the attribute mappings. What user attributes can be synchronized? Cross-tenant synchronization will sync commonly used attributes on the user object in Microsoft Entra ID, including (but not limited to) displayName, userPrincipalName, and directory extension attributes. Cross-tenant synchronization supports provisioning the manager attribute. Both the user and their manager must be in scope for provisioning. For cross-tenant synchronization configurations created before January 2024 with the default schema / attribute mappings: The manager attribute will automatically be added to the mappings. This does not trigger an initial sync cycle. Manager updates will apply on the incremental cycle for users that are undergoing changes (e.g. manager change). The sync engine doesn’t automatically update all existing users that were provisioned previously. To update the manager for existing users that are in scope for provisioning, you can use on-demand provisioning for specific users or do a restart to provision the manager for all users. For cross-tenant synchronization configurations created before January 2024 with a custom schema / attribute mappings (e.g. you added an attribute to the mappings or changed the default mappings): You need to manually add the manager attribute to your attribute mappings. This will trigger a restart and update all users that are in scope for provisioning. This should be a direct mapping of the manager attribute in the source tenant to the manager in the target tenant. If the manager of a user is removed in the source tenant and no new manager is assigned in the source tenant, the manager attribute will not be updated in the target tenant. What attributes can't be synchronized?Attributes

Attributes including (but not limited to) photos, custom security attributes, and user attributes outside of the directory can't be synchronized by cross-tenant synchronization. Can I control where user attributes are sourced/managed? Cross-tenant synchronization doesn't offer direct control over source of authority. The user and its attributes are deemed authoritative at the source tenant. There are parallel sources of authority workstreams that will evolve source of authority controls for users down to the attribute level and a user object at the source may ultimately reflect multiple underlying sources. For the tenant-to-tenant process, this is still treated as the source tenant's values being authoritative for the sync process (even if pieces actually originate elsewhere) into the target tenant. Currently, there's no support for reversing the sync process's source of authority. Cross-tenant synchronization only supports source of authority at the object level. That means all attributes of a user must come from the same source, including credentials. It isn't possible to reverse the source of authority or federation direction of a synchronized object. What happens if attributes for a synced user are changed in the target tenant? Cross-tenant synchronization doesn't query for changes in the target. If no changes are made to the synced user in the source tenant, then user attribute changes made in the target tenant will persist. However, if changes are made to the user in the source tenant, then during the next synchronization cycle, the user in the target tenant will be updated to match the user in the source tenant. Can the target tenant manually block sign-in for a specific home/source tenant user that is synced? If no changes are made to the synced user in the source tenant, then the block sign-in setting in the target tenant will persist. If a change is detected for the user in the source tenant, cross-tenant synchronization will re-enable that user blocked from sign-in in the target tenant. Can I sync a mesh between multiple tenants? Cross-tenant synchronization is configured as a single-direction peer-to-peer sync, meaning sync is configured between one source and one target tenant. Multiple instances of cross-tenant synchronization can be configured to sync from a singleStructure

source to multiple targets and from multiple sources into a single target. But only one sync instance can exist between a source and a target. Cross-tenant synchronization only synchronizes users that are internal to the home/source tenant, ensuring that you can't end up with a loop where a user is written back to the same tenant. Multiple topologies are supported. For more information, see Topologies for cross- tenant synchronization . Can I use cross-tenant synchronization across organizations (outside my multitenant organization)? For privacy reasons, cross-tenant synchronization is intended for use within an organization. W e recommend using entitlement management for inviting B2B collaboration users across organizations. Can cross-tenant synchronization be used to migrate users from one tenant to another tenant? No. Cross-tenant synchronization isn't a migration tool because the source tenant is required for synchronized users to authenticate. In addition, tenant migrations would require migrating user data such as ShareP oint and OneDrive. Does cross-tenant synchronization resolve any present B2B collaboration limitations? Since cross-tenant synchronization is built on existing B2B collaboration technology, existing limitations apply. Examples include (but aren't limited to): App or serviceLimitations Power BI - Support for UserT ype Member in P ower BI is currently in preview. For more information, see Distribute P ower BI content to external guest users with Microsoft Entra B2B . Azure Virtual Desktop- External member and external guest aren't supported in Azure Virtual Desktop. How does cross-tenant synchronization relate to B2B direct connect ?B2B collaboration ノExpand table B2B direct connect

B2B direct connect is the underlying identity technology required for Teams Connect shared channels . We recommend B2B collaboration for all other cross-tenant application access scenarios, including both Microsoft and non-Microsoft applications. B2B direct connect and cross-tenant synchronization are designed to co-exist, and you can enable them both for broad coverage of cross-tenant scenarios. We're trying to determine the extent to which we'll need to utilize cross-tenant synchronization in our multitenant organization. Do you plan to extend support for B2B direct connect beyond T eams Connect? There's no plan to extend support for B2B direct connect beyond T eams Connect shared channels. Does cross-tenant synchronization enhance any cross-tenant Microsoft 365 app access user experiences? Cross-tenant synchronization utilizes a feature that improves the user experience by suppressing the first-time B2B consent prompt and redemption process in each tenant. Synchronized users will have the same cross-tenant Microsoft 365 experiences available to any other B2B collaboration user. Can cross-tenant synchronization enable people search scenarios where synchronized users appear in the global address list of the target tenant? Yes, but you must set the value for the showInAddr essList attribute of synchronized users to True, which is not set by default. If you want to create a unified address list, you'll need to set up a mesh peer-to-peer topology . For more information, see Step 9: R eview attribute mappings . Cross-tenant synchronization creates B2B collaboration users and doesn't create contacts. Does cross-tenant synchronization enhance any current T eams experiences? Synchronized users will have the same cross-tenant Microsoft 365 experiences available to any other B2B collaboration user.Microsoft 365 Teams

What federation options are supported for users in the target tenant back to the source tenant? For each internal user in the source tenant, cross-tenant synchronization creates a federated external user (commonly used in B2B) in the target. It supports syncing internal users. This includes internal users federated to other identity systems using domain federation (such as Active Directory Federation Services ). It doesn't support syncing external users. Does cross-tenant synchronization use S ystem for Cross-Domain Identity Management (SCIM)? No. Currently, Microsoft Entra ID supports a SCIM client, but not a SCIM server. For more information, see SCIM synchronization with Microsoft Entra ID . Does cross-tenant synchronization support deprovisioning users? Yes, when the below actions occur in the source tenant, the user will be soft deleted in the target tenant. Delete the user in the source tenant Unassign the user from the cross-tenant synchronization configuration Remove the user from a group that is assigned to the cross-tenant synchronization configuration An attribute on the user changes such that they do not meet the scoping filter conditions defined on the cross-tenant synchronization configuration anymore If the user is blocked from sign-in in the source tenant (accountEnabled = false) they will be blocked from sign-in in the target. This is not a deletion, but an updated to the accountEnabled property. Users are not soft deleted from the target tenant in this scenario:

  1. Add a user to a group and assign it to the cross-tenant synchronization configuration in the source tenant.
  2. Provision the user on-demand or through the incremental cycle.
  3. Update the account enabled status to false on the user in the source tenant.
  4. Provision the user on-demand or through the incremental cycle. The account enabled status is changed to false in the target tenant.
  5. Remove the user from the group in the source tenant.Integration Deprovisioning

Does cross-tenant synchronization support restoring users? If the user in the source tenant is restored, reassigned to the app, meets the scoping condition again within 30 days of soft deletion, it will be restored in the target tenant. IT admins can also manually restore the user directly in the target tenant. How can I deprovision all the users that are currently in scope of cross-tenant synchronization? Unassign all users and / or groups from the cross-tenant synchronization configuration. This will trigger all the users that were unassigned, either directly or through group membership, to be deprovisioned in subsequent sync cycles. Please note that the target tenant will need to keep the inbound policy for sync enabled until deprovisioning is complete. If the scope is set to Sync all user s and gr oups , you will also need to change it to Sync only assigned user s and gr oups . The users will be automatically soft deleted by cross-tenant synchronization. The users will be automatically hard deleted after 30 days or you can choose to hard delete the users directly from the target tenant. Y ou can choose to hard delete the users directly in the target tenant or wait 30 days for the users to be automatically hard deleted. If the sync relationship is severed, are external users previously managed by cross- tenant synchronization deleted in the target tenant? No. No changes are made to the external users previously managed by cross- tenant synchronization if the relationship is severed (for example, if the cross- tenant synchronization policy is deleted). Topologies for cross-tenant synchronization Configure cross-tenant synchronizationNext steps

Multitenant organization identity provisioning for Microsoft 365 Article •04/24/2024 The multitenant organization capability is designed for organizations that own multiple Microsoft Entra tenants and want to streamline intra-organization cross-tenant collaboration in Microsoft 365. It's built on the premise of reciprocal provisioning of B2B member users across multitenant organization tenants. Teams external access and Teams shared channels excluded, Microsoft 365 people search is typically scoped to within local tenant boundaries. In multitenant organizations with increased need for cross-tenant coworker collaboration, it's recommended to reciprocally provision users from their home tenants into the resource tenants of collaborating coworkers. The new Microsoft T eams experience improves upon Microsoft 365 people search and Teams external access for a unified seamless collaboration experience. For this improved experience to light up, the multitenant organization representation in Microsoft Entra ID is required and collaborating users shall be provisioned as B2B members. For more information, see Announcing more seamless collaboration in Microsoft T eams for multitenant organizations . Collaboration in Microsoft 365 is built on the premise of reciprocal provisioning of B2B identities across multitenant organization tenants. For example, say Annie in tenant A, Bob and Barbara in tenant B, and Charlie in tenant C want to collaborate. Conceptually, these four users represent a collaborating user set of four internal identities across three tenants.Microsoft 365 people search New Microsoft Teams Collaborating user set

For people search to succeed, while scoped to local tenant boundaries, the entire collaborating user set must be represented within the scope of each multitenant organization tenant A, B, and C, in the form of either internal or B2B identities. Depending on your organization’s needs, the collaborating user set may contain a subset of collaborating employees, or eventually all employees. One of the simpler ways to achieve a collaborating user set in each multitenant organization tenant is for each tenant administrator to define their user contribution and synchronization them outbound. T enant administrators on the receiving end should accept the shared users inbound. Administrator A contributes or shares Annie Administrator B contributes or shares Bob and Barbara Administrator C contributes or shares Charles   Sharing your users

Microsoft 365 admin center facilitates orchestration of such a collaborating user set across multitenant organization tenants. For more information, see Synchronize users in multitenant organizations in Microsoft 365 . Alternatively, pair-wise configuration of inbound and outbound cross-tenant synchronization can be used to orchestrate such collating user set across multitenant organization tenants. For more information, see What is a cross-tenant synchronization . To ensure a seamless collaboration experience across the multitenant organization in new Microsoft T eams, B2B identities are provisioned as B2B users of Member userT ype. User synchr onization method Default userT ype pr oper ty Synchronize users in multitenant organizations in Microsoft 365Member Remains Guest, if the B2B identity already existed as Guest Cross-tenant synchronization in Microsoft Entra ID Member Remains Guest, if the B2B identity already existed as Guest  B2B member users ノExpand table

From a security perspective, you should review the default permissions granted to B2B member users. For more information, see Compare member and guest default permissions . To change the userT ype from Guest to Member (or vice versa), a source tenant administrator can amend the attribute mappings , or a target tenant administrator can change the userT ype if the property is not recurringly synchronized. To unshare users, you deprovision users by using the user deprovisioning capabilities available in Microsoft Entra cross-tenant synchronization. By default, when provisioning scope is reduced while a synchronization job is running, users fall out of scope and are soft deleted, unless T arget Object Actions for Delete is disabled. For more information, see Deprovisioning and Define who is in scope for provisioning . Plan for multitenant organizations in Microsoft 365 Set up a multitenant org in Microsoft 365Unsharing your users Next steps

Multitenant organization optional policy templates Article •04/23/2024 Administrators staying in control of their resources is a guiding principle for multitenant organization collaboration. Cross-tenant access settings are required for each tenant-to- tenant relationship. T enant administrators explicitly configure cross-tenant access partner configurations and identity synchronization settings for partner tenants inside the multitenant organization. To help apply homogenous cross-tenant access settings to partner tenants in the multitenant organization, the administrator of each tenant can configure optional cross- tenant access settings templates dedicated to the multitenant organization. This article describes how to use templates to preconfigure cross-tenant access settings that are applied to any partner tenant newly joining the multitenant organization. Within a multitenant organization, each pair of tenants must have bi-directional cross- tenant access settings , for both, partner configuration and identity synchronization. These settings provide the underlying policy framework for enabling trust and for sharing users and applications. When your tenant joins a new multitenant organization, or when a partner tenant joins your existing multitenant organization, cross-tenant access settings to other partner tenants in the enlarged multitenant organization, if they don't already exist, are automatically generated in an unconfigured state. In an unconfigured state, these cross- tenant access settings pass through the default settings . Default cross-tenant access settings apply to all external tenants for which you haven't created organization-specific customized settings. T ypically, these settings are configured to be nontrusting. For example, cross-tenant trusts for multifactor authentication and compliant device claims might be disabled and user and group sharing in B2B direct connect or B2B collaboration might be disallowed. In multitenant organizations, on the other hand, cross-tenant access settings are typically expected to be trusting. For example, cross-tenant trusts for multifactor authentication and compliant device claims might be enabled and user and group sharing in B2B direct connect or B2B collaboration might be allowed.Autogeneration of cross-tenant access setting s

While the autogeneration of cross-tenant access settings for multitenant organization partner tenants in and of itself doesn't change any authentication or authorization policy behavior, it allows your organization to easily customize the cross-tenant access settings for partner tenants in the multitenant organization on a per-tenant basis. As previously described, in multitenant organizations, cross-tenant access settings are typically expected to be trusting. For example, cross-tenant trusts for multifactor authentication and compliant device claims might be enabled and user and group sharing in B2B direct connect or B2B collaboration might be allowed. While autogeneration of cross-tenant access settings, per previous section, guarantees the existence of cross-tenant access settings for every multitenant organization partner tenant, further maintenance of the cross-tenant access settings for multitenant organization partner tenants is conducted individually, on a per-tenant basis. To reduce the workload for administrators at the time of multitenant organization formation, you can optionally use policy templates for preemptive configuration of cross-tenant access settings. These template settings are applied at the time of your tenant joins a multitenant organization to all external multitenant organization partner tenants as well as at the time of any partner tenant joins your existing multitenant organization to such new partner tenant. Enablement or configuration of the optional policy templates , at the time of a partner tenant joins a multitenant organization, preemptively amend the corresponding cross- tenant access settings , for both partner configuration and identity synchronization. As an example, consider the actions of the administrators for an anticipated multitenant organization with three tenants, A, B, and C. The administrators of all three tenants enable and configure their respective optional policy templates to enable cross-tenant trusts for multifactor authentication and compliant device claims and to allow user and group sharing in B2B direct connect and B2B collaboration. Administrator A creates the multitenant organization and adds tenants B and C as pending tenants to the multitenant organization. Administrator B joins the multitenant organization. Cross-tenant access settings in tenant A for partner tenant B are amended, according to tenant A policy template settings. Vice versa, cross-tenant access settings in tenant B for partner tenant A are amended, according to tenant B policy template settings.Policy templates at multitenant organization formation

Administrator C joins the multitenant organization. Cross-tenant access settings in tenants A (and B) for partner tenant C are amended, according to tenant A (and B) policy template settings. Similarly, cross-tenant access settings in tenant C for partner tenants A and B are amended, according to tenant C policy template settings. Following the formation of this multitenant organization of three tenants, the cross-tenant access settings of all tenant pairs in the multitenant organization have preemptively been configured. In summary, configuration of the optional policy templates enable you to homogeneously initialize cross-tenant access settings across your multitenant organization, while maintaining maximum flexibility to customize your cross-tenant access settings as needed on a per-tenant basis. To stop using the policy templates, you can reset them to their default state. For more information, see Configure multitenant organization templates . To provide administrators with further configurability, you can choose when cross- tenant access settings are to be amended according to the policy templates. For example, you can choose to apply the policy templates for the following tenants when a tenant joins a multitenant organization: Tenant Descr iption Only new partner tenants Tenants whose cross-tenant access settings are autogenerated Only existing partner tenants Tenants who already have cross-tenant access settings All partner tenants Both new partner tenants and existing partner tenants No partner tenants Policy templates are effectively disabled In this context, new partners refer to tenants for which you haven't yet configured cross- tenant access settings, while existing partners refer to tenants for which you have already configured cross-tenant access settings. This scoping is specified with the templateApplicationLevel property on the cross-tenant access partner configuration template and the templateApplicationLevel property on the cross-tenant access identity synchronization template .Policy template scoping and additional properties ノExpand table

Finally, in terms of interpretation of template property values, any template property value of null has no effect on the corresponding property value in the targeted cross- tenant access settings, while a defined template property value causes the corresponding property value in the targeted cross-tenant access settings to be amended in accordance with the template. The following table illustrates how template property values are being applied to corresponding cross-tenant access setting values. Templat e Value Initial P artner Settings V alue (Befor e joining multit enant or g)Final P artner Settings V alue (After joining multit enant or g) null