Cross-tenant synchronization in Microsoft Entra ID (Azure Active Directory)

Microsoft announced the coming of cross-tenant synchronization. The feature is supposed to enter Global Availability in June 2023, according to the 109568 Roadmap item. Cross-tenant sync has the potential to make work in multi-tenant organizations easier by automating user creation and synchronization. This article provides general information about the feature, explains what multi-tenant organizations are and how is it different from a cross-tenant migration.

cross-tenant synchronization Microsoft 365

What is cross-tenant synchronization?

Cross-tenant synchronization is a feature designed to simplify collaboration in multi-tenant organizations. In simple terms, it automates creation, updating and removal of B2B users across tenants within the same Microsoft 365 organization. It is similar to a hybrid environment – each synchronization has a specific source and a specific target. Users are synchronized, together with chosen attributes, to the target tenant. Instead of an on-premises and a cloud environment, you have two cloud-based environments. In the target environment, instead of remote users, you have external users.

Cross-tenant collaboration isn’t new. AAD B2B collaboration was introduced back in 2015 for easy resource sharing, to allow guest users to access a strictly controlled “slice” of a specific Entra ID (Azure AD) tenant. Cross-tenant synchronization automates the process of provisioning such users and allows them to access Microsoft and 3rd party apps on both source and target tenant.

Microsoft emphasizes that the feature should only be used within a multi-tenant organization, and not to enhance collaboration between partners, since it gives too broad access to the target organization. The question is, what exactly stands for a multi-tenant organization.

What does multi-tenant organization mean?

Multi-tenant organization is a company that has more than one Microsoft 365 tenant. While most organizations and companies have their data contained within a single tenant, there is a lot of scenarios where an organization spans over multiple AAD instances, for example:

  • Large organizations with multiple subsidiaries or business units.
  • Companies that undergo mergers or acquisitions.
  • Organizations spanning across multiple geographic locations, where it makes sense to store data in different Azure datacenters.
  • Organizations with test, staging or demo tenants.

While the cross-tenant synchronization can help in multiple scenarios, it doesn’t always come with benefits. For example, if a Sales Team uses additional tenants to present how Microsoft 365 works together with additional 3rd party apps, there’s no point in synchronizing users from the main, production tenant. From the IT resource management point of view, it is easier to configure a single tenant using Microsoft 365 Groups instead of separate tenants.

Cross-tenant sync prerequisites

Creating cross-tenant synchronizations requires both source and target tenants to meet some requirements.

  • Each synchronized user requires Microsoft Entra ID P1 license.
  • Security Administrator role is required in both source and target tenants. Source tenant also requires Hybrid Identity, Cloud Application and Application Administrator roles to complete configuration.

How to configure cross-tenant synchronization?

You can configure cross-tenant synchronization from the Azure portal or using Graph API. For detailed instructions consult this Microsoft article.

Cross-tenant synchronization limitations and disadvantages

Here are some of the limitations that apply to the synchronization feature at the time of writing:

  • Only one-way sync is supported. It means that there’s always one source and one target tenant in a sync configuration. Companies with complex topologies need to set up multiple synchronization configurations with defined sets of users.
  • The target tenant isn’t queried for changes in attributes. It makes it quite easy to have differences between users in source and target tenants.
  • No support for cross-cloud sync.
  • Only Entra ID users can be synchronized (groups, devices and contacts are not supported).
  • Cross-tenant sync starts every 40 minutes.
  • External members aren’t supported in Power BI, Azure Virtual Desktop or Teams Connect shared channels.
  • Attributes synchronized to the target tenant are limited.

Is this the end of cross-tenant migrations?

While cross-tenant synchronization makes it easier to collaborate in multi-tenant companies, it is not a complete substitute to a cross-tenant migration. To quote this Microsoft article:

Cross-tenant synchronization isn’t a migration tool because the source tenant is required for synchronized users to authenticate. In addition, tenant migrations would require migrating user data such as SharePoint and OneDrive.

Right now, I wouldn’t use synchronization as a long-term solution, unless some legal regulations made me keep organization data in separate tenants. Cross-tenant migration has some clear advantages over a sync:

  • A single-tenant organization is usually much simpler to manage.
  • Migrating to a single tenant doesn’t come with all the B2B collaboration and synchronization limitations.
  • In case of mergers and acquisitions, a synchronization might provide a quick way to let users collaborate, but in the long run controlling access to resources is much quicker with security groups and conditional access policies configured in a single tenant.
  • External (guest) users need to be strictly monitored, since it’s easier to miss that an external account has been compromised.

Read also

How to migrate mailboxes between Office 365 tenants?

Exchange Hybrid Configuration Wizard step by step guide

Tools for Exchange Server

One thought on “Cross-tenant synchronization in Microsoft Entra ID (Azure Active Directory)

  1. If you use teams, right now cross-tenant-sync is going to cause you issues. The sync works great for Outlook, Sharepoint, ad, etc but with Teams its a cluster F. If you add someone from the other org in your teams with the synced account info, the other user gets an invite to ware they have to sign-in onto your tennant Teams and they don’t get the message into there running teams, and have to switch in teams to each others org. If you paste in the other person’s email address in teams and chose to search globally, then you will get the correct link to add in the user and they will receive your message right into there running teams instance and not be forced to login to your Teams tenant.

    Good luck!

Leave a Reply

Your email address will not be published.

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>


CodeTwo sp. z o.o. sp. k. is a controller of your personal data.
See our Privacy Policy to learn more.