
Azure Cross Tenant Sync allows you to synchronize data between different Azure Active Directory (AAD) tenants, enabling seamless collaboration and data sharing across organizations.
To set up Azure Cross Tenant Sync, you'll need to create a new Azure AD B2B collaboration. This involves sending an invitation to the external user, which can be done using the Azure AD portal or PowerShell.
The maximum number of users that can be invited to a B2B collaboration is 100,000. This limit can be increased by contacting Microsoft Support.
It's essential to establish a clear understanding of data ownership and governance before implementing Azure Cross Tenant Sync, as this will help prevent any potential data conflicts or issues.
Prerequisites
To get started with Azure cross-tenant sync, you'll need an Azure AD Premium P1 SKU or equivalent license. This is a crucial requirement for the feature to work.
You'll also need to have a Hybrid Identity Administrator role or a Global Administrator role in your Azure AD instance. This will give you the necessary permissions to configure the cross-tenant sync settings.
To invite external users to your Microsoft 365 tenant, you'll need to use Azure B2B, which requires a premium license for each user you synchronize. This can be a bit pricey, but it's worth it for the benefits of cross-tenant sync.
Those are the specific requirements you'll need to meet. By meeting these prerequisites, you'll be well on your way to setting up Azure cross-tenant sync and enjoying its benefits.
Configure
To configure cross-tenant sync, you need to create a trust between the source and target tenant. This involves creating a cross-tenant settings object for each tenant involved. You'll also need to decide on the topology to use and ensure you have an Azure AD Premium P1 SKU or equivalent.
You must toggle the "Allow users sync into this tenant" setting under the Inbound access settings configuration corresponding to the source-target relationship in the target tenant. This setting can be found under the Cross-tenant sync tab.
You'll also need to toggle the "Suppress consent prompts for users" setting under Trust settings for both the source and target tenant. This is a mandatory setting, and failing to toggle it will result in an impasse later on.
To create the actual cross-tenant sync object, navigate to the Cross-tenant synchronization tab under the Azure AD blade. Click the Configurations tab, then the New configuration button, and provide a name for the configuration.
Here are the steps to create a new configuration:
- Navigate to the Azure Active Directory portal or the Microsoft Entra Portal.
- Click on the Cross-tenant synchronization blade.
- Click on the Configurations blade and select New configuration.
- Provide the name that you want to use and click on Create.
After creating the configuration, you'll need to validate that the sync works by clicking on the configuration you've just created and clicking on Provisioning. Set the Provisioning Mode to Automatic instead of Manual, provide the Tenant ID of the target tenant, click on Test connection, and Save.
Sync Settings
Sync Settings are crucial for a successful Azure Cross-Tenant Sync. To allow users to sync into the target tenant, you need to select the "Allow users sync into this tenant" option.
The "Suppress consent prompts for users" option must be enabled within the Trust settings tab in the Outbound access cross-tenant setting. This is a mandatory setting, and failing to toggle it will result in an impasse later on.
To configure cross-tenant sync, you need to create a cross-tenant settings object for each of the tenants involved. This includes toggling the "Allow users sync into this tenant" setting under the Inbound access settings configuration corresponding to the source-target relationship in the target tenant.
The Suppress consent prompts setting is different depending on where you're toggling it from. In the source tenant, it's called "Suppress consent prompts for users", while in the target tenant, it's called "Suppress consent prompts for users in other tenants."
Here are the steps to configure the Suppress consent prompts setting:
- Toggle the Suppress consent prompts setting to enabled in the source tenant's Outbound settings.
- Toggle the Suppress consent prompts setting to enabled in the target tenant's Inbound settings.
The Azure AD Premium licensing requirement is enforced here. Without it, the option will be grayed out and cannot be toggled, and in turn, the cross-tenant sync cannot be configured.
Trust and Identity
To ensure seamless user experience, it's essential to configure trust settings properly. Selecting the "Customize settings" option within the "Trust settings" tab allows users to avoid getting another MFA prompt as soon as they visit the tenant.
Configuring trust settings also lets the target tenant trust a device automatically once the source tenant trusts it. This setting should be configured in the source tenant to avoid any disruptions.
Suppressing the Consent Prompt is also crucial to avoid bothering users with unnecessary prompts. This setting should be configured in the source tenant to ensure a smooth user experience.
Trust Settings
To configure trust settings, select the "Customize settings" option within the "Trust settings" tab and choose all available options. This allows users to avoid getting another MFA prompt after visiting your tenant.
By selecting this option, you also accept device compliance claims, so a device is trusted automatically once the source tenant trusts it. The same goes for the target tenant.
Suppressing the Consent Prompt is also a good idea, as it can be annoying for users to receive it. Ensure this setting is configured in the source tenant.
You can find more information about configuring trust settings in the Microsoft documentation.
To create a trust between two tenants, you must configure the cross-tenant access settings. This involves adding an external Azure AD tenant by typing any domain or the tenant ID of the target tenant.
Microsoft Improves Identity Products and Services
Microsoft has been improving its identity products and services, making it easier for organizations to manage their user identities. This includes products like Active Directory (AD) and Entra ID.
Entra ID is a cloud-based service that supports B2B scenarios and multiple tenants. It's available with Azure AD Premium P1 or P2 licenses. Entra ID synchronizes tenant directories at an interval of 40 minutes or more, using the information defined in the cross-tenant synchronization configuration.
One of the key benefits of Entra ID Cross-Tenant Sync is that it makes it easier to support user access to resources across multiple tenants. This is especially important in the context of business mergers and acquisitions, where organizations often need to integrate multiple tenants.
Entra ID Cross-Tenant Sync only supports synchronization of users (in the source tenant) to guest users (in the target tenant). It does not support synchronizing contacts and groups. This may be a limitation for some organizations, especially those with complex directory structures.
To give you a better idea of the configurations available in Entra ID Cross-Tenant Sync, here are some key limitations:
- Only supports synchronization of users (in source tenant) to guest users (in target tenant).
- Does not support synchronizing contacts and groups.
By understanding these limitations, organizations can plan their deployment of Entra ID Cross-Tenant Sync more effectively. This can help ensure a smooth transition to the new service and minimize any potential disruptions to user access.
User Management
Only Azure AD users can be synchronized between tenants.
Adding users is straightforward: simply select the users and groups you want to sync to the target tenant.
Azure AD users like Adele Vance can be easily added to the sync process, as demonstrated in the example.
Groups, devices, and contacts aren’t currently supported for synchronization, so keep that in mind when planning your sync.
In the context of M&A projects, creating guest user accounts in each tenant is necessary for user access to resources like Teams channels or SharePoint sites.
We can create guest accounts manually or with PowerShell, but this approach is not practical when working with thousands of users in both tenants.
The Entra ID Cross-Tenant Sync feature makes things a lot easier by automating the update process when a change occurs in one tenant.
Getting Started
To get started with Azure Cross-Tenant Sync, you'll need to click Start Provisioning in the target tenant's configuration after you've set everything up.
You can expect the first synchronization to take up to 40 minutes to complete.
The provisioning log is where you can check the progress and status of the sync, and it's a great place to see what's happening for each object.
Let's Start
Now that you've set up your configuration, it's time to start the sync process.

You'll need to open the configuration for the target tenant and click Start Provisioning. This will initiate the synchronization process.
Wait for up to 40 minutes for the first synchronization to complete. You can use this time to do other tasks while the system works its magic.
To track the progress and status, check the provisioning log. It shows what's happening with each object, including whether it's being created or skipped. Skipped usually means the object already exists or is not a supported type.
If you see a skipped object, you can click on it to view the detailed changes performed by Cross-Tenant Synchronization. This will give you more information about why the object was skipped.
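The provisioning log described above is also exposed through the Microsoft Graph provisioning audit log, so the same "created or skipped" triage can be scripted. The following is an added example, not code from the page or from Microsoft: it reads a few constructed entries shaped like Graph provisioningObjectSummary records (the step names, descriptions and error code are constructed samples, only the top-level field names are Graph's) and reports per-object status, the reason for each skip, and which skipped objects are unsupported types such as groups.

```python
"""Summarise cross-tenant sync provisioning log entries (added example)."""
import json
from collections import Counter

# Constructed sample entries shaped like Graph provisioningObjectSummary records.
# Step names, descriptions and the error code are made up for illustration.
SAMPLE_LOG = json.loads("""
[
  {"activityDateTime": "2023-05-01T10:00:00Z", "provisioningAction": "create",
   "provisioningStatusInfo": {"status": "success"},
   "sourceIdentity": {"displayName": "Adele Vance", "identityType": "User"},
   "targetIdentity": {"displayName": "Adele Vance (Source Corp)", "identityType": "User"},
   "provisioningSteps": [
     {"name": "EntryImport", "status": "success", "description": "Imported from source tenant"},
     {"name": "EntryExport", "status": "success", "description": "Guest user created in target tenant"}]},
  {"activityDateTime": "2023-05-01T10:00:05Z", "provisioningAction": "other",
   "provisioningStatusInfo": {"status": "skipped"},
   "sourceIdentity": {"displayName": "Alex Wilber", "identityType": "User"},
   "targetIdentity": {"displayName": "Alex Wilber (Source Corp)", "identityType": "User"},
   "provisioningSteps": [
     {"name": "EntryImport", "status": "success", "description": "Imported from source tenant"},
     {"name": "EntrySynchronizationScoping", "status": "skipped",
      "description": "Object already exists in the target tenant and no attributes changed"}]},
  {"activityDateTime": "2023-05-01T10:00:09Z", "provisioningAction": "other",
   "provisioningStatusInfo": {"status": "skipped"},
   "sourceIdentity": {"displayName": "Sales Team", "identityType": "Group"},
   "targetIdentity": {},
   "provisioningSteps": [
     {"name": "EntrySynchronizationScoping", "status": "skipped",
      "description": "Object type Group is not supported by cross-tenant synchronization"}]},
  {"activityDateTime": "2023-05-01T10:00:12Z", "provisioningAction": "create",
   "provisioningStatusInfo": {"status": "failure",
     "errorInformation": {"errorCode": "ConstructedSampleError",
                          "reason": "Mail attribute is empty on the source user"}},
   "sourceIdentity": {"displayName": "Diego Siciliani", "identityType": "User"},
   "targetIdentity": {},
   "provisioningSteps": [
     {"name": "EntryImport", "status": "success", "description": "Imported from source tenant"},
     {"name": "EntryExport", "status": "failure", "description": "Export failed"}]}
]
""")


def status_counts(entries: list) -> dict:
    """How many objects ended up success / skipped / failure in this cycle."""
    return dict(Counter(e["provisioningStatusInfo"]["status"] for e in entries))


def skip_reasons(entries: list) -> list:
    """(source display name, identity type, reason) for each skipped entry.
    The reason is the description of the last step that reported 'skipped'."""
    out = []
    for e in entries:
        if e["provisioningStatusInfo"]["status"] != "skipped":
            continue
        steps = [s for s in e.get("provisioningSteps", []) if s.get("status") == "skipped"]
        reason = steps[-1]["description"] if steps else "no step reported a reason"
        src = e.get("sourceIdentity", {})
        out.append((src.get("displayName", "?"), src.get("identityType", "?"), reason))
    return out


def failures(entries: list) -> list:
    """(source display name, errorCode, reason) for entries that failed outright."""
    out = []
    for e in entries:
        info = e["provisioningStatusInfo"]
        if info["status"] == "failure":
            err = info.get("errorInformation", {})
            out.append((e.get("sourceIdentity", {}).get("displayName", "?"),
                        err.get("errorCode"), err.get("reason")))
    return out


def unsupported_types(entries: list) -> list:
    """Skipped entries whose source object is not a user: the groups, contacts
    and devices that cross-tenant sync does not synchronize."""
    return [name for name, kind, _ in skip_reasons(entries) if kind != "User"]


if __name__ == "__main__":
    print("status:", status_counts(SAMPLE_LOG))
    for name, kind, reason in skip_reasons(SAMPLE_LOG):
        print(f"skipped {kind} {name}: {reason}")
    print("failures:", failures(SAMPLE_LOG))
    print("unsupported:", unsupported_types(SAMPLE_LOG))
```

In practice the entries would come from a paged GET of auditLogs/provisioning filtered on the sync job; the summariser works the same on those records.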
Wrap-Up & Tips
It's time to wrap up and share some practical tips to get you started.

Microsoft has taken a significant step forward with collaboration and ease of use between B2B tenants.
Setting up a Dynamic Group can be a game-changer when synchronizing users between tenants.
This allows you to identify synchronized users quickly.
Using a custom DisplayName is a great way to make synchronized users easy to spot.
It's also a good idea to set showInAddressList to null so they won't clutter the Global Address List.
Mappings and Targets
If a user already exists in the target tenant, the default "Apply this mapping" setting won't synchronize or apply since it's set to "Only during object creation."
To change the UserType, you can edit the attribute mapping by clicking the "Provision Azure Active Directory Users" option, then changing the Constant Value from "Member" to "Guest."
The default mapping often works, but one adjustment you should make is the mapping of the userType field to force Entra ID to consider the users created by Cross-Tenant sync as internal users.
Mappings
Mappings are the first thing you should configure once validation passes, as they can affect existing users when synchronizing new objects.
If a user already exists in the target tenant, it won't synchronize or apply since the default "Apply this mapping" setting is set to "Only during object creation." This can be a problem if you want to treat users differently in cases like Conditional Access or Access reviews.
To edit the attribute mapping, click the "Provision Azure Active Directory Users" option, where you can see a list of attributes mapping. You should pay special attention to the UserType field, as it controls types of users (guest users or full B2B users).
The possible values for the UserType field are Guest and Member. If you're handling M&A projects, you should set the UserType field to Member to force Entra ID to consider the users created by Cross-Tenant sync as internal users.
Attribute mappings are defined for the source tenant, meaning they define how users from your tenant will appear in the target tenant.
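The "Apply this mapping" behaviour described in the Mappings and Wrap-Up sections is easy to get wrong when users already exist in the target tenant. The following is an added example, not code from the page or from Microsoft: a small simulation of attribute mappings (constant, direct and expression types, each with the portal's apply rule) applied to a constructed target directory. The mapping set, the "(Source Corp)" display-name suffix and the matching attribute are assumptions for illustration, not the service's defaults; the point it demonstrates is that a userType mapping left on "Only during object creation" never changes a user who was already provisioned.

```python
"""Simulate cross-tenant sync attribute mappings (added example)."""
from dataclasses import dataclass
from typing import Callable, Optional

ALWAYS = "Always"
ONLY_ON_CREATE = "Only during object creation"
MATCH_ATTR = "userPrincipalName"   # simplification: the service has its own matching precedence


@dataclass
class Mapping:
    target_attr: str
    kind: str                                   # "direct", "constant" or "expression"
    source_attr: Optional[str] = None           # used when kind == "direct"
    constant: object = None                     # used when kind == "constant"
    expression: Optional[Callable[[dict], object]] = None  # used when kind == "expression"
    apply: str = ONLY_ON_CREATE                 # the portal's "Apply this mapping" setting

    def value(self, source_user: dict) -> object:
        if self.kind == "direct":
            return source_user.get(self.source_attr)
        if self.kind == "constant":
            return self.constant
        if self.kind == "expression" and self.expression is not None:
            return self.expression(source_user)
        raise ValueError(f"unsupported mapping: {self}")


def default_mappings(user_type: str, user_type_apply: str = ONLY_ON_CREATE,
                     suffix: str = "Source Corp") -> list:
    """Mapping set modelled on the page's advice (an assumption, not the service's defaults)."""
    return [
        Mapping("userPrincipalName", "direct", source_attr="userPrincipalName"),
        Mapping("mail", "direct", source_attr="mail"),
        # Custom display name so synchronized users are easy to spot.
        Mapping("displayName", "expression",
                expression=lambda u: f"{u['displayName']} ({suffix})"),
        # Keep synchronized users out of the Global Address List.
        Mapping("showInAddressList", "constant", constant=None),
        # Guest vs Member decides how Conditional Access and access reviews treat the user.
        Mapping("userType", "constant", constant=user_type, apply=user_type_apply),
    ]


def provision(source_user: dict, target_dir: dict, mappings: list) -> str:
    """Apply the mappings for one source user to target_dir (keyed by MATCH_ATTR).
    Returns "create", "update" or "skipped", mirroring the provisioning log."""
    key = source_user[MATCH_ATTR]
    existing = target_dir.get(key)
    if existing is None:
        # New object: every mapping applies, whatever its apply rule.
        target_dir[key] = {m.target_attr: m.value(source_user) for m in mappings}
        return "create"
    changed = False
    for m in mappings:
        if m.apply != ALWAYS:
            continue                   # "Only during object creation" is not re-applied
        new = m.value(source_user)
        if existing.get(m.target_attr) != new:
            existing[m.target_attr] = new
            changed = True
    return "update" if changed else "skipped"


# Constructed sample source user (the name is the one the page uses).
SAMPLE_USER = {
    "userPrincipalName": "adele.vance@source.example",
    "mail": "adele.vance@source.example",
    "displayName": "Adele Vance",
}

if __name__ == "__main__":
    target = {}
    print(provision(SAMPLE_USER, target, default_mappings("Member")), target)
    # Changing the constant to Guest does nothing for an existing user ...
    print(provision(SAMPLE_USER, target, default_mappings("Guest")), target)
    # ... until the mapping's apply rule is switched to Always.
    print(provision(SAMPLE_USER, target, default_mappings("Guest", user_type_apply=ALWAYS)), target)
```

Running it prints "create", then "skipped" with userType still Member, then "update" with userType Guest, which is exactly the sequence to expect when a mapping is changed after users have already been provisioned.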
Target Configuration
To configure the target tenant, you'll need to apply two settings to the cross-tenant access policy for the source tenant: automatically redeem invitations and allow user sync into this tenant. This will prevent Entra ID from sending email to synchronized users asking for consent and allow cross-tenant sync to write identities into your tenant.
You'll also need to configure cross-tenant access settings, which involves creating a trust between the two tenants. This requires adding an external Azure AD tenant, changing the Outbound access settings for the source tenant, and changing the Inbound access settings for the target tenant.
To enable cross-tenant sync, you'll need to toggle the "Allow users sync into this tenant" setting under the Inbound access settings configuration corresponding to the source-target relationship in the target tenant. You'll also need to toggle the "Suppress consent prompts …" setting under Trust settings for the Outbound (in the source tenant) and Inbound (target tenant) settings.
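The Configure, Sync Settings, Trust Settings and Target Configuration sections all describe the same pair of cross-tenant settings objects, and the portal toggles they name correspond to properties on the Microsoft Graph cross-tenant access policy. The following is an added example, not code from the page or from Microsoft: it builds the partner object for each side of the trust (outbound consent suppression in the source tenant; inbound consent suppression, the "Customize settings" trust options and the "Allow users sync into this tenant" toggle in the target tenant) as Graph request bodies, and audits a fetched pair for the configuration gaps the page says lead to an impasse. The tenant IDs are constructed placeholders; the property names follow the Graph crossTenantAccessPolicyConfigurationPartner and crossTenantIdentitySyncPolicyPartner resources. Nothing is sent; the request list is meant to be fed to your own authenticated Graph client.

```python
"""Build and audit cross-tenant access policy partner objects (added example)."""
from typing import Any

# Constructed placeholder tenant IDs, not real tenants.
SOURCE_TENANT_ID = "11111111-1111-1111-1111-111111111111"
TARGET_TENANT_ID = "22222222-2222-2222-2222-222222222222"
PARTNERS_URL = "https://graph.microsoft.com/v1.0/policies/crossTenantAccessPolicy/partners"


def source_partner_payload(target_tenant_id: str) -> dict:
    """Partner object created in the SOURCE tenant, pointing at the target.
    "Suppress consent prompts for users" (Outbound) is
    automaticUserConsentSettings.outboundAllowed."""
    return {
        "tenantId": target_tenant_id,
        "automaticUserConsentSettings": {"outboundAllowed": True},
    }


def target_partner_payload(source_tenant_id: str, trust_source: bool = True) -> dict:
    """Partner object created in the TARGET tenant, pointing at the source.
    "Suppress consent prompts for users in other tenants" (Inbound) is
    automaticUserConsentSettings.inboundAllowed; the "Customize settings"
    trust options are the inboundTrust properties."""
    payload: dict = {
        "tenantId": source_tenant_id,
        "automaticUserConsentSettings": {"inboundAllowed": True},
    }
    if trust_source:
        payload["inboundTrust"] = {
            "isMfaAccepted": True,                 # no second MFA prompt in the target tenant
            "isCompliantDeviceAccepted": True,     # trust a device once the source tenant does
            "isHybridAzureADJoinedDeviceAccepted": True,
        }
    return payload


def target_identity_sync_payload() -> dict:
    """Body for PUT .../partners/{sourceTenantId}/identitySynchronization in the
    target tenant: the "Allow users sync into this tenant" toggle."""
    return {"userSyncInbound": {"isSyncAllowed": True}}


def planned_requests() -> list:
    """(tenant the call runs in, HTTP method, URL, body) for the full setup."""
    return [
        ("source", "POST", PARTNERS_URL, source_partner_payload(TARGET_TENANT_ID)),
        ("target", "POST", PARTNERS_URL, target_partner_payload(SOURCE_TENANT_ID)),
        ("target", "PUT", f"{PARTNERS_URL}/{SOURCE_TENANT_ID}/identitySynchronization",
         target_identity_sync_payload()),
    ]


def audit(source_partner: dict, target_partner: dict, target_identity_sync: dict) -> list:
    """Findings that would leave provisioning stuck; an empty list means the
    toggles the page calls mandatory are all on."""
    findings = []
    sync = target_identity_sync.get("userSyncInbound", {}).get("isSyncAllowed")
    if sync is not True:
        findings.append("target: userSyncInbound.isSyncAllowed is not true "
                        "('Allow users sync into this tenant' is off)")
    if not source_partner.get("automaticUserConsentSettings", {}).get("outboundAllowed"):
        findings.append("source: automaticUserConsentSettings.outboundAllowed is not true "
                        "(outbound consent prompt not suppressed)")
    if not target_partner.get("automaticUserConsentSettings", {}).get("inboundAllowed"):
        findings.append("target: automaticUserConsentSettings.inboundAllowed is not true "
                        "(inbound consent prompt not suppressed)")
    if source_partner.get("tenantId") and \
            source_partner.get("tenantId") == target_partner.get("tenantId"):
        findings.append("both partner objects name the same tenantId; "
                        "each must reference the other tenant")
    return findings


if __name__ == "__main__":
    for tenant, method, url, body in planned_requests():
        print(f"[{tenant}] {method} {url}\n  {body}")
    print("audit:", audit(source_partner_payload(TARGET_TENANT_ID),
                          target_partner_payload(SOURCE_TENANT_ID),
                          target_identity_sync_payload()) or "OK")
```

The audit is the useful half for a reviewer: fetching the existing partner objects from both tenants and running them through it pinpoints which of the three toggles is missing before the provisioning test connection is attempted.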
Here are the steps to create a cross-tenant sync object:
- Navigate to the Cross-tenant synchronization blade.
- Click on the Configurations blade and select New configuration.
- Provide the name of the configuration and click on Create.
Remember to validate that the sync works by clicking on the configuration, clicking on Provisioning, and setting the Provisioning Mode to Automatic. You'll also need to provide the Tenant ID of the target tenant and click on Test connection and Save.