Azure Active Directory (Azure AD) provides a unified identity platform for cross-tenant collaboration, allowing users to access resources from multiple tenants without the need for multiple logins.
With Azure AD, users can access resources from different tenants using a single set of credentials, making it easier to collaborate and share information across tenants.
Azure AD B2B collaboration enables users to invite guests from other tenants to access specific resources, streamlining the process of sharing information and resources with external partners or customers.
By leveraging Azure AD, organizations can simplify their identity management and access control, reducing the complexity and administrative burden associated with managing multiple identities and access permissions.
Enabling Cross Tenant Azure
Enabling Cross Tenant Azure involves several prerequisites. To use cross-tenant synchronization as a source tenant, you need an Azure AD Premium P1 or P2 license and must be assigned one of the required roles.
To enable cross-tenant synchronization in the target tenant, you'll need to decide on the configuration and add the source tenant. This means choosing which of the four configuration types (described later in this article) you want to use to structure cross-tenant synchronization.
To add the source tenant, follow the path: Microsoft Entra admin center > External Identities > Cross-tenant access settings > Organizational settings > Add organization. Enter the tenant ID or domain name of the source tenant and select Add.
Here's a summary of the steps to enable cross-tenant synchronization in both the source and target tenants:
- Source tenant: Add the organization by entering the tenant ID or domain name, select Cross-tenant synchronization in External identities of Azure AD, and create a new configuration.
- Target tenant: Sign in to the Microsoft Entra admin center, browse to Identity > External Identities > Cross-tenant access settings, select Add organization, and add the source tenant.
- Under Inbound access of the added organization, select Inherited from default, and select the Cross-tenant sync tab.
- Check the Allow users sync into this tenant checkbox and select Save.
Enabling New Collaboration Scenarios
Microsoft has made Azure AD cross-tenant collaboration settings available in preview on February 7.
This means users can authenticate in their home tenant and access resources in other tenants, subject to collaboration settings.
Azure AD cross-tenant access is part of Azure AD B2B Direct Connect, which allows users to use their home tenant credentials to access resources in other tenants.
Organizations can control how users collaborate with other Azure AD organizations through inbound and outbound controls.
These controls are available on a tenant-wide, group, or application basis, giving organizations flexibility in managing access.
Security claims from external organizations, such as multi-factor authentication and device compliance, can be trusted by organizations using the new settings.
Pre-Requisites to Enable
To enable cross-tenant Azure, you need to meet certain prerequisites. You must have an Azure AD Premium P1 or P2 license to access cross-tenant synchronization as a source tenant.
To use cross-tenant synchronization as a target tenant, you need the Security administrator role in the organization. Licensing for synchronized users follows the External Identities billing model.
Several roles can use cross-tenant synchronization in a source tenant, provided the tenant holds an Azure AD Premium P1 or P2 license.
Azure Active Directory (AD) Settings
Azure Active Directory (AD) Settings provide a range of features to manage cross-tenant collaboration, including the External Identities Settings. This section allows you to define settings for individual Azure AD tenants you want to collaborate with, while also defining default settings to apply to Azure AD tenants in general.
You can add or remove applications from the inbound access settings to control which applications can be used for collaboration. By default, any user can connect with your organization, but you can also define exactly who from another organization can collaborate with people in your organization.
The outbound access settings control which people in your organization can collaborate with users outside your tenant. Again, the default is to allow everyone to collaborate with external organizations, but you can restrict who connects with specific tenants if needed.
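The "Inherited from default" behaviour described above is easy to get wrong when reviewing a tenant: a partner that has no setting of its own silently gets the tenant-wide default, which by default admits every user and every application. The following added example (not code from the page or from Microsoft) models that resolution. Field names follow the shape of the Microsoft Graph cross-tenant access policy (b2bCollaborationInbound with usersAndGroups and applications rules); the partner and default policy documents are constructed samples, and the "allowed"/"blocked" rule semantics are applied as documented for that policy.

```python
"""Resolve the effective inbound collaboration setting for a partner tenant.

Added example, not code from the page or from Microsoft. It models the
"Inherited from default" rule: a per-partner setting that is null falls
back to the tenant-wide default. Field names follow the Microsoft Graph
crossTenantAccessPolicy schema; the policy documents are constructed samples.
"""

# Constructed sample: tenant-wide defaults, i.e. "any user, any application".
DEFAULT_INBOUND = {
    "usersAndGroups": {
        "accessType": "allowed",
        "targets": [{"target": "AllUsers", "targetType": "user"}],
    },
    "applications": {
        "accessType": "allowed",
        "targets": [{"target": "AllApplications", "targetType": "application"}],
    },
}

# Constructed sample: partner-specific settings keyed by partner tenant ID.
# The first partner admits one group only and blocks one application; the
# second inherits the defaults because its inbound setting is null.
PARTNERS = {
    "fabrikam-tenant-id": {
        "b2bCollaborationInbound": {
            "usersAndGroups": {
                "accessType": "allowed",
                "targets": [{"target": "group-partner-engineers", "targetType": "group"}],
            },
            "applications": {
                "accessType": "blocked",
                "targets": [{"target": "app-finance", "targetType": "application"}],
            },
        }
    },
    "contoso-tenant-id": {"b2bCollaborationInbound": None},
}


def effective_inbound(partner_tenant_id, partners=PARTNERS, default=DEFAULT_INBOUND):
    """Return (setting, inherited): the partner's own inbound setting, or the
    default when the partner is unknown or its setting is null."""
    partner = partners.get(partner_tenant_id) or {}
    setting = partner.get("b2bCollaborationInbound")
    if setting is None:
        return default, True
    return setting, False


def _rule_allows(rule, candidates, all_marker):
    """Apply one usersAndGroups/applications rule.

    "allowed" lists the only targets that may connect; "blocked" lists the
    targets that may not. AllUsers / AllApplications match everything."""
    targets = {t["target"] for t in rule["targets"]}
    matched = all_marker in targets or bool(targets & candidates)
    return matched if rule["accessType"] == "allowed" else not matched


def inbound_access_allowed(partner_tenant_id, principal_ids, application_id, **kw):
    """Decide whether an external user (its object ID plus the IDs of the groups
    it belongs to, all from the partner tenant) may reach the application.

    Returns a dict so the caller can see which rule decided and whether the
    decision came from the tenant-wide default."""
    setting, inherited = effective_inbound(partner_tenant_id, **kw)
    user_ok = _rule_allows(setting["usersAndGroups"], set(principal_ids), "AllUsers")
    app_ok = _rule_allows(setting["applications"], {application_id}, "AllApplications")
    return {
        "allowed": user_ok and app_ok,
        "user_rule_passed": user_ok,
        "application_rule_passed": app_ok,
        "inherited_from_default": inherited,
    }


if __name__ == "__main__":
    for tenant, who, app in [
        ("fabrikam-tenant-id", {"user-1", "group-partner-engineers"}, "app-hr"),
        ("fabrikam-tenant-id", {"user-1", "group-partner-engineers"}, "app-finance"),
        ("fabrikam-tenant-id", {"user-2"}, "app-hr"),
        ("contoso-tenant-id", {"user-9"}, "app-finance"),
    ]:
        print(tenant, sorted(who), app, inbound_access_allowed(tenant, who, app))
```

The useful signal for a reviewer is the `inherited_from_default` flag: a partner that resolves to the default "AllUsers"/"AllApplications" rules has never been scoped, even if it looks like a configured organization in the portal list.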
To configure Azure AD settings for cross-tenant collaboration, you'll need to enable cross-tenant synchronization in the target tenants, configure trust settings in source and target tenants, and enable cross-tenant sync in the source tenants.
Here's a step-by-step guide to configuring cross-tenant synchronization:
- Enable cross-tenant synchronization in the target tenants
- Configure the trust settings in the source and target tenants
- Enable cross-tenant sync in the source tenants
- Check the connection to the target tenant using the Test connection option
- Set the scope for the users or groups to be provisioned
- Define the attribute mapping in the source tenant
- Start the provisioning job in Azure Active Directory
- Monitor the provisioning and audit logs in Azure AD
- Test on-demand provisioning in Azure AD
By following these steps, you can set up cross-tenant synchronization and enable seamless collaboration between multiple tenants in Azure AD.
Security and Access
Security and Access is a crucial aspect of cross-tenant Azure, and it's great to see Microsoft making strides in this area.
Azure AD organizations apply the same fundamentals of authentication when granting users access to resources, so it makes sense to accept that an authentication process performed by one tenant is valid for a connection to another.
You can define the set of security claims made by another tenant you are willing to accept in the Trust settings tab. For example, if the other tenant enforces MFA for all users, you can accept that the tenant has validated the user's identity with MFA.
By default, Azure AD accepts connections from another tenant based on that tenant's assessment of MFA, compliant devices, and hybrid Azure AD joined devices. You can enable or disable each of these claims.
Removing some friction from MFA challenges is a good thing, as it reduces the necessity for multiple MFA challenges, which can be a major source of user irritation.
According to Microsoft, Azure AD customers secure only 22% of Azure AD accounts with MFA, which is a horrible statistic, but it shows steady growth over the past few years.
MFA helps accounts resist 99% of brute-force attacks designed to crack passwords, so this is an area where Microsoft 365 tenants need to do better.
Cross-tenant access won't mean that guest accounts will go away anytime soon, as many valid scenarios exist to demonstrate the usefulness of guest accounts.
Configuration and Setup
To configure cross-tenant synchronization in Azure AD, you'll need to follow these steps. First, enable cross-tenant synchronization in the target tenants by navigating to the Microsoft Entra admin center, External Identities, Cross-tenant access settings, Inbound access, and then Trust settings.
To configure the trust settings, you'll need to enable both inbound and outbound access, which can be done by checking the box "Suppress consent prompts for users from the other tenant when they access apps and resources in my tenant." This setting must be enabled in both the source and target tenants.
To create a configuration in the source tenant, browse to Identity > External Identities > Cross-tenant synchronization, select Configurations, and then New configuration. Provide a name for the configuration and select Create. It can take up to 15 seconds for the configuration to appear in the list.
To enable cross-tenant synchronization in the source tenants, add the organization by using the path below: Microsoft Entra admin center > External Identities > Cross-tenant access settings > Organizational settings > Add organization. Then, select the Cross-tenant sync option and tick the checkbox "Allow users sync into this tenant."
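Once the trust settings and the "Allow users sync into this tenant" switch have been set, the natural defender's check is to confirm, for every partner organization, exactly which security claims the tenant now accepts, whether inbound user sync is on, and whether any tenant not meant to be a sync source has it enabled. The added example below (not code from the page or from Microsoft) does this audit over partner entries shaped like the Microsoft Graph cross-tenant access policy partner objects (inboundTrust, automaticUserConsentSettings, identitySynchronization). The partner documents are constructed samples, and a null value stands for "Inherited from default"; the list of intended sync sources is an assumed input the reviewer supplies.

```python
"""Audit what a target tenant has agreed to trust and sync for each partner.

Added example, not code from the page or from Microsoft. Partner entries are
constructed samples following the Microsoft Graph crossTenantAccessPolicy
partner shape; null means the value is inherited from the tenant default.
"""

# Graph property name -> the claim it accepts from the partner tenant.
TRUST_CLAIMS = {
    "isMfaAccepted": "MFA",
    "isCompliantDeviceAccepted": "compliant device",
    "isHybridAzureADJoinedDeviceAccepted": "hybrid Azure AD joined device",
}

# Constructed samples: a fully configured sync source, a partner that inherits
# every default, a pilot tenant that still has sync on, and an intended source
# whose consent switch was never set.
PARTNERS = [
    {
        "tenantId": "source-tenant-id",
        "inboundTrust": {"isMfaAccepted": True, "isCompliantDeviceAccepted": True,
                         "isHybridAzureADJoinedDeviceAccepted": False},
        "automaticUserConsentSettings": {"inboundAllowed": True, "outboundAllowed": True},
        "identitySynchronization": {"userSyncInbound": {"isSyncAllowed": True}},
    },
    {
        "tenantId": "supplier-tenant-id",
        "inboundTrust": None,
        "automaticUserConsentSettings": None,
        "identitySynchronization": None,
    },
    {
        "tenantId": "forgotten-pilot-tenant-id",
        "inboundTrust": {"isMfaAccepted": True, "isCompliantDeviceAccepted": False,
                         "isHybridAzureADJoinedDeviceAccepted": False},
        "automaticUserConsentSettings": {"inboundAllowed": True, "outboundAllowed": False},
        "identitySynchronization": {"userSyncInbound": {"isSyncAllowed": True}},
    },
    {
        "tenantId": "affiliate-tenant-id",
        "inboundTrust": None,
        "automaticUserConsentSettings": None,
        "identitySynchronization": {"userSyncInbound": {"isSyncAllowed": True}},
    },
]

INHERITABLE = ("inboundTrust", "automaticUserConsentSettings", "identitySynchronization")


def summarize_partner(partner):
    """Collapse one partner entry into the facts an admin reviews."""
    trust = partner.get("inboundTrust") or {}
    consent = partner.get("automaticUserConsentSettings") or {}
    sync = (partner.get("identitySynchronization") or {}).get("userSyncInbound") or {}
    return {
        "tenantId": partner["tenantId"],
        "accepted_claims": sorted(label for key, label in TRUST_CLAIMS.items() if trust.get(key)),
        "consent_inbound": bool(consent.get("inboundAllowed")),
        "consent_outbound": bool(consent.get("outboundAllowed")),
        "sync_inbound": bool(sync.get("isSyncAllowed")),
        "inherits_all_defaults": all(partner.get(k) is None for k in INHERITABLE),
    }


def unexpected_sync_partners(partners, intended_sync_sources):
    """Tenants allowed to push users into this tenant that are not on the
    reviewer's list of intended sync sources."""
    intended = set(intended_sync_sources)
    return sorted(p["tenantId"] for p in partners
                  if summarize_partner(p)["sync_inbound"] and p["tenantId"] not in intended)


def sync_partners_without_inbound_consent(partners):
    """Sync sources whose inbound consent setting is not enabled; the page's
    procedure expects that setting on in both tenants, so these need attention."""
    return sorted(s["tenantId"] for s in map(summarize_partner, partners)
                  if s["sync_inbound"] and not s["consent_inbound"])


def audit(partners, intended_sync_sources):
    """Full report: per-partner summary plus the two exception lists."""
    return {
        "partners": [summarize_partner(p) for p in partners],
        "unexpected_sync": unexpected_sync_partners(partners, intended_sync_sources),
        "sync_without_consent": sync_partners_without_inbound_consent(partners),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(audit(PARTNERS, ["source-tenant-id", "affiliate-tenant-id"]), indent=2))
```

Against a live tenant the same functions can be fed the partner collection returned by Graph, but the value of the exercise is the two exception lists: a forgotten pilot with sync still on, and a source that will fail provisioning because the consent side was never completed.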
Create Configuration
To create a configuration for cross-tenant synchronization, you need to navigate to the Identity section in the Azure portal. From there, browse to External Identities > Cross-tenant synchronization.
You can also access this section by going to Microsoft Entra ID > Manage > Cross-tenant synchronization. Once you're in the correct section, select Configurations and then click on New configuration.
Give your configuration a name and select Create. It may take up to 15 seconds for the configuration to appear in the list.
Here are the steps to create a configuration in the source tenant:
- In the source tenant, select Azure Active Directory > Cross-tenant synchronization (Preview).
- Select Configurations.
- At the top of the page, select New configuration.
- Provide a name for the configuration and select Create.
- It can take up to 15 seconds for the configuration that you just created to appear in the list.
- Select Refresh to retrieve the latest list of configurations.
- In the source tenant, in the configuration list, select your configuration.
- Select Get started.
- Set the Provisioning Mode to Automatic.
- Under the Admin Credentials section, change the Authentication Method to Cross Tenant Synchronization Policy.
- In the Tenant Id box, enter the tenant ID of the target tenant.
- Select Test Connection to test the connection.
- Select Save.
After creating the configuration, you can specify an email address for receiving sync error notifications, activate the feature to prevent accidental deletion, and select either to synchronize all users and groups (not recommended) or to limit it to the designated users and groups (recommended).
Structure of Microsoft Cross-Tenant Synchronization
The structure of Microsoft Cross-Tenant Synchronization is actually quite straightforward once you understand the four main configurations.
In one-to-one synchronization, a single target tenant collaborates with and accesses applications from a single source tenant. This is the simplest configuration, but it's worth noting that each cross-tenant synchronization between two Azure AD tenants only synchronizes in one direction.
In a single source with multiple targets configuration, multiple target tenants access resources from a single source tenant. This is a common setup for Office 365 users.
A single target Azure AD tenant can use resources from multiple source tenants in a multiple sources with a single target configuration. This can be beneficial for businesses with multiple subsidiaries.
The mesh peer-to-peer configuration is the most complex, but it allows for multiple directions of synchronization.
Plan Provisioning Deployment
To plan your provisioning deployment, start by defining how you would like to structure the tenants in your organization. This will help you determine the scope of your provisioning.
You should also learn about how the provisioning service works, as this will give you a better understanding of what to expect during the deployment process.
Determine who will be in scope for provisioning, as this will help you identify which users and groups will be affected by the provisioning process.
To ensure a smooth deployment, determine what data to map between tenants. This includes identifying the attributes that need to be synchronized and the relationships between them.
Here's a checklist to help you plan your provisioning deployment:
- Define tenant structure
- Learn about provisioning service
- Determine in-scope users and groups
- Determine data to map between tenants
Troubleshooting and Error Handling
If you're experiencing issues with cross-tenant Azure, start by checking the Azure Active Directory (AAD) configuration in your tenant.
Make sure you have the correct permissions set up to access resources in other tenants.
The Azure Portal provides a troubleshooting guide to help you identify and resolve common issues.
Verify that your Azure subscriptions are linked correctly to the correct directory.
You can also use Azure Monitor to track and diagnose issues in real-time.
If you're still having trouble, try checking the Azure service status to see if there are any known issues with the service.
Don't forget to review the Azure documentation for specific troubleshooting steps for your scenario.
In some cases, you may need to contact Azure support for further assistance.
Sources
- https://office365itpros.com/2022/02/08/azure-ad-cross-tenant-access/
- https://o365reports.com/2023/04/12/use-cross-tenant-synchronization-in-azure-ad/
- https://learn.microsoft.com/en-us/entra/identity/multi-tenant-organizations/cross-tenant-synchronization-configure
- https://suryendub.github.io/2023-02-09-cross-sync/
- https://learn.microsoft.com/en-us/azure/virtual-network-manager/how-to-configure-cross-tenant-portal