In today’s cloud world it is quite common for a company (Company A) to have its own Azure AD tenant with Microsoft 365 applications, Azure, Dynamics 365 apps and third-party applications.
Company A may then acquire a new company (Company B), or collaborate closely with it, and Company B has its own Azure AD tenant with Microsoft 365 applications, Azure, Dynamics 365 apps and third-party applications.
Now imagine that a user of one of these companies needs to access resources on the other tenant.
How do you enable these users to access resources across the boundaries of their tenant?
Today, with Azure B2B you can invite these users across tenants and assign them access to the needed resources. But a common request has been the possibility to automate this process and invite users across organizations while keeping their data in sync (if a user changes name, department or anything else, these changes must be reflected across all the tenants the user collaborates in).
This is where the new cross-tenant synchronization comes in. This feature keeps all user information in sync across tenants and, if a user leaves a company, their accounts are removed from the other Azure AD tenants as well.
Cross-tenant synchronization lets you automate creating user accounts across tenants in your organization. Users created by the synchronization process continue to authenticate in the same way they do on their primary tenant and each application can assign conditional access policies as appropriate. So now, users across your organization can access applications regardless of the tenant where they are hosted, including Microsoft applications and non-Microsoft applications like ServiceNow, Adobe, and hundreds more SaaS apps. Behind the scenes and transparent to the user, the sync process leverages the Azure AD B2B functionality and is fully integrated with Azure AD’s security and governance capabilities such as conditional access, cross-tenant access settings, and entitlement management.
How does that work?
To enable cross-tenant synchronization between tenants A and B, you need to have the tenant ID of the company (Azure AD tenant) that you want to collaborate with (for example company A).
Then from the Azure Portal in company B, go to Azure Active Directory and select External Identities:
Now select Cross-tenant access settings, click on Add organization and insert the tenant ID of the company that you want to add (tenant ID of the company A in this example):
Then you can add conditional access policies for the added tenant:
For example, if you click on Inbound access you can specify the cross-tenant sync inbound rules. In this case by selecting the Allow users sync into this tenant option I (as the admin of company B) trust company A to sync users into my tenant:
NOTE: You need Azure AD Premium to configure trust settings and target select users, groups and applications in cross-tenant access settings.
Once the Allow users sync into this tenant option is checked, you can switch over to the Trust settings tab where there’s a new section called Consent Prompt and here you need to check the Suppress consent prompts for users from the other tenant when they access apps and resources in my tenant option:
Now switch to company A tenant, select Azure Active Directory and then Cross-tenant access settings (like explained before). Then from here you need to specify an outbound policy where you enable the Suppress consent prompts for users from the other tenant when they access apps and resources in the other tenant option:
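The same two-sided trust configuration (steps on company B as the receiving tenant, then on company A as the sending tenant), as an added example using the Microsoft Graph PowerShell SDK rather than the portal. This is not code from the original post; the tenant IDs and the partner display name are placeholders, and it assumes the Microsoft.Graph.Identity.SignIns module is installed and an administrator who can consent to the Policy.ReadWrite.CrossTenantAccess scope. It deliberately sets only the two switches described above and reads them back, so that no other inbound or outbound trust (MFA or device trust, B2B direct connect) is widened as a side effect.

```powershell
# Added example, not part of the original post. Placeholders to fill in:
$SourceTenantId = '<company-A-tenant-id>'   # tenant that sends users (A)
$TargetTenantId = '<company-B-tenant-id>'   # tenant that receives users (B)
$GraphPartners  = 'https://graph.microsoft.com/v1.0/policies/crossTenantAccessPolicy/partners'

# ---- Part 1: run as an admin of company B (target tenant) ----
Connect-MgGraph -TenantId $TargetTenantId -Scopes 'Policy.ReadWrite.CrossTenantAccess'

# "Add organization" for A. inboundAllowed = $true is the checkbox
# "Suppress consent prompts for users from the other tenant when they access
# apps and resources in my tenant" on the Trust settings tab.
# (If A is already listed as an organization, use
#  Update-MgPolicyCrossTenantAccessPolicyPartner with the same body instead.)
New-MgPolicyCrossTenantAccessPolicyPartner -BodyParameter @{
    tenantId                     = $SourceTenantId
    automaticUserConsentSettings = @{ inboundAllowed = $true }
}

# "Allow users sync into this tenant" on the Inbound access blade.
Invoke-MgGraphRequest -Method PUT `
    -Uri "$GraphPartners/$SourceTenantId/identitySynchronization" `
    -Body @{
        displayName     = 'Company A'            # placeholder label shown in the portal
        userSyncInbound = @{ isSyncAllowed = $true }
    }

# Read both settings back and confirm nothing else changed on the partner object.
$partner = Invoke-MgGraphRequest -Method GET -Uri "$GraphPartners/$SourceTenantId"
$sync    = Invoke-MgGraphRequest -Method GET -Uri "$GraphPartners/$SourceTenantId/identitySynchronization"
[pscustomobject]@{
    PartnerTenant        = $partner.tenantId
    InboundConsentSuppressed = $partner.automaticUserConsentSettings.inboundAllowed
    UserSyncInbound      = $sync.userSyncInbound.isSyncAllowed
    B2bDirectConnectInbound  = $partner.b2bDirectConnectInbound   # expect null (tenant default)
    InboundTrust         = $partner.inboundTrust                   # expect null (tenant default)
}

Disconnect-MgGraph

# ---- Part 2: run as an admin of company A (source tenant) ----
Connect-MgGraph -TenantId $SourceTenantId -Scopes 'Policy.ReadWrite.CrossTenantAccess'

# Outbound side of the consent suppression: "Suppress consent prompts for users
# from the other tenant when they access apps and resources in the other tenant".
New-MgPolicyCrossTenantAccessPolicyPartner -BodyParameter @{
    tenantId                     = $TargetTenantId
    automaticUserConsentSettings = @{ outboundAllowed = $true }
}

(Invoke-MgGraphRequest -Method GET -Uri "$GraphPartners/$TargetTenantId").automaticUserConsentSettings

Disconnect-MgGraph
```

Running the read-back at the end of each part is the point of the script: the portal checkboxes map to exactly `automaticUserConsentSettings.inboundAllowed`, `userSyncInbound.isSyncAllowed` and `automaticUserConsentSettings.outboundAllowed`, and the partner object should show no other properties populated unless you set them on purpose.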
When all is done, from the company B Azure Active Directory blade you can select the Cross-tenant synchronization menu:
and from here select Configuration|New configuration.
Provide a name for the configuration (for example B to A) and save:
When the configuration is created, select it and assign users and groups:
Here I have selected a demo user:
Grab the tenant Id of the target tenant and go into Provisioning specifying the target tenant ID that you would like to provision accounts to and save:
Then scroll down into the Mappings section and here you can define what attributes you want to synchronize:
This is the place where you can add your additional attributes or where you can delete standard mappings.
One of the listed attributes is called showInAddressList. If you click on this attribute and set the property Constant Value to TRUE, all users will automatically light up in the gallery in the target tenant and you will be able to search for users across tenants:
Now, in the cross-tenant synchronization instance you saved previously, select the Provision on demand option, select your user to sync (here called CrossTenantSynchronization) and in a few seconds that account will get created in the target tenant:
In the target tenant you will now be able to select the Users menu in the Azure Portal and see that the new user has been added as User Type = Member.
From now on, every change to that user will be reflected in the target tenant without any further action.
Obviously, you can do all the above steps by working with AD groups instead of a single user account. If you use groups, all the users added to or removed from the selected group will be reflected in the target tenant accordingly.
The sync interval is currently fixed to start at 40-minute intervals.
- Internal members can be synchronized from source tenants. Internal guests can’t be synchronized from source tenants.
- Users can be synchronized to target tenants as external members (default) or external guests.
- If you have existing collaboration users, cross-tenant synchronization will match the user and make any necessary updates to the user, such as update the display name. By default, the UserType attribute won’t be updated from guest to member, but you can configure this in the attribute mappings.
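Because synced accounts land in the target tenant as User Type = Member, they no longer stand out from home users in the Users blade or in most reports. The following added example (not from the original post) runs in the target tenant, company B, and lists the members that are actually external accounts created by the sync, including the showInAddressList value set through the constant mapping above. It assumes the Microsoft.Graph.Users module, the User.Read.All scope, and that synced accounts carry the usual #EXT# marker in their UPN; the tenant ID and display name are placeholders.

```powershell
# Added example, not part of the original post. Run in the target tenant (company B).
Connect-MgGraph -TenantId '<company-B-tenant-id>' -Scopes 'User.Read.All'

# Pull every Member with only the properties needed for the review.
$members = Get-MgUser -All -Filter "userType eq 'Member'" `
    -Property Id,DisplayName,UserPrincipalName,AccountEnabled,ShowInAddressList,CreatedDateTime

# External accounts (B2B and cross-tenant synced) carry #EXT# in the UPN; home
# accounts do not. Members matching this pattern are the ones the sync created.
$externalMembers = $members | Where-Object UserPrincipalName -like '*#EXT#*'

$externalMembers |
    Select-Object DisplayName, UserPrincipalName, AccountEnabled, ShowInAddressList, CreatedDateTime |
    Sort-Object CreatedDateTime -Descending |
    Format-Table -AutoSize

# The single user provisioned on demand in the walkthrough (placeholder display name).
$externalMembers | Where-Object DisplayName -eq 'CrossTenantSynchronization'

# Counts worth tracking over time: a jump in external members that is not
# explained by a scoped group change is something to investigate.
[pscustomobject]@{
    TotalMembers    = $members.Count
    ExternalMembers = $externalMembers.Count
    HiddenFromGal   = ($externalMembers | Where-Object { -not $_.ShowInAddressList }).Count
}

Disconnect-MgGraph
```

The last object is the useful baseline: with the showInAddressList constant mapping in place, HiddenFromGal should be zero for synced users, and ExternalMembers should move only when the scoped users or groups in the source tenant change.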
If you are an organization that owns multiple Azure AD tenants and want to streamline intra-organization cross-tenant application access, this is a great feature to start exploring.