Cross-tenant synchronization (Preview)

Microsoft’s Cross-tenant storyline

Microsoft has a good road map so far for the cross-tenant access features: no more external users, and no more switching between Teams tenants when you need access to multiple ones (and we all know we do need several of them).

If you use your own user account, the target tenant can choose to trust your MFA, and you will get only one prompt. Whether this works depends on whether the user completes MFA in their home tenant or in the resource tenant; different authentication methods can satisfy the authentication strength in external user scenarios. See the table below for the supported methods.

If the resource tenant has chosen to trust MFA claims from external Azure AD organizations, only the claims indicated in the “Home tenant” column below are accepted by the resource tenant for MFA. If the resource tenant has disabled MFA trust, the external user must complete MFA in the resource tenant using one of the methods listed in the “Resource tenant” column.

Authentication method | Home tenant | Resource tenant
SMS as second factor
Voice call
Microsoft Authenticator push notification
Microsoft Authenticator phone sign-in
OATH software token
OATH hardware token
FIDO2 security key
Windows Hello for Business

B2B direct connect

Azure Active Directory (Azure AD) B2B direct connect, a feature of External Identities, lets you establish a mutual trust relationship with another Azure AD organization to enable seamless collaboration.

Teams Shared Channels

See the overview of shared channels; they are provisioned using the B2B direct connect feature mentioned above.

And how to create them inside Teams

Cross-tenant access settings

Azure AD organizations can use the External Identities cross-tenant access settings. They give you fine-grained control over how external Azure AD organizations interact with you (inbound access) and how your users interact with external Azure AD organizations (outbound access).

Cross-tenant User Data Migration

Microsoft released Cross-tenant user data migration last year. As an overview, it lets you migrate users’ mailboxes and OneDrive content from one tenant to another.

You can read more on my previous blog concerning this feature.

So, cross-tenant has been a hot topic for a while now, and now it’s time for the next feature in the cross-tenant family.

What is Cross-tenant synchronization?

Cross-tenant synchronization automates the creation, update, and deletion of Azure AD B2B collaboration users across the tenants of an organization. It lets users access applications and collaborate across tenants while the organization continues to grow.

Cross-tenant synchronization has the following key objectives:

  • Seamless collaboration for a multi-tenant organization.
  • Automated B2B collaboration user lifecycle management in a multi-tenant organization.
  • Instant deletion of B2B accounts when a user leaves the organization.

Which Azure clouds are supported?

  • Cross-tenant synchronization is supported within the commercial and Azure Government clouds.
  • Synchronization is only supported between two tenants in the same cloud.
  • Cross-cloud (such as public cloud to Azure Government) isn’t currently supported.

Who should use it?

Organizations have different needs for different reasons. Currently Microsoft advises only customers in the following situation to use this feature:

  • Organizations that own multiple Azure AD tenants and want to streamline intra-organization cross-tenant application access.
  • Cross-tenant synchronization is not currently suitable for use across organizational boundaries.

Maybe in the future there will be more “supported” use cases for this excellent feature.

What do you need for it?

What topologies are supported?

Cross-tenant synchronization can provide a flexible solution for collaboration by allowing users to share data and access resources across different tenants. However, it’s important to note that every organization has unique requirements and needs, and the configuration of cross-tenant synchronization should be tailored to fit those needs. Each cross-tenant synchronization configuration is one-way, meaning that it only synchronizes data in one direction between two Azure AD tenants. This allows for different topologies to be configured, such as:

  • Synchronizing users from one tenant to another
  • Synchronizing groups and group membership
  • Synchronizing resources such as calendars and contacts
  • Synchronizing attributes such as name, email address, and phone number

However, it’s important to keep in mind that cross-tenant synchronization can be a complex process and that it can have security, compliance and management implications. It’s important to be familiar with the tenants and the data, and to have a good understanding of the security and privacy requirements, before setting up cross-tenant synchronization.

Attributes of the feature:

  • Based on the Azure AD provisioning engine.
  • Is a push process from the source tenant, not a pull process from the target tenant.
  • Supports pushing only internal members from the source tenant. It doesn’t support syncing external users from the source tenant.
  • Users in scope for synchronization are configured in the source tenant.
  • Attribute mapping is configured in the source tenant.
  • Extension attributes are supported.
  • Target tenant administrators can stop a synchronization at any time.

Single source -> single target

The simplest topology where users in a single tenancy need access to the parent tenant’s applications is shown in the example below.

Single source -> multiple targets

The example below illustrates a central user hub tenant where users need access to programs in smaller resource tenants spread around your company.

Multiple sources -> single target

The example below illustrates freshly acquired tenants where users from various tenants require access to the parent tenant’s apps.

Mesh topology

Your company might have a mesh-like level of complexity. The topology in the example below depicts how users move between tenants inside their company. This topology is frequently used for people search scenarios, in which each user must exist in every tenant in order to have a unified gallery.

User synchronization

When an application uses automatic user provisioning, Azure AD automatically creates and updates user accounts in the app, based on criteria such as user and group assignment, at predetermined intervals, usually every 40 minutes. Cross-tenant synchronization uses this same interval, and it currently can’t be changed.

See more on app-based provisioning.

How to set it up?

Target tenant setup

Currently there is no direct menu for this inside Entra. For this reason I will show the setup in the classic Azure portal.

You will find the solution at https://portal.azure.com/#view/Microsoft_AAD_Connect_Provisioning/CrossTenantSynchronizationMainMenuBlade/~/Configurations

From there you can create a configuration (App registration)

Give it a descriptive name. I will add “App” to the name, and soon you will see why.

During the setup there will be a reminder that the feature is still in preview; just refresh your screen and it will be fine.

Once refreshed, you will see the created configuration.

Once you open the configuration, you will see the following configurable options under it

Under provisioning you can change from Manual to Automatic but during Preview you cannot change it back. I will keep it manual for now.

Let’s jump to Entra and I will show you why I named it as an application. Open App registrations under Entra and you will see a familiar app registration.

We can also see it under Enterprise applications; I just wanted to share this so you understand what we are dealing with.

Jumping back to the Azure portal, now under https://portal.azure.com/#view/Microsoft_AAD_IAM/CompanyRelationshipsMenuBlade/~/CrossTenantAccessSettings

Choose “Allow users sync into this tenant” to allow sync

And under the organizational config open Trust settings

The suppress consent setting must be checked in both the source tenant (outbound) and the target tenant (inbound).

Source tenant setup

Add the users that you want to sync to the app registration, either in the configuration or under Enterprise applications.

In the source tenant, add the cross-tenant sync application and switch the provisioning mode to Automatic.

Then copy the tenant ID of the target tenant; you can get it from Entra, the Azure portal or the following page.

Then click on “Test connection” and you will be presented with either an error or a success; in my case, success!

Once the test is done, hit Save and you will see more menus under the application:

one for mappings (which you can edit), and one for the notification email and the threshold for deletions.

Mappings

You can remove mappings or add new ones.

See more from Microsoft on the mapping and how it works

You also have advanced options such as requesting additional attributes, using the expression builder and reviewing your schema as JSON.

Schema export allows you to edit or download your schema

Provisioning

You can test the provisioning from Provision on demand with up to 5 selected users at a time.

Once you select the users and run on-demand provisioning, you will see the following error if the user isn’t assigned to the app registration.

Once the user is added, you can see them on the provisioning page.

They will then be provisioned; you can see the details at attribute level, and the data flow showing which attributes have been provisioned.

Once you are done, switch the sync to On to schedule it every 40 minutes.

And start the initial sync
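The Microsoft Graph (beta) equivalents of the portal steps above, as an added example that is not part of the original post. It assumes the configuration’s service principal and its Azure2Azure provisioning job already exist (created in the portal as shown); the tenant, service principal, job, rule, app role and user IDs are placeholders, and the notification and deletion-threshold values are constructed.

```python
# Added example, not the post's own code: the Microsoft Graph (beta) calls behind the
# portal steps above, built as an ordered, reviewable plan of (method, URL, body) tuples.
# Assumes the configuration's service principal and its Azure2Azure job already exist;
# every ID passed in is a constructed placeholder.
import json

GRAPH = "https://graph.microsoft.com/beta"
PARTNERS = f"{GRAPH}/policies/crossTenantAccessPolicy/partners"


def target_tenant_plan(source_tenant_id):
    """Target tenant: 'Allow users sync into this tenant' plus inbound consent
    suppression, so invitations from the source tenant are redeemed automatically."""
    return [
        ("POST", PARTNERS, {"tenantId": source_tenant_id}),
        ("PUT", f"{PARTNERS}/{source_tenant_id}/identitySynchronization",
         {"displayName": "Source tenant", "userSyncInbound": {"isSyncAllowed": True}}),
        ("PATCH", f"{PARTNERS}/{source_tenant_id}",
         {"automaticUserConsentSettings": {"inboundAllowed": True}}),
    ]


def source_tenant_plan(target_tenant_id, sp_id, job_id, rule_id, app_role_id, user_ids):
    """Source tenant: outbound consent suppression, 'Test connection' and Save (the
    credentials are only the target tenant ID plus SyncPolicy), assign users to the app,
    provision on demand (the portal's limit of 5 users), then start the 40-minute schedule."""
    sp = f"{GRAPH}/servicePrincipals/{sp_id}"
    job = f"{sp}/synchronization/jobs/{job_id}"
    creds = [{"key": "CompanyId", "value": target_tenant_id},
             {"key": "AuthenticationType", "value": "SyncPolicy"}]
    # Notification email and accidental-deletion threshold (constructed values).
    notify = {"Enabled": True, "Recipients": "admin@example.com",
              "DeleteThresholdEnabled": True, "DeleteThresholdValue": 20}
    plan = [
        ("POST", PARTNERS, {"tenantId": target_tenant_id}),
        ("PATCH", f"{PARTNERS}/{target_tenant_id}",
         {"automaticUserConsentSettings": {"outboundAllowed": True}}),
        ("POST", f"{job}/validateCredentials", {"useSavedCredentials": False, "credentials": creds}),
        ("PUT", f"{sp}/synchronization/secrets", {"value": creds + [
            {"key": "SyncNotificationSettings", "value": json.dumps(notify)},
            {"key": "SyncAll", "value": "false"}]}),
    ]
    plan += [("POST", f"{sp}/appRoleAssignedTo",
              {"principalId": u, "resourceId": sp_id, "appRoleId": app_role_id}) for u in user_ids]
    subjects = [{"objectId": u, "objectTypeName": "User"} for u in user_ids[:5]]
    plan.append(("POST", f"{job}/provisionOnDemand", {"parameters": [{"ruleId": rule_id, "subjects": subjects}]}))
    plan.append(("POST", f"{job}/start", None))
    return plan
```

Each tuple maps directly onto `Invoke-MgGraphRequest -Method ... -Uri ... -Body ...` in the Microsoft Graph PowerShell SDK; reviewing the plan before sending it makes the consent-suppression and deletion-threshold settings explicit instead of buried in portal clicks.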

Provisioning logs

Once the user is provisioned, you will see the status of the different parts on the status page, and the provisioning logs are on the left side.

When you open the logs, you will see skipped and successful syncs

Application owners can view logs for their own applications. The following roles are required to view provisioning logs:

  • Reports Reader
  • Security Reader
  • Security Operator
  • Security Administrator
  • Application Administrator
  • Cloud Application Administrator
  • Global Administrator
  • Users in a custom role with the provisioningLogs permission

What isn’t supported?

  • Restoring a previously soft-deleted user in the target tenant
  • Synchronizing groups, devices, and contacts into another tenant
  • Synchronizing users across clouds
  • Synchronizing photos across tenants
  • Synchronizing contacts and converting contacts to B2B users
  • An external user from the source (home) tenant can’t be provisioned into another tenant. Internal guest users from the source tenant can’t be provisioned into another tenant.
  • Provisioning manager attributes isn’t supported.
  • Configuring synchronization from the target tenant
  • Directory extensions and the appRoleAssignments, userType, and accountExpires attributes aren’t supported as scoping filters.
  • Provisioning passwords isn’t supported.
  • Provisioning nested groups isn’t supported.
  • Provisioning to B2C tenants isn’t supported because of the size of the tenants.

And the limitations

  • It’s possible for synchronized users to appear in the global address list (GAL) of the target tenant for people search scenarios, but it isn’t enabled by default. In attribute mappings for a configuration, you must update the value for the showInAddressList attribute.
  • B2B users are unable to manage certain Microsoft 365 services in remote tenants (such as Exchange Online), as there’s no directory picker.
  • Unable to change provisioning mode back to manual
  • The attributes SamAccountName and userType aren’t available as a source attribute by default
  • Source attribute dropdown missing for schema extension
  • Null attribute can’t be provisioned
  • Attribute-mapping expressions can have a maximum of 10,000 characters.
  • Multivalued directory extensions can’t be used in attribute mappings or scoping filters.
  • The Global Reader role is unable to read the provisioning configuration. Create a custom role with the microsoft.directory/applications/synchronization/standard/read permission in order to read the provisioning configuration from the Azure portal.

Closure

The cross-tenant story keeps expanding, and these are really useful features in the world of acquisitions and mergers.

Try it out for yourself and give feedback to Microsoft if something isn’t right, or shout it out on social media. These things are developed so that all of us have an easier life as cloud professionals.

Have a good one!

Author: Harri Jaakkonen
