Entra ID Cross Tenant Synchronization: What, Why & How?

In a recent project, I got to work on implementing Cross Tenant Synchronization, specifically on establishing synchronization between two Microsoft Entra ID tenants. Before delving into the technical details and configuration steps, it's worth first addressing the fundamental question: why Cross Tenant Synchronization?

This feature, introduced as a public preview in January 2023 (Microsoft 365 Roadmap) and reaching general availability in the summer of 2023, is, in simple terms, a way to streamline collaboration across different organizations or Microsoft 365 tenants.

The rationale behind Cross Tenant Synchronization becomes apparent when organizations, each with a substantial user base, need to provision access to resources such as Microsoft 365 Apps or other applications hosted in their respective tenants. Typical scenarios are large organizations with multiple subsidiaries or business units, mergers and acquisitions, or simply two large organizations establishing shared user access to Microsoft 365 Apps and other apps hosted in their respective Entra ID tenants.

Why Cross Tenant Synchronization?

While the native method of using B2B collaboration works, its practicality diminishes significantly for tenants with a substantial user base. Manually creating a guest user account for each user becomes a cumbersome task, especially where frequent updates are required. Moreover, the conventional approach, with its consent prompts and invitation redemption process in Entra ID B2B collaboration, can considerably degrade the end-user experience when accessing cross-company resources.

What is Cross Tenant Synchronization?

Microsoft defines Cross Tenant Synchronization as follows:

Cross-tenant synchronization is a one-way synchronization service in Microsoft Entra ID that automates creating, updating, and deleting B2B collaboration users across tenants in an organization. Cross-tenant synchronization builds on the B2B collaboration functionality and utilizes existing B2B cross-tenant access settings. Users are represented in the target tenant as a B2B collaboration user object.

Here are the primary benefits with using cross-tenant synchronization:

  • Automatically create B2B collaboration users within your organization and provide them access to the applications they need, without creating and maintaining custom scripts.
  • Improve the user experience and ensure that users can access resources, without receiving an invitation email and having to accept a consent prompt in each tenant.
  • Automatically update users and remove them when they leave the organization.

One thing to note here is that Cross Tenant Synchronization supports the synchronization of users only; it doesn't support synchronization of groups, devices, or contacts. Other limitations and unsupported scenarios are listed in Microsoft's documentation, but we will not be discussing those today.

Cross Tenant Synchronization supports various topologies: one-to-one synchronization, a single source with multiple targets, multiple sources with a single target, or a mesh. In this article, I will delve into the simplest of all, one-to-one synchronization.


Prerequisites for Cross Tenant Synchronization

License Requirements:

In the source tenant: Microsoft Entra ID P1 licenses. Each user who is synchronized with cross-tenant synchronization must have a P1 license in their home/source tenant.

In the target tenant: the target tenant relies on the Microsoft Entra External ID billing model. You will also need at least one Microsoft Entra ID P1 license in the target tenant to enable auto-redemption.

For configuration and administration you need the following roles assigned in Entra ID:

  • Security administrator – for configuring cross-tenant access settings
  • Hybrid Identity administrator – to enable cross-tenant synchronization
  • Cloud Application administrator or Application administrator – for assigning users to a specific configuration and deleting a particular configuration

Steps to configure

Now let us delve into the configuration details and the steps to configure Cross Tenant Synchronization. As discussed above, today we will be configuring cross tenant synchronization from one source tenant to one target tenant, i.e. a 1:1 mapping.

Step 1: Configuring the Target tenant

  1. Sign in to the Microsoft Entra admin center of the target tenant.
  2. Browse to Identity > External Identities > Cross-tenant access settings.
  3. On the Organization settings tab, select Add organization.
  4. Add the source tenant by typing the tenant ID or domain name and selecting Add.
  5. Select the Cross-tenant sync tab.
  6. Check the Allow users sync into this tenant check box.
  7. Click on Save.
  8. Still in the target tenant, set the automatic invitation redemption setting. On the same Inbound access settings page, select the Trust settings tab and then check the Automatically redeem invitations with the tenant <tenant> check box. This prevents Entra ID from emailing synchronized users from the target tenant (or all tenants) to ask them to consent to their account being added to the target tenant.

Step 2: Configuring the Source tenant

Now repeat the same steps in the source tenant, this time adding the target tenant as the organization. This gives us a two-way mapping and achieves our goal of syncing users from each tenant to the other.
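As an added example (not part of the original post), the same cross-tenant access settings from Steps 1 and 2 can be applied and verified with the Microsoft Graph PowerShell SDK. The tenant ID is a placeholder; the script assumes the `Microsoft.Graph` module is installed and the signed-in account holds the Security Administrator role mentioned in the prerequisites.

```powershell
# Added example, not from the original post: Graph PowerShell equivalent of Steps 1 and 2.
# Run it in the target tenant with the SOURCE tenant ID, then in the source tenant with
# the TARGET tenant ID. Assumes the Microsoft.Graph SDK (2.x) is installed and the
# signed-in account holds the Security Administrator role.

$PartnerTenantId = '00000000-0000-0000-0000-000000000000'   # placeholder, replace

Connect-MgGraph -Scopes 'Policy.ReadWrite.CrossTenantAccess' -NoWelcome

$base = 'https://graph.microsoft.com/v1.0/policies/crossTenantAccessPolicy/partners'

# 1. "Add organization": create the partner entry only if it is not already present.
$partners = (Invoke-MgGraphRequest -Method GET -Uri $base).value
if (-not ($partners | Where-Object { $_.tenantId -eq $PartnerTenantId })) {
    Invoke-MgGraphRequest -Method POST -Uri $base -Body @{ tenantId = $PartnerTenantId } | Out-Null
}

# 2. Cross-tenant sync tab: "Allow users sync into this tenant".
Invoke-MgGraphRequest -Method PUT -Uri "$base/$PartnerTenantId/identitySynchronization" `
    -Body @{ userSyncInbound = @{ isSyncAllowed = $true } } | Out-Null

# 3. Trust settings tab: automatically redeem invitations. The post configures sync in
#    both directions, so inbound and outbound redemption are both enabled here.
Invoke-MgGraphRequest -Method PATCH -Uri "$base/$PartnerTenantId" `
    -Body @{ automaticUserConsentSettings = @{ inboundAllowed = $true; outboundAllowed = $true } } | Out-Null

# 4. Verify what is actually in effect before moving on to the other tenant.
$partner = Invoke-MgGraphRequest -Method GET -Uri "$base/$PartnerTenantId"
$sync    = Invoke-MgGraphRequest -Method GET -Uri "$base/$PartnerTenantId/identitySynchronization"
[pscustomobject]@{
    PartnerTenantId    = $PartnerTenantId
    InboundSyncAllowed = $sync.userSyncInbound.isSyncAllowed
    AutoRedeemInbound  = $partner.automaticUserConsentSettings.inboundAllowed
    AutoRedeemOutbound = $partner.automaticUserConsentSettings.outboundAllowed
}
```

The final object should show all three flags as True in each tenant; anything else means the portal steps above were not fully applied.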

Step 3: Configure Cross Tenant Synchronization in the Source tenant

In the source tenant, browse to Identity > External Identities > Cross-tenant synchronization and select Configurations.

  1. At the top of the page, select New configuration.
  2. Provide a name for the configuration and select Create.

After creating the configuration, it's time to test the connection to the target tenant.

In the source tenant, in the configuration list, select your configuration.

Select Get started, set the Provisioning Mode to Automatic, and then, under the Admin Credentials section, change the Authentication Method to Cross Tenant Synchronization Policy.

In the Tenant Id box, enter the tenant ID of the target tenant and then select Test Connection to test the connection.


Step 4: Define who is in scope for provisioning

It is always a good idea to set the scope to Sync only assigned users and groups. This way we start small and test for any discrepancies. It is also a good idea to set up the notification email address and the accidental deletion threshold.

Now, under Users and groups, add the users or groups you would like to sync to the target tenant. Again, it is better to create a group and assign it for provisioning than to add individual users to the sync.

Step 5: Review Attribute mappings

  • In the source tenant, select Provisioning and expand the Mappings section.
  • Select Provision Microsoft Entra users.
  • On the Attribute Mapping page, scroll down to review the user attributes that are synchronized between tenants in the Attribute Mappings section. The first attribute, alternativeSecurityIdentifier, is an internal attribute used to uniquely identify the user across tenants, match users in the source tenant with existing users in the target tenant, and ensure that each user has only one account. The matching attribute cannot be changed. Attempting to change the matching attribute or add additional matching attributes will result in a schemaInvalid error.
  • Review the Constant Value setting for the userType attribute. This setting defines the type of user that will be created in the target tenant and can be one of the values in the following table. By default, users will be created as external members (B2B collaboration users). For more information, see Properties of a Microsoft Entra B2B collaboration user. For this sync I have kept userType as Guest, which means a member in the source tenant will be treated as a guest user in the target tenant.

If you want the synchronized users to appear in the global address list of the target tenant for people search scenarios, you must set Mapping type to Constant and Constant Value to True.

Step 6: Test Provisioning on Demand

Now that we have a configuration, it's time to test on-demand provisioning with one of the users.

  1. In the source tenant, browse to Identity > External Identities > Cross-tenant synchronization.
  2. Select Configurations and then select the configuration.
  3. Select Provision on demand.
  4. In the Select a user or group box, search for and select one of the test users.

On the Provision on demand page, you can view details about the provision and have the option to retry.

In this case the test user was skipped when provisioned on demand. This is because the user already exists in the target tenant and none of the user's properties had changed, so it was skipped.

Step 7: Start the provisioning job

The provisioning job starts the initial synchronization cycle for all users defined in the Scope of the Settings section. The initial cycle takes longer than subsequent cycles, which occur approximately every 40 minutes as long as the Microsoft Entra provisioning service is running.

Step 8: Monitor Provisioning

To maintain the health of your Entra ID tenant and Cross Tenant Synchronization, it's crucial to regularly check the provisioning logs and audit logs. These logs show which provisioning operations ran into problems and why, which makes troubleshooting faster. Administrators can access and monitor these logs within the 'Activity' section of the configuration to stay updated on the status of provisioning and synchronization activities.

Provisioning Logs: Monitor the provisioning logs regularly to confirm which users were provisioned. These logs are automatically filtered by the service principal ID of the configuration.

In my logs, most of the records are skipped because the user is already provisioned and exists in the target tenant with no change in properties. The one with a failure hit the error below. Because a user with the same email address / proxy address already exists in the target tenant, the conflicting proxy address must be removed from the target tenant before the user can be synced via Cross Tenant Synchronization. Note that the error is on the Update action, so the user already exists in the target tenant but any update to it fails.
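As an added example (not from the original post), this script triages a configuration's provisioning logs the way Step 8 reads them: counts by status and action, then lists failures with their reason. The records in the block are constructed to mirror the shape Microsoft Graph returns for provisioning logs so it runs offline; the live query at the bottom, its filter syntax, and the service principal ID are assumptions to adapt.

```powershell
# Added example, not from the original post. Summarizes cross-tenant sync provisioning
# records: most should be "skipped" (already in target, unchanged), and any "failure"
# on the update action is what needs attention, e.g. a proxy address conflict.

function Get-ProvisioningSummary {
    param([Parameter(Mandatory)] [object[]] $Records)

    # Outcome counts (success / skipped / failure / warning) and action counts
    $byStatus = $Records | Group-Object { $_.provisioningStatusInfo.status } |
        Sort-Object Name | Select-Object Name, Count
    $byAction = $Records | Group-Object provisioningAction | Select-Object Name, Count

    # Failures are the records worth acting on: who, which action, and why
    $failures = $Records |
        Where-Object { $_.provisioningStatusInfo.status -eq 'failure' } |
        ForEach-Object {
            [pscustomobject]@{
                User   = $_.targetIdentity.displayName
                Action = $_.provisioningAction
                Code   = $_.provisioningStatusInfo.errorInformation.errorCode
                Reason = $_.provisioningStatusInfo.errorInformation.reason
                Fix    = $_.provisioningStatusInfo.errorInformation.recommendedAction
            }
        }
    [pscustomobject]@{ ByStatus = $byStatus; ByAction = $byAction; Failures = $failures }
}

# Constructed sample records (not real Entra output): two skipped users and one failed
# update caused by a duplicate proxy address in the target tenant.
$sample = @'
[ { "provisioningAction": "update", "provisioningStatusInfo": { "status": "skipped" },
    "targetIdentity": { "displayName": "Alice Example" } },
  { "provisioningAction": "update", "provisioningStatusInfo": { "status": "skipped" },
    "targetIdentity": { "displayName": "Bob Example" } },
  { "provisioningAction": "update",
    "provisioningStatusInfo": { "status": "failure", "errorInformation": {
        "errorCode": "ConstructedErrorCode",
        "reason": "A user with the same proxyAddress already exists in the target tenant.",
        "recommendedAction": "Remove the conflicting proxy address in the target tenant." } },
    "targetIdentity": { "displayName": "Carol Example" } } ]
'@ | ConvertFrom-Json

$summary = Get-ProvisioningSummary -Records $sample
$summary.ByStatus | Format-Table -AutoSize    # failure 1, skipped 2
$summary.Failures | Format-List

# Live query (assumed filter syntax; replace $spId with the configuration's service principal ID):
# Connect-MgGraph -Scopes 'AuditLog.Read.All' -NoWelcome
# $spId = '00000000-0000-0000-0000-000000000000'
# Get-ProvisioningSummary -Records (Get-MgAuditLogProvisioning -All -Filter "servicePrincipal/id eq '$spId'")
```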

Audit Logs in the Source Tenant: For a comprehensive view of all logged events in Azure AD, administrators can refer to the Audit logs under the 'Activity' section in the source tenant. These logs provide details on activities such as adding or deleting provisioning configurations, imports, exports, and more. Information like date and time, status, status reason, service, category, and targets is included, helping to keep track of provisioning and synchronization activities in the source tenant.

Audit Logs in the Target Tenant: To ensure secure and efficient user management in the target tenant, regular review of Audit logs is essential. By navigating to the Microsoft 365 admin center, specifically Users and then Audit logs, administrators can easily monitor activities like updating user profiles, redeeming external user invitations, and other critical actions.

Provisioning insights:

You can view insights and metrics for all provisioning flows, including Cloud Sync, Inbound Provisioning, and Outbound Provisioning. These insights give you a useful overview of provisioning activity.

Final Thoughts

To conclude, Cross Tenant Synchronization makes it easier to manage users in large multi-tenant organizations and offers an efficient way to move away from manually managed B2B collaboration.

I trust that this blog has given you a high-level understanding of cross-tenant synchronization and its benefits. Please do share your experiences and thoughts in the comments section. Your insights can contribute to a valuable discussion and further enhance the collective understanding of this topic. Feel free to raise any questions or reflections you may have regarding cross-tenant synchronization. Your engagement is appreciated!

Further reads and references for Cross Tenant Synchronization:

Richard Bergquist

Principal Consultant - Cloud and Identity

8 months

Great post. I'm curious how the user in the target tenant can be added into an existing target tenant group. For example setting up x-tenant sync to only sync admins from the source tenant to be equivalent admins in the target tenant. Is this possible, or do the users in the target tenant still need to be assigned to the specific groups they need to perform their job in that tenant?

Roman N Samuel

Azure Devops Engineer | Devops | Terraform | BICEP | CICD | Infrastructure as Code | Docker | Azure AI | Azure Kubernetes Service |

9 months

What happens when we disable the cross tenant synchronization? Will the synchronized users be removed from the target tenant?

Ravi Bakamwar

IAM, Cybersecurity, Cloud Infrastructure

11 months

Excellent post! I am assuming any updates to the source user object (change in email ID, UPN or other attributes) will be synced to the target tenant?

Bhawarlal Chandak

RETIRED AS DGM at Small Industries Development Bank of India

11 months

Great. Proud of you.
