In 2022, alongside the introduction of shared channels for Teams, Microsoft unveiled Azure B2B Direct Connect. This innovative approach facilitates the connection of multiple tenants through a reciprocal trust mechanism. This trust is established and governed by cross-tenant access policies, shaping how tenants access each other’s resources. Cross-tenant synchronization, another capability determined by these access policies, enables a trusted relationship to synchronize directory objects between tenants.
The latest development from Microsoft is the preview release of Entra ID’s multi-tenant organization (MTO) solution. This Entra ID solution seamlessly connects a group of up to five tenants via cross-tenant access policies, streamlining directory synchronization. The MTO concept is tailored for organizations spanning multiple Microsoft 365 tenants, fostering information sharing and collaboration between connected tenants.
Initially, the enhanced collaboration benefits are exclusive to the new Teams 2.1 client. Users can now:
- Receive real-time notifications across all MTO tenants.
- Collaborate (chat, call, meet) with users from other MTO tenants without needing to switch tenants. Full chat features are available as users from MTO tenants are not treated as external entities.
- Set distinct statuses for each tenant.
The organization name of a user is also displayed on the Microsoft 365 user profile card. The blog for the Microsoft Teams development team provides more details on “seamless collaboration in Teams in a multi-tenant organization.”
For users to participate in MTOs when they become generally available, Entra ID Premium P1 licenses will be required. Given the enterprise focus of this feature, the license requirement is unlikely to pose a concern.
Creating a Multi-tenant Organization
The structure of an MTO includes:
- An owning tenant initiates the creation of the MTO (a tenant can only belong to a single MTO).
- Up to four additional tenants can be added to the MTO.
- Each tenant establishes cross-tenant synchronization configurations with other tenants.
- Tenants retain control over which users from their directory are synchronized with other tenants.
- A maximum of 100,000 users can be synchronized from one tenant to another.
- Tenants retain the freedom to leave an MTO at any time. The MTO disbands if the owning tenant departs.
As this feature is currently in preview, only tenants set up for targeted release can partake in an MTO.
To establish a new MTO, navigate to the Org Settings section within the Microsoft 365 admin center. Select the Organization profile tab and choose Multitenant collaboration to create an MTO. Then provide the name, description, and tenant identifiers (GUIDs) for the member tenants. It’s possible to begin by connecting with a single tenant (see Figure 1).
Figure 1: Creating multi-tenant organization
Subsequently, proceed to configure the synchronization settings for the connection between the owning tenant and the newly added member tenant. This process resembles the steps undertaken when establishing a cross-tenant synchronization configuration within the Entra ID admin center. However, the operation is now more streamlined and automated, rendering it simpler within the Microsoft 365 admin center.
The settings revealed in Figure 2 govern two crucial aspects:
- User Synchronization: This setting controls the synchronization of user information between the owning tenant and the member tenant. It keeps user data up to date and consistent across both tenants.
- Consent Prompt Suppression: In traditional cross-tenant synchronization setups, users are usually prompted to consent to their information being shared across tenants. With this setting, consent prompts are suppressed, so users do not need to grant consent explicitly. This helps streamline the synchronization process.
Refer to Figure 2 for a visual representation of these settings. These adjustments facilitate a seamless and automated synchronization experience, reducing the manual interactions required in traditional setups.
Figure 2: Configuring synchronization settings for the new multi-tenant organization
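Because these two settings let another tenant's users arrive without a consent prompt, it is worth checking that they are enabled only for tenants approved as MTO members. The following is an added example, not part of the original article or Microsoft's tooling. It audits an exported list of partner configurations, and it assumes each record merges a partner's cross-tenant access settings with its identity synchronization settings under Microsoft Graph property names; the tenant IDs and the allow-list are constructed.

```python
import json

# Constructed sample, not real tenant data. Each record is assumed to merge a
# cross-tenant access partner configuration with its identitySynchronization
# resource, using Microsoft Graph property names.
SAMPLE_PARTNERS = json.loads("""
[
  {"tenantId": "11111111-1111-1111-1111-111111111111",
   "automaticUserConsentSettings": {"inboundAllowed": true, "outboundAllowed": true},
   "identitySynchronization": {"userSyncInbound": {"isSyncAllowed": true}}},
  {"tenantId": "22222222-2222-2222-2222-222222222222",
   "automaticUserConsentSettings": {"inboundAllowed": true, "outboundAllowed": null},
   "identitySynchronization": {"userSyncInbound": {"isSyncAllowed": true}}},
  {"tenantId": "33333333-3333-3333-3333-333333333333",
   "automaticUserConsentSettings": {"inboundAllowed": null, "outboundAllowed": null},
   "identitySynchronization": null}
]
""")

# Hypothetical allow-list: tenants approved as MTO members.
APPROVED_MTO_TENANTS = {
    "11111111-1111-1111-1111-111111111111",
    "44444444-4444-4444-4444-444444444444",
}

def audit_partners(partners, approved):
    """Return (tenantId, finding) pairs for settings that widen trust unexpectedly."""
    approved = {t.lower() for t in approved}
    findings, seen = [], set()
    for partner in partners:
        tenant = partner["tenantId"].lower()
        seen.add(tenant)
        consent = partner.get("automaticUserConsentSettings") or {}
        sync = (partner.get("identitySynchronization") or {}).get("userSyncInbound") or {}
        if tenant in approved:
            continue
        # Unset values may come back as null, so only an explicit true counts.
        if sync.get("isSyncAllowed") is True:
            findings.append((tenant, "inbound user sync allowed for unapproved tenant"))
        if consent.get("inboundAllowed") is True or consent.get("outboundAllowed") is True:
            findings.append((tenant, "consent prompt suppressed for unapproved tenant"))
    for tenant in sorted(approved - seen):
        findings.append((tenant, "approved MTO tenant has no partner configuration"))
    return findings

if __name__ == "__main__":
    for tenant, finding in audit_partners(SAMPLE_PARTNERS, APPROVED_MTO_TENANTS):
        print(f"{tenant}: {finding}")
```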
Proceed to the following screen to review the configured settings of the multi-tenant organization (MTO). Before finalizing the setup, you will encounter the prominent “Create multi-tenant organization” button. This button serves as the trigger for initiating the process of populating Entra ID with the required properties to facilitate seamless collaboration within the MTO. This encompasses the preparation of the selected member tenants for their inclusion in the MTO.
However, it’s crucial to note that the collaboration among these tenants operates on the foundation of mutual trust. As such, the administrators of each designated member tenant must actively take specific actions to join the MTO. This is executed through the same option available within the Microsoft 365 admin center. By opting for this action, administrators accept an invitation extended by the owning tenant to partake in the multi-tenant organization.
For a visual representation of this process, refer to Figure 3. This pivotal step solidifies the collaborative arrangement, establishing a cooperative framework among the involved tenants within the MTO.
Figure 3: A member tenant joins a multi-tenant organization
Entra ID Configuration and Synchronization
Synchronized data is integral to Microsoft 365, but Entra ID controls the synchronization process. In the External Identities section of the Entra ID admin center, you will find a cross-tenant synchronization configuration titled “MTO_Sync_tenantidentifier,” shown in Figure 4.
Figure 4: The cross-tenant synchronization configuration created in Entra ID
Configuration settings define the specific users and security groups that a tenant intends to synchronize with another tenant. Adding users and security groups to the configuration causes them to synchronize across tenants. In some instances the synchronization setting had to be changed from manual to automatic, but the overall configuration process proved smooth.
Remember that the Multi-Tenant Organization (MTO) is essentially a feature layered atop Entra ID. For greater convenience, utilize the “Share users” option found within the Multitenant collaboration segment of the Microsoft 365 admin center. This enables you to specify the users your tenant is inclined to synchronize across all MTO tenants. In practice, you might create a security group encompassing member accounts and then integrate it into the configuration, as shown in Figure 5. Dynamic security groups can also be beneficial, simplifying the management of account additions to the synchronization cycle.
Figure 5: Configuring users to synchronize within the multi-tenant organization
Should you desire distinct control at the individual tenant level – perhaps to synchronize certain users with one tenant while diverging with another – you possess the flexibility to adjust the provisioning settings of individual Entra ID configurations per tenant. However, bear in mind that the core purpose of the MTO is to establish a shared directory across all MTO tenants. Consequently, the default operation involves synchronizing the same users with all interconnected tenants.
Membership over Guest Status
Entra ID’s synchronization process introduces accounts as member accounts in the target tenant, rather than guest accounts. Despite the guest-like appearance of user principal names (UPNs), the user type corresponds to that of a regular user account. This approach simplifies the differentiation of MTO accounts from guest accounts by applications. The precise workings of this distinction within the new Teams client require a separate exploration.
At present, synchronized accounts exert no influence on other Microsoft 365 applications such as Exchange, Planner, Viva Engage, or SharePoint Online. This dynamic might evolve in the future. From a user perspective, synchronized accounts blend seamlessly with other member accounts, warranting equivalent treatment.
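Since synchronized accounts are members with guest-like UPNs, an inventory that filters only on the Guest user type will not list them. The following is an added example, not part of the original article. It groups such accounts by the home domain encoded in the UPN; the user records are constructed and use the `userPrincipalName` and `userType` fields of Microsoft Graph user objects.

```python
EXT_MARKER = "#EXT#"

# Constructed sample records, not real accounts.
SAMPLE_USERS = [
    {"userPrincipalName": "ana.lopez_fabrikam.com#EXT#@contoso.onmicrosoft.com", "userType": "Member"},
    {"userPrincipalName": "li_wei_fabrikam.com#EXT#@contoso.onmicrosoft.com", "userType": "Member"},
    {"userPrincipalName": "sam_partner.example#EXT#@contoso.onmicrosoft.com", "userType": "Guest"},
    {"userPrincipalName": "kim@contoso.com", "userType": "Member"},
]

def home_domain(upn):
    """Return the home domain encoded in a guest-style UPN, or None if absent."""
    if EXT_MARKER not in upn:
        return None
    encoded = upn.split(EXT_MARKER, 1)[0]      # e.g. 'li_wei_fabrikam.com'
    _, sep, domain = encoded.rpartition("_")   # last '_' replaces the original '@'
    return domain.lower() if sep and "." in domain else None

def classify(user):
    """Label an account by user type and UPN shape."""
    external = home_domain(user["userPrincipalName"]) is not None
    if user.get("userType") == "Guest":
        return "guest"
    # Heuristic: also matches any external account whose type was set to Member by hand.
    return "external-member" if external else "internal-member"

def external_members_by_domain(users):
    """Map home domain -> UPNs of member accounts that originate outside the tenant."""
    grouped = {}
    for user in users:
        if classify(user) == "external-member":
            upn = user["userPrincipalName"]
            grouped.setdefault(home_domain(upn), []).append(upn)
    return grouped

if __name__ == "__main__":
    for domain, upns in external_members_by_domain(SAMPLE_USERS).items():
        print(domain, len(upns), upns)
```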
Embarking on the MTO Journey
This new multi-tenant organization feature exists in preview, signifying the possibility of alterations before reaching general availability. Nonetheless, the core structure is unlikely to change, with MTOs functioning as outlined, built atop Entra ID’s cross-tenant synchronization configurations.
Of intrigue moving forward is the impact on Independent Software Vendors (ISVs) offering cross-tenant directory synchronization products. MTOs potentially render some of the functions of these products obsolete, potentially leading to market contraction. Similarly, the influence on tenant-to-tenant migration vendors is noteworthy. Will MTOs negate the need for certain migrations, or will they serve as a precursor to such migrations? Time will provide the answers.
The trajectory of Microsoft 365 apps is another area to watch. Teams has already shown how it will capitalize on the ability to distinguish synchronized users within an MTO from external accounts. Outlook, Viva Engage, Planner, and other applications’ responses, if any, remain to be seen. Altogether, the MTO introduces a captivating dimension for consideration and exploration.