This post examines the Azure AD cross-tenant synchronization feature, which allows an Azure IT admin to sync users between different Azure AD tenants.
Cross-tenant synchronization supplements and upgrades Azure B2B collaboration: users from a source tenant are provisioned into a target tenant automatically, without sending a B2B invitation to each user, so access to services and resources can be shared across tenants.
A common scenario in which this feature could be used is the acquisition of one organization by another.
What are the benefits for an organization of using the Cross-tenant synchronization feature?
- Collaboration for multi-tenant organizations
- Multi-tenant B2B collaboration lifecycle management
- Removing B2B accounts automatically after a user leaves
Prerequisites
- Both tenants (Source & Target) must have an Azure AD Premium P1 or P2 license.
- In both tenants (Source & Target), the Security Administrator role is required to configure cross-tenant access.
Cross-tenant synchronization configuration
The following steps show how to configure both tenants to use the cross-tenant synchronization feature via the Azure Portal; the same configuration can also be done via PowerShell or the Graph API.
Step 1. Enable synchronization in the target tenant
Select Azure Active Directory > External Identities > Cross-tenant access settings.
From the “Source Tenant” copy the Tenant ID, and on the “Target Tenant” select + Add organization, paste the ID and click Add.
A few seconds later, you will be able to view the new organization (Source Tenant), as the image below depicts.
Underneath Inbound access, select Inherited from default.
Select the Cross-tenant sync tab and check “Allow users sync into this tenant”.
Then, on the Trust settings tab, check “Automatically redeem invitations with the tenant Source Tenant”.
Step 2. Enable synchronization in the source tenant
Select Azure Active Directory > External Identities > Cross-tenant access settings.
From the “Target Tenant” copy the Tenant ID, and on the “Source Tenant” select + Add organization.
Underneath Outbound access, select Inherited from default.
Select the Trust settings tab and check “Automatically redeem invitations with the tenant Target Tenant”.
On the Source Tenant, select Manage > Cross-tenant synchronization.
Now, type a name for the configuration, e.g. Target Tenant, and select Create.
Then, on the left-hand side blade, select Manage > Provisioning, specify the Target Tenant ID and press the Test Connection button.
If the Test Connection is successful, you will see a message like the image below,
and you will be able to view the Status as “Enabled”.
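The same target-tenant settings from Step 1 (add the partner organization, allow inbound user sync, auto-redeem invitations) applied through Microsoft Graph with the Microsoft.Graph PowerShell SDK, followed by an audit that lists every partner tenant allowed to push users into this tenant. This is an added example, not the post's own code; it is run in the target tenant, the tenant ID is a placeholder, and the account used needs the Policy.ReadWrite.CrossTenantAccess permission.

```powershell
# Added example (not from the original post). Run in the TARGET tenant.
$SourceTenantId = '00000000-0000-0000-0000-000000000000'   # placeholder: Source Tenant ID

Connect-MgGraph -Scopes 'Policy.ReadWrite.CrossTenantAccess'

$base = 'https://graph.microsoft.com/v1.0/policies/crossTenantAccessPolicy/partners'

# Step 1a: add the source tenant as a partner organization (+ Add organization in the portal).
Invoke-MgGraphRequest -Method POST -Uri $base `
    -Body @{ tenantId = $SourceTenantId } -ContentType 'application/json'

# Step 1b: "Allow users sync into this tenant" (Cross-tenant sync tab).
Invoke-MgGraphRequest -Method PUT -Uri "$base/$SourceTenantId/identitySynchronization" `
    -Body @{ displayName = 'Source Tenant'; userSyncInbound = @{ isSyncAllowed = $true } } `
    -ContentType 'application/json'

# Step 1c: "Automatically redeem invitations" for inbound users (Trust settings tab).
Invoke-MgGraphRequest -Method PATCH -Uri "$base/$SourceTenantId" `
    -Body @{ automaticUserConsentSettings = @{ inboundAllowed = $true } } `
    -ContentType 'application/json'

# Audit: which partner tenants may sync users into this tenant, and which get auto-redeem.
# Every partner here is a tenant whose admins can create accounts in your directory.
function Get-CrossTenantSyncPartners {
    $partners = (Invoke-MgGraphRequest -Method GET -Uri $base).value
    foreach ($p in $partners) {
        $sync = $null
        try   { $sync = Invoke-MgGraphRequest -Method GET -Uri "$base/$($p.tenantId)/identitySynchronization" }
        catch { }   # 404 means no identity synchronization policy exists for this partner
        [pscustomobject]@{
            TenantId           = $p.tenantId
            InboundSyncAllowed = [bool]($sync -and $sync.userSyncInbound.isSyncAllowed)
            AutoRedeemInbound  = [bool]$p.automaticUserConsentSettings.inboundAllowed
            AutoRedeemOutbound = [bool]$p.automaticUserConsentSettings.outboundAllowed
        }
    }
}

Get-CrossTenantSyncPartners | Format-Table -AutoSize
```

Review the audit output periodically: a partner with InboundSyncAllowed set to True that you do not recognize should be removed from the partners list.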
Try Provisioning Users
To finish the AAD cross-tenant configuration, provision a few users for testing purposes. To do so, on the configuration's left-hand side blade, go to Manage > Users and groups and select + Add user/group.
To assign the user, click None Selected, type the user’s name in the Search textbox, select the user, and click Assign, as the image below depicts.
Now, click the Provision on demand button.
Select the user that you want to provision, e.g. test,
and select Provision.
Upon successful provisioning, your user will be added to the target tenant a few seconds later.
Navigating to the target tenant will show you the user from the source tenant.
Attribute Mapping
In cross-tenant synchronization, attributes of the user object in Azure AD are synced, including displayName, userPrincipalName, directory extensions, etc., but it cannot synchronize attributes such as photos, custom security attributes, managers, and user attributes stored outside of the directory.