Note: The original article mentioned a previously announced date of November 2022 for this feature to go public and the planned release date was eventually postponed to early 2024. Unfortunately, as of July 2023, this feature is no longer on the public Roadmap. We will continue monitoring to see if it gets added back to the roadmap in the future.

Microsoft Attempts to Solve the M&A Domain Sharing Challenge  

If you are asked to configure shared email domains cross-tenant to support a merger, acquisition, or divestiture, then you might be aware that Microsoft has historically only allowed a domain to be added to one tenant at a time, requiring you to consider a third-party email rewrite service to provide domain sharing. 

Fortunately, Microsoft acknowledged the need for a native solution and released Cross-Tenant Domain Sharing functionality to select customers for private preview (Microsoft roadmap item 67161), with plans to release it publicly in early 2024. Although this feature is no longer on the public roadmap, the need still exists and we can hope that Microsoft will add it back at a later date. If Microsoft proceeds with the planned development, then you will have a native domain sharing option similar to the Shared SMTP Namespace functionality available with on-premises Exchange Server. 

Native Cross-Tenant Domain Sharing for Exchange Online 

Microsoft provided some initial details to the public regarding this solution’s expected architecture and some of the configuration and management tasks you must perform when utilizing native cross-tenant domain sharing functionality.  As long as Microsoft does not make any major changes before releasing it to the public, you will be able to follow the steps in the example below to enable cross-tenant domain sharing for a single SMTP domain. 

The domain will be Authoritative in the tenant where you perform the primary domain management. Once you enable the domain for cross-tenant domain sharing, you will be able to add the domain as an Internal Relay in additional tenants. The Internal Relay accepted domain type itself is not new: Exchange Online already supports it (Set-AcceptedDomain -DomainType InternalRelay), and it is a familiar concept if you have worked with an on-premises Exchange Server. What is new is being allowed to add a domain that is already verified in another tenant at all.  

Cross-Tenant Domain Sharing Configuration 

You will start by enabling domain sharing for contoso.com in Tenant A so that you can assign contoso.com as a Primary SMTP address to the mailboxes in Tenant B. 

  1. Add contoso.com as an Accepted Domain in Tenant A before adding it to other tenants
    • Domain appears as Type: Authoritative 
  2. Configure contoso.com in Tenant A to allow sharing with Tenant B
    • Microsoft will provide full details for this task once the feature is public 
  3. Add contoso.com as an Accepted Domain in Tenant B
    • Domain appears as Type: Internal Relay 
  4. Configure an Inbound Connector in each tenant to trust the opposing tenant
    • Tenant A connector configuration:
      • SenderDomains={smtp:contoso.com;1} 
      • TrustedOrganizations={smtp:fabrikam.onmicrosoft.com;1} 
    • Tenant B connector configuration:
      • SenderDomains={smtp:contoso.com;1} 
      • TrustedOrganizations={smtp:contoso.onmicrosoft.com;1} 
    • Keep both connectors scoped this narrowly: SenderDomains limits the connector to contoso.com senders, and TrustedOrganizations limits it to mail that originates in the partner tenant. A connector that accepted contoso.com from any source would let outside senders inject spoofed contoso.com mail into the Internal Relay tenant as if it were internal.
  5. MX Record for contoso.com points to Tenant A
    • Inbound messages for all contoso.com addresses are delivered to Tenant A first and then routed to Tenant B 
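The five steps above as a script, added here as an illustration and not taken from the original article or from Microsoft. It uses Exchange Online PowerShell v3 with the -Prefix parameter so that one session per tenant stays open. The tenant names, admin UPNs, connector names and the expected MX host are assumptions for the example; step 2 had no published cmdlet when the article was written, so it stays a placeholder comment.

```powershell
# Added example, not from the original article. Assumed names throughout.
$SharedDomain = 'contoso.com'
$TenantA      = 'contoso.onmicrosoft.com'    # authoritative tenant (assumed)
$TenantB      = 'fabrikam.onmicrosoft.com'   # internal-relay tenant (assumed)

# One session per tenant; cmdlets become Get-TenantAMailbox, Get-TenantBMailbox, etc.
Connect-ExchangeOnline -UserPrincipalName admin@contoso.onmicrosoft.com  -Prefix TenantA -ShowBanner:$false
Connect-ExchangeOnline -UserPrincipalName admin@fabrikam.onmicrosoft.com -Prefix TenantB -ShowBanner:$false

# Step 1: contoso.com must already be Authoritative in Tenant A.
$domA = Get-TenantAAcceptedDomain -Identity $SharedDomain
if ($domA.DomainType -ne 'Authoritative') {
    throw "$SharedDomain is $($domA.DomainType) in $TenantA; it must be Authoritative before sharing"
}

# Step 2: mark contoso.com in Tenant A as shareable with Tenant B.
# Placeholder: Microsoft never published the cmdlet for this step.

# Step 3: after adding contoso.com to Tenant B in the Microsoft 365 admin center,
# make it an Internal Relay domain (New-AcceptedDomain exists only on-premises).
Set-TenantBAcceptedDomain -Identity $SharedDomain -DomainType InternalRelay
$domB = Get-TenantBAcceptedDomain -Identity $SharedDomain
if ($domB.DomainType -ne 'InternalRelay') {
    throw "$SharedDomain is $($domB.DomainType) in $TenantB; expected InternalRelay"
}

# Step 4: one inbound connector per tenant. SenderDomains limits WHAT the connector
# accepts, TrustedOrganizations limits WHERE it accepts it from. Omitting
# TrustedOrganizations would let any Internet sender deliver "contoso.com" mail
# into the Internal Relay tenant as if it were internal.
New-TenantAInboundConnector -Name "Shared $SharedDomain from $TenantB" `
    -ConnectorType Partner -SenderDomains $SharedDomain `
    -TrustedOrganizations $TenantB -RequireTls $true -Enabled $true

New-TenantBInboundConnector -Name "Shared $SharedDomain from $TenantA" `
    -ConnectorType Partner -SenderDomains $SharedDomain `
    -TrustedOrganizations $TenantA -RequireTls $true -Enabled $true

# Step 5: the lowest-preference MX must point at Tenant A's EOP endpoint.
# The expected host follows the EOP naming convention (assumed for the example).
$expectedMx = 'contoso-com.mail.protection.outlook.com'
$mx = (Resolve-DnsName -Name $SharedDomain -Type MX -ErrorAction Stop |
       Where-Object QueryType -eq 'MX' |
       Sort-Object Preference | Select-Object -First 1).NameExchange
if ($mx -ne $expectedMx) {
    Write-Warning "MX for $SharedDomain is '$mx', expected '$expectedMx'; inbound mail will not land in $TenantA"
}

# Review that the trust really is as narrow as intended in both tenants.
Get-TenantAInboundConnector | Format-Table Name, SenderDomains, TrustedOrganizations, RequireTls
Get-TenantBInboundConnector | Format-Table Name, SenderDomains, TrustedOrganizations, RequireTls
```

Run the two Connect-ExchangeOnline calls interactively first; the rest of the script is idempotent apart from the two New-InboundConnector calls, which fail with a duplicate-name error if re-run, so check Get-InboundConnector before repeating it.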

Primary SMTP Address Assignment 

With the cross-tenant domain sharing architecture in place, you can now start to assign contoso.com email addresses to mailboxes in Tenant B, which has fabrikam.com as an Authoritative Accepted Domain. 

  1. Create a mailbox in Tenant B, which will have a UPN for a domain that is owned by Tenant B
  2. Set the Primary SMTP on the mailbox in Tenant B to a unique contoso.com address
    • Example: bob@contoso.com 
    • Microsoft will provide full details for this task once the feature is public 

The user can now send email from the mailbox in Tenant B as bob@contoso.com even though that domain is managed by Tenant A. 


Tenant to Tenant Migration Considerations  

The release of native cross-tenant domain sharing will provide a much-needed solution for configuring long-term coexistence across multiple tenants, allowing you to enable consistent branding for users sending and receiving emails from separate tenants. 

However, if you are also planning tenant-to-tenant migrations, enabling cross-tenant domain sharing will introduce some additional tasks and complexities to consider when it comes time to perform your mail migrations and SMTP domain migrations.  Companies that provide third-party migration tools are expected to start including this scenario in their product development to help address these new complexities, which are described in more detail below. 

Mail Migration Considerations 

The first important consideration is that you will need to change the timing of moving the Primary SMTP address from a mailbox in one tenant to another for users that need to maintain their existing email identity.   

Currently, you must complete this task as part of an SMTP domain migration event since the domain cannot be shared across tenants. However, once you implement cross-tenant domain sharing, you will need to perform this step as part of the mail migration event since the specific Primary SMTP address should not be assigned to more than one mailbox at a time. If your mail migration tool does not have an option to automatically update the source and target Primary SMTP addresses for mailboxes using shared domains, then you should include a task in your migration plan to perform these changes yourself. 
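A cutover script for one user, added here as an illustration of the Primary SMTP Address Assignment steps earlier on the page and of the timing point just made; it is not code from the original article. It releases bob@contoso.com on the source mailbox in the authoritative tenant before claiming it on the target mailbox in the internal-relay tenant, so the address is never live on two mailboxes at once. The tenant prefixes, admin UPNs, mailbox identities and the fallback address are assumptions; the script presumes the sharing configuration above is already in place.

```powershell
# Added example, not from the original article. Assumed names throughout.

function New-ProxyAddressList {
    # Pure helper: builds the list for Set-Mailbox -EmailAddresses with $Primary as
    # the only uppercase "SMTP:" entry (uppercase means primary), every other SMTP
    # entry demoted to lowercase, and $Remove dropped if given.
    # Non-SMTP entries (SIP:, X500:, ...) are kept untouched.
    param(
        [string[]]$Existing,
        [Parameter(Mandatory)] [string]$Primary,
        [string]$Remove
    )
    $kept = foreach ($entry in $Existing) {
        $s = "$entry"
        if ($Remove -and $s -like "smtp:$Remove") { continue }   # -like is case-insensitive
        if ($s -like "smtp:$Primary") { continue }               # re-added as primary below
        if ($s -like 'smtp:*') { 'smtp:' + $s.Substring(5) } else { $s }
    }
    return @("SMTP:$Primary") + @($kept)
}

function Move-SharedPrimarySmtp {
    # Cutover for one user: release $Address in the source tenant (Tenant A prefix),
    # then assign it as primary in the target tenant (Tenant B prefix).
    param(
        [Parameter(Mandatory)] [string]$Address,         # e.g. bob@contoso.com
        [Parameter(Mandatory)] [string]$SourceMailbox,   # identity in Tenant A
        [Parameter(Mandatory)] [string]$SourceFallback,  # address the source keeps as primary
        [Parameter(Mandatory)] [string]$TargetMailbox,   # identity in Tenant B (UPN in a Tenant B domain)
        [switch]$WhatIf
    )
    $domain = $Address.Split('@')[1]

    # Target-side preconditions: shared domain is Internal Relay, address unused.
    $domB = Get-TenantBAcceptedDomain -Identity $domain
    if ($domB.DomainType -ne 'InternalRelay') { throw "$domain is not an Internal Relay domain in the target tenant" }
    if (Get-TenantBRecipient -Identity $Address -ErrorAction SilentlyContinue) {
        throw "$Address is already assigned to a recipient in the target tenant"
    }

    # Source-side precondition: the address really is on the mailbox we expect.
    $src = Get-TenantAMailbox -Identity $SourceMailbox
    if (-not ($src.EmailAddresses | Where-Object { "$_" -like "smtp:$Address" })) {
        throw "$Address is not on $SourceMailbox in the source tenant"
    }
    $tgt = Get-TenantBMailbox -Identity $TargetMailbox

    $srcList = New-ProxyAddressList -Existing $src.EmailAddresses -Primary $SourceFallback -Remove $Address
    $tgtList = New-ProxyAddressList -Existing $tgt.EmailAddresses -Primary $Address

    # 1. release in the source tenant first ...
    Set-TenantAMailbox -Identity $SourceMailbox -EmailAddresses $srcList -WhatIf:$WhatIf
    # 2. ... then claim in the target tenant.
    Set-TenantBMailbox -Identity $TargetMailbox -EmailAddresses $tgtList -WhatIf:$WhatIf
    # For directory-synchronized objects change proxyAddresses in on-premises AD
    # instead; Exchange Online rejects Set-Mailbox on synced attributes.
}

Connect-ExchangeOnline -UserPrincipalName admin@contoso.onmicrosoft.com  -Prefix TenantA -ShowBanner:$false
Connect-ExchangeOnline -UserPrincipalName admin@fabrikam.onmicrosoft.com -Prefix TenantB -ShowBanner:$false

# Dry run first; drop -WhatIf once the output looks right.
Move-SharedPrimarySmtp -Address 'bob@contoso.com' `
    -SourceMailbox 'bob@contoso.com' -SourceFallback 'bob@contoso.onmicrosoft.com' `
    -TargetMailbox 'bob@fabrikam.com' -WhatIf
```

The order of the two Set-Mailbox calls is the whole point: if the target call ran first there would be a window in which both tenants claim bob@contoso.com, and mail relayed from Tenant A could land in either mailbox.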

SMTP Domain Migration Considerations 

The second important consideration is the impact that cross-tenant domain sharing can have on migrating SMTP domains from one tenant to another. 

Microsoft will not let you remove a domain from a tenant until you remove the domain from all objects where it is used as a UPN or email attribute.  If you enable cross-tenant domain sharing, then objects in other tenants may also be using the domain being moved. It becomes very important to understand exactly where the shared domain is being used across all tenants when performing your SMTP domain migration planning.
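An inventory script for that planning step, added here as an illustration and not part of the original article. It lists, per tenant, every Exchange recipient that carries a contoso.com proxy address and every user whose UPN is in contoso.com, which are the two attributes that block domain removal. Tenant prefixes and admin UPNs are assumptions; it covers only objects visible to Exchange Online, so Entra ID objects without a recipient (for example pure security groups or guest users) still need a separate Microsoft Graph query.

```powershell
# Added example, not from the original article. Assumed names throughout.

function Get-SharedDomainUsage {
    # Emits one record per use of $Domain in a tenant. $Prefix is the value given to
    # Connect-ExchangeOnline -Prefix for that tenant, so Get-Recipient becomes
    # Get-<Prefix>Recipient and Get-User becomes Get-<Prefix>User.
    param(
        [Parameter(Mandatory)] [string]$Domain,
        [Parameter(Mandatory)] [string]$Prefix
    )
    $recipientCmd = "Get-${Prefix}Recipient"
    $userCmd      = "Get-${Prefix}User"

    # Any recipient type with an address in the domain: mailboxes, mail users,
    # contacts, distribution groups and Microsoft 365 groups.
    & $recipientCmd -ResultSize Unlimited -Filter "EmailAddresses -like '*@$Domain'" |
        ForEach-Object {
            $inDomain = @($_.EmailAddresses | ForEach-Object { "$_" } | Where-Object { $_ -like "smtp:*@$Domain" })
            [pscustomobject]@{
                Tenant    = $Prefix
                Identity  = $_.PrimarySmtpAddress
                Type      = $_.RecipientTypeDetails
                Usage     = 'EmailAddress'
                Values    = $inDomain -join ';'
                IsPrimary = ($_.PrimarySmtpAddress -like "*@$Domain")   # primary needs the cutover step, not just a removal
            }
        }

    # Users whose UPN is in the domain; these block domain removal independently of mail addresses.
    & $userCmd -ResultSize Unlimited -Filter "UserPrincipalName -like '*@$Domain'" |
        ForEach-Object {
            [pscustomobject]@{
                Tenant    = $Prefix
                Identity  = $_.UserPrincipalName
                Type      = $_.RecipientTypeDetails
                Usage     = 'UserPrincipalName'
                Values    = $_.UserPrincipalName
                IsPrimary = $true
            }
        }
}

Connect-ExchangeOnline -UserPrincipalName admin@contoso.onmicrosoft.com  -Prefix TenantA -ShowBanner:$false
Connect-ExchangeOnline -UserPrincipalName admin@fabrikam.onmicrosoft.com -Prefix TenantB -ShowBanner:$false

$usage = @('TenantA', 'TenantB') | ForEach-Object { Get-SharedDomainUsage -Domain 'contoso.com' -Prefix $_ }

# Full list for the migration plan, plus a summary of how much work sits in each tenant.
$usage | Sort-Object Tenant, Type, Identity | Export-Csv -NoTypeInformation -Path .\contoso-com-usage.csv
$usage | Group-Object Tenant, Usage | Select-Object Name, Count
```

Run it again after the domain migration: the domain can only be removed from its old tenant once the report is empty for that tenant, and the rows that remain in the other tenant are the objects whose sharing relationship has to be rebuilt against the new authoritative tenant.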

After you complete a domain migration for a shared domain, you will also need to reconfigure your tenant domain sharing relationships and possibly reconfigure the individual objects using the shared domain.  Once the native cross-tenant domain sharing functionality is fully released to the public, you can expect domain migration tools to report on all shared objects and to provide guidance for any tasks that cannot be automated and would need to be performed manually. 

Comparing to Third-Party Solutions 

As Microsoft continues to release features like cross-tenant domain sharing and Teams shared channels, you gain access to new options for solving your merger, acquisition, and divestiture needs. You might also identify opportunities to reduce reliance on third-party products. Native cross-tenant domain sharing is expected to be a viable alternative to third-party email rewrite services for meeting long-term coexistence needs with simple setup and management.  

For overall tenant-to-tenant migration planning, you should evaluate and test the standalone native features against third-party solutions to determine whether you can benefit from the task automation and integration that comes with a comprehensive tenant-to-tenant product. Often, your migration project’s answer is a balanced combination of both.  

Join Becky at TEC 2022 in Atlanta for More! 

Tenant-to-tenant migrations are not for the faint of heart. If you have a migration on the horizon or are in an acquisition-hungry environment, join the tenant migration experts at The Experts Conference 2022 to get a head start. Join Practical 365 author Becky Cross as she delivers the “5 Trends with M&A Cross-Tenant Coexistence.” Check out her session abstract: 

Cross-Tenant coexistence services have been static for a fairly long period, consisting primarily of limited GAL sync and free/busy services and maybe Domain sharing using address rewrite technologies. However, some emerging technologies will soon change much of what tenant administrators normally do to prepare their Microsoft 365 environments for collaboration during an M&A project. This session will help you prepare for them. 

About the Author

Becky Cross

Becky Cross is a Technical Product Management Senior Advisor at Quest Software. She is experienced with architecting migration and integration solutions and helps to guide product improvements that help companies achieve smooth integrations in today’s global workforce. Becky specializes in migrations, integrations, and long-term coexistence for Active Directory, Azure AD, and Office365 environments and workloads.

Comments

  1. Jakke2440

    Hello Becky, any idea if this is still on the table?

    1. Becky Cross

      Jakke, it is not on any upcoming roadmaps, but I imagine that Microsoft is still considering it, since it remains a highly desired feature and they have been releasing many other features to support multi-tenant organizations.

      As Portwajn suggested below, you should consider it off the table for now and look into third-party Domain Rewrite solutions to meet any immediate or upcoming needs. Perhaps we will see a native solution preview again in a few years.

    2. Mark Mason

      Are there any 3rd party tools that could help with cross tenant sharing of email domain names? Quest? Proofpoint?

      1. Becky Cross

        Yes, Quest and Proofpoint are two solutions that I’m aware of, both of which utilize matching between source and target accounts to rewrite message headers, described at a high-level in the following article – https://practical365.com/using-email-address-rewrite-to-alleviate-domain-sharing-challenges/.

        I don’t have details regarding Proofpoint’s solution, but I’ve talked to a few existing Proofpoint customers that used it successfully. Quest has a standalone product called ODM Domain Rewrite that is used by many companies, which you can find more info about on Quest’s website – https://www.quest.com/products/on-demand-migration/domain-rewrite.aspx

  2. Portwajn

    Unfortunately, this item is now postponed indefinitely, which in my book means we may stop considering it in our plans and roadmaps (at least until it’s updated with some new ETA). Sigh, well, move along, nothing to watch here.

    1. Peter Forster

      Correct – the item has now been completely removed from the roadmap.

    2. Chris Grit

      This is what I call “the arrogance of power” – but also “Pride comes before a fall”.

      In our case – a merger of a dozen smaller companies into a holding with 1.500 employees – we decided to switch to Slack Business. Exactly because Microsoft is so obviously indifferent to the needs of its customers.

  3. Sam Jackson

    Well, it’s February now and still no update on the MS Roadmap page, fingers crossed.

  4. Hannes Deburchgraeve

    Thanks for the clear article!

  5. Paul

    It seems it is now postponed to 02/23 🙁

    1. Becky Cross

      Thanks for the update; hopefully it doesn’t push out much further. I know a lot of folks are ready to start testing this.

  6. Rich Watkins

    Great write-up, Becky. Thank you.

  7. Amit kumar sinha

    This is awesome

  8. Peter

    [link to Blog 1] missing

    1. Becky Cross

      Peter, thank you for letting me know about the missing link. It is corrected and now routes to the article that discusses email rewrite services.
