Connect up to Five Microsoft 365 Tenants in a Multi-Tenant Organization for Richer Collaboration
When Microsoft introduced shared channels for Teams in 2022, they also introduced Azure B2B Direct Connect, a method of connecting tenants together in a mutual trust arrangement. Cross-tenant access policies are the underpinning of the mutual trust between tenants. As the name suggests, these policies dictate how tenants access each other’s resources. Cross-tenant synchronization is another capability controlled by cross-tenant access policies. In this case, the policy defines a trust relationship to synchronize directory objects between tenants.
Now Microsoft has multi-tenant organizations, a new Entra ID solution that’s available in preview. A multi-tenant organization (or MTO) is a set of up to five Entra ID tenants connected together by cross-tenant access policies to make directory synchronization seamless. The solution is directed at organizations that span multiple Microsoft 365 tenants that want to share a common directory and make it easier for users in the connected tenants to share information.
For now, the benefits of easier collaboration only extend to the new Teams 2.1 client, where Microsoft says that users:
- Receive real-time notifications from all tenants in the MTO.
- Don’t need to switch tenants before they can collaborate (chat, call, meet) with users in other MTO tenants. Teams supports federated chat with external people from other tenants. In an MTO, users from the tenants in the MTO are no longer considered external, so full chat features are available.
- Can set a separate status in each tenant.
In addition, the Microsoft 365 user profile card shows the organization name of a user. The Microsoft Teams development group’s blog gives more information about “seamless collaboration in Teams in a multi-tenant organization.”
When generally available, users participating in MTOs will require Entra ID Premium P1 licenses. Given that this is very much an enterprise play, the license requirement shouldn’t be an issue.
Creating a new Multi-tenant Organization
The structure of an MTO is:
- An owning tenant that creates the MTO. A tenant can only be a member of a single MTO.
- Up to four additional tenants added to the MTO.
- Each tenant connects to the other tenants with a cross-tenant synchronization configuration.
- Each tenant controls which users from its directory synchronize with the other tenants.
- Up to 100,000 users can synchronize from one tenant to another.
- Tenants can leave an MTO at any time. The MTO is removed when the owning tenant leaves it.
Because this is currently a preview feature, only tenants configured for targeted release can participate in an MTO.
To create a new MTO, go to the Org Settings section of the Microsoft 365 admin center and select the Organization profile tab. Choose Multitenant collaboration to create a new MTO. You can then enter the name of the new MTO, a description, and the tenant identifiers (GUIDs) for the member tenants. I chose to start by connecting with a single tenant (Figure 1).
Next, configure the synchronization settings for the connection between the owning tenant and the new member tenant. This is similar to the steps taken to create a cross-tenant synchronization configuration in the Entra ID admin center, but the operation is more automated and therefore easier in the Microsoft 365 admin center. The two settings exposed in Figure 2 control user synchronization and suppress the consent prompts that users would otherwise have to accept to allow their information to be shared through cross-tenant synchronization.
Move to the next screen to review the configuration of the MTO before clicking the big Create multitenant organization button to launch the process of populating Entra ID with the necessary properties. This includes preparing the nominated member tenants to join the MTO. However, because tenants operate on a mutual trust arrangement, the administrators of each member tenant must take explicit action to join the MTO. Essentially, this action, executed through the same option in the Microsoft 365 admin center, accepts an invitation from the owner tenant to participate in the MTO (Figure 3).
Entra ID Settings
Microsoft 365 makes use of the information synchronized between directories, but Entra ID controls the synchronization. Go to the External Identities section of the Entra ID admin center and you’ll find that a cross-tenant synchronization configuration now exists named MTO_Sync_tenantidentifier (Figure 4).
Configuration settings dictate which users the tenant synchronizes to the other tenant, and you can add users and security groups to the configuration to have them synchronize to the other tenant. I found that I had to change the synchronization setting from Manual to Automatic in some tenants, but apart from that, the configuration just worked.
Remember that the MTO is a Microsoft 365 feature built on top of Entra ID, so it’s easier to use the Share users option in the Multitenant collaboration section of the Microsoft 365 admin center to define the users that your tenant is willing to synchronize with all the other tenants in the MTO. In my case, I created a security group and populated it with all the member accounts from the tenant before adding it to the configuration (Figure 5). A dynamic security group also works and is easier to manage in terms of adding new accounts to the synchronize cycle.
If you want control at an individual tenant level (for instance, synchronize some users with one tenant and a different set with another), you can change the provisioning settings of the individual Entra ID configurations for each tenant. Before doing that, reflect that the idea behind the MTO is to have a common directory across the tenants in the MTO. That’s why the default is to synchronize the same users with all tenants.
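Because the MTO rests on the cross-tenant access policy partner configurations described above, it is worth checking from PowerShell that every partner carrying a synchronization configuration is actually a tenant you expect in the MTO, and that the consent suppression and inbound synchronization settings match what was chosen in the admin center. The script below is an added example, not code from the article; it uses the Microsoft Graph PowerShell SDK, the list of expected tenant identifiers is a placeholder you replace with your own, and the identity synchronization cmdlet and its tenant-id parameter name are as I understand the SDK, so verify them against your installed version.

```powershell
# Added example (not from the article): audit the cross-tenant access partner
# configurations that back an MTO. Requires the Microsoft Graph PowerShell SDK
# and the Policy.Read.All permission.
Connect-MgGraph -Scopes "Policy.Read.All" -NoWelcome

# Placeholder tenant identifiers: replace with the member tenants of your MTO
$ExpectedMtoTenants = @(
    "00000000-0000-0000-0000-000000000001",
    "00000000-0000-0000-0000-000000000002"
)

$Partners = Get-MgPolicyCrossTenantAccessPolicyPartner -All
$Report = foreach ($Partner in $Partners) {
    # Identity synchronization settings are a separate relationship of the partner
    # (cmdlet and parameter name assumed; check Get-Command for your SDK version)
    $Sync = Get-MgPolicyCrossTenantAccessPolicyPartnerIdentitySynchronization `
        -CrossTenantAccessPolicyConfigurationPartnerTenantId $Partner.TenantId `
        -ErrorAction SilentlyContinue

    [PSCustomObject]@{
        TenantId           = $Partner.TenantId
        InExpectedMto      = $ExpectedMtoTenants -contains $Partner.TenantId
        InboundSyncAllowed = [bool]$Sync.UserSyncInbound.IsSyncAllowed
        ConsentInbound     = $Partner.AutomaticUserConsentSettings.InboundAllowed
        ConsentOutbound    = $Partner.AutomaticUserConsentSettings.OutboundAllowed
    }
}

$Report | Format-Table -AutoSize

# Partners that allow inbound synchronization but are not on the expected list
# are the ones to review: they can populate your directory with member accounts
$Unexpected = $Report | Where-Object { $_.InboundSyncAllowed -and -not $_.InExpectedMto }
if ($Unexpected) {
    Write-Warning "Inbound synchronization is allowed from tenants outside the expected MTO:"
    $Unexpected | Format-Table TenantId, ConsentInbound, ConsentOutbound -AutoSize
}
```

Run this in each tenant of the MTO rather than only the owning tenant, since each tenant holds its own partner configurations and controls its own side of the trust.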
Members Not Guests
When Entra ID synchronizes accounts from a source tenant to a target tenant, it creates the entries in the target tenant as member accounts, not guest accounts. If you examine the properties of a synchronized account, you can see that the user principal name looks like a guest account but the user type is the same as a regular user account:
Id                : 8dd7fdd3-bc6f-4390-ae0a-5910ea577a7d
DisplayName       : Andy Ruth (Project Director)
UserPrincipalName : Andy.Ruth_office365itpros.com#EXTfirstname.lastname@example.org
Mail              : Andy.Ruth@office365itpros.com
UserType          : Member
Creating synchronized accounts as members with a specific form of UPN means that apps can easily distinguish accounts from an MTO and treat them differently to guest accounts. Quite how that happens within the new Teams client is a topic for a separate article.
At this point, the synchronized accounts have zero impact on other Microsoft 365 apps like Exchange, Planner, Viva Engage, or SharePoint Online. This might change in the future. From a user perspective, the synchronized accounts appear like other member accounts and can be treated as such.
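The combination of UserType and UPN format shown above is also what an administrator can use to inventory the accounts that cross-tenant synchronization has created in a tenant, and to tell them apart from guests. The script below is an added example, not code from the article; it assumes the Microsoft Graph PowerShell SDK and relies on the standard Entra ID convention that the UPN of an externally sourced account contains the #EXT# marker, while the Mail property keeps the address from the account’s home tenant.

```powershell
# Added example (not from the article): inventory accounts created by
# cross-tenant synchronization and contrast them with guest accounts.
# Requires the Microsoft Graph PowerShell SDK and User.Read.All.
Connect-MgGraph -Scopes "User.Read.All" -NoWelcome

$Properties = "Id", "DisplayName", "UserPrincipalName", "Mail", "UserType", "CreatedDateTime"

# Synchronized MTO accounts are Members whose UPN carries the #EXT# marker
$Synced = Get-MgUser -All -Filter "userType eq 'Member'" -Property $Properties |
    Where-Object { $_.UserPrincipalName -match '#EXT#' }

# Guests carry the same marker but a different UserType
$Guests = Get-MgUser -All -Filter "userType eq 'Guest'" -Property $Properties

Write-Host ("Synchronized member accounts: {0}; guest accounts: {1}" -f @($Synced).Count, @($Guests).Count)

# The Mail domain identifies the home tenant each synchronized account came from,
# so grouping by it shows how many accounts each MTO member tenant is sending
$Synced | Group-Object { ($_.Mail -split '@')[-1] } |
    Sort-Object Count -Descending |
    Select-Object @{ Name = "HomeDomain"; Expression = { $_.Name } }, Count |
    Format-Table -AutoSize

# Detail view, newest first, useful after a synchronization cycle runs
$Synced | Sort-Object CreatedDateTime -Descending |
    Select-Object DisplayName, Mail, UserType, CreatedDateTime, UserPrincipalName |
    Format-Table -AutoSize
```

A home domain you do not recognize as belonging to an MTO member tenant is the thing to chase, since it means a synchronization configuration is feeding member accounts into the directory from somewhere unexpected.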
The Start of the MTO Journey
The new multi-tenant organization is a preview feature. As such, we can expect that things might change between now and general availability. However, I don’t think the general structure will change, and MTOs will work as described, built on top of Entra ID cross-tenant synchronization configurations.
What will be interesting in the future is how this solution will affect ISVs that sell cross-tenant directory synchronization products. I think that MTOs satisfy some of the needs these products address, so the market will probably shrink. I’m also interested to see how tenant-to-tenant migration vendors adapt to this new influence. Will MTOs replace the need for some tenant-to-tenant migrations, or will an MTO be the opening step for others? We shall see.
And then there’s the question of Microsoft 365 apps. Teams has already said how it will take advantage of being able to distinguish between a synchronized user from a tenant within an MTO and other external accounts. We’ll have to wait and see how Outlook, Viva Engage, Planner, and other apps change, if at all. Overall, the MTO is an interesting prospect to contemplate.
For more information about Microsoft 365 multi-tenant organizations, read this article.