Connect up to Five Microsoft 365 Tenants in a Multi-Tenant Organization for Richer Collaboration

When Microsoft introduced shared channels for Teams in 2022, they also introduced Azure B2B Direct Connect, a method of connecting tenants together in a mutual trust arrangement. Cross-tenant access policies are the underpinning of the mutual trust between tenants. As the name suggests, the name dictates how tenants access each other’s resources. Cross-tenant synchronization is another capability controlled by cross-tenant access policies. In this case, it’s to define a trust relationship to synchronize directory objects between tenants.

Now Microsoft has multi-tenant organizations, a new Entra ID solution that’s available in preview. A multi-tenant organization (or MTO) is a set of up to five Entra ID tenants connected together by cross-tenant access policies to make directory synchronization seamless. The solution is directed at organizations that span multiple Microsoft 365 tenants that want to share a common directory and make it easier for users in the connected tenants to share information.

For now, the benefits of easier collaboration only extend to the new Teams 2.1 client, where Microsoft says that users:

  • Receive real-time notifications from all tenants in the MTO.
  • Don’t need to switch tenants before they can collaborate (chat, call, meet) with users in other MTO tenants. Teams supports federated chat with external people from other tenants. In an MTO, users from the tenants in the MTO are no longer considered external, so full chat features are available.
  • Can set a separate status in each tenant.

In addition, the Microsoft 365 user profile card shows the organization name of a user. The Microsoft Teams development group’s blog gives more information about “seamless collaboration in Teams in a multi-tenant organization.”

When generally available, users participating in MTOs will require Entra ID Premium P1 licenses. Given that this is very much an enterprise play, the license requirement shouldn’t be an issue.

Creating a new Multi-tenant Organization

The structure of an MTO is:

  • An owning tenant that creates the MTO. A tenant can only be a member of a single MTO.
  • Up to four additional tenants added to the MTO.
  • Each tenant connects to the other tenants with a cross-tenant synchronization configuration.
  • Each tenant controls what users from their directory synchronizes with the other tenants.
  • A maximum of up to 100,000 users can synchronize from one tenant to another.
  • Tenants can leave an MTO at any time. The MTO is removed when the owning tenant leaves it.

Because this is currently a preview feature, only tenants configured for targeted release can participate in an MTO.

To create a new MTO, go to the Org Settings section of the Microsoft 365 admin center and select the Organization profile tab. Choose Multitenant collaboration to create a new MTO. You can then enter the name of the new MTO, a description, and the tenant identifiers (GUIDs) for the member tenants. I chose to start by connecting with a single tenant (Figure 1).

Creating a new multi-tenant organization
Figure 1: Creating a new multi-tenant organization

Next, configure the synchronization settings for the connection between the owing tenant and the new member tenant. This is similar to the steps taken to create a cross-tenant synchronization configuration in the Entra ID admin center. The operation is more automated and therefore easier in the Microsoft 365 admin center. The two settings exposed in Figure 2 control user synchronization and suppress consent prompts that users would otherwise have to give to allow their information to be shared through cross-tenant synchronization.

Configuring synchronization settings for the new multi-tenant organization
Figure 2: Configuring synchronization settings for the new multi-tenant organization

Move to the next screen to review the configuration of the MTO before clicking the big Create multitenant organization to launch the process of populating Entra ID with the necessary properties. This includes preparing the nominated member tenants to join the MTO. However, because tenants operate on a mutual trust arrangement, the administrators of each member tenant must take explicit action to join the MTO. Essentially, this action, executed through the same option in the Microsoft 365 admin center, accepts an invitation from the owner tenant to participate in the MTO (Figure 3).

 A member tenant joins a multi-tenant organization
Figure 3: A member tenant joins a multi-tenant organization

Entra ID Settings

Microsoft 365 makes use of the information synchronized between directories, but Entra ID controls the synchronization. Go to the External Identities section of the Entra ID admin center and you’ll find that a cross-tenant synchronization configuration now exists named MTO_Sync_tenantidentifier (Figure 4)

The cross-tenant synchronization configuration created in Entra ID
Figure 4: The cross-tenant synchronization configuration created in Entra ID

Configuration settings dictate which users the tenant synchronizes to the other tenant and you can add users and security groups to the configuration to have them synchronize to the other tenant. I found that I had to change the synchronization setting from Manual to Automatic in some tenants, but apart from that, the configuration just worked.

Remember that the MTO is a Microsoft 365 feature built on top of Entra ID, so it’s easier to use the Share users option in the Multitenant collaboration section of the Microsoft 365 admin center to define the users that your tenant is willing to synchronize with all the other tenants in the MTO. In my case, I created a security group and populated it with all the member accounts from the tenant before adding it to the configuration (Figure 5). A dynamic security group also works and is easier to manage in terms of adding new accounts to the synchronize cycle.

Configuring users to synchronize within the multi-tenant organization
Figure 5: Configuring users to synchronize within the multi-tenant organization

If you want control at an individual tenant level (for instance, synchronize some users with one tenant and a different set with another), you can change the provisioning settings of the individual Entra ID configurations for each tenant. Before doing that, reflect that the idea behind the MTO is to have a common directory across the tenants in the MTO. That’s why the default is to synchronize the same users with all tenants.

Members Not Guests

When Entra ID synchronizes accounts from a source tenant to a target tenant, it creates the entries in the target tenant as member accounts, not guest accounts. If you examine the properties of a synchronized account, you can see that the user principal name looks like a guest account but the user type is the same as a regular user account:

Id                : 8dd7fdd3-bc6f-4390-ae0a-5910ea577a7d
DisplayName       : Andy Ruth (Project Director)
UserPrincipalName : Andy.Ruth_office365itpros.com#EXT#@o365maestro.onmicrosoft.com
Mail              : Andy.Ruth@office365itpros.com
UserType          : Member

Creating synchronized accounts as members with a specific form of UPN means that apps can easily distinguish accounts from an MTO and treat them differently to guest accounts. Quite how that happens within the new Teams client serves a separate article.

At this point, the synchronized accounts have zero impact on other Microsoft 365 apps like Exchange, Planner, Viva Engage, or SharePoint Online. This might change in the future. From a user perspective, the synchronized accounts appear like other member accounts and can be treated as such.

The Start of the MTO Journey

The new multi-tenant organization is a preview feature. As such, we can expect that things might change between now and general availability. However, I don’t think the general structure will change and MTOs will work as described based on top of Entra ID cross-tenant synchronization configurations.

What will be interesting in the future is how this solution will affect ISVs that sell cross-tenant directory synchronization products. I think that MTOs remove the need for some of the needs satisfied by these products, so the market will probably shrink. I’m also interested to see how tenant-to-tenant migration vendors adapt to this new influence. Will MTOs replace the need for some tenant-to-tenant migrations or will an MTO be the opening step for others? We shall see.

And then there’s the question of Microsoft 365 apps. Teams has already said how it will take advantage of being able to distinguish between a synchronized user from a tenant within an MTO and other external accounts. We’ll have to wait and see how Outlook, Viva Engage, Planner, and other apps change, if at all. Overall, the MTO is an interesting prospect to contemplate.

For more information about Microsoft 365 multi-tenant organizations, read this article.

On Demand Migration

Migrate all your workloads and Active Directory with one comprehensive Office 365 tenant-to-tenant migration solution.

About the Author

Tony Redmond

Tony Redmond has written thousands of articles about Microsoft technology since 1996. He is the lead author for the Office 365 for IT Pros eBook, the only book covering Office 365 that is updated monthly to keep pace with change in the cloud. Apart from contributing to Practical365.com, Tony also writes at Office365itpros.com to support the development of the eBook. He has been a Microsoft MVP since 2004.

Comments

  1. VirEl

    Hello Tony – long time no see, hope you’re doing great (as always).

    Quick question: beside fact that our Tenants users have that External logo beside their name ( I understand the logic behind this), in Chats MTO doesn’t give an option to the Members for uploading files, screen sharing, or to use apps or … pretty much anything except sending goofy gify stuff – can this be overridden? Any settings hidden somewhere … anything?

    It’s kind of funny that Guest users have full chat capability while Members are totally restricted. We hoped MTO would give us better than what we had with classic Azure B2B cross tenant config, but we ended up in a frustration.

    It sounded so cool in that Microsoft document.

      1. VirEl

        You were right, as always. It was the configuration issue. You’re a shrine. Thanks

  2. Jeff

    is there any information on how MTO introduced accounts affect MS Secure Score. It appears that Secure Score looks at all users including those synchronized via MTO

  3. Evan

    You state: “If you want control at an individual tenant level (for instance, synchronize some users with one tenant and a different set with another), you can change the provisioning settings of the individual Entra ID configurations for each tenant.”

    Is this still accurate now that you’ve dug further into MTO since you wrote this article? I’m wondering if MTO is a good fit for a parent company/subsidiaries structure where the parent company tenant would sync user with each subsidiary tenant, but there is no need for the subsidiary tenants to sync with each other (ie. hub/spoke vs full mesh)

  4. Federico

    Hello Tony
    When is the official release planned for everyone?

  5. Bertrand

    Great article thanks. Would that make accessing users easier (finding Guests) and collaborating in Teams sites better in any way?

  6. Stefan

    MTO is for five tenants only ? If I whant to connect like 50 tenants to form a MTO, what should I use then ?

    1. SenG

      It is unlikely to happen because shared channel & multi-tenant features touch the commercial licensing border of independent 365 org licenses. That’s why shared channels are limited when sharing with external people and guests.

      Connecting 50 tenants appear to have org design issue. You may redesign your organisation to live within limits & ecosystem or consider another platform that aligns with your expectations.

      1. Jetze Mellema

        There is a process to increase the limits of having more than 100k users in a tenant or to add more than 5 tenants in an MTO. Open a ticket with support AND allow ample time for Microsoft to put the change through their internal approval process and consequently roll-out to the global environment.

        I’m not sure what the level of pushback is when you actually want to do this for 50 tenants, but I have experience with the exception process to allow this for a tenant with more than 100k users.

  7. charles.s.howe@gmail.com

    How would licensing work for the various functions, would a person/user need to be licensed per tenant? Would a sync pull in that person as a member with licenses from the setup of the “home” tenant?

  8. Mark Lawton

    Hi Tony – have you seen anything in the pipeline that will allow an org to have 2 separate O365 Tenants, but use a single domain/MX (e.g. if they want to manage in-region but keep a single domain across the org). I do recall something in the roadmap but seems to have gone quiet.

    Mark

    1. Woody

      Not with multiple tenants, but consider a multi-geo tenant and/or using Administrative Units.

  9. sica

    So, it seems cross tenant sync is just a method to sync attribute and MTO is a complete solution. Is my understanding correct? Cross tenant sync will remain but MTO is a completer solution?

    1. SenG

      It depends on how you want the communication structure to appear between two organisations, how closely you wish to share the details with each other, and who will own the data in the conversations. In cross-tenants, the conversation is shared between two orgs through shared channels. You need to share each channel.

      In a multi-tenant org (MTO), each org owns its data, and the user’s user’s principal name (UPN) reflects the org’s domain. Channels are set up in the tenant’s own teams, so the history (and shared files) would appear only there.

      If you invite a vendor to help you with your org for a limited time and during the early stages of trust building, separate would be fine.

      If you are working with a strong collaboration for the long term on a specific topic/idea/innovation and share high trust, cross-origin will make sense.

      Tenants don’t need to be always external people. You may even structure your big org into several tenants as it suits the communication structure, data sharing and trust levels.

  10. Fede Massa

    Is that feautere will replace the Cross-tenant synchronization or it’s totally different? Witch is better to enable for a customer with two separated M365 Tenant?

    1. SenG

      No, they are not. MTO works in a different degree of collaboration than cross-domain. They have a different purpose. You may check my other comment to identify which is suitable for a given situation.

  11. John

    Hey Tony,
    Do you know if this does anything to address the synced objects appearing the the Teams address book but being not routable, so when choosing it to message, it sends to the internal tenant object which isnt checked?

    Ive raised it with my CSAM and trying to get in touch with the dev team but its slow, its addressed here and a pretty popular issue: https://techcommunity.microsoft.com/t5/microsoft-entra-azure-ad/ms-teams-in-cross-tenant-synchronization/m-p/3913738/emcs_t/S2h8ZW1haWx8dG9waWNfc3Vic2NyaXB0aW9ufExMWFJCSEhHU1E2RkFSfDM5MTM3Mzh8U1VCU0NSSVBUSU9OU3xoSw#M8715

    Anything that you could suggest?

    1. Avatar photo

      The basic issue here is that the original cross-tenant synchronization mechanism wasn’t tailored to support Microsoft 365 apps. The MTO is explicitly engineered to support Microsoft 365, so it looks (from initial tests) that the use objects synchronized to another tenant a) appear in the GAL and b) are routable because their SMTP mail address is valid.

  12. Nathan T W Smith

    Will this allow users from one tenant to log in to computers on another tenant?

  13. Gediminas

    I guess custom domains stills needs to be unique in each tenant..🤔

  14. Joseph Moran

    This is interesting. I manage two tenants for subsidiary companies that were originally conceived as separately operating entities, but over time have increasingly tried to operate as a single organization.

    I set up Cross-Tenant Sync back when it was in preview, and it’s been very helpful in simplifying sharing of OneDrive/SharePoint and some other stuff across tenants.

    Alas, I thought it was a panacea until I realized some of the limitations, such as the fact that when creating a M365 group in tenant A, tenant B users can be members but can’t directly access the group mailbox and calendar.

    Really hoping that MTO will address issues like this. Otherwise, joining the two tenants is where I’m ultimately headed, a task I do not relish…

    1. Travis H

      Do you think the limit of 5 will increased?

      1. SenG

        It won’t since the relaxation would have financial impact on Microsoft’s licensing. Please check my other comment

      2. Jetze Mellema

        This is not a hard limit, there is an exception process to allow more than 5 tenants. Open a support ticket to start the process…

  15. Charlie

    Are there plans for cross-cloud (GCCH Commercial) support for MTO?

  16. Jakke

    Would this MTO principle also work in a Hybrid environment?

  17. Skip

    I am unable to find “Multitenant collaboration” in my tenant as an option to enable. Wondering if this feature hasn’t rolled out yet to some tenants ?

      1. Francois

        Hi Tony, do you know if the tenant as to be in “targeted release for everyone” or would “targeted release for select users” would do the trick ? I only have a few admin account in that state.

        1. Erick

          Targeted release for select users works as long as the admin doing the configuration is included in that targeted release group.

  18. KP

    Very interesting question .. 🙂

    Will MTOs replace the need for some tenant-to-tenant migrations or will an MTO be the opening step for others?

  19. Bueschu

    Very interesting and helpfull.

Leave a Reply