Forum Discussion
38bacjac
Dec 02, 2024, Copper Contributor
Evaluating Azure Cross-Tenant Synchronization: Benefits and Concerns
We’re looking into this Azure feature and how it would benefit the 4 tenants we manage. Reading MS Learn and other articles, they highlight many of the benefits, but what about the gotchas?
Several areas of concern right off the bat are:
- How are users affected with devices not in Intune from one tenant (child - them) accessing a tenant with active CAPs (primary - us) that require compliant enrolled devices? Does the sync take precedence over the CAPs (Conditional Access Policies)?
- Are there any effects on guest user (b2b) access?
- How does this affect established SharePoint/OneDrive sharing access? Are the SP/OD sharing settings still in effect?
- When you sync identities, do you have granular control over what gets synced and to what resources?
- The known issues page brings up an issue with special characters. Our child tenants are in the EU, Africa, and China and use them. Has anyone had issues?
Thank you in advance for sharing your experiences with this.
3 Replies
Worth taking a look at this as well:
Azure resource organization in multitenant solutions - Azure Architecture Center | Microsoft Learn
- balasubramanim, Iron Contributor
Please try the below steps.
1. Device Compliance and CAPs - Users from a child tenant must meet the primary tenant's CAPs. If devices are not Intune-enrolled, access might be denied unless trust settings are configured to accept compliance claims from the child tenant.
2. Guest User Access - B2B guest access is unaffected, but cross-tenant access settings need to align with policies to avoid unintended access.
3. SharePoint/OneDrive Sharing - Existing sharing settings remain intact, but ensure external domains are included in collaboration settings to avoid invite issues.
4. Granular Control - You can control which users and attributes sync, ensuring only necessary data is shared.
5. Special Characters - Sync issues may occur with special characters in user attributes. Test with sample accounts and check Microsoft’s known issues for updates.
Reference URLs:
https://learn.microsoft.com/en-us/entra/external-id/cross-tenant-access-settings-b2b-collaboration
https://learn.microsoft.com/en-us/entra/external-id/authentication-conditional-access/
https://learn.microsoft.com/en-us/entra/external-id/cross-tenant-access-overview
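Point 1 above hinges on the primary tenant's inbound trust settings for the child tenant; the following is an added example (not code from this thread or from Microsoft) that configures and reads back those settings with the Microsoft Graph PowerShell SDK. It assumes you run it as an admin of the primary (resource) tenant and that `$childTenantId` is a placeholder for the child tenant's ID.

```powershell
# Added example, not from the thread: make the primary tenant accept the child
# tenant's Intune compliance and MFA claims so its users can satisfy device-based
# CAPs. Assumes the Microsoft.Graph SDK; $childTenantId is a placeholder value.
Connect-MgGraph -Scopes 'Policy.ReadWrite.CrossTenantAccess' -NoWelcome

$childTenantId = '00000000-0000-0000-0000-000000000000'   # placeholder: child tenant (them)

# Without inbound trust the primary tenant evaluates device compliance locally,
# finds no Intune record for the child tenant's device, and the CAP denies access.
# Devices that are not compliant in the child tenant either are still blocked.
$desired = @{
    inboundTrust = @{
        isMfaAccepted                       = $true
        isCompliantDeviceAccepted           = $true
        isHybridAzureADJoinedDeviceAccepted = $true
    }
    # Required on the resource side before cross-tenant synchronization can create users
    automaticUserConsentSettings = @{ inboundAllowed = $true }
}

$existing = Get-MgPolicyCrossTenantAccessPolicyPartner `
    -CrossTenantAccessPolicyConfigurationPartnerTenantId $childTenantId `
    -ErrorAction SilentlyContinue

if ($null -eq $existing) {
    $desired['tenantId'] = $childTenantId
    New-MgPolicyCrossTenantAccessPolicyPartner -BodyParameter $desired | Out-Null
} else {
    Update-MgPolicyCrossTenantAccessPolicyPartner `
        -CrossTenantAccessPolicyConfigurationPartnerTenantId $childTenantId `
        -BodyParameter $desired
}

# Read back what the primary tenant will now accept from the child tenant
$p = Get-MgPolicyCrossTenantAccessPolicyPartner `
    -CrossTenantAccessPolicyConfigurationPartnerTenantId $childTenantId
[pscustomobject]@{
    PartnerTenant          = $p.TenantId
    AcceptsMfa             = $p.InboundTrust.IsMfaAccepted
    AcceptsCompliantDevice = $p.InboundTrust.IsCompliantDeviceAccepted
    AcceptsHybridJoined    = $p.InboundTrust.IsHybridAzureADJoinedDeviceAccepted
    SyncInboundAllowed     = $p.AutomaticUserConsentSettings.InboundAllowed
} | Format-List
```

Run the read-back block on its own before changing anything to record the current trust state for each of the 4 tenants.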
- Paul Mitchell, Copper Contributor
Shared channels appear to work as expected, but how about direct chat post MTO? User A in tenant A can find User B in tenant B inside Teams, User B has the correct synced details etc.
However, User B must switch tenants to reply to the chat message. Is this expected?