Forum Discussion
Cross-tenant synchronization and resource access
Hello
My company is investigating options pertaining to splitting a set of users into a separate Entra ID tenant. This is being driven from a political and governance perspective whereby a portion of the organisation is looking to split away from the conglomerate for their cloud identities only (not the on-premises AD).
They effectively want their users and Entra ID identities to be moved to a new Entra ID tenant; however, they still want to maintain access to the source tenant resources and applications for a period of time (potentially ongoing).
For the purpose of my questions, assume that:
- existing on-premises domain is orga.internal
- existing Entra ID tenant is OrgA.onmicrosoft.com
- new Entra ID tenant is OrgB.onmicrosoft.com
Ultimately the goal is to migrate user identities, their M365 license and mailbox to OrgB.onmicrosoft.com whilst still enabling them to access the cloud resources attached to OrgA.onmicrosoft.com.
Looking at the capabilities of the cross-tenant synchronisation service to sync users from OrgA.onmicrosoft.com to OrgB.onmicrosoft.com, I'm not sure if this will meet my requirements as it will effectively sync the users from OrgA.onmicrosoft.com to OrgB.onmicrosoft.com as B2B guests. Is that correct?
If my understanding is correct what we really need to do is:
- Migrate Entra ID identities and mailboxes to OrgB.onmicrosoft.com, removing the OrgA.onmicrosoft.com account in the process
- Use cross-tenant synchronisation to sync the new OrgB.onmicrosoft.com identities back to OrgA.onmicrosoft.com as B2B guests whereby access to resources is provided to the guest account.
If this is correct, then is it technically supported to have multiple instances of Entra ID Cloud Sync synchronising a subset of the orga.internal users to the Entra ID tenant OrgB.onmicrosoft.com whilst another instance of Cloud Sync continues to sync orga.internal users to the existing OrgA.onmicrosoft.com Entra ID tenant? I can't seem to find any reference to this architecture in the MS doco.
I can see this scenario referenced in the legacy Cloud Connect doco but not in the newer Cloud Sync agent doco.
Any advice is appreciated.
1 Reply
You can control the user type as part of the sync; they don't necessarily need to be synced as guests.
You can have multiple instances of Entra Connect to separate tenants; the supported topologies are listed here: https://learn.microsoft.com/en-us/entra/identity/hybrid/connect/plan-connect-topologies
Cloud sync doesn't yet support this, afaik, here's the corresponding documentation: https://learn.microsoft.com/en-us/entra/identity/hybrid/cloud-sync/plan-cloud-sync-topologies
Whether the solution outlined above will do depends on several factors, such as the workloads and applications involved. My advice is to spin up some test tenants and try to replicate the current and intended configuration as closely as possible in order to discover issues early in the process.
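The reply notes that the synced user type is configurable, which is exactly the thing worth verifying in the test tenants it recommends before any OrgA accounts are removed. The following script is an added example and is not code from the thread or from Microsoft; it audits, from the OrgA side, how OrgB identities actually landed (guest vs member), whether the same person exists twice, and whether any of those accounts are still being fed from orga.internal. It assumes the Microsoft.Graph PowerShell module is installed, that the signed-in admin can grant User.Read.All, and it uses the thread's placeholder tenant names.

```powershell
# Added example, not part of the forum thread: audit how identities from the
# OrgB tenant appear in the OrgA tenant after cross-tenant synchronization.
# Assumes the Microsoft.Graph module and an admin who can consent to User.Read.All;
# tenant names are the thread's placeholders, not real tenants.
Connect-MgGraph -Scopes "User.Read.All" -NoWelcome

$sourceDomain = "OrgB.onmicrosoft.com"   # tenant the users were migrated to

# Pull every user once, requesting only the attributes the report needs.
$props = @("Id", "UserPrincipalName", "Mail", "UserType", "ExternalUserState",
           "OnPremisesSyncEnabled", "AccountEnabled")
$allUsers = Get-MgUser -All -Property ($props -join ",")

# Guests that originate from OrgB. B2B guest UPNs take the form
# alice_OrgB.onmicrosoft.com#EXT#@OrgA.onmicrosoft.com
$guestsFromB = $allUsers | Where-Object {
    $_.UserType -eq "Guest" -and $_.UserPrincipalName -like "*_$sourceDomain#EXT#@*"
}

# Members whose mail still points at OrgB: either the sync was configured to
# create members instead of guests, or a stale OrgA account survived the move.
$membersFromB = $allUsers | Where-Object {
    $_.UserType -eq "Member" -and $_.Mail -like "*@$sourceDomain"
}

# The same person present twice (guest and member) is the state most likely to
# leave duplicated or forgotten access grants behind after the migration.
$duplicates = foreach ($g in $guestsFromB) {
    $twin = $membersFromB | Where-Object { $_.Mail -and $_.Mail -eq $g.Mail }
    if ($twin) {
        [pscustomobject]@{ Mail = $g.Mail; GuestId = $g.Id; MemberId = ($twin.Id -join ",") }
    }
}

# Summary. OnPremisesSyncEnabled on a member with OrgB mail means that account is
# still sourced from orga.internal by Connect/Cloud Sync, i.e. a double-sync path.
[pscustomobject]@{
    GuestsFromOrgB            = @($guestsFromB).Count
    MembersWithOrgBMail       = @($membersFromB).Count
    GuestMemberDuplicates     = @($duplicates).Count
    DisabledGuests            = @($guestsFromB | Where-Object { -not $_.AccountEnabled }).Count
    GuestsPendingRedemption   = @($guestsFromB | Where-Object { $_.ExternalUserState -eq "PendingAcceptance" }).Count
    OnPremSyncedMembersFromB  = @($membersFromB | Where-Object { $_.OnPremisesSyncEnabled }).Count
} | Format-List

# Detail rows for anything that needs manual cleanup.
$duplicates | Format-Table -AutoSize
```

Run it against the test OrgA tenant after each sync configuration change: a non-zero GuestMemberDuplicates or OnPremSyncedMembersFromB count shows that the OrgA account removal or the on-premises scoping filter is not yet complete, and GuestsPendingRedemption indicates guests who will still be prompted to redeem their invitation unless the cross-tenant access settings suppress that step.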