SOLVED

Sync users from tenant A to tenant B both ways


Hi everyone,

I am trying to find an easy solution for the following scenario:

I have tenant A and tenant B.
I would like to sync or copy all the users from tenant A to tenant B as guests. Easy so far.
The main problem is that I would need that every time a user is removed from tenant A, they are automatically removed from tenant B as well.

Does anyone have any idea of how this could be achieved in an easy way? 

Thank you,
Ramona

7 Replies
The easy way would be to use third-party tools that specialize in this scenario. Those of course cost some $$$, so you might do it yourself instead via scheduled PowerShell scripts, Azure functions or whatever your preferred automation method is.

The biggest challenge for the "Do it yourself" scenario is to detect new or deleted objects in those two directories, especially for deleted objects. You either have a separate "internal" store that keeps track of objects (accounts) you synchronized previously (like Azure AD Connect has "metaverse") or you always need to query all objects and compare them across the directories.

If you are looking for a simple solution, I agree with Vasil you should look for a third-party tool.

Hi Vasil, David,

Thanks a lot for your answers!

Do you have any points to add also for the more difficult scenario, such as the synchronized collaboration?

I have found a short description in the following article on global tenant topology when using synchronized collaboration on B2B https://aka.ms/multi-tenant-users but they mention a sync engine such as MIM is used.

I hope I understand correctly, but now that you've mentioned Azure Connect metaverse, are you by any chance aware if it could be used for sync between cloud only tenants as sync engine?

Hi @ramonabadea,

I believe that AAD Connect uses MIM synchronization engine "under the hood" but the tool doesn't work for cross AAD tenant sync. If you choose to use MIM, as long as you have AAD P1 or P2 licenses (and a Windows Server OS license), you should be able to use it: https://azure.microsoft.com/en-us/pricing/details/active-directory/

The "Multi-tenant User Collaboration Patterns..." whitepaper talks about three distinct scenarios with different solutions. From your initial description I would think that the "Scripted collaboration" scenario (with Delta Queries, and MS Graph) would be a good fit for you, unless you require more advanced features for M365. Or have you concluded you need those advanced features?

Hi again David,

No advanced feature for M365 needed, the use case is very simple, just user sync between two different tenants.

I thought global tenant topology would be shorter in time to implement, but I think MIM is a tool that will be deprecated at some point or out of support anyways - found some article that mentioned the end of this year.

So maybe, the scripted solution is indeed the only accessible...

best response confirmed by ramonabadea (New Contributor)
Solution

I would personally avoid using the "resource tenant" pattern if there are only two tenants in the picture, I like simplicity.
I am not aware of any plans to decommission MIM as a product but anyway, if I were you, I would explore the Scripted collaboration option and use e.g. Azure Functions (PowerShell) to implement this "push" automation using Delta Query.

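As an added example (not code from this thread, David, or Microsoft), the following PowerShell script shows what the "scripted collaboration" push that David recommends, and the "internal store" problem he raised earlier for detecting deletions, look like in practice: one Graph delta query against tenant A, a local JSON state file holding the last deltaLink plus a map of source user id to guest object id in tenant B, invitations for new users, and deletion of the matching guest when a source user is removed. It assumes two app registrations you create yourself (application permissions User.Read.All in tenant A; User.Invite.All and User.ReadWrite.All in tenant B), PowerShell 7 (for `ConvertFrom-Json -AsHashtable`), and every tenant id, app id, secret and path shown is a placeholder.

```powershell
# Added example: one-way "push" sync of tenant A users into tenant B as B2B guests using
# Microsoft Graph delta query. The state file is the "internal store" that remembers what
# was synchronized, so deletions in A can be mirrored to B without re-reading both tenants.
# Runs as a scheduled script or as the body of an Azure Functions PowerShell timer trigger.
# All ids, secrets and paths are placeholders (assumptions), not values from the thread.
param(
    [string]$SourceTenantId    = 'TENANT-A-ID-PLACEHOLDER',
    [string]$SourceClientId    = 'TENANT-A-APP-ID-PLACEHOLDER',
    [string]$SourceSecret      = $env:SOURCE_CLIENT_SECRET,   # app with User.Read.All in tenant A
    [string]$TargetTenantId    = 'TENANT-B-ID-PLACEHOLDER',
    [string]$TargetClientId    = 'TENANT-B-APP-ID-PLACEHOLDER',
    [string]$TargetSecret      = $env:TARGET_CLIENT_SECRET,   # app with User.Invite.All + User.ReadWrite.All in tenant B
    [string]$StatePath         = "$PSScriptRoot\sync-state.json",
    [string]$InviteRedirectUrl = 'https://myapps.microsoft.com'
)

$ErrorActionPreference = 'Stop'
$Graph = 'https://graph.microsoft.com/v1.0'
$DeltaStart = "$Graph/users/delta?`$select=id,userPrincipalName,mail,accountEnabled"

function Get-GraphToken([string]$TenantId, [string]$ClientId, [string]$Secret) {
    # Client-credentials flow; the .default scope grants the app's consented application permissions.
    $body = @{ client_id = $ClientId; client_secret = $Secret; grant_type = 'client_credentials'
               scope = 'https://graph.microsoft.com/.default' }
    (Invoke-RestMethod -Method Post -Uri "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token" -Body $body).access_token
}

function Invoke-Graph([string]$Token, [string]$Method, [string]$Uri, $Body = $null) {
    $params = @{ Method = $Method; Uri = $Uri; Headers = @{ Authorization = "Bearer $Token" } }
    if ($Body) { $params.Body = ($Body | ConvertTo-Json -Depth 5); $params.ContentType = 'application/json' }
    Invoke-RestMethod @params
}

# State = last deltaLink from tenant A + map of source user id -> guest object id in tenant B.
$state = if (Test-Path $StatePath) { Get-Content $StatePath -Raw | ConvertFrom-Json -AsHashtable }
         else { @{ deltaLink = $null; map = @{} } }

$srcToken = Get-GraphToken $SourceTenantId $SourceClientId $SourceSecret
$dstToken = Get-GraphToken $TargetTenantId $TargetClientId $TargetSecret

# First run: full enumeration (Graph returns every user, then a deltaLink).
# Later runs: only users created, changed or deleted since the stored deltaLink.
$uri = if ($state.deltaLink) { $state.deltaLink } else { $DeltaStart }
$changes = @()
do {
    try {
        $page = Invoke-Graph $srcToken 'Get' $uri
    } catch {
        # An expired delta token comes back as 410 Gone: drop it and start a fresh full enumeration.
        if ([int]$_.Exception.Response.StatusCode -eq 410) { $uri = $DeltaStart; continue }
        throw
    }
    $changes += $page.value
    $uri = $page.'@odata.nextLink'
} while ($uri)
$state.deltaLink = $page.'@odata.deltaLink'

foreach ($u in $changes) {
    if ($u.'@removed') {
        # Removed in tenant A: delete the matching guest in tenant B, but only one we created ourselves.
        $guestId = $state.map[$u.id]
        if ($guestId) {
            Write-Host "Removing guest $guestId (source user $($u.id), reason: $($u.'@removed'.reason))"
            Invoke-Graph $dstToken 'Delete' "$Graph/users/$guestId"
            $state.map.Remove($u.id)
        }
    }
    elseif (-not $state.map.ContainsKey($u.id) -and $u.mail) {
        # New (or not yet synced) user with a mail address: invite as a B2B guest into tenant B.
        $invite = Invoke-Graph $dstToken 'Post' "$Graph/invitations" @{
            invitedUserEmailAddress = $u.mail
            inviteRedirectUrl       = $InviteRedirectUrl
            sendInvitationMessage   = $false
        }
        Write-Host "Invited $($u.mail) as guest $($invite.invitedUser.id)"
        $state.map[$u.id] = $invite.invitedUser.id
    }
}

# Persist the deltaLink and the mapping for the next run.
$state | ConvertTo-Json -Depth 5 | Set-Content $StatePath
```

Two points a practitioner should keep in mind with this design. The script only deletes guests it recorded in its own map, so guests that were invited by other means in tenant B are never touched; and the state file is security-relevant in its own right, since the deltaLink inside it can be replayed to enumerate directory changes, so in an Azure Function it belongs in storage the function identity alone can read, not in the code package. Deleted users in Azure AD stay restorable for a period after deletion, so a deleted-then-restored source user will reappear as a new entry in a later delta and simply be re-invited.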
Thanks a lot for the recommendation and help, David :)