Seamless Application Access and Lifecycle Management for Multi-tenant Azure AD Organizations
Published Jan 31 2023 09:00 AM
Microsoft

Hello, 


Today I'm thrilled to announce that cross-tenant synchronization is in public preview!  

 

Your organization may have recently acquired a new company, merged with another company, or restructured around newly formed business units. As your organization evolves, your IT team adapts to meet its changing needs. This often includes integrating with an existing Azure Active Directory (Azure AD) tenant or forming a new one. Regardless of how your identity infrastructure is managed, we know how critical it is that end users have a seamless experience accessing resources and collaborating across tenants. Cross-tenant synchronization lets you provide that seamless access and collaboration experience across the tenants in your organization.

 

Today, you may be using custom scripts or on-prem solutions to stitch the tenants together and provide a seamless experience across tenants. You have told us, when it comes to collaboration within your organization, you want to: 

 

  1. Ensure users can seamlessly access applications, even when the applications are hosted in different tenants within your organization. 
  2. Minimize user friction by enabling admins to consent, on behalf of users, to share data across tenants in an organization. 
  3. Automatically keep accounts in sync across tenants and remove them when users leave the organization, all without custom scripts or homegrown solutions. 

We’ve heard you, and you can now enable these scenarios with built-in Azure AD features. Cross-tenant synchronization lets you automate the creation of user accounts across tenants in your organization. Users created by the synchronization process continue to authenticate the same way they do in their primary tenant, and each application can have Conditional Access policies applied as appropriate. So now users across your organization can access applications regardless of the tenant that hosts them, including Microsoft applications and non-Microsoft applications such as ServiceNow, Adobe, and hundreds more SaaS apps.

 

Behind the scenes and transparent to the user, the sync process leverages our robust Azure AD B2B functionality and is fully integrated with Azure AD’s security and governance capabilities such as conditional access, cross-tenant access settings, and entitlement management.  

 

Get started with cross-tenant synchronization, in three easy steps  

 

Let’s walk through an example of how an organization, Contoso, uses cross-tenant synchronization to provide users access to applications across tenants in the organization. 

 

Contoso is a manufacturing company based in the US. They recently acquired companies in Europe and Asia to expand their global presence, each with an existing Azure AD tenant. Users from the Contoso US tenant need to access applications integrated with the newly acquired Contoso EMEA and Contoso APAC tenants. To facilitate collaboration, the IT admins at Contoso had written custom scripts to automate the creation of B2B users across tenants. Unfortunately, the scripts are error-prone and only one person at Contoso knows how they work.

 

Contoso heard about the out-of-the-box cross-tenant synchronization feature and enabled synchronization in an afternoon, allowing them to retire the custom scripts. Here’s how they did it.

 
 

Step 1 - Enable cross-tenant synchronization and auto-redemption in the target tenants 

The admins of Contoso APAC and Contoso EMEA already have cross-tenant access policies in place that trust multifactor authentication (MFA) from the Contoso US tenant. They simply navigate to the cross-tenant access settings and tick a checkbox to enable cross-tenant synchronization and auto-redemption. Auto-redemption means synchronized users are not shown the B2B invitation consent prompt the first time they access the target tenant. With a click of a checkbox, the target tenant admins are done!

 

No more managing app credentials and rotating secrets as they did previously with their custom script.  

 

 
[Screenshots: the target tenant's inbound cross-tenant access settings, with the cross-tenant synchronization and auto-redemption checkboxes selected]
 

 

Step 2 – Enable cross-tenant synchronization in the source tenant 

The admin of Contoso US enables cross-tenant synchronization and specifies the following:  

 

  • Which users to synchronize (based on group membership). 
  • What attributes to synchronize (name, department, directory extensions, etc.). 
  • Any desired transformations, such as adding the domain to the end of the display name. 

 

New users are automatically provisioned across tenants and able to access the applications they need, without facing any consent prompts when they access resources in a new tenant for the first time. Existing B2B users created by their old script are updated, according to the rules specified above.  

 

Step 3 – Monitor cross-tenant synchronization 

The admin of Contoso US monitors all the users created across the tenants in their organization using the provisioning logs and even builds a custom dashboard to visualize the data using Azure Monitor. In the dashboard below, the admin from Contoso US can see all the tenants that a user, Nestor, from the Contoso US tenant has access to. Nestor has access to two tenants (Contoso EMEA and Contoso APAC) alongside some applications (ServiceNow and Zscaler Two) that he was previously provisioned into. Now that the admin of Contoso US can see that cross-tenant sync is working, they can decommission their custom scripts!

 

 

[Figure: Azure Monitor dashboard showing the tenants (Contoso EMEA, Contoso APAC) and applications (ServiceNow, Zscaler Two) that Nestor has been provisioned into]
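As an added example (not Microsoft's code and not part of the original post), the following Python script reproduces the Step 3 check in code rather than in a dashboard: it reads provisioning-log records exported as one JSON object per line, lists the target tenants each synchronized user currently holds an account in, and surfaces failed provisioning attempts for follow-up. The records are constructed to resemble the field names of Microsoft Graph provisioning logs; the user names, tenant names and error reason are made up.

```python
import json
from collections import defaultdict

# Constructed sample records modelled on the field names of Microsoft Graph
# provisioning logs (provisioningObjectSummary); names and reasons are made up.
SAMPLE_LOG = """\
{"activityDateTime":"2023-01-31T16:01:05Z","provisioningAction":"create","sourceIdentity":{"displayName":"Nestor","identityType":"User"},"targetSystem":{"displayName":"Contoso EMEA"},"provisioningStatusInfo":{"status":"success"}}
{"activityDateTime":"2023-01-31T16:01:09Z","provisioningAction":"create","sourceIdentity":{"displayName":"Nestor","identityType":"User"},"targetSystem":{"displayName":"Contoso APAC"},"provisioningStatusInfo":{"status":"success"}}
{"activityDateTime":"2023-01-31T16:02:30Z","provisioningAction":"create","sourceIdentity":{"displayName":"Megan","identityType":"User"},"targetSystem":{"displayName":"Contoso EMEA"},"provisioningStatusInfo":{"status":"failure","errorInformation":{"reason":"constructed: target rejected create"}}}
{"activityDateTime":"2023-01-31T16:03:00Z","provisioningAction":"create","sourceIdentity":{"displayName":"Adele","identityType":"User"},"targetSystem":{"displayName":"Contoso APAC"},"provisioningStatusInfo":{"status":"success"}}
{"activityDateTime":"2023-02-01T09:00:00Z","provisioningAction":"delete","sourceIdentity":{"displayName":"Adele","identityType":"User"},"targetSystem":{"displayName":"Contoso APAC"},"provisioningStatusInfo":{"status":"success"}}
{"activityDateTime":"2023-02-01T09:05:00Z","provisioningAction":"update","sourceIdentity":{"displayName":"Nestor","identityType":"User"},"targetSystem":{"displayName":"Contoso EMEA"},"provisioningStatusInfo":{"status":"success"}}
"""

def parse_log(text):
    """One JSON record per line (blank lines skipped), sorted by time so a
    later event for the same user/tenant pair overrides an earlier one."""
    events = [json.loads(line) for line in text.splitlines() if line.strip()]
    return sorted(events, key=lambda e: e["activityDateTime"])

def tenant_access(events):
    """Map each synced user to the target tenants they currently hold an
    account in: the latest successful action per user/tenant must be a
    create or update; a later delete or disable removes that tenant."""
    latest = {}
    for e in events:
        if e["provisioningStatusInfo"]["status"] != "success":
            continue
        key = (e["sourceIdentity"]["displayName"], e["targetSystem"]["displayName"])
        latest[key] = e["provisioningAction"]
    access = defaultdict(set)
    for (user, tenant), action in latest.items():
        if action in ("create", "update"):
            access[user].add(tenant)
    return {user: sorted(tenants) for user, tenants in access.items()}

def failed_events(events):
    """(user, tenant, reason) for every failed attempt, so the admin can act
    on it rather than learn of a missing account from a user complaint."""
    out = []
    for e in events:
        info = e["provisioningStatusInfo"]
        if info["status"] == "failure":
            reason = info.get("errorInformation", {}).get("reason", "unknown")
            out.append((e["sourceIdentity"]["displayName"],
                        e["targetSystem"]["displayName"], reason))
    return out
```

Running `tenant_access(parse_log(SAMPLE_LOG))` shows Nestor in both Contoso APAC and Contoso EMEA, while Adele, whose account was later deleted, no longer appears, matching the leaver scenario the post describes.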

 

 

What customers are saying 

DB Systel, IT subsidiary and digital partner of German Rail, drives the digitalization of all DB AG companies. The company develops customized solutions and consulting services based on the highest IT standards and innovative topics. To do this, DB Systel applies its substantial railway and IT expertise.

 

“Cross-tenant sync allows us to connect the different tenants of our company and enables a more seamless way of interaction for our employees across all Microsoft products. We therefore reduce operational costs and increase our tenant security, as no dedicated on-premises accounts are necessary. We fully rely on Azure AD’s multi-tenant collaboration capabilities.” 

 

Automating the creation of user accounts across tenants in your organization, at its core, is about freeing your time to pursue other ways to improve your organization. With cross-tenant synchronization in public preview, we’re eager for your feedback on how to improve it even further.  

 

Go enable cross-tenant synchronization today. We love hearing from you, so share your feedback on these new features through the Azure forum or by tagging @AzureAD on Twitter.  
 

Joseph Dadzie, Partner Director of Product Management

Linkedin: @joedadzie

Twitter: @joe_dadzie

 

 

Learn more about Microsoft identity: 

Last update: Feb 01 2023 01:38 PM