Mergers, Acquisitions and Day 1 – Azure AD Cross-Tenant Synchronization

I would like to dedicate this post to a much-needed topic that personally pushed me to try a lot of methods and to get creative, because this is one of the main tasks an organization or its management expects an IT specialist to get done.

Day 1. More precisely, Day 1 after a merger or an acquisition. A lot of hard work goes into reaching agreements between the two parties (organizations), and from a technical standpoint one of the key topics is (or can be) Identity and Access. Identity and Access need to be done right so that the employees on both ends can work seamlessly, yet this is one of the things that takes time to figure out: access to resources such as SharePoint, Teams, documents, apps and so on. I will be discussing this along with the new Azure AD features, some still in Preview, which you can test today and which can surely help make Day 1 go smoothly.

Identity and Access have become one of the core denominators of today’s IT ecosystem, and before looking at the things that can make Day 1 go smoother, let’s see what can go wrong, given that organizations these days are connected to Azure AD and have their identities either synced from on-prem AD via Azure AD Connect or created directly in Azure AD as cloud-only accounts.

  • Access to SharePoint Document Libraries
  • Multi-Factor Authentication issues
  • Device Compliance
  • App access
  • Secondments from one Org to the other Org
  • Manager changes
  • Cross-business activities
  • Access to mail distribution lists

To prepare for the above requirements as well as other unforeseen requirements/ issues, the backend infrastructure must be robust, prepared, and should be ready to go.

My personal experience/ struggle

Guest accounts are good, but not every time; it depends on the requirement. They are practical in some scenarios, such as giving someone outside the organization (tenant) temporary access to resources, or adding an outsider (I’m not using the term “External” here because that has a different meaning in Microsoft Teams) to a Team. However, when you need to give access to a bunch of people at once, adding them as Guests can be a tedious process.

There are user type issues (Member vs. Guest), access to resources is limited, instructing Guests what to do when they get the invitation email is another headache, and the chances that they miss, skip or leave it unread are very high. Access to apps can be very limited if an app does not support the Guest account type, and Guests can flood your Azure AD tenant with stale accounts whose lifecycle is very hard to track: when the account is deleted in the Azure AD tenant that houses it, it is not deleted from the Azure AD tenant that holds the Guest record. There were no workflows to maintain the account lifecycle in both locations at once.

Yes, you can come up with other (third-party) solutions where you create your own workflows to manage accounts, but most likely you will have to pay another per-user license on top of what you are already paying, and managing another service to maintain accounts is more admin overhead.

Basically, I was looking for three things:

  • Auto redemption of the Guest invite
  • Change UserType from Guest to Member – I tried several methods using the Azure AD PowerShell module
  • Guest user lifecycle management – auto deletion of the Guest account when the source tenant removes the account

Advancements of Azure AD B2B Collaboration

I have discussed what Microsoft has done on that front in one of my previous posts (linked below). This is interesting as it eliminates some of the manual activities.

Further to that, the settings below make the Azure AD of the trusting end honor the configuration of the other tenant.

Trust Settings

Consent Prompt

At the time of writing this is still in Public Preview. However, this is a “game changer” of a setting: provided you have enabled it on both ends, Guests won’t have to provide consent when they accept the Guest invite. In fact, Guests can be added without any hassle. If you are concerned about security, the idea behind this is that both ends have already trusted each other’s tenants, so the consent is skipped as the result of a mutual understanding.

This can eliminate a step-by-step guide sent to the Guest user of the other tenant. That’s a win, right?

User Group Management

Trusting two Azure AD tenants doesn’t mean you need to sync all users into the respective Azure AD. Well, you can. But if your requirement is to sync only a subset of users because they need to access an app published in the source Azure AD, this feature has the option of scoping the user groups.
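As an added example (not part of the original post, and not Microsoft's tooling), the Python below audits the settings discussed under Trust Settings and Consent Prompt for one source -> target pair: it reads the two partner configurations as each tenant would export them from Microsoft Graph and reports what would still block automatic redemption or inbound sync. The JSON shape (automaticUserConsentSettings, inboundTrust, identitySynchronization.userSyncInbound) follows the Graph v1.0 crossTenantAccessPolicyConfigurationPartner resource as I know it; the tenant IDs and all values are constructed.

```python
"""Audit one source -> target cross-tenant sync relationship from exported partner configs.
Constructed example: the dicts mimic what each tenant returns for
GET /policies/crossTenantAccessPolicy/partners/{tenantId} (Graph v1.0
crossTenantAccessPolicyConfigurationPartner); tenant IDs are placeholders."""

SOURCE_TENANT = "00000000-0000-0000-0000-00000000000a"  # placeholder: tenant that owns the users
TARGET_TENANT = "00000000-0000-0000-0000-00000000000b"  # placeholder: tenant receiving B2B users

# Stored in the SOURCE tenant about the TARGET partner (outbound side of the relationship).
source_partner_cfg = {
    "tenantId": TARGET_TENANT,
    "automaticUserConsentSettings": {"inboundAllowed": None, "outboundAllowed": True},
}

# Stored in the TARGET tenant about the SOURCE partner (inbound side of the relationship).
target_partner_cfg = {
    "tenantId": SOURCE_TENANT,
    "automaticUserConsentSettings": {"inboundAllowed": False, "outboundAllowed": None},
    "inboundTrust": {
        "isMfaAccepted": True,
        "isCompliantDeviceAccepted": False,
        "isHybridAzureADJoinedDeviceAccepted": False,
    },
    "identitySynchronization": {"userSyncInbound": {"isSyncAllowed": True}},
}

def _get(cfg, *path):
    """Walk nested keys; a missing key reads as None, like a null ('not set') in Graph."""
    for key in path:
        if not isinstance(cfg, dict):
            return None
        cfg = cfg.get(key)
    return cfg

def audit_pair(source_cfg, target_cfg):
    """Return findings (strings) for the source -> target sync relationship; [] means ready."""
    findings = []
    if _get(source_cfg, "automaticUserConsentSettings", "outboundAllowed") is not True:
        findings.append("source: outbound automatic redemption off; users still get the consent prompt")
    if _get(target_cfg, "automaticUserConsentSettings", "inboundAllowed") is not True:
        findings.append("target: inbound automatic redemption off; invites stay unredeemed")
    if _get(target_cfg, "identitySynchronization", "userSyncInbound", "isSyncAllowed") is not True:
        findings.append("target: inbound user sync not allowed; provisioning will fail")
    # Trust settings make this tenant honor the partner's MFA/device claims; list each one that is on.
    trust = _get(target_cfg, "inboundTrust") or {}
    for claim in ("isMfaAccepted", "isCompliantDeviceAccepted", "isHybridAzureADJoinedDeviceAccepted"):
        if trust.get(claim) is True:
            findings.append(f"target: honors partner {claim}; confirm the partner enforces it")
    return findings
```

Run it against the constructed pair and it reports that the target still has inbound automatic redemption switched off (so the consent prompt would still appear) and that it honors the partner's MFA claim.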

But, is There a Best Case Scenario? Yes, There Is One

I’ve been looking for this unicorn for a while, wrote to people, checked for third-party products, but was left with nothing. So this sounds very tempting.

Microsoft has recently announced the Public Preview of one of the most anticipated features: Azure AD Cross-Tenant Synchronization.

You can see the feature under the External Identities in the Entra Portal today.

This builds on the above-mentioned B2B Collaboration feature, and with the new features you now have the ability to run automated or on-demand syncs, and the Guest user lifecycle is completely taken care of by the configuration.

At a very high level, you can refer to the diagram below to understand how the relationship between two or more tenants works.

High-Level Topology (From: Microsoft Learn)

Cross-Tenant Sync Topologies

As you can see below, the synchronization is very flexible and they have covered all scenarios. It’s just a matter of creating the configuration settings, setting the inbound and outbound settings, and you are off to the races. I have taken the diagrams below from the Microsoft Learn article.

Single source with a single target

Single tenant with multiple targets

Multiple sources with a single target

Mesh peer-to-peer

UserType Attribute Member Vs. Guest

This is another interesting change. The UserType attribute for a standard Guest account was simply Guest (userType == Guest). This has limitations when you are trying to provide access to resources, and some apps won’t support a userType of Guest. Of course you can run a script that calls the Azure AD PowerShell module and changes the user type to Member, but that means you need to set up a listener-type service so that whenever a Guest account is added and that Guest’s domain is “.xyz”, the user type gets converted.

Well, I’m glad Microsoft has automated this part. It can now be done easily because there is an attribute mapping in the sync configuration, so it is taken care of when the Guest is created.

Behavior of the Global Address List

Another challenge that most organizations probably went through or are going through: we have two or more Azure AD tenants, a new acquisition or a merger happened, and now we need both ends to see each other in their Global Address Lists for email. This was something I personally struggled with: creating contacts, changing attributes, and so on.

With the attribute mapping below, this is totally taken care of. The Guest user will start appearing in the GAL of the other Exchange Online environment. Easily done!

The result is shown below.

See how my demo users Bo Katan and Din, who come from emsroute.com, are showing up in the 3gty1x.onmicrosoft.com GAL.

Behavior of Teams and Microsoft 365 in general

Without going into too much detail, I’m pointing to Microsoft’s comment on this.

From Microsoft’s text:

Users created by cross-tenant synchronization will have the same experience when accessing Microsoft Teams and other Microsoft 365 services as B2B collaboration users created through a manual invitation. The userType property on the B2B user, whether guest or member, does not change the end-user experience. Over time, the member userType will be used by the various Microsoft 365 services to provide differentiated end user experiences for users in a multi-tenant organization.

Clean Up to Get Ready?

Yes, I meant that. This feature is very future-proof and already answers many of the questions that organizations dealing with multiple Azure AD tenants have.

As workarounds you may have adopted third-party products or DIY scripts to automate things, or something as simple as creating batches of mail contacts.

To test with a pilot batch of users, the current setup may be fine to continue as is. Also, this feature is still in Preview, meaning there is a chance that Microsoft will enhance the functionality when it goes GA and provide standard support.

The good thing is that if and when you head down this path, your current Guest users from the desired Azure AD tenant can be converted. I will talk about the technical steps in an upcoming post.

Wrapping up

This is a GREAT start towards connecting Azure AD tenants together when you need that seamless connectivity, preparing things for Day 1, and addressing collaboration going forward. I’m looking forward to writing about the technical nitty-gritty of this feature soon!

Until then.



3 thoughts on “Mergers, Acquisitions and Day 1 – Azure AD Cross-Tenant Synchronization”

  1. If you use Teams, right now cross-tenant sync is going to cause you issues. The sync works great for Outlook, SharePoint, AD, etc. but with Teams it’s a cluster F. If you add someone from the other org in your Teams with the synced account info, the other user gets an invite where they have to sign in to your tenant’s Teams and they don’t get the message in their running Teams, and have to switch in Teams to each other’s org. If you paste the other person’s email address in Teams and choose to search globally, then you will get the correct link to add the user and they will receive your message right in their running Teams instance and not be forced to log in to your Teams tenant.
    see: https://techcommunity.microsoft.com/t5/microsoft-entra-azure-ad/ms-teams-in-cross-tenant-synchronization/m-p/3782720

    Good luck!
