Multi-Tenant Organizations: What Configuration Changes


When you configure a Multi-Tenant Organization (MTO) in the Microsoft 365 Admin Center, settings change across several services. These enable features such as member or guest sync, cross-tenant people search and different meeting-join behaviour (people from the other tenants in the MTO are treated as internal when joining meetings).

You can put all of this together by hand, but the M365 Admin Center wizard will also do it for you. The wizard is documented elsewhere, so this post only looks at what actually gets changed.

Cross-Tenant Sync

Setting up an MTO enables user sync between all the tenants in the MTO. Two settings are needed in each receiving tenant: permission for the other tenant to sync users into it, and suppression of the consent prompt at a user's first cross-tenant sign-in. Both live in the Entra ID Portal > External Identities > Cross-Tenant Access Settings, in the row for each external tenant in the MTO, under Inbound: Trust Settings > Automatically redeem invitations with [tenant name], and Cross-Tenant Sync > Allow users sync into this tenant.

Trust Settings
Cross-Tenant Sync
Users in the Entra ID portal showing different source identities; "Other tenant – synced" users are those from the other tenant(s)

Each tenant receives synced copies of the users from all the other tenants. In the two screenshots above, Chandler was created in the lower tenant and synced to the upper one, and Monica the reverse.

The MTO Status in the M365 Admin Center (only one tenant shown)
The synced user, with synced attributes present that have been copied across via sync from the other tenant so that People Search can work
Attribute changes (Job Title, for example) sync within about 20 minutes, and if the user referenced in Manager is also in the sync scope, the Manager property is updated too.

People Search

Once the users are synced across, you can search for them in applications such as Teams, SharePoint and Exchange Online. It is not immediate: they should turn up within a few days, and Microsoft says to wait 7 days before raising a support request. A user only appears if they are synced, so make sure new users are added to the sync scope in their home tenant.

People Search shows attributes such as display name, first and last name, job title and manager. The manager needs to be synced as well, but if they are, the organization chart in People Search is populated correctly. Although you can set a user's manager to a user in another tenant, this breaks once sync completes, because the same person is a different object (a different ObjectID) in each tenant. You can set a manager or direct report manually in every tenant. A manager and direct report who are in the same tenant and both in scope of sync will sync, but if they are in separate tenants the reference does not sync (the error is UnableToResolveReferenceAttributeValue). Note that if the manager differs between tenants, sync keeps resetting it every 20 minutes in an attempt to correct it.
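Because a manager reference only survives sync when manager and report share a home tenant and both are in scope, it is worth checking the inventory before widening the sync scope. The function below is an added example, not code from this post: its inventory rows, tenant names and UPNs are constructed, and in practice you would build the list from each tenant's users (GET /users?$expand=manager) together with the assignment list of the cross-tenant sync application.

```python
"""Pre-check manager references before scoping users into cross-tenant sync.

Added example, not code from the original post. Inventory rows are
constructed; tenant names and UPNs are made up.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class User:
    upn: str
    home_tenant: str            # tenant that masters the object
    manager_upn: Optional[str]  # Manager as set in the home tenant, or None
    in_sync_scope: bool         # assigned to the cross-tenant sync app at home


def manager_sync_problems(users: list[User]) -> dict[str, list[str]]:
    """Return UPNs of in-scope users whose Manager will not sync cleanly.

    cross_tenant_manager  - manager mastered in a different tenant: fails with
                            UnableToResolveReferenceAttributeValue (per the post)
    manager_not_in_scope  - same tenant, but the manager object will not exist
                            in the target tenant, so the org chart has a hole
    manager_unknown       - manager UPN not present in the inventory at all
    """
    by_upn = {u.upn: u for u in users}
    problems: dict[str, list[str]] = {
        "cross_tenant_manager": [],
        "manager_not_in_scope": [],
        "manager_unknown": [],
    }
    for u in users:
        if not u.in_sync_scope or u.manager_upn is None:
            continue  # not being synced, or no manager reference to resolve
        mgr = by_upn.get(u.manager_upn)
        if mgr is None:
            problems["manager_unknown"].append(u.upn)
        elif mgr.home_tenant != u.home_tenant:
            problems["cross_tenant_manager"].append(u.upn)
        elif not mgr.in_sync_scope:
            problems["manager_not_in_scope"].append(u.upn)
    return problems


# Constructed inventory: two tenants, each syncing into the other.
SAMPLE_USERS = [
    User("alice@contoso.example", "contoso", "bob@contoso.example", True),
    User("bob@contoso.example", "contoso", None, True),
    User("carol@contoso.example", "contoso", "dave@fabrikam.example", True),
    User("dave@fabrikam.example", "fabrikam", None, True),
    User("erin@fabrikam.example", "fabrikam", "frank@fabrikam.example", True),
    User("frank@fabrikam.example", "fabrikam", None, False),
    User("grace@fabrikam.example", "fabrikam", "zed@fabrikam.example", True),
]

if __name__ == "__main__":
    for kind, upns in manager_sync_problems(SAMPLE_USERS).items():
        print(f"{kind}: {upns}")
```

Run it against the inventory of every tenant in the MTO before assigning users to the sync application; anything in the first two buckets will either error or show an empty manager in the other tenants.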

The People Card

Calendar

Calendar (free/busy) sharing between organizations is a feature of Exchange Online that has existed for years. Multi-Tenant Organizations lets you turn it on between your tenants with one click (per tenant). It is not enabled by default, and it only works when all mailboxes are in one place, i.e. all in Exchange Online rather than a hybrid with some mailboxes on Exchange Server.

Enabling sharing of free/busy information for calendars

Under MTO this setting is at Manage Settings > Edit calendar settings; the underlying organization relationship is also visible in the Exchange Online Admin Center > Organization > Sharing. Creating the organization relationship through MTO fails if one already exists in Exchange Online, so if it was already set up there, MTO shows an unticked box even though the relationship is in place and working.

Calendar sharing is one-way, so you need to configure it in each tenant separately.

MFA and Device Trust

MTO does not set up trust for multi-factor authentication or devices. Now that the partner tenants exist in cross-tenant access settings, go to Entra ID > External Identities > Cross-Tenant access settings > each tenant > Inbound > Configure > Trust Settings (or configure the default settings) and turn on each of the following as you require, then repeat in the other tenants. Bear in mind that trusting a partner's MFA or device claims means your Conditional Access policies will accept them, so the partner tenant's MFA strength and device management become part of your own trust boundary:

  • Trust multifactor authentication from Microsoft Entra tenants
  • Trust compliant devices
  • Trust Microsoft Entra hybrid joined devices
Cross-tenant trust for Conditional Access rules
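The two per-partner settings the wizard turns on (automatic invitation redemption and inbound user sync, from the Cross-Tenant Sync section above) and the three trust settings it leaves alone all live in the same Microsoft Graph objects, so one script can audit them across every partner tenant. The script below is an added example, not the post's or Microsoft's code. It assumes the Graph v1.0 resource shapes named in its docstring, and the three JSON documents it works on are constructed samples with made-up tenant IDs; in practice you would fetch them with a token holding Policy.Read.All.

```python
"""Audit Microsoft Entra cross-tenant access settings for MTO partner tenants.

Added example, not code from the original post. Document shapes follow the
Graph v1.0 resources crossTenantAccessPolicyConfigurationDefault
(GET /policies/crossTenantAccessPolicy/default),
crossTenantAccessPolicyConfigurationPartner (.../partners) and
crossTenantIdentitySyncPolicyPartner (.../partners/{tenantId}/identitySynchronization).
The sample documents below are constructed, with made-up tenant IDs.
"""
from typing import Any, Optional

# Setting name -> key path inside a partner (or default) configuration document.
# The first two are what the M365 admin center MTO wizard turns on per partner;
# the three trust settings are NOT touched by the wizard and must be set by
# hand when Conditional Access requires MFA or a compliant/hybrid-joined device.
CHECKS: dict[str, tuple[str, ...]] = {
    "auto_redeem_inbound":    ("automaticUserConsentSettings", "inboundAllowed"),
    "user_sync_inbound":      ("identitySynchronization", "userSyncInbound", "isSyncAllowed"),
    "trust_mfa":              ("inboundTrust", "isMfaAccepted"),
    "trust_compliant_device": ("inboundTrust", "isCompliantDeviceAccepted"),
    "trust_hybrid_joined":    ("inboundTrust", "isHybridAzureADJoinedDeviceAccepted"),
}
MTO_REQUIRED = ("auto_redeem_inbound", "user_sync_inbound")


def _lookup(doc: Any, path: tuple[str, ...]) -> Optional[bool]:
    """Walk a key path; None if any segment is absent, null or not a bool."""
    for key in path:
        if not isinstance(doc, dict):
            return None
        doc = doc.get(key)
    return doc if isinstance(doc, bool) else None


def effective_settings(partner: dict, sync: Optional[dict], default: dict) -> dict[str, bool]:
    """Resolve each setting for one partner tenant.

    In Graph a null partner-level value means "inherit from the default
    policy", so nulls are resolved against the default document. The
    identitySynchronization object exists only per partner (no default), so a
    missing value there simply means sync is not allowed.
    """
    merged = dict(partner)
    merged["identitySynchronization"] = sync or {}
    out: dict[str, bool] = {}
    for name, path in CHECKS.items():
        value = _lookup(merged, path)
        if value is None and path[0] != "identitySynchronization":
            value = _lookup(default, path)
        out[name] = bool(value)
    return out


def mto_gaps(partner: dict, sync: Optional[dict], default: dict) -> list[str]:
    """Wizard-set settings that are not effectively enabled for this partner."""
    eff = effective_settings(partner, sync, default)
    return [name for name in MTO_REQUIRED if not eff[name]]


# --- constructed sample documents (made-up tenant IDs) -----------------------
DEFAULT_POLICY = {
    "isServiceDefault": False,
    "inboundTrust": {
        "isMfaAccepted": False,
        "isCompliantDeviceAccepted": False,
        "isHybridAzureADJoinedDeviceAccepted": False,
    },
    "automaticUserConsentSettings": {"inboundAllowed": None, "outboundAllowed": None},
}

# Partner A: configured by the MTO wizard, with MFA trust then added by hand.
PARTNER_A = {
    "tenantId": "11111111-1111-1111-1111-111111111111",
    "inboundTrust": {"isMfaAccepted": True, "isCompliantDeviceAccepted": None,
                     "isHybridAzureADJoinedDeviceAccepted": None},
    "automaticUserConsentSettings": {"inboundAllowed": True, "outboundAllowed": True},
}
SYNC_A = {"tenantId": PARTNER_A["tenantId"], "userSyncInbound": {"isSyncAllowed": True}}

# Partner B: added as a plain B2B partner and never run through the wizard;
# modelled with no identitySynchronization document at all.
PARTNER_B = {
    "tenantId": "22222222-2222-2222-2222-222222222222",
    "inboundTrust": None,
    "automaticUserConsentSettings": None,
}
SYNC_B = None

if __name__ == "__main__":
    for partner, sync in ((PARTNER_A, SYNC_A), (PARTNER_B, SYNC_B)):
        print(partner["tenantId"], effective_settings(partner, sync, DEFAULT_POLICY),
              "MTO gaps:", mto_gaps(partner, sync, DEFAULT_POLICY))
```

The null-means-inherit rule is why "or just configure the default" above matters: a partner row that shows a setting as inherited is only as good as the default policy, and this audit reports the effective value rather than what the partner row literally contains.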

Labels

You can have a label under each user in each tenant (in Teams only at the time of writing) that shows either nothing (rather than "External", which is shown by default), a label per tenant (for example, with a tenant per country, you could label the tenants "UK", "NL" and so on), or a single label for all synced users. This can only be set by the MTO owner tenant, and only after some time (it was not available immediately as I write this). It is also a preview feature, which may be the reason.

Sharing

Users from each tenant are synced as members when MTO is set up in the M365 Admin Center. You can change this via the Cross-Tenant Sync settings in the Entra ID portal so that users are guests in the other tenants, but users who are members in the other tenant get a more seamless collaboration experience. This includes access to files shared with "People in your organization" links, which widens who counts as your organization: existing links of that kind become usable by synced members from the other tenants. Consider sensitivity labels if you need to limit who can open a file shared that way.

Sharing settings can be adjusted per site in the SharePoint Online admin center, or globally in several places; in the SharePoint Online Admin Center they are under Policies > Sharing.

Sensitivity labels, like sharing policies, are not changed by MTO, so you adjust them in the Compliance Admin Center.

Meetings

You can join Teams meetings as a synced member or a synced guest. For a guest user the Guest Access policies apply (https://admin.teams.microsoft.com/company-wide-settings/guest-configuration), but for a member account the standard policies (Global by default) apply. If you want different policies for synced users, create a dynamic group and assign one or more Teams policies to its members.

