When you configure a Multi-Tenant Organization in the Microsoft 365 Admin Center, changes are made across several services. These enable features such as member or guest sync, cross-tenant people search and different meeting-join behaviour (people from the other tenants are treated as internal when joining meetings).
You can put all of these features together by hand, but the M365 Admin Center wizard will also do it for you. The wizard itself is documented elsewhere, so this post only looks at what it changes.
Cross-Tenant Sync
Setting up a Multi-Tenant Organization (MTO) enables user sync between all the tenants in the MTO. This requires permission for the other tenants to sync into your tenant, and removal of the consent prompt at the first cross-tenant login. You will find these settings in the Entra ID Portal > External Identities > Cross-Tenant Access Settings. In the row for each external tenant in the MTO, under Inbound, you will find both Trust Settings > Automatically redeem invitations with company name, and Cross-Tenant Sync > Allow user sync into this tenant.
Each tenant ends up with synced copies of the users from all the other tenants. In the two pictures above, user Chandler was created in the lower tenant and synced to the upper tenant, and the reverse for user Monica.
People Search
Once the users are synced you can search for them in applications like Teams, SharePoint and Exchange Online. It is not immediate: they should turn up within a few days, and Microsoft says to wait 7 days before raising a support request! Of course, a user has to be synced to appear, so make sure new users are added to the sync scope in their home tenant.
People Search shows attributes such as display name, names, job title and manager. The manager must also be synced for this to work, but if they are, the organization chart is populated correctly in People Search. Although you can set a user's manager to a user in another tenant, this breaks once sync completes, because the same person is known by a different ObjectID in each tenant. You can set a manager/direct report manually in every tenant. A manager and direct report who are in the same tenant and both in scope of sync will sync correctly, but if the manager and direct report are in separate tenants the reference will not sync (the error is UnableToResolveReferenceAttributeValue). Note also that if the manager differs between tenants, sync will keep resetting it every 20 minutes in an attempt to correct it.
Calendar
Calendar sync is a feature of Exchange Online that has existed for years. Multi-Tenant Organizations let you turn it on between your tenants with one click (per tenant). It is not enabled by default, and it only works where all mailboxes are in a single place, i.e. all in Exchange Online rather than some in Exchange Server and the rest in Exchange Online.
Under MTO this setting is located in Manage Settings > Edit calendar settings. It can also be found in the Exchange Online Admin Center > Organization > Sharing. Setting up the organization relationship under MTO when it already exists in Exchange Online will fail the MTO configuration step, so if it is already in place in Exchange Online, MTO will show an unticked box even though it is in place and working.
Calendar sharing is one-way: you need to configure it on both sides separately.
MFA and Device Trust
MTO will not set up a trust for multi-factor authentication or devices, but the cross-tenant access settings now exist for each partner tenant, so go to Entra ID > External Identities > Cross-Tenant access settings > each tenant > Inbound > Configure > Trust Settings (or just configure the default) and turn on each of the following as you require (and repeat in the other tenants):
- Trust multifactor authentication from Microsoft Entra tenants
- Trust compliant devices
- Trust Microsoft Entra hybrid joined devices
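As an added example (not from the original post, and not Microsoft's own guidance), the following read-only Microsoft Graph PowerShell audit lists, per partner tenant, the settings discussed in the Cross-Tenant Sync and MFA and Device Trust sections: automatic invitation redemption, inbound user sync, and the three trust toggles that MTO does not switch on for you. It assumes the Microsoft.Graph.Identity.SignIns module and the Policy.Read.All scope; the function name Get-MtoPartnerAudit is mine.

```powershell
# Added example, not from the original post: audit what the MTO wizard (and any manual
# Trust Settings changes) left in cross-tenant access settings, per partner tenant.
# Read-only. Assumes the Microsoft.Graph.Identity.SignIns module is installed.
Import-Module Microsoft.Graph.Identity.SignIns
Connect-MgGraph -Scopes "Policy.Read.All" -NoWelcome

function Get-MtoPartnerAudit {
    # Each partner object is one row under Cross-Tenant Access Settings.
    $partners = Get-MgPolicyCrossTenantAccessPolicyPartner -All
    foreach ($p in $partners) {
        # Inbound user sync is a separate object under the partner. The call fails when
        # cross-tenant sync was never configured for this partner; report that as "not allowed".
        $syncAllowed = $false
        try {
            $sync = Get-MgPolicyCrossTenantAccessPolicyPartnerIdentitySynchronization `
                -CrossTenantAccessPolicyConfigurationPartnerTenantId $p.TenantId -ErrorAction Stop
            $syncAllowed = [bool]$sync.UserSyncInbound.IsSyncAllowed
        } catch { }

        [pscustomobject]@{
            PartnerTenantId   = $p.TenantId
            # "Automatically redeem invitations" (removes the first-login consent prompt)
            AutoRedeemInbound = $p.AutomaticUserConsentSettings.InboundAllowed
            UserSyncInbound   = $syncAllowed
            # The three Trust Settings toggles; $null means "inherit from default policy"
            TrustMfa          = $p.InboundTrust.IsMfaAccepted
            TrustCompliant    = $p.InboundTrust.IsCompliantDeviceAccepted
            TrustHybridJoined = $p.InboundTrust.IsHybridAzureAdJoinedDeviceAccepted
        }
    }
}

# Partners with unset trust toggles inherit the default policy, so show it alongside.
$default = Get-MgPolicyCrossTenantAccessPolicyDefault
$default.InboundTrust |
    Select-Object IsMfaAccepted, IsCompliantDeviceAccepted, IsHybridAzureAdJoinedDeviceAccepted

Get-MtoPartnerAudit | Format-Table -AutoSize
```

Run it in every tenant of the MTO: a trust or redemption setting enabled in one direction only is exactly the asymmetry the portal makes easy to miss.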
Labels
You can have a label under each user in each tenant (in Teams only at the time of writing) that shows either nothing (rather than “External”, which is shown by default) or a label per tenant (for example, if you have a tenant per country you could label each tenant “UK”, “NL” etc.). Or you could have a single label per synced user. This can only be set by the MTO owner tenant, and only after some time (it is not available immediately, as I write this). It is also a preview feature, so that might be the reason too!
Sharing
Users from each tenant are synced as members when MTO is set up in the M365 Admin Center. You can change this via the Cross-Tenant Sync settings in the Entra ID portal (so users become guests in the other tenants), but users who are members in the other tenants get a more seamless collaboration experience. This includes access to files via “people in your organization” sharing links. Consider using sensitivity labels if you need to limit who can access a file shared with a “people in your organization” link.
Sharing settings can be adjusted per site in the SharePoint Online admin center, or globally in a number of places; in the SharePoint Online Admin Center it is under Policies > Sharing.
Sensitivity labels, like sharing policies, are not changed by MTO, so you adjust these via the Compliance Admin Center.
Meetings
You can join Teams meetings as a synced member or a synced guest. If you are a guest user, the Guest Access policies apply (https://admin.teams.microsoft.com/company-wide-settings/guest-configuration); if you are a member account, the standard policies (Global by default) apply. If you want different policies for synced users, create a dynamic group and then one or more Teams policies that apply to members of that group.