I saw this issue in July 2025 for the first time and worked around it but did not document it here. By November I had the pleasure of staffing the Microsoft Entra stand at the massive Microsoft Ignite conference in San Francisco answering any and all questions pass my way (that is good fun, and hello to you if I answered your questions). Within a few hours of being on the stand I had this question twice – organizations where setting up Multi-Tenant Organizations (MTO) and the sync was not working. More specifically when you go to start the sync you cannot as certain options that you need to select are greyed out. You can make a new sync, but the pre-created sync settings are broken.
The bottom line to this is that you can fix this issue by deleting the sync settings that MTO creates automatically and letting MTO create them again. Let’s walk through this process.
You start in the M365 Admin Center > Settings > Org Settings > Multitenant Collaboration. You create a new multitenant organization and you fill in the details for the tenant in your organization you want to connect to your current tenant.
On the second page of the setup wizard, select both the option to sync into this tenant and suppress consent prompts. The click Next and create the multitenant organization.
This will provide a link for you to send to the administrator of the other organization. They follow the link, or choose to join a multitenant organization and enter your tenant ID. They should then complete the settings as shown:
Once the multitenant organization is completely set up, the management page informs you to “Use the Share users button in the multitenant collaboration page to select users and groups you want to share across the organization.” So we are going to test our sync process from the child tenant (the second one added) to the parent tenant. For this we will use a group called “Sync To Parent Tenant” with just two users in (for testing).
The Share Users button will appear once all the MTO settings are in place. This typically takes 5 minutes:
Once the multitenant organization is fully synced in the background, clicking the “Share Users” button shows a flyout as follows:
As the current user scope is correct for my testing, I will click “Share current user scope” rather than edit the users and share a different set of users:
This configures the sync and sets up the sharing of users. This should work, and should return the following:
But if instead of sharing the default list of users, you choose “Edit the users for simplified sync”
If you edit the users here and click Save then the sync is set up in Entra and provisioned for you successfully. But if you go to the Entra ID portal > Cross-Tenant Synchronization page you will see your target tenant under Configurations but it will not be ready to use.
Change the provisioning mode to Automatic, expand the Admin Credentials section and click Test Connection.
This will break the ability for the sync tool to start. You need to start the user sync settings from the M365 Admin center, as that will fully configure the Entra ID Sync. Manually visiting this page will stop it working. So to fix if this has happened, is to close the above dialog and delete the cross-tenant sync in the Entra ID portal for this organization.
Once it has been deleted (hit refresh on the page a few times to confirm) and then return to the MTO page in the M365 Admin Center and fully refresh that browser page. This will trigger both the deletion and then recreation of the provisioning settings. This will take 20-30 minutes at most.
Whilst the sync configuration is broken, the “Share Users” flyout warns that “We can’t share with users or groups…”. Once it is fixed it does NOT warn that the configuration is not in place.
So from this view:
To this:
From here click either of the “Share current…” or “Edit users…” buttons to start the sync – don’t attempt to start it in the Entra ID admin portal. You can edit Entra ID sync from the Entra ID portal later, for example with the need to change the mapping for userType to “Member” and “All the time” (so external guests that are synced become external members) and optionally updating displayName to an expression:
Finally, other attributes to sync include Company Name, mobile, and usageLocation are good to include in the multi-tenant organization.
Photo by Landiva Weber from Pexels: https://www.pexels.com/photo/abstract-background-with-colorful-circles-27645908/
Leave a Reply