To Multitenant or not to Multitenant?

In recent months Microsoft has made leaps and bounds in supporting multitenant organizations, using cross-tenant synchronization to build a seamless end-user experience. Have they succeeded? Almost! Let’s take a look in this last blog post of the year.

Why even have multiple tenants?

In a perfect world, every organization would have its own Entra ID tenant as it ultimately makes it easiest to manage. However, organizations may happen to have multiple tenants whether by choice or happenstance.

Multiple tenants for global organizations can make sense in terms of segmentation, security, and management. In other instances, acquisitions or mergers may create the scenario where users from two or more different tenants are now required to collaborate and communicate with each other and access each other’s resources.

To aid collaboration between different Entra tenants, Microsoft initially developed the B2B Collaboration and B2B Direct Connect concepts. These allow users from different tenants to either have guest accounts created in the target tenant upon invitation (in the case of B2B Collaboration) or connect directly to resources without requiring a guest account (in the case of B2B Direct Connect).

While these options work great for occasional ad-hoc collaboration, they both require a user from the source tenant to first invite the external user. Hardly a nice solution for users expecting to have the same access regardless of which tenant they belong to. To remedy this, Microsoft released cross-tenant synchronization:

Cross-tenant Synchronization

Just recently released into General Availability, cross-tenant synchronization allows two tenants to synchronize their user identities in various configurations and topologies.

In essence it automates lifecycle management of B2B collaboration users but does little more than that. It helps in scenarios where traditionally invitations would be sent to individual users needing to collaborate between the two tenants. Instead of doing it on a user-by-user basis, cross-tenant synchronization allows specified groups of users (or the entire tenant) to be synchronized all at once.

Multitenant Organizations (MTO)

Currently in preview is Multitenant Organizations (MTO) in Microsoft 365, which builds on top of cross-tenant synchronization (in fact, it creates similar configurations). In addition, MTO also synchronizes People Search, enabling search and discovery of users across multiple tenants. This creates a much more seamless experience for end users, as they no longer have to know exactly who they need to collaborate with.

The settings are managed within the M365 Admin portal instead of through Entra ID, but still have many of the same prerequisites as cross-tenant synchronization (since that’s what is used under the hood).

Configuration is simpler than the cross-tenant synchronization settings: the only steps required are sending invitations to the other tenants to join the multitenant collaboration and selecting the users to be synchronized across.
Each multitenant collaboration is made up of a single ‘Owner’ tenant, with all other tenants being invited in by the owner as ‘Members’.

When a member tenant accepts the invitation (which requires an administrator to do so from within the M365 Admin Portal), a cross-tenant synchronization configuration is created, named ‘MTO-Sync_’ followed by the tenant ID of the owner tenant.

Advanced provisioning settings, such as mappings, can be configured within that cross-tenant configuration if required.

For the best experience in multitenant organizations, users need the new Microsoft Teams desktop client. With the new Teams desktop client, users can:

  • Receive real-time notifications from all the tenants in your multitenant organization.
  • Participate in chats, meetings, and calls across all of the tenants without dropping from a call or meeting to switch tenants.
  • Set their status for each account and organization individually.
  • See the organization name and email address on the user profile card.
  • Avoid the performance limitations experienced when switching from tenant to tenant.

However, there are still quite a number of outstanding issues, especially with MTO and Teams. For example:

  • The Microsoft Teams audio and video call buttons direct the call to the local tenant’s Teams instance and not the target tenant’s Teams instance, causing confusion for end users.
  • The current experience provides limited information on the people card (basic contact information, job title and office location).
  • There is no external tag to differentiate synced users and internal users. For example, if there was a megan@fabrikam and megan@Contoso there’s no (External) tag to show that megan@fabrikam is a different user.
  • Converting an external guest into an external member or converting an external member into an external guest isn’t currently supported by Teams.

This is likely why the features are still listed as a preview, and it is highly encouraged to test with a small number of users before rolling this out.
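Because synced accounts carry no External tag in Teams, an admin in a member tenant may want an inventory of what MTO has actually created. The following Microsoft Graph PowerShell snippet is an added example, not code from the original post or from Microsoft: it lists the cross-tenant synchronization configurations named ‘MTO-Sync_’ plus the owner tenant ID, and the externally synchronized member accounts. It assumes the Microsoft.Graph PowerShell SDK is installed, that the signed-in account has the Application.Read.All and User.Read.All permissions, and that synced accounts (being B2B collaboration users) carry ‘#EXT#’ in their UPN.

```powershell
# Added example, not part of the original post. Assumes the Microsoft.Graph
# PowerShell SDK and read-only Graph permissions for applications and users.
Connect-MgGraph -Scopes "Application.Read.All", "User.Read.All" -NoWelcome

# 1. Find the cross-tenant synchronization configurations that MTO created.
#    Accepting an MTO invitation creates an enterprise app whose display name
#    is 'MTO-Sync_' followed by the owner tenant ID.
$mtoConfigs = Get-MgServicePrincipal -Filter "startswith(displayName,'MTO-Sync_')" -All
foreach ($sp in $mtoConfigs) {
    $ownerTenantId = $sp.DisplayName -replace '^MTO-Sync_', ''
    Write-Host "MTO sync config: $($sp.DisplayName) (owner tenant $ownerTenantId, object $($sp.Id))"
}

# 2. List externally synchronized users. Cross-tenant sync creates B2B
#    collaboration users that by default land as userType 'Member', so they
#    do not show up as Guests; the '#EXT#' marker in the UPN is assumed here
#    to be the distinguishing feature.
$allMembers = Get-MgUser -All -Filter "userType eq 'Member'" `
    -ConsistencyLevel eventual -CountVariable memberCount `
    -Property Id, DisplayName, UserPrincipalName, Mail, UserType, CreationType

$externalMembers = $allMembers | Where-Object { $_.UserPrincipalName -like '*#EXT#*' }
$internalMembers = $allMembers | Where-Object { $_.UserPrincipalName -notlike '*#EXT#*' }

Write-Host "External members (synced B2B users): $($externalMembers.Count)"
$externalMembers |
    Select-Object DisplayName, Mail, UserPrincipalName, CreationType |
    Sort-Object Mail |
    Format-Table -AutoSize

# 3. Flag display-name collisions between synced externals and internal users,
#    the megan@fabrikam / megan@contoso situation from the post, so the help
#    desk knows where end users may be confused.
$internalNames = $internalMembers | Select-Object -ExpandProperty DisplayName
$collisions = $externalMembers | Where-Object { $internalNames -contains $_.DisplayName }
if ($collisions) {
    Write-Warning "External members sharing a display name with internal users:"
    $collisions | Select-Object DisplayName, Mail, UserPrincipalName | Format-Table -AutoSize
}
```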

What about on-premises?

MTO does not support scenarios where the synchronized users require access to on-premises resources, as there is currently no supported way to perform writeback from Entra ID to Active Directory. Microsoft discourages this practice, stating: ‘Doing this can lead to the creation of a loop, where Microsoft Entra Connect can overwrite a change that was made by the provisioning service in the cloud. Microsoft is working on a dedicated capability for group or user writeback. Upvote the UserVoice feedback on this website to track the status of the preview. Alternatively, you can use Microsoft Identity Manager for user or group writeback from Microsoft Entra ID to Active Directory.’

Conclusion

In short, this blog post briefly covered cross-tenant synchronization and the Multitenant Organization (MTO) features that Microsoft is providing for organizations that require users from different tenants to be able to collaborate easily with each other.

Be sure to reach out to us if you’re looking for implementation advice, we’re happy to help!
Merry Christmas and a Happy New Year!
