This post is about Multi Tenant Organization (MTO) in the Microsoft ecosystem. You probably already know that it is possible to “connect” multiple tenants and use identities from other tenants in your own tenant. In this post I will tell you what you need to do to implement MTO in the Microsoft ecosystem.

Scope

This blog post is a hands-on about multi tenant organization with Teams, SharePoint Online and OneDrive for Business. A hands-on for MTO in Defender is coming soon. The blog post is NOT about multi tenant apps or multi tenant in Azure. Please make sure to read my first post before this post.

Requirements

- Entra ID P1 license: only one license per employee is required per MTO
- At least one Entra ID P1 license per tenant
- Max 100 tenants per MTO
- Tenants that are in a GDAP relationship cannot create or join an MTO
- Tenants need to be in the same cloud environment (Azure Commercial, Government and so on)

MTO Config

For demo reasons I have my personal tenant (m***.onmicrosoft.com) and a demo tenant. I will add my personal tenant as the owner tenant and the demo tenant as the member tenant. The MTO setup is initiated in the M365 Admin Center.

Owner Tenant

In the owner tenant, open admin.microsoft.com and open the organization settings. Under “Organization profile” open “Multitenant collaboration” and click “Get started”. Click “Create a new multitenant organization” and fill in the required information:

- MTO name
- MTO description
- Member tenants (can be expanded in the future)

In the next step tick both settings and click “Next”. Then click “Create MTO” to create the MTO and finish the wizard.
Member Tenant

In the member tenants, proceed as follows. In the same wizard under Organization settings > Organization profile > Multitenant collaboration, again click “Get started”. Then choose the option “Join an existing multitenant organization”, enter the Tenant ID of the owner tenant and again tick the two settings. Then click “Join MTO” and finish the setup. Now you need to wait a typical cloud minute (15 minutes up to 1 hour), and then the tenant is part of the MTO.

Setup User Sync

Now that your two (or more) tenants are part of the MTO, you can configure the sync of the users. For that, open the MTO settings again, click “Share users” and select “Select users for simplified sync”. The selected users are now synced into the partner tenant. Do this for all users in both (or every) tenant. On the MTO settings page you can see the outbound sync status “enabled”.

B2B Member

Note that guest users invited earlier are migrated to member users: the Guest tag in Teams, for example, is removed and the profile picture is shown in the Teams client.

Cross-Tenant Access Settings

The cross-tenant access settings are configured for every tenant in the MTO.

Cross-Tenant Synchronization

The synchronization is configured in the Entra ID portal under “Cross-tenant synchronization”. There you find the sync identities and manage everything that belongs to the cross-tenant sync. Under “Manage” > “Provisioning” > “Mappings” and then “Provision Microsoft Entra ID users” you can manage which attributes are synced and how they are mapped.
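After the cloud minute, it pays to confirm that every tenant is actually active in the MTO before you start sharing users. The following PowerShell script is an added example and not part of the original post. It assumes the Microsoft Graph PowerShell SDK (Invoke-MgGraphRequest) and the Graph v1.0 resources under /tenantRelationships/multiTenantOrganization; the function names, the sample objects and the tenant IDs are constructed for this example, and the permission scope named in the comment should be checked against the current Graph documentation.

```powershell
# Added example (not from the original post): verify the MTO join state of every tenant.
# Assumes the Microsoft.Graph PowerShell SDK; the live variant needs a session opened with
#   Connect-MgGraph -Scopes 'MultiTenantOrganization.Read.All'   (scope name: verify in the docs)
# run in one of the MTO tenants. Function names are this example's own.

function Get-MtoStateLive {
    # Live retrieval from Microsoft Graph v1.0 (needs an authenticated session).
    $base = 'https://graph.microsoft.com/v1.0/tenantRelationships/multiTenantOrganization'
    $mto     = Invoke-MgGraphRequest -Method GET -Uri $base
    $tenants = (Invoke-MgGraphRequest -Method GET -Uri "$base/tenants").value
    [pscustomobject]@{ Mto = $mto; Tenants = $tenants }
}

function Test-MtoMembership {
    param(
        [Parameter(Mandatory)] $Mto,                 # multiTenantOrganization object (displayName, state)
        [Parameter(Mandatory)] [object[]] $Tenants   # multiTenantOrganizationMember objects
    )
    $findings = @()

    if ($Mto.state -ne 'active') {
        $findings += "MTO '$($Mto.displayName)' is in state '$($Mto.state)', expected 'active'"
    }

    $activeOwners = @($Tenants | Where-Object { $_.role -eq 'owner' -and $_.state -eq 'active' })
    if ($activeOwners.Count -eq 0) {
        $findings += 'No active owner tenant found'
    }

    foreach ($t in $Tenants) {
        $label = "$($t.displayName) ($($t.tenantId))"
        switch ($t.state) {
            'active'  { }
            'pending' { $findings += "$label has not completed the join yet (state 'pending'); wait or re-check the member tenant wizard" }
            default   { $findings += "$label is in unexpected state '$($t.state)'" }
        }
        # transitionDetails is present while a state or role change is being applied
        $td = $t.transitionDetails
        if ($null -ne $td -and $td.status -eq 'failed') {
            $findings += "$($label): transition to '$($td.desiredState)' failed; check the MTO settings page"
        }
    }

    [pscustomobject]@{
        Ready    = ($findings.Count -eq 0)
        Findings = $findings
    }
}

# Constructed sample data (shape of the Graph objects; tenant IDs are placeholders).
$sampleMto = @{ displayName = 'Demo MTO'; state = 'active' }
$sampleTenants = @(
    @{ tenantId = '00000000-0000-0000-0000-00000000000a'; displayName = 'Owner tenant'; role = 'owner';  state = 'active' }
    @{ tenantId = '00000000-0000-0000-0000-00000000000b'; displayName = 'Demo tenant';  role = 'member'; state = 'pending'
       transitionDetails = @{ desiredState = 'active'; status = 'notStarted' } }
)

$result = Test-MtoMembership -Mto $sampleMto -Tenants $sampleTenants
if ($result.Ready) { 'All tenants active; safe to start sharing users.' } else { $result.Findings }

# Against a real MTO:
#   $live = Get-MtoStateLive; Test-MtoMembership -Mto $live.Mto -Tenants $live.Tenants
```

The check is deliberately split from the retrieval so it can run offline against the constructed sample; with the live objects the output tells you which member tenant is still pending before you open the “Share users” dialog.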
Sync Identities

Attribute Mapping

MTO – Things to pay attention to

There are a few points you should pay attention to while migrating to MTO. These points are:

- There are tenant labels which can be applied to indicate which source tenant the user is from
- You should pay attention to the attribute mapping between the tenants
- Also pay attention to the free/busy sharing in Exchange Online
- Look for existing contacts from the other MTO tenants and remove them

In addition there are points which you need to be aware of:

- Old chats from former guest users, which are converted to members, are not migrated into the new chat. The old chats are still visible, but they are not active any more (new messages in the old (guest) chat are blocked)
- MTO users can create teams and invite guests from other tenants
- The profile pictures are visible in the “partner” tenants. Status quo: they are only visible in the Teams client, not in other clients (yet)
- Teams and conference room bookings are not supported in MTO yet
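The attribute-mapping and guest-to-member points above come down to two user properties, and the overview post further down notes the same requirement: a synced user only works in Teams and most M365 apps when userType is Member, and only appears in the GAL when showInAddressList is true. The script below is an added example and not code from the original post; it audits the B2B users of a tenant for exactly these two properties plus leftover unredeemed invitations. It assumes the Microsoft Graph PowerShell SDK (Get-MgUser) for the live variant; the function names, sample users and domains are constructed.

```powershell
# Added example (not from the original post): audit B2B users in an MTO tenant after the
# cross-tenant sync and guest-to-member conversion. The live variant assumes the
# Microsoft.Graph PowerShell SDK and a session opened with Connect-MgGraph -Scopes 'User.Read.All'.
# Function names, sample users and domains are constructed for this example.

function Test-SyncedExternalUsers {
    param([Parameter(Mandatory)] [object[]] $Users)   # Graph user objects or equivalent hashtables

    foreach ($u in $Users) {
        # B2B users carry '#EXT#' in the UPN; home-tenant users are out of scope here.
        if ($u.userPrincipalName -notmatch '#EXT#') { continue }

        $issues = @()
        if ($u.userType -ne 'Member') {
            $issues += "userType is '$($u.userType)'; Teams and most M365 apps need 'Member'"
        }
        if (-not $u.showInAddressList) {
            $issues += 'showInAddressList is not true; user stays hidden from GAL and people search'
        }
        if ($u.externalUserState -eq 'PendingAcceptance') {
            $issues += 'invitation never redeemed; old manual invite the sync did not replace'
        }

        [pscustomobject]@{
            UserPrincipalName = $u.userPrincipalName
            UserType          = $u.userType
            Ok                = ($issues.Count -eq 0)
            Issues            = ($issues -join '; ')
        }
    }
}

function Get-ExternalUsersLive {
    # Live variant. Get-MgUser returns PascalCase properties; PowerShell property access is
    # case-insensitive, so Test-SyncedExternalUsers works on these objects unchanged.
    Get-MgUser -All -Property Id,UserPrincipalName,UserType,ShowInAddressList,ExternalUserState
}

# Constructed sample: one correctly synced member, one leftover guest, one hidden member,
# one home-tenant user that must be skipped.
$sampleUsers = @(
    @{ userPrincipalName = 'alice_demo.onmicrosoft.com#EXT#@owner.onmicrosoft.com'; userType = 'Member'; showInAddressList = $true;  externalUserState = 'Accepted' }
    @{ userPrincipalName = 'bob_demo.onmicrosoft.com#EXT#@owner.onmicrosoft.com';   userType = 'Guest';  showInAddressList = $false; externalUserState = 'PendingAcceptance' }
    @{ userPrincipalName = 'carol_demo.onmicrosoft.com#EXT#@owner.onmicrosoft.com'; userType = 'Member'; showInAddressList = $false; externalUserState = 'Accepted' }
    @{ userPrincipalName = 'dave@owner.onmicrosoft.com';                            userType = 'Member'; showInAddressList = $true;  externalUserState = $null }
)

Test-SyncedExternalUsers -Users $sampleUsers | Format-Table -AutoSize

# Against a real tenant, list only the users that still need attention:
#   Test-SyncedExternalUsers -Users (Get-ExternalUsersLive) | Where-Object { -not $_.Ok }
```

With the sample data, alice passes, bob is reported for both userType and the unredeemed invitation, carol for showInAddressList, and dave is skipped. Users that show up here after the sync usually point to an attribute mapping in “Provision Microsoft Entra ID users” that does not set userType to Member or showInAddressList to True.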
Multi Tenant Organization in the Microsoft Ecosystem
This post is about Multi Tenant Organization (MTO) in the Microsoft ecosystem. You probably already know that it is possible to “connect” multiple tenants and use identities from other tenants in your own tenant. In this post I will tell you which functions exist and which to use in which case. In a follow-up post, I will tell you how you can implement the functionalities in your tenants and what to look out for.

Scope

This blog post is about multi tenant organization with Teams, SharePoint Online and OneDrive for Business. Hands-on posts for these settings as well as for MTO in Defender are coming soon. The blog post is NOT about multi tenant apps or multi tenant in Azure.

Requirements

- Entra ID P1 license: only one license per employee is required per MTO
- At least one Entra ID P1 license per tenant
- Max 100 tenants per MTO
- Tenants that are in a GDAP relationship cannot create or join an MTO
- Tenants need to be in the same cloud environment (Azure Commercial, Government and so on)

Scenarios

- Conglomerates
- Mergers and acquisitions
- Multiple clouds
- Multiple geographical boundaries
- Test and staging tenants

Ways of doing it

There are multiple ways of creating multi tenant organizations. These are:

- Cross-tenant access settings
- B2B Collaboration users
- Cross-tenant synchronization

Cross-Tenant Access Settings

Cross-tenant access settings are for “trusting” between tenants. They manage how your tenant allows or blocks access from and to other tenants. There are outbound access settings and inbound access settings. Outbound settings define which of your users can use the cross-tenant functionality, and for which applications, groups and so on. Inbound settings define which users from the other tenant are allowed in, for which applications, groups and so on, and under which trusted security measures. Security measures means that you can trust, for example, the MFA, device compliance and device join claims coming from other tenants.
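Because trusting the MFA and device claims of another tenant lets that tenant's controls satisfy your own Conditional Access policies, the inbound side of the cross-tenant access settings is worth reviewing per partner. The script below is an added example, not code from the original post; it reads the partner configurations your tenant holds and summarises the inbound trust, B2B collaboration / direct connect access and identity-sync permission for each. It assumes the Microsoft Graph PowerShell SDK (Invoke-MgGraphRequest) and the Graph v1.0 resource /policies/crossTenantAccessPolicy/partners; the function names, the sample partner object and its tenant ID are constructed.

```powershell
# Added example (not from the original post): review the inbound trust and B2B settings this
# tenant holds for each partner tenant. The live variant assumes the Microsoft.Graph PowerShell
# SDK and a session opened with Connect-MgGraph -Scopes 'Policy.Read.All'.
# Function names and the sample partner object are constructed for this example.

function Get-PartnerPoliciesLive {
    $base = 'https://graph.microsoft.com/v1.0/policies/crossTenantAccessPolicy/partners'
    foreach ($p in (Invoke-MgGraphRequest -Method GET -Uri $base).value) {
        # identitySynchronization is a separate resource under each partner; 404 when not configured
        try   { $p.identitySynchronization = Invoke-MgGraphRequest -Method GET -Uri "$base/$($p.tenantId)/identitySynchronization" }
        catch { $p.identitySynchronization = $null }
        $p
    }
}

function Test-PartnerTrust {
    param(
        [Parameter(Mandatory)] $Partner,            # crossTenantAccessPolicyConfigurationPartner object
        [string[]] $ExpectedMtoTenantIds = @()      # tenant IDs that belong to your MTO, if known
    )
    $notes = @()

    # Inbound trust: accepting these claims means the partner's MFA / device posture
    # is taken at face value by your Conditional Access policies.
    $trust = $Partner.inboundTrust
    if ($trust.isMfaAccepted)                        { $notes += 'trusts partner MFA claims' }
    if ($trust.isCompliantDeviceAccepted)            { $notes += 'trusts partner compliant-device claims' }
    if ($trust.isHybridAzureADJoinedDeviceAccepted)  { $notes += 'trusts partner hybrid-joined-device claims' }
    if ($notes.Count -gt 0 -and $ExpectedMtoTenantIds.Count -gt 0 -and
        $ExpectedMtoTenantIds -notcontains $Partner.tenantId) {
        $notes += 'WARNING: inbound trust granted to a tenant that is not part of the MTO'
    }

    # B2B collaboration (users represented in your tenant) vs. direct connect (not represented).
    $collab = $Partner.b2bCollaborationInbound
    if ($null -eq $collab) { $notes += 'B2B collaboration inbound inherits the default settings' }
    else { $notes += "B2B collaboration inbound users: $($collab.usersAndGroups.accessType), apps: $($collab.applications.accessType)" }

    $direct = $Partner.b2bDirectConnectInbound
    if ($null -eq $direct) { $notes += 'B2B direct connect inbound inherits the default settings' }
    else { $notes += "B2B direct connect inbound users: $($direct.usersAndGroups.accessType)" }

    $consent = $Partner.automaticUserConsentSettings
    if ($consent.inboundAllowed)  { $notes += 'inbound consent prompts suppressed' }
    if ($consent.outboundAllowed) { $notes += 'outbound consent prompts suppressed' }

    $sync = $Partner.identitySynchronization
    if ($null -ne $sync -and $sync.userSyncInbound.isSyncAllowed) { $notes += 'partner may sync users into this tenant' }

    [pscustomobject]@{ TenantId = $Partner.tenantId; Notes = $notes }
}

# Constructed sample partner (shape of the Graph object; tenant ID is a placeholder).
$samplePartner = @{
    tenantId     = '00000000-0000-0000-0000-00000000000b'
    inboundTrust = @{ isMfaAccepted = $true; isCompliantDeviceAccepted = $true; isHybridAzureADJoinedDeviceAccepted = $false }
    b2bCollaborationInbound = @{
        usersAndGroups = @{ accessType = 'allowed'; targets = @(@{ target = 'AllUsers';        targetType = 'user' }) }
        applications   = @{ accessType = 'allowed'; targets = @(@{ target = 'AllApplications'; targetType = 'application' }) }
    }
    b2bDirectConnectInbound      = $null
    automaticUserConsentSettings = @{ inboundAllowed = $true; outboundAllowed = $true }
    identitySynchronization      = @{ userSyncInbound = @{ isSyncAllowed = $true } }
}

$review = Test-PartnerTrust -Partner $samplePartner -ExpectedMtoTenantIds @('00000000-0000-0000-0000-00000000000b')
"Partner $($review.TenantId):"; $review.Notes | ForEach-Object { "  - $_" }

# Against a real tenant:
#   Get-PartnerPoliciesLive | ForEach-Object { Test-PartnerTrust -Partner $_ -ExpectedMtoTenantIds $myMtoTenantIds }
```

Running this with the list of MTO tenant IDs as the expected set is a quick way to spot a partner entry that still carries inbound trust from an earlier B2B project but is not part of the organization.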
B2B Direct Connect

This functionality establishes a two-way trust with another tenant for seamless collaboration. In this case, users are NOT represented in the “partner” tenant.

B2B Collaboration

This functionality is often used without knowing it. It enables access for external users. These users are represented in the “partner” tenant.

Cross-Tenant Synchronization

This function automates creating and deleting B2B Collaboration users across multiple tenants.

Multi Tenant People Search

B2B Collaboration users are available as contacts in Outlook. When users are elevated to the type Member, B2B Collaboration member users are available in most Microsoft 365 applications.

Note: the parameter “showInAddressList” needs to be $true for the GAL. Additionally, userType == member is needed for collaboration in most M365 apps.

Facts

- A multi tenant organization acts as a boundary around the individual tenants
- It uses an invite-and-accept flow
- With B2B member provisioning, the seamless collaboration experiences in Microsoft Teams and M365 apps like Viva Engage are enabled
- Existing B2B Collaboration members will become multitenant organization members when the MTO is created
- Improved Teams collaboration relies on reciprocal provisioning of B2B Collaboration member users
- To share SPO / ODFB data with B2B members, use the “People in Company” link type

Supported / Unsupported Applications

Supported:

- Teams
- Viva Engage
- SPO & ODFB
- Power BI
- Power Apps, Dynamics (restricted functionality)

Unsupported:

- M365 Admin Center
- Microsoft Forms
- Microsoft OneNote
- Microsoft Planner
- Purview
- Intune

Features

Teams & SPO:

- B2B members are accepted as internal users for meeting lobbies, Copilot access and so on
- B2B guests will be matched to B2B members, so there is no need to switch tenants in Teams

Viva Engage:

- Announcements and communication across multiple tenants
- Storyline and Leadership via hub tenant
- Share leadership announcements and storylines across tenants and get insights on network and conversation analytics in Viva Engage
- MTO campaigns, events and so on

Required for this are:

- Native mode networks
- Full trust between all tenants
- All users are required to have a Viva Suite or a Communications and Communities license
- Storyline is enabled on the hub tenant

Now you know everything you need to know about what MTOs are. Stay tuned for the hands-on in the upcoming days.