This post is about Multi-Tenant Organization (MTO) in the Microsoft ecosystem.
You probably already know that it is possible to “connect” multiple tenants and to use identities from other tenants in your own tenant.
In this post I explain which functions exist and which one to use in which case.
In a follow-up post I will show how to implement them in your tenants and what to look out for.
Scope
This blog post is about multi-tenant organizations with Teams, SharePoint Online and OneDrive for Business.
Hands-on guidance for these settings, as well as MTO in Defender, is coming soon.
This blog post is NOT about multi-tenant apps or multi-tenancy in Azure.
Requirements
- Entra ID P1 License: only one License per employee is required per MTO
- At least one Entra ID P1 License per tenant
- Max. 100 tenants per MTO
- Tenants that are in a GDAP relationship cannot create or join an MTO
- All tenants need to be in the same cloud environment (Azure Commercial, Government and so on)
Scenarios
- Conglomerates
- Mergers and acquisitions
- Multiple clouds
- Multiple geographical boundaries
- Test and staging tenants
Building blocks
A multi-tenant organization is built from several features, each covered below:
- Cross-tenant access settings
- B2B Direct Connect
- B2B Collaboration
- Cross-tenant synchronization
Cross-Tenant access settings
Cross-tenant access settings define the “trust” between tenants.
They control how your tenant allows or blocks access to and from other tenants, either by default for all tenants or per partner tenant.
There are outbound access settings and inbound access settings.
Outbound settings define which of your users and groups may use the cross-tenant functionality and which applications in the other tenant they may reach.
Inbound settings define which users and groups of the other tenant may access which of your applications, and which security claims from that tenant are trusted.
Trusted security claims means you can accept the MFA, compliant-device and Microsoft Entra hybrid joined device claims the other tenant issues instead of forcing the user to satisfy them again in your tenant. Keep in mind that you are then relying on the other tenant’s MFA registration and device-compliance policy, so check what they actually enforce before you trust it.
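As an added example that is not part of the original post, the following Microsoft Graph PowerShell script creates the partner-specific cross-tenant access settings described above for one partner tenant: outbound access scoped to one of your own groups, inbound access scoped to a group of the partner tenant, the three trust settings (MFA, compliant device, Microsoft Entra hybrid joined device), and the automatic consent settings that cross-tenant synchronization later relies on. The tenant and group IDs are placeholders, and the choice of the Microsoft.Graph.Identity.SignIns module is my assumption; run it against a test tenant first.

```powershell
# Added example, not code from the original post.
# Requires the Microsoft.Graph.Identity.SignIns module and an admin who can
# consent to Policy.ReadWrite.CrossTenantAccess. All IDs below are placeholders.
Connect-MgGraph -Scopes 'Policy.ReadWrite.CrossTenantAccess'

$partnerTenantId = '11111111-1111-1111-1111-111111111111'  # placeholder: the other tenant's ID
$ownGroupId      = '22222222-2222-2222-2222-222222222222'  # placeholder: a group in YOUR tenant
$partnerGroupId  = '33333333-3333-3333-3333-333333333333'  # placeholder: a group in the PARTNER tenant

# Weak pattern, shown only for contrast and NOT applied below: every partner
# user, every application, and no trust of the partner's claims, so partner
# users are re-prompted for MFA here and Conditional Access cannot see whether
# their device is compliant.
$weak = @{
    tenantId = $partnerTenantId
    b2bCollaborationInbound = @{
        usersAndGroups = @{ accessType = 'allowed'; targets = @(@{ target = 'AllUsers'; targetType = 'user' }) }
        applications   = @{ accessType = 'allowed'; targets = @(@{ target = 'AllApplications'; targetType = 'application' }) }
    }
}

# Scoped pattern: outbound only for members of $ownGroupId, inbound only for
# the partner group, and the partner's MFA/device claims accepted so the
# Conditional Access policies on both sides keep working without double prompts.
$scoped = @{
    tenantId = $partnerTenantId
    b2bCollaborationOutbound = @{
        usersAndGroups = @{ accessType = 'allowed'; targets = @(@{ target = $ownGroupId; targetType = 'group' }) }
        applications   = @{ accessType = 'allowed'; targets = @(@{ target = 'AllApplications'; targetType = 'application' }) }
    }
    b2bCollaborationInbound = @{
        usersAndGroups = @{ accessType = 'allowed'; targets = @(@{ target = $partnerGroupId; targetType = 'group' }) }
        applications   = @{ accessType = 'allowed'; targets = @(@{ target = 'AllApplications'; targetType = 'application' }) }
    }
    inboundTrust = @{
        isMfaAccepted                       = $true
        isCompliantDeviceAccepted           = $true
        isHybridAzureADJoinedDeviceAccepted = $true
    }
    # Needed by cross-tenant synchronization so provisioned users get no consent prompt.
    automaticUserConsentSettings = @{ inboundAllowed = $true; outboundAllowed = $true }
}

# Create the partner configuration. If one already exists for this tenant ID,
# use Update-MgPolicyCrossTenantAccessPolicyPartner with the same body instead.
New-MgPolicyCrossTenantAccessPolicyPartner -BodyParameter $scoped | Out-Null

# Read it back and verify the three trust flags before building Conditional
# Access policies that depend on them.
$partner = Get-MgPolicyCrossTenantAccessPolicyPartner `
    -CrossTenantAccessPolicyConfigurationPartnerTenantId $partnerTenantId
$partner.InboundTrust | Format-List IsMfaAccepted, IsCompliantDeviceAccepted, IsHybridAzureADJoinedDeviceAccepted
```

Anything you do not set per partner falls back to the default settings (Get-MgPolicyCrossTenantAccessPolicyDefault), so review those first: a permissive default makes the scoped partner entry above meaningless for every tenant you have not configured explicitly. The partner tenant needs a mirror-image configuration for the trust and consent settings to have effect in both directions.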
B2B Direct Connect
This functionality establishes a mutual trust between two tenants for seamless collaboration; Teams shared channels are built on it.
In this case, users are NOT represented in the “partner” tenant: no user object is created there, and the user authenticates with their home identity.
B2B Collaboration
This functionality is used in almost every tenant, often without anyone being aware of it. It gives external users access to your tenant.
These users ARE represented in the “partner” tenant as a guest (or member) user object.
Cross-tenant synchronization
This function automates creating, updating and deleting B2B Collaboration users across multiple tenants.
Multi Tenant People Search
B2B Collaboration users are available as contacts in Outlook. Once they are elevated to the user type Member, B2B Collaboration member users become available in most Microsoft 365 applications.
Note:
The showInAddressList attribute must be true for the user to show up in the GAL.
In addition, userType must be Member for collaboration in most M365 apps.
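As an added example that is not part of the original post, this Microsoft Graph PowerShell function audits the B2B Collaboration users that originate from one partner tenant for exactly the two properties the note above requires, userType and showInAddressList, and optionally fixes them. The partner domain is a placeholder; picking the users by the “alias_partner.com#EXT#@” UPN convention and using the Microsoft.Graph.Users module are my assumptions.

```powershell
# Added example, not code from the original post.
# Requires the Microsoft.Graph.Users module. Reading needs User.Read.All,
# the -Fix switch needs User.ReadWrite.All.
function Test-MtoPeopleSearchReadiness {
    param(
        [Parameter(Mandatory)][string]$PartnerDomain,  # e.g. partner.onmicrosoft.com (placeholder)
        [switch]$Fix
    )

    # B2B collaboration users carry a UPN of the form
    # alias_partner.com#EXT#@yourtenant.onmicrosoft.com, which is how the
    # accounts belonging to one partner tenant are picked out here.
    $pattern = "*_$PartnerDomain#EXT#@*"

    # Client-side filtering keeps the Graph query simple; in a very large tenant
    # narrow it with a server-side $filter on userType first.
    $users = Get-MgUser -All -Property id,displayName,userPrincipalName,userType,showInAddressList |
        Where-Object { $_.UserPrincipalName -like $pattern }

    foreach ($u in $users) {
        $problems = @()
        if ($u.UserType -ne 'Member')       { $problems += 'userType is not Member' }
        if ($u.ShowInAddressList -ne $true) { $problems += 'showInAddressList is not true' }

        if ($problems.Count -eq 0) {
            [pscustomobject]@{ User = $u.UserPrincipalName; Status = 'ready'; Action = '' }
            continue
        }

        if ($Fix) {
            # Converting a guest to a member widens what the account can see and
            # do (default member permissions, GAL exposure), so only do this for
            # tenants that are really part of your MTO.
            Update-MgUser -UserId $u.Id -BodyParameter @{ userType = 'Member'; showInAddressList = $true }
            [pscustomobject]@{ User = $u.UserPrincipalName; Status = 'fixed'; Action = ($problems -join '; ') }
        } else {
            [pscustomobject]@{ User = $u.UserPrincipalName; Status = 'not ready'; Action = ($problems -join '; ') }
        }
    }
}

# Usage: report only, then re-run with -Fix once the list looks right.
Connect-MgGraph -Scopes 'User.ReadWrite.All'
Test-MtoPeopleSearchReadiness -PartnerDomain 'partner.onmicrosoft.com' | Format-Table -AutoSize
```

If cross-tenant synchronization provisions these users, set userType and showInAddressList in the provisioning attribute mapping instead of patching accounts afterwards; otherwise the next sync cycle may reset them. Run the report without -Fix first, because every account it converts becomes a full member of your tenant.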
Facts
- A multi-tenant organization acts as a boundary around the individual tenants
- Tenants are added through an invite-and-accept flow
- With B2B member provisioning the seamless collaboration experiences in Microsoft Teams and M365 apps like Viva Engage are enabled
- Existing B2B Collaboration member users become multi-tenant organization members when the MTO is created
- Improved Teams collaboration relies on reciprocal provisioning of B2B Collaboration member users, i.e. each tenant provisions the other tenant’s users
- To share SPO / ODFB data with B2B members, use the “People in [company]” link type
Supported and unsupported applications
Supported
- Teams
- Viva Engage
- SPO & ODFB
- Power BI
- Power Apps, Dynamics (restricted functionality)
Unsupported
- M365 Admincenter
- Microsoft Forms
- Microsoft OneNote
- Microsoft Planner
- Purview
- Intune
Features
Teams & SPO
- B2B members are treated as internal users for meeting lobbies, Copilot access and so on
- Existing B2B guest accounts are matched to the B2B member accounts, so users no longer need to switch tenants in Teams
Viva Engage
- Announcements and communication across multiple tenants
- Storyline and leadership features via the hub tenant
- Share leadership announcements and storylines across tenants and get insights from network and conversation analytics in Viva Engage
- MTO campaigns, events and so on
- Requirements for this are:
  - native mode networks
  - full trust between all tenants
  - all users need a Viva Suite or Viva Communications and Communities license
  - storyline is enabled on the hub tenant
Now you know everything you need to know about what MTOs are.
Stay tuned for the hands-on in the upcoming days.