Multi Tenant Organization in the Microsoft Ecosystem

This post is about Multi Tenant Organization (MTO) in the Microsoft ecosystem.

You probably already know that it is possible to “connect” multiple tenants and use identities from other tenants in your own tenant.
In this post, I will explain which functions exist and which one to use in which case.
In a follow-up post, I will show how to implement these functionalities in your tenants and what to look out for.

Scope

This blog post is about Multi Tenant Organization with Teams, SharePoint Online and OneDrive for Business.

Hands-on guides for these settings, as well as MTO in Defender, are coming soon.

This blog post is NOT about multi-tenant apps or multi-tenancy in Azure.

Requirements

  • Entra ID P1 license; only one license per employee is required across the whole MTO, not one per tenant
  • At least 1 Entra ID P1 license per tenant
  • Max. 100 tenants per MTO
  • Tenants that are in a GDAP relationship cannot create or join an MTO
  • Tenants need to be in the same cloud environment (Azure Commercial, Government and so on)

Scenarios

  • Conglomerates
  • Merge and Acquire
  • Multiple Clouds
  • Multiple Geographical boundaries
  • Test and staging tenants

Ways of doing

There are multiple ways of creating multi tenant organizations. These are:

  • Cross-Tenant access settings
  • B2B Collaboration Users
  • Cross-Tenant Synchronization

Cross-Tenant access settings

Cross-tenant access settings are for establishing “trust” between tenants.
They manage how your tenant allows or blocks access from and to other tenants.
There are outbound access settings and inbound access settings.
Outbound settings define which users, groups and so on in your tenant can use the cross-tenant functionality, and towards which applications.
Inbound settings define which users, groups and so on from the other tenant are allowed in, towards which applications, and under which trusted security measurements.
“Security measurements” means that, for example, MFA, device-compliance and device-join claims from other tenants can be trusted instead of being re-evaluated in your tenant.
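As an added example (not part of the original post), the following Microsoft Graph PowerShell script configures the inbound side of a partner tenant's cross-tenant access settings and then audits all partner configurations. It assumes the Microsoft.Graph module is installed, that the caller can consent to the listed scopes, and that the tenant and application ids are placeholders to be replaced.

```powershell
# Added example, not from the original post: configure and audit cross-tenant access
# settings for one partner tenant with the Microsoft Graph PowerShell SDK.
# Assumptions: Microsoft.Graph module installed; caller can consent to the scopes below;
# $PartnerTenantId and the application id are placeholders.

$PartnerTenantId = "00000000-0000-0000-0000-000000000000"   # placeholder partner tenant id
$AllowedAppId    = "11111111-1111-1111-1111-111111111111"   # placeholder app (client) id

Connect-MgGraph -Scopes "Policy.Read.All", "Policy.ReadWrite.CrossTenantAccess"

# Partner configuration body in the shape the Graph API expects.
# inboundTrust: accept MFA and compliant-device claims from the partner tenant instead of
# re-prompting; enable this only for tenants whose Conditional Access baseline you trust.
# b2bCollaborationInbound: allow all partner users, but only towards a named application
# rather than "AllApplications".
$partnerConfig = @{
    tenantId     = $PartnerTenantId
    inboundTrust = @{
        isMfaAccepted                       = $true
        isCompliantDeviceAccepted           = $true
        isHybridAzureADJoinedDeviceAccepted = $false
    }
    b2bCollaborationInbound = @{
        usersAndGroups = @{
            accessType = "allowed"
            targets    = @(@{ target = "AllUsers"; targetType = "user" })
        }
        applications = @{
            accessType = "allowed"
            targets    = @(@{ target = $AllowedAppId; targetType = "application" })
        }
    }
}

# Create the partner-specific configuration. If one already exists for this tenant,
# use Update-MgPolicyCrossTenantAccessPolicyPartner with the same body instead.
New-MgPolicyCrossTenantAccessPolicyPartner -BodyParameter $partnerConfig | Out-Null

# Audit: report every partner configuration and flag the combination that deserves a
# second look, i.e. trusting the partner's MFA/device claims while also letting all of
# its users reach all applications.
function Get-PartnerTrustReport {
    foreach ($p in Get-MgPolicyCrossTenantAccessPolicyPartner -All) {
        $trust    = $p.InboundTrust
        $inbound  = $p.B2BCollaborationInbound
        $allUsers = $inbound.UsersAndGroups.Targets.Target -contains "AllUsers"
        $allApps  = $inbound.Applications.Targets.Target   -contains "AllApplications"
        [pscustomobject]@{
            TenantId         = $p.TenantId
            AcceptsMfa       = [bool]$trust.IsMfaAccepted
            AcceptsCompliant = [bool]$trust.IsCompliantDeviceAccepted
            AllUsersInbound  = $allUsers
            AllAppsInbound   = $allApps
            Review           = ([bool]$trust.IsMfaAccepted -or [bool]$trust.IsCompliantDeviceAccepted) -and $allUsers -and $allApps
        }
    }
}

Get-PartnerTrustReport | Format-Table -AutoSize
```

The audit function is the part worth keeping around: run it after every MTO change so that a partner whose claims you trust is never also granted blanket inbound access by accident.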

B2B Direct Connect

This functionality establishes a two-way trust with another tenant for seamless collaboration.
In this case, users are NOT represented in the “partner” tenant.

B2B Collaboration

This functionality is often used without knowing it. It enables access for external users.
These users are represented in the “partner” tenant.

Cross-tenant synchronization

This function automates creating and deleting B2B Collaboration users across multiple tenants.

Multi Tenant People Search

B2B Collaboration users are available as contacts in Outlook. When users are elevated to the type Member, B2B Collaboration Member users are available in most Microsoft 365 applications.

Note:
The parameter “showInAddressList” needs to be $true for the user to appear in the GAL.
Additionally, userType == Member is needed for collaboration in most M365 apps.
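As an added example (not part of the original post), the following Microsoft Graph PowerShell script checks B2B collaboration users from one partner tenant for exactly the two settings named in the note, userType and showInAddressList, and only changes them when explicitly asked to. It assumes the Microsoft.Graph module is installed, that the caller can consent to User.ReadWrite.All, and that the partner domain is a placeholder.

```powershell
# Added example, not from the original post: audit (and optionally fix) userType and
# showInAddressList for B2B collaboration users from a partner tenant.
# Assumptions: Microsoft.Graph module installed; caller can consent to User.ReadWrite.All;
# $PartnerDomain is a placeholder mail domain of the partner tenant.

param(
    [string]$PartnerDomain = "partner.example",   # placeholder
    [switch]$Fix                                  # without -Fix nothing is changed
)

Connect-MgGraph -Scopes "User.ReadWrite.All"

function Get-PartnerUserReport {
    param([string]$Domain)
    # B2B collaboration users keep their home identity in the mail attribute, so filter on
    # the mail suffix. endsWith needs an advanced query (ConsistencyLevel + count).
    $users = Get-MgUser -All -Filter "endsWith(mail,'@$Domain')" `
        -ConsistencyLevel eventual -CountVariable count `
        -Property id,userPrincipalName,mail,userType,showInAddressList
    foreach ($u in $users) {
        [pscustomobject]@{
            Id                = $u.Id
            Upn               = $u.UserPrincipalName
            UserType          = $u.UserType
            ShowInAddressList = [bool]$u.ShowInAddressList
            NeedsMember       = $u.UserType -ne "Member"
            NeedsGal          = -not [bool]$u.ShowInAddressList
        }
    }
}

function Repair-PartnerUser {
    param([pscustomobject]$Row)
    # Promoting Guest -> Member widens what the user can see in the directory, which is
    # why this only runs under -Fix and is logged per user.
    $changes = @{}
    if ($Row.NeedsMember) { $changes.UserType = "Member" }
    if ($Row.NeedsGal)    { $changes.ShowInAddressList = $true }
    if ($changes.Count -eq 0) { return }
    Update-MgUser -UserId $Row.Id @changes
    Write-Host ("Updated {0}: {1}" -f $Row.Upn, ($changes.Keys -join ", "))
}

$report = Get-PartnerUserReport -Domain $PartnerDomain
$report | Format-Table Upn, UserType, ShowInAddressList, NeedsMember, NeedsGal -AutoSize

if ($Fix) {
    $report | Where-Object { $_.NeedsMember -or $_.NeedsGal } | ForEach-Object { Repair-PartnerUser -Row $_ }
}
```

Run it without -Fix first to see which users cross-tenant synchronization did not bring in as Members or did not expose in the GAL; the user object id rather than the UPN is used for the update because B2B UPNs contain #EXT#.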

Facts

  • A Multi tenant organization acts as a boundary around the individual tenants
  • It uses invite-and-accept flow
  • With B2B member provisioning the seamless collaboration experiences in Microsoft Teams and M365 Apps like Viva Engage are enabled
  • Existing B2B Collaboration Members will become multitenant organization members when the MTO is created
  • Improved Teams Collaboration relies on reciprocal provisioning of B2B collaboration member users
  • To share SPO / ODFB Data to B2B Members, use “People in Company” link type

Un-/Supported Applications

Supported

  • Teams
  • Viva Engage
  • SPO & ODFB
  • Power BI
  • Power Apps, Dynamics (restricted functionality)

Unsupported

  • M365 Admin Center
  • Microsoft Forms
  • Microsoft OneNote
  • Microsoft Planner
  • Purview
  • Intune

Features

Teams & SPO

  • B2B Members are accepted as internal users for Meeting Lobbies, Copilot access and so on
  • B2B Guests will be matched to B2B Members, so there is no need to switch tenants in Teams

Viva Engage

  • Announcements and Communication across multiple tenants
  • Storyline and Leadership via hub tenant
  • Share leadership announcements and storylines across tenants and get insights on network and conversation analytics in Viva Engage
  • MTO Campaigns, Events and so on
  • Required for this are:
    • Native Mode networks
    • Full trust between all tenants
    • All users have a Viva Suite or Communications and Communities license
    • Storyline is enabled on the hub tenant

Now you know everything you need to know about what MTOs are.
Stay tuned for the hands-on in the upcoming days.

The author

Mika

Engineer | Blogger | Evangelist


© 2024 Created with ❤ by Mika Kreienbühl