This post is about Multi-Tenant Organization (MTO) in the Microsoft ecosystem
You probably already know that it is possible to “connect” multiple tenants and use identities from other tenants in your own tenant.
In this post, I will tell you what you need to do to implement MTO in the Microsoft ecosystem.
Scope
This blog post is a hands-on guide to multi-tenant organization with Teams, SharePoint Online and OneDrive for Business.
A hands-on for MTO in Defender is coming soon.
This blog post is NOT about multi-tenant apps or multi-tenancy in Azure.
Please make sure to read my first post before this one.
Requirements
- Entra ID P1 license; only one license is required per employee per MTO
- At least 1 Entra ID P1 license per tenant
- Max 100 tenants per MTO
- Tenants that are in a GDAP relationship cannot create or join an MTO
- Tenants need to be in the same cloud environment (Azure Commercial, Government and so on)
MTO Config
For demo purposes I have my personal tenant (m***.onmicrosoft.com) and a demo tenant. I will add my personal tenant as the owner tenant and the demo tenant as the member tenant.
The MTO setup is initiated in the M365 Admin Center.
Owner Tenant
- MTO Name
- MTO Description
- Member Tenants (can be expanded in the future)
In the next step, tick both settings and click “Next”:
Then click “create MTO” to create the MTO and finish the wizard.
Member Tenant
In the member tenants, you now proceed as follows:
Open the same wizard under Organization settings > Organization profile > Multitenant collaboration and again click “Get started”.
Then choose the option “Join an existing multitenant organization”, enter the tenant ID of the owner tenant and again tick the two settings:
Then click “join MTO” and finish the setup.
Now you need to wait a typical cloud minute (15 minutes to 1 hour), and then the tenant is part of the MTO.
Setup User Sync
Now that your two (or more) tenants are part of the MTO, you can configure the user sync.
To do that, open the MTO settings again, click “share users” and select “select users for simplified sync”:
The selected users are now synced into the partner tenant.
Do this for all users you want to share, in every tenant of the MTO.
On the MTO settings page you can see the outbound sync status “enabled”:
B2B Member
Note that guest users invited earlier are migrated to member users. In Teams, for example, the Guest tag is removed and the profile picture is shown in the Teams client.
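Because converted accounts no longer have the user type Guest, anything in the tenant that is scoped to guests stops matching them, so it is worth listing which external accounts are members after the sync. The following is an added example, not part of the original post. It assumes two exports of the user list taken before and after enabling the sync (constructed here, shaped like Microsoft Graph /users output), that external accounts carry `#EXT#` in their user principal name, and hypothetical function names and domains.

```python
from collections import defaultdict

# Constructed sample data, shaped like Microsoft Graph /users output with
# $select=id,userPrincipalName,userType. All names and domains are made up.
BEFORE = [
    {"id": "1", "userPrincipalName": "anna@owner.example", "userType": "Member"},
    {"id": "2", "userPrincipalName": "bob_member.example#EXT#@owner.onmicrosoft.com", "userType": "Guest"},
    {"id": "3", "userPrincipalName": "eve_vendor.example#EXT#@owner.onmicrosoft.com", "userType": "Guest"},
    {"id": "5", "userPrincipalName": "dan_other.example#EXT#@owner.onmicrosoft.com", "userType": "Member"},
]
AFTER = [
    BEFORE[0],
    {**BEFORE[1], "userType": "Member"},   # former guest, converted by the sync
    BEFORE[2],                             # ordinary guest, untouched
    BEFORE[3],
    {"id": "4", "userPrincipalName": "carol_smith_member.example#EXT#@owner.onmicrosoft.com", "userType": "Member"},
]

def source_domain(upn):
    """Home domain encoded in an external UPN, or None for a local account."""
    local, marker, _ = upn.partition("#EXT#")
    if not marker or "_" not in local:
        return None
    # External UPNs carry the home address as alias_domain; the alias may
    # contain '_' but a DNS domain cannot, so split on the last one.
    return local.rsplit("_", 1)[1].lower()

def audit_external_members(before, after, mto_domains):
    """Group external accounts that are Members after the sync by finding."""
    old_type = {u["id"]: u["userType"] for u in before}
    report = defaultdict(list)
    for user in after:
        domain = source_domain(user["userPrincipalName"])
        if domain is None or user["userType"] != "Member":
            continue                       # local account or still a guest
        if domain not in mto_domains:
            finding = "unexpected"         # external Member from outside the MTO
        elif old_type.get(user["id"]) == "Guest":
            finding = "converted"          # guest-scoped controls no longer match
        elif user["id"] not in old_type:
            finding = "new"                # created by the user sync
        else:
            finding = "unchanged"
        report[finding].append(user["userPrincipalName"])
    return dict(report)

if __name__ == "__main__":
    for finding, upns in audit_external_members(BEFORE, AFTER, {"member.example"}).items():
        print(finding, upns)
```

Accounts reported as "unexpected" are external members whose home domain is not one of the MTO tenants and deserve a manual look.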
Cross-Tenant Access Settings
The cross-tenant access settings are configured for every tenant in the MTO.
Cross-Tenant synchronization
The synchronization is configured in the Entra ID portal under “Cross-tenant synchronization”.
There you can find the sync identities and manage everything belonging to the cross-tenant sync.
Under “manage” > “provisioning” > “mappings” and then “provision microsoft entra id users” you can manage which attributes are synced and how they are mapped.
Sync Identities
Attribute Mapping
MTO – Things to pay attention to
There are a few points you should pay attention to while migrating to MTO.
These points are:
- There are tenant labels which can be applied to indicate which source tenant a user is from
- You should pay attention to the attribute mapping between the tenants
- Also pay attention to the free/busy sharing in Exchange Online
- Look for existing contacts from the other MTO tenants and remove them
In addition, there are points which you need to be aware of:
- Old chats of former guest users who are converted to members are not migrated into the new chat. The old chats are still visible, but they are no longer active (new messages in the old (guest) chat are blocked)
- MTO users can create teams and invite guests from other tenants
- The profile pictures are visible in the “partner” tenants
- Status quo: they’re only visible in the Teams client, not in other clients (yet)
- Teams and conference room bookings are not supported in MTO yet