Are you part of a dynamic organization looking to optimize collaboration across multiple tenants within the Microsoft 365 ecosystem? The introduction of the multi-tenant organization in Azure AD, which is currently in preview, will make your life a lot easier! This development not only enhances your experience with the new Microsoft Teams but also streamlines navigation between the interconnected tenants.
UPDATE: Multi-Tenant Organization capabilities in Microsoft 365 are now generally available! Several features, such as People Search, Microsoft Teams, Viva Engage, and Defender XDR, now work across organizations.
First, let’s get familiar with the various terminologies used in multi-tenant organizations.
Multi-tenant Organization Vocabulary
- Tenant – A tenant is an instance of Azure AD in which one organization keeps its directory objects, such as user accounts, groups, devices, and applications.
- Multi-tenant – A multi-tenant organization has more than one instance of Azure AD. It enables you to form a tenant group within your organization.
- Cross-tenant – Tenant-to-tenant relationship.
- Cross-tenant access settings – Collaboration settings for specific Microsoft Entra ID tenants.
- Cross-tenant synchronization – A one-way synchronization service that simplifies the management of B2B collaboration users across different organizations by automating the creation, updating, and removal of these users.
- Pending tenant – A tenant that is yet to join a multi-tenant organization. This tenant is hidden from an end user’s view of a multi-tenant organization.
- Active tenant – When pending tenants join the multi-tenant organization, they become active tenants.
- Owner tenant – The owner tenant is the tenant that creates the multi-tenant organization. It can add or remove tenants from the multi-tenant organization.
- Member tenant – Active tenants that have joined the multi-tenant organization become members. Members can join or leave the multi-tenant organization.
The life cycle below shows how these roles and states relate.
Life Cycle of Multi-tenant Organizations in Microsoft 365
Consider two tenants, A and B:
A creates a multi-tenant organization -> A becomes the owner -> A adds tenant B to the multi-tenant organization -> B becomes a pending tenant -> B joins the multi-tenant organization -> B changes from pending to active -> B becomes a member.
What is a Multi-tenant Organization in Azure AD?
With Multi-tenant Organization in Microsoft Entra ID, admins can form a tenant group within their organization. In a multi-tenant organization, the tenants share access with each other. To make this work, you need Azure AD cross-tenant synchronization or another system for provisioning external identities.
What are the benefits?
- Differentiate between external users that belong to the organization and external users that do not.
- It allows seamless collaboration across different tenants in the new Microsoft Teams desktop app and enables multi-tenant organization people search.
- You can configure cross-tenant access settings for each pair of tenants within the group, enabling you to manage B2B or cross-tenant synchronization between them.
Who Can Create a Multi-tenant Organization in Microsoft Entra ID?
A tenant administrator/global administrator can create a multi-tenant organization in Microsoft Entra ID. Each tenant administrator stays in control of their tenant and their membership in the multi-tenant organization.
License Requirements for Multi-tenant Organization Tenants
To use the multi-tenant organization capability, only one Microsoft Entra ID P1 license is required per employee per multi-tenant organization. Additionally, at least one Microsoft Entra ID P1 license is necessary for each tenant.
Configure Multi-tenant Collaboration in Microsoft 365
After planning for multi-tenant organizations in Microsoft 365, follow the steps given below to create multi-tenant organizations in Microsoft 365.
Set Up a New Multi-tenant Organization
Step 1: Sign into the Microsoft 365 admin center.
Step 2: Select Settings > Org settings.
Step 3: Select Multitenant collaboration from the Organization profile tab > Get started.
Step 4: Create a new multi-tenant organization by giving the name and description.
Step 5: Enter the tenant IDs of the tenants you want to invite and select Next.
Step 6: Select the required checkboxes -> Create multitenant organization -> Done. These settings prepare your tenant to sync with the other tenants in the organization.
Add a Tenant to Multi-tenant Organization
To add a tenant to your multi-tenant organization, go to:
M365 admin center -> Settings -> Org settings -> Organization profile tab -> Multitenant collaboration -> Add new tenants -> Enter tenant IDs -> Done.
Join or Leave a Multi-tenant Organization
To join, on the Multitenant collaboration page, select Join an existing multi-tenant organization -> Enter the tenant ID -> Next -> Done. A joiner can also send a join request to the multi-tenant organization.
To leave a multi-tenant organization, on the Multitenant collaboration page, select the check box next to the tenant you want to remove -> Remove tenant.
Synchronize Users to Multi-tenant Organizations in Microsoft 365
After performing the operations above, users in your tenant can collaborate with other tenants only once they have been synchronized to those tenants. Multi-tenant organizations use Azure AD B2B collaboration to share users between tenants. However, instead of being labeled as "guests," synchronized users are treated as regular "members" in the multi-tenant organization.
Cross-tenant Access Settings in Azure AD
As seen earlier, cross-tenant access settings are required for each tenant-to-tenant relationship. Tenant administrators can explicitly configure cross-tenant access policies or cross-tenant sync settings for each partner tenant as required.
Cross-tenant Access Settings Templates
To simplify setting up cross-tenant access settings for partner tenants within a multi-tenant organization, each administrator of the multi-tenant organization can create customized cross-tenant access settings templates that are specific to that organization.
Additionally, organizations that own multiple Azure AD tenants can make use of the cross-tenant synchronization in Azure AD to automate the process of creation, updating, and removal of users.
Limitations of Multi-tenant Organization in Azure Active Directory
- Each multi-tenant organization can have a maximum of five active tenants.
- Each active tenant can have up to 100,000 internal users when they join the organization.
- Any given tenant can only create or join a single multi-tenant organization.
- Every multi-tenant organization must have at least one active tenant that is an owner.
- All active tenants must allow cross-tenant access to each other.
- Any active tenant may leave a multi-tenant organization by removing itself from it.
- If the only remaining active tenant (an owner) leaves, the multi-tenant organization is deleted.
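As an added example (not from the original post), the following PowerShell audit lists the tenants in your multi-tenant organization with their role and state, checks the active-tenant and owner limits listed above, and confirms that each other active tenant has its own cross-tenant access partner configuration in your tenant, as the cross-tenant access settings section requires. It assumes the Microsoft Graph PowerShell SDK and the Graph beta endpoints, property names and permission scopes shown in the code; verify those against current Microsoft documentation, and replace the `$MyTenantId` placeholder with your own tenant ID.

```powershell
# Added audit example (not from the original post): list the tenants in this
# multi-tenant organization and confirm that every other active tenant has its
# own cross-tenant access partner configuration in this tenant.
# Assumptions: Microsoft.Graph PowerShell SDK installed; Graph beta endpoints
# /tenantRelationships/multiTenantOrganization and
# /policies/crossTenantAccessPolicy/partners and the scopes below exist as
# documented by Microsoft (verify against current docs); $MyTenantId is a placeholder.
param([string]$MyTenantId = "<your-tenant-id>")

$MaxActiveTenants = 5   # limit stated in the post
$base = "https://graph.microsoft.com/beta"

Connect-MgGraph -Scopes "MultiTenantOrganization.Read.All", "Policy.Read.All" -NoWelcome

$mto = Invoke-MgGraphRequest -Method GET -Uri "$base/tenantRelationships/multiTenantOrganization"
Write-Host "Multi-tenant organization '$($mto.displayName)' state=$($mto.state)"

$tenants = (Invoke-MgGraphRequest -Method GET -Uri "$base/tenantRelationships/multiTenantOrganization/tenants").value
$active  = @($tenants | Where-Object { $_.state -eq "active" })
$owners  = @($active  | Where-Object { $_.role  -eq "owner" })

if ($active.Count -gt $MaxActiveTenants) { Write-Warning "$($active.Count) active tenants exceeds the limit of $MaxActiveTenants" }
if ($owners.Count -eq 0) { Write-Warning "No active owner tenant: the organization is deleted when its last owner leaves" }

foreach ($t in $tenants) {
    Write-Host ("{0,-36} role={1,-6} state={2,-8} {3}" -f $t.tenantId, $t.role, $t.state, $t.displayName)
    if ($t.tenantId -eq $MyTenantId -or $t.state -ne "active") { continue }

    # Each active tenant pair needs its own partner configuration; a missing one
    # means this partner is governed only by the tenant's default settings.
    $partnerUri = "$base/policies/crossTenantAccessPolicy/partners/$($t.tenantId)"
    try {
        $partner = Invoke-MgGraphRequest -Method GET -Uri $partnerUri
    } catch {
        Write-Warning "    no cross-tenant access partner configuration for $($t.tenantId)"
        continue
    }
    $sync = $null
    try { $sync = Invoke-MgGraphRequest -Method GET -Uri "$partnerUri/identitySynchronization" } catch { }
    $consent = $partner.automaticUserConsentSettings
    Write-Host ("    partner config present: consentInbound={0} consentOutbound={1} syncConfigured={2}" -f $consent.inboundAllowed, $consent.outboundAllowed, ($null -ne $sync))
}
```

Run it from each tenant in the organization, because partner configurations are per tenant and both sides of every pair must be configured.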
Closing Thoughts
Thanks for reading. I hope that this blog helps you understand what a multi-tenant organization in Azure AD is and its related topics. If you have any queries, feel free to reach us through the comments.