Multi-tenant Organization in Microsoft Entra ID

Are you part of a dynamic organization looking to optimize collaboration across multiple tenants within the Microsoft 365 ecosystem? The introduction of the multi-tenant organization in Azure AD, which is currently in preview, will make your life a lot easier! This development not only enhances your experience with the new Microsoft Teams but also streamlines navigation between the interconnected tenants. 

First, let’s get familiar with the various terminologies used in multi-tenant organizations. 

Multi-tenant Organization Vocabulary 

  • Tenant – A tenant is an instance of Azure AD where one organization keeps all its important stuff, like user accounts, groups, devices, and even applications. 
  • Multi-tenant – A multi-tenant organization has more than one instance of Azure AD. It enables you to form a tenant group within your organization. 
  • Cross-tenant – Tenant-to-tenant relationship. 
  • Cross-tenant access settings – Collaboration settings for specific Microsoft Entra ID tenants. 
  • Cross-tenant synchronization – A one-way synchronization service that simplifies the management of B2B collaboration users across different organizations by automating the creation, updating, and removal of these users. 
  • Pending tenant – A tenant that is yet to join a multi-tenant organization. This tenant is hidden from an end user’s view of a multi-tenant organization. 
  • Active tenant – When pending tenants join the multi-tenant organization, they become active tenants. 
  • Owner tenant – Owner tenant is the one tenant that creates the multi-tenant organization. They can add/remove tenants from the multi-tenant org. 
  • Member tenant – Active tenants that are joined with the multi-tenant org become members. Members can join/leave the multi-tenant org. 

To get a clear picture, follow the life cycle given below. 

Life Cycle of Multi-tenant Organizations in Microsoft 365 

Consider two tenants, A and B:

A creates multi-tenant -> A becomes owner -> A adds tenant B into multi-tenant organization -> B becomes pending tenant -> B joins the multi-tenant -> B changes from pending to active tenant -> B becomes member. 

What is a Multi-tenant Organization in Azure AD? 

With Multi-tenant Organization in Microsoft Entra ID, admins can form a tenant group within your organization. In a multi-tenant organization, different tenants will share access to each other. To make this work, you need to use Azure AD cross-tenant synchronization or another system for external identities. 

What are the benefits? 

  • Differentiate in-organization and out-of-organization external users. 
  • It allows seamless collaboration across different tenants in the new Microsoft Teams desktop app and enables multi-tenant organization people search.  
  • You can configure cross-tenant access settings for each pair of tenants within the group, enabling you to manage B2B or cross-tenant synchronization between them.  

Who Can Create a Multi-tenant Organization in Microsoft Entra ID? 

A tenant administrator/global administrator can create a multi-tenant organization in Microsoft Entra ID. Each tenant administrator stays in control of their tenant and their membership in the multi-tenant organization.

License Requirement for Multi-tenant Organization Tenants? 

You can utilize this feature if you have an Azure AD Premium P1 license or higher in all the multi-tenant organization tenants. 

Configure Multi-tenant Collaboration in Microsoft 365 

After planning for multi-tenant organizations in Microsoft 365, follow the steps given below to create multi-tenant organizations in Microsoft 365. 

Set Up a New Multi-tenant Organization 

Step 1: Sign into the Microsoft 365 admin center
Step 2: Select Settings > Org settings. 
Step 3: Select Multitenant collaboration from the Organization profile tab > Get started. 

Setting up a multi-tenant organization in Microsoft 365

Step 4: Create a new multi-tenant organization by giving the name and description. 
Step 5: Enter the tenant IDs of any tenants that you want to invite and select ‘Next’. 

Multi-tenant organization details page

Step 6: Select the checkboxes as shown in the below image -> Create multitenant operation -> Done. These settings are necessary to make your tenant ready to sync with other tenants in the organization.

Multi-tenant organization sync settings

Add a Tenant to Multi-tenant Organization 

To add a tenant to your multi-tenant organization, navigate to: 

M365 admin center -> Settings -> Org settings -> Organization profile tab -> Multitenant collaboration -> Add new tenants -> Enter tenant IDs -> Done. 

Join or Leave a Multi-tenant Organization 

For joining, on the Multitenant collaboration page, select Join an existing multi-tenant organization -> Enter the tenant ID -> Next -> Done. A joiner can also send a join request to join the multi-tenant organization. 

For leaving a multi-tenant organization, on the Multitenant collaboration page, select the check box next to the tenant you want to remove -> Remove tenant.

Synchronize Users to Multi-tenant Organizations in Microsoft 365. 

After performing the above-mentioned operations, you must synchronize users to the other tenants so that users in your tenant can collaborate with them. Multi-tenant organizations use Azure AD B2B collaboration to share users between different tenants. However, instead of being labeled as “guests,” these users are treated as regular “members” in the multi-tenant organization. 

Cross-tenant Access Settings in Azure AD 

How multi-tenant organization work in Azure AD

As seen earlier, cross-tenant access settings are required for each tenant-to-tenant relationship. Tenant administrators can explicitly configure the following policies or cross-tenant sync settings as required. 

Cross-tenant Access Settings Templates 

To simplify the process of setting up cross-tenant access settings for partner tenants within a multi-tenant organization, each administrator of the multi-tenant organization can create customized templates for cross-tenant access settings that are specific to that organization.  

Additionally, organizations that own multiple Azure AD tenants can make use of the cross-tenant synchronization in Azure AD to automate the process of creation, updating, and removal of users. 

Limitations of Multi-tenant Organization in Azure Active Directory

  • Each multi-tenant organization can have a maximum of five active tenants. 
  • Each active tenant can have up to 100,000 internal users when they join the organization. 
  • Any given tenant can only create or join a single multi-tenant organization. 
  • Every multi-tenant organization must have at least one active tenant who is an owner. 
  • All active tenants must allow cross-tenant access to each other. 
  • Any active tenant may leave a multi-tenant organization by removing themselves from it. 
  • If the only remaining active tenant (who is an owner) leaves, the multi-tenant organization will be deleted. 
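
One way to check a tenant inventory against these limits, as an added example that is not part of the original post or any Microsoft tooling. The inventory format, tenant names and the audit_mto function are assumptions made for illustration; a "partners" entry is taken to mean that the tenant has cross-tenant access settings allowing that partner.

```python
from itertools import permutations

MAX_ACTIVE_TENANTS = 5  # limit stated in the list above

# Constructed inventory (hypothetical format, not a Microsoft Graph export).
# "partners" = tenants for which this tenant has cross-tenant access settings.
SAMPLE_MTO = {
    "tenant-a": {"role": "owner", "state": "active",
                 "partners": {"tenant-b", "tenant-c"}},
    "tenant-b": {"role": "member", "state": "active",
                 "partners": {"tenant-a"}},
    "tenant-c": {"role": "member", "state": "active",
                 "partners": {"tenant-a", "tenant-b"}},
    "tenant-d": {"role": "member", "state": "pending", "partners": set()},
}


def audit_mto(tenants):
    """Return a list of findings for one multi-tenant organization."""
    findings = []
    # Pending tenants have not joined yet, so only active ones are checked.
    active = sorted(t for t, cfg in tenants.items() if cfg["state"] == "active")

    if len(active) > MAX_ACTIVE_TENANTS:
        findings.append(
            f"{len(active)} active tenants exceeds the limit of {MAX_ACTIVE_TENANTS}")

    if not any(tenants[t]["role"] == "owner" for t in active):
        findings.append("no active owner tenant")

    # All active tenants must allow access to each other, so every ordered
    # pair (src -> dst) needs settings configured on the src side.
    for src, dst in permutations(active, 2):
        if dst not in tenants[src]["partners"]:
            findings.append(f"{src} has no cross-tenant access settings for {dst}")
    return findings


if __name__ == "__main__":
    for finding in audit_mto(SAMPLE_MTO):
        print(finding)
```
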

Closing Thoughts

Thanks for reading. I hope that this blog will help you understand what a multi-tenant organization in Azure AD is and its related topics. If you have any queries, feel free to reach us through the comments. 
