If your organization uses Microsoft 365, Azure AD is the centralized identity management platform that controls access to all your business applications and data. A tenant is a dedicated instance of Azure AD, one that represents a single organization or department with its own isolated cloud architecture.
That said, there are many reasons your company may need more than one tenant for your entire organization. Here are a few common use cases where having multiple tenants makes sense:
- During corporate transitions, each entity might have to maintain its original tenant.
- To address data sovereignty, tenants can be allocated per region or country.
- Distinct departments or units could operate under their own tenants for improved access control.
- A dedicated tenant can isolate development and testing activities from the production environment.
- Customer data can be segregated from internal data by using a distinct tenant.
- MSPs might assign each client a unique tenant for clearer separation and access management.
- Specific regulatory needs, such as geographical data storage, may require the establishment of dedicated tenants.
Whatever the use case, multi-tenant synchronization can be a complex endeavor in Azure AD and Microsoft 365. You need a DevOps strategy that carefully addresses issues like configuration consistency, audit trails, and security vulnerabilities.
That's where automation comes in. Imagine not having to go through hundreds of separate screens each time you want to set up a new tenant or clone configuration changes from one tenant to another. In fact, imagine having a centralized dashboard that allows you to oversee each tenant, along with fully-featured audit trails and drift detection. With the right stack of tools and techniques, that's all completely possible. This guide will show you how.
Using Azure AD Cross-Tenant Synchronization
Cross-tenant synchronization in Azure Active Directory (Azure AD) is a feature that allows organizations to automate the process of provisioning and de-provisioning Business-to-Business (B2B) users across different Azure AD tenants. This feature is particularly useful for organizations that have multiple Azure AD tenants and need to manage users across these tenants.
- Start by planning your provisioning deployment. This involves deciding how you want to structure the tenants in your organization, understanding how the provisioning service works, identifying who will be included in the provisioning, and determining what data you want to map between tenants.
- Next, you need to enable user synchronization in the target tenant. To do this, log into the Azure portal as an administrator in the target tenant, navigate to Azure Active Directory > External Identities > Cross-tenant access settings, add the source tenant, and turn on user sync.
- The third step is to automatically redeem invitations in both the target and source tenants. This ensures that users from the source tenant don't have to manually accept the consent prompt.
- After that, create a configuration in the source tenant. Simply provide a name for the configuration and select 'Create'.
- Now, test the connection to the target tenant. This is to ensure that the credentials you've provided are authorized to enable provisioning.
- The next step is to define who will be included in the provisioning. You can do this based on assignment to the configuration or based on user attributes.
- Review the attribute mappings. These mappings allow you to define how data should flow between the source tenant and target tenant.
- Specify additional provisioning settings. These settings include options like sending an email notification when a failure occurs and preventing accidental deletion.
- Test provision on demand with one of your users.
- Start the provisioning job. This begins the initial synchronization cycle of all users defined in the scope of the settings section.
- Once you've started a provisioning job, monitor its status.
- Finally, configure the leave settings. If you want to prevent users from removing themselves from your organization, you'll need to configure the External user leave settings.
- The process of provisioning and de-provisioning users is automated, reducing the manual effort required to manage users across multiple tenants.
- User attributes are kept synchronized between the source and target tenants, ensuring consistency of user data.
- The feature can handle many users, making it scalable for large organizations.
- The feature adheres to Azure AD's authentication protocols, ensuring the safe handling of user data.
- The setup and configuration process can be complex and requires a good understanding of Azure AD.
- The feature requires an Azure AD Premium P1 or P2 license, which may increase costs for some organizations.
- There are some limitations on the types of users that can be provisioned and the services they can access.
Using PowerShell Scripts and Microsoft Graph API
PowerShell is a cross-platform task automation solution made up of a command-line shell, a scripting language, and a configuration management framework. PowerShell can be used to automate and streamline the management of system tasks and the generation of system insights.
Microsoft Graph API, on the other hand, is a unified programmability model that provides a cohesive way to access data across Microsoft 365, which includes Office 365, Enterprise Mobility, and Security and Windows 10. It's a RESTful web API that can be used to access a variety of resources, including mail, calendar, contacts, documents, directory, and more.
Together, PowerShell and Graph API can be used to automate the process of synchronizing multiple tenants in Azure AD. This involves using PowerShell scripts to call Graph API endpoints, which in turn perform the necessary actions to synchronize user data across tenants.
- Start by signing into the target tenant using PowerShell or the Microsoft Graph Explorer tool. You'll need to consent to certain permissions during this step.
- Next, create a new partner configuration within the target tenant. This configuration establishes a cross-tenant access policy between the target tenant and the source tenant. Once this is done, enable user synchronization.
- Set up the system to automatically accept invitations and suppress consent prompts for inbound access in the target tenant.
- Sign into the source tenant using PowerShell or the Microsoft Graph Explorer tool. During this step, you'll also need to consent to certain permissions.
- Set up the system to automatically accept invitations and suppress consent prompts for outbound access in the source tenant.
- Add an instance of a configuration application from the Azure AD application gallery into your tenant. You'll also need to retrieve the service principal ID and app role ID.
- The ability to synchronize users, groups, and other objects across multiple Azure AD tenants.
- Simplified administration through a single location.
- The potential for automation using scripts, which can save time and effort.
- It requires a good understanding of PowerShell and the Graph API, which may not be within the skill set of all administrators.
- The setup and management can be complex, particularly for larger organizations with many tenants.
- There may be potential security risks if not properly configured, such as unauthorized access to data.
Using Third-Party Platforms Like Simeon Cloud
Simeon Cloud is a cloud configuration platform designed to automate and manage Microsoft 365 configurations. It's particularly useful for managing modern digital workplaces using Office 365, Intune, and Azure AD.
- Simeon provides detailed audit trails of your Microsoft 365 environments in a single view. It allows you to restore configurations to a desired state.
- It helps establish baselines for best practices, track drift, and align configurations to the desired state.
- Simeon offers holistic reporting on your Microsoft 365 environments in a single view and alerts you to changes before they become problems.
- It can sync configurations across your non-production and production environments, promoting lifecycle changes with advanced approval workflows.
- Simeon Cloud allows you to manage multiple tenants with a single set of policies, improving scale and standardization.
- It enables you to reuse, edit, and deploy app packages between tenants and to multiple tenants in bulk, eliminating countless hours of manual work.
- Simeon also allows you to deploy Microsoft 365 environments from customizable templates with a single click for improved scale, automation, and consistency.
- Saves time and effort in managing configurations across multiple Azure AD tenants.
- Helps maintain uniformity across multiple tenants.
- Automates many tasks, reducing manual work and potential errors.
- Provides comprehensive monitoring and reporting features.
- There are costs associated with using this paid solution.
- New users may need some time to learn how to use all of its features.
- Introduces dependence to a third-party solution.
How to Choose the Right Way to Sync Multiple Tenants in Azure AD
To summarize, there are three main options for syncing multiple tenants in Azure AD:
- Azure AD Cross-Tenant Synchronization: This is a built-in feature of Azure AD that automates the syncing of B2B collaboration users across tenants. It's a straightforward option that doesn't need additional tools or scripting knowledge.
- PowerShell and Graph API: This method provides a high level of control and flexibility, but requires a good understanding of PowerShell scripting and the Graph API.
- Simeon Cloud: This is a cloud configuration platform that simplifies the process of syncing multiple tenants in Azure AD. It's user-friendly and automates many tasks, making it a good choice for those without extensive scripting knowledge.
When choosing the right method, consider your technical expertise, timeline, resources you have available, the scale of your operation, and any cost implications. Each method has its advantages, so the best choice depends on the specific needs and circumstances of your organization.
But, if you're looking for a user-friendly, efficient, and automated solution, Simeon Cloud is the only third-party platform that automates end-to-end configuration management for Microsoft 365. It offers access to premium support, has automated drift detection, and comes with its own security baseline for compliance purposes.
Want to know more? Sign up for a demo with our sales team today!