Cross Tenancy Synchronisation Setup

Prerequisites

  • A Microsoft Entra ID P1 licence (standalone or bundled) in both the Source and the Target Tenant

  • Tenant ID for the Source Tenant

  • Tenant ID for the Target Tenant

Steps - Target Tenant

Log into the Azure Portal for the Target Tenant

Go to Azure Active Directory (now labelled Microsoft Entra ID in the portal) > External Identities

Click on Cross-tenant access settings, then select Organisational settings when the page loads

Click Add organisation and then enter the Tenant ID of the Source Tenant

Once added, click on "Inherited from Default" under the Inbound access column of the newly created Organisation

Click on Cross-tenant sync > select Allow users sync into this tenant > scroll down and select Save

You will be prompted to confirm the change and to enable Automatic Invitation Redemption. Accept it: without automatic redemption, each synchronised user would have to accept a B2B invitation before the account is usable in the Target Tenant.

Click on Trust settings to confirm that this has been enabled. The checkbox for automatically redeeming invitations should be ticked and greyed out, because it was switched on by the previous step.

Steps - Source Tenant

Log into the Azure Portal for the Source Tenant

Go to Azure Active Directory > Groups

Create a new Group that will contain the users to be synchronised to the Target Tenant, for example SG-Entra-CTS-<Name_of_Tenant>. Its membership should be users only: nested groups are not supported when an Enterprise Application evaluates assignments, so members of a nested group would not be provisioned. Treat this group as an access-control boundary, since everyone in it becomes a Member account in the Target Tenant, and restrict who can manage its membership accordingly.

Go to Azure Active Directory > External Identities

Click on Cross-tenant access settings, then select Organisational settings when the page loads

Click Add organisation and then enter the Tenant ID of the Target Tenant

Once added, click on "Inherited from Default" under the Outbound access column of the newly created Organisation

Click on Trust settings and select the checkbox next to Automatically redeem invitations with the tenant <TenantName>

Go back to Azure Active Directory and then select Cross-tenant synchronisation

Select Configurations

At the top of the page, select New Configuration

Provide a name for the configuration and select Create

Click on the configuration when it appears in the list - you may need to refresh the page

Click Get Started

Change the provisioning mode to Automatic

Specify the Tenant ID of the Target Tenant > select Test Connection

If successful, click Save

Refresh the page and then you will see that you can configure Scope under Settings

Leave this as Sync only assigned users and groups. The alternative, Sync all users and groups, would provision every user in the Source Tenant into the Target Tenant as a Member, which is rarely what you want.

Click on Users and groups and then add the group you created earlier

Click on Provision on demand and search for a user who is in the group you just added to the configuration > click Provision

If the setup is correct, the on-demand provisioning summary reports the user as created in the Target Tenant. If it fails, the summary shows which step failed (for example the cross-tenant access settings not allowing inbound sync, or the invitation not being auto-redeemed), which is the quickest way to find the misconfiguration before turning provisioning on for the whole group.

Click on Provisioning and then set Provisioning Status to On > save the Config

Go back to Azure Active Directory > select Users. You should then see the synchronised account. Its user principal name has the same external-user form as a Guest (user_sourcedomain.com#EXT#@targettenant.onmicrosoft.com), but its User type is "Member" rather than "Guest".
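The following PowerShell script is an added post-setup check covering both halves of the procedure above; it is not part of the original guide. It uses the Microsoft Graph PowerShell SDK, reads the cross-tenant access settings from the beta endpoint (where the identitySynchronization sub-resource is exposed), and only requests read scopes. The configuration display name passed to Test-CtsSourceTenant is whatever you entered at the New Configuration step; the tenant IDs in the usage comments are placeholders.

```powershell
# Added verification script for the cross-tenant sync setup above (not part of
# the original guide). Assumes the Microsoft.Graph PowerShell SDK is installed
# and the signed-in admin can consent to the read-only scopes requested below.

$Graph = 'https://graph.microsoft.com/beta'

function Connect-CtsCheck {
    Connect-MgGraph -Scopes 'Policy.Read.All', 'User.Read.All',
                            'Application.Read.All', 'Synchronization.Read.All' -NoWelcome
}

function Get-CtsPartner {
    # Returns the partner organisation's cross-tenant access settings (or a
    # sub-resource of them), or $null when the organisation was never added,
    # in which case Graph answers 404 and Invoke-MgGraphRequest throws.
    param([Parameter(Mandatory)][string]$PartnerTenantId, [string]$SubPath = '')
    try {
        Invoke-MgGraphRequest -Method GET `
            -Uri "$Graph/policies/crossTenantAccessPolicy/partners/$PartnerTenantId$SubPath"
    } catch { $null }
}

function Test-CtsTargetTenant {
    # Run while connected to the TARGET tenant. Checks what the
    # "Steps - Target Tenant" section configures for the source organisation.
    param([Parameter(Mandatory)][string]$SourceTenantId)
    $partner = Get-CtsPartner -PartnerTenantId $SourceTenantId
    $sync    = Get-CtsPartner -PartnerTenantId $SourceTenantId -SubPath '/identitySynchronization'
    [pscustomobject]@{
        SourceOrgAdded         = $null -ne $partner
        InboundUserSyncAllowed = [bool]$sync.userSyncInbound.isSyncAllowed            # "Allow users sync into this tenant"
        AutoRedeemInbound      = [bool]$partner.automaticUserConsentSettings.inboundAllowed
    }
}

function Test-CtsSourceTenant {
    # Run while connected to the SOURCE tenant. Checks outbound auto-redemption
    # towards the target organisation and whether the sync job is running.
    # $ConfigName is the display name given to the configuration (assumed).
    param([Parameter(Mandatory)][string]$TargetTenantId,
          [Parameter(Mandatory)][string]$ConfigName)
    $partner = Get-CtsPartner -PartnerTenantId $TargetTenantId
    # Each cross-tenant sync configuration is backed by an enterprise
    # application (service principal) with the same display name.
    $sp  = Get-MgServicePrincipal -Filter "displayName eq '$ConfigName'" | Select-Object -First 1
    $job = if ($sp) { Get-MgServicePrincipalSynchronizationJob -ServicePrincipalId $sp.Id | Select-Object -First 1 }
    [pscustomobject]@{
        TargetOrgAdded     = $null -ne $partner
        AutoRedeemOutbound = [bool]$partner.automaticUserConsentSettings.outboundAllowed
        ConfigFound        = $null -ne $sp
        ProvisioningStatus = if ($job) { $job.Status.Code } else { 'NotFound' }    # expect 'Active' once turned on
    }
}

function Get-CtsSyncedUser {
    # Run in the TARGET tenant. Synchronised accounts keep the external-user UPN
    # shape (…#EXT#@<target>.onmicrosoft.com) but have userType Member, which is
    # what distinguishes them from ordinary guests. Graph does not support a
    # contains() filter on userPrincipalName, so userType is filtered server-side
    # and the UPN pattern client-side.
    Get-MgUser -All -Filter "userType eq 'Member'" -Property Id, UserPrincipalName, UserType, Mail |
        Where-Object { $_.UserPrincipalName -like '*#EXT#*' } |
        Select-Object UserPrincipalName, UserType, Mail
}

# Usage: run each half while signed in to the matching tenant.
# Connect-CtsCheck                                   # sign in to the Target Tenant
# Test-CtsTargetTenant -SourceTenantId '<source-tenant-id>'
# Get-CtsSyncedUser
# Disconnect-MgGraph; Connect-CtsCheck               # sign in to the Source Tenant
# Test-CtsSourceTenant -TargetTenantId '<target-tenant-id>' -ConfigName '<configuration-name>'
```

Every property in the two Test-* objects should come back True (and ProvisioningStatus as Active) once the portal steps are complete. Get-CtsSyncedUser doubles as a standing audit: because synchronised users are Members rather than Guests, they are in scope for anything granted to "all members", so the list it returns is worth reviewing alongside the membership of the scoping group in the Source Tenant.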
