Eight things you should know about Azure AD Cross-tenant Synchronization

Collaboration helps organizations work more effectively across their (supply) chain by letting people from other organizations work together in shared functionality. In the Microsoft Cloud specifically, it lets people with Azure AD accounts access Microsoft 365 and Microsoft Azure functionality. With all the new settings, I've identified 100+ different ways to collaborate, but the Cross-tenant Synchronization feature stands apart from all the others. Let me explain why.


1. It's Generally Available

Per the May 2023 release notes for Azure Active Directory, the Cross-tenant Synchronization feature in Azure AD is now generally available (GA).

Cross-tenant synchronization allows organizations to set up a scalable and automated solution for users to access applications across tenants in your organization. It builds upon the Azure Active Directory B2B functionality and automates creating, updating, and deleting B2B users within tenants that your organization works with.


2. It doesn't require additional licenses for the first 50K MAU

On the Azure AD side, licensing collaboration through Cross-tenant Synchronization is straightforward: the first 50,000 monthly active users (MAU) are included with every Azure AD tenant. When premium functionality is required, additional monthly active users are licensed at a fee per monthly active user. For Azure AD Premium functionality (multi-factor authentication, Conditional Access) the cost is $0.00325 per user per month, but a flat fee of $0.03 is billed for each SMS- and phone-based multi-factor authentication attempt. For Azure AD Premium P2 functionality, the cost is $0.01625 per user per month.

These costs are billed to an Azure subscription linked to the Azure AD tenant.

When sharing Microsoft 365 functionality, the 1:5 ratio applies. For every Microsoft 365 license, 5 external people can also use the functionality that is provided through that license.


3. You can share everything

Where Azure AD B2B Direct Connect is limited to Teams Shared Channels, Cross-tenant Synchronization works with all Microsoft Cloud functionality that allows guest access. This includes both Microsoft 365 and Microsoft Azure. Through the Azure AD Application Proxy, even on-premises web-based functionality can be shared.


4. It's built on trust

Microsoft intends the Cross-tenant Synchronization feature for collaboration between Azure AD tenants that belong to the same organization. Using the feature may grant access to features and functionality that were never specifically targeted for collaboration with external parties. The potential collaboration surface is largely defined by the Guest user access restrictions and the External collaboration settings.


5. All Users includes all guests, too

The All Users group in Azure AD includes all external identities. This means that when a resource is accessible to all users, it is accessible to synchronized external users, too. By default, a lot of Microsoft 365 functionality is available to all users, including the organization-wide Teams channel. Creating an All Employees group and assigning permissions to its members, or restricting access for non-members, is recommended. Removing the organization-wide Teams channel can also be recommended.
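One way to create the All Employees group mentioned above, as an added example that is not part of the original post: a dynamic security group whose membership rule admits Member objects only, so synchronized guests never fall into it. It assumes the Microsoft Graph PowerShell SDK, an account holding the Group.ReadWrite.All permission, and an Azure AD Premium P1 license for dynamic group membership; the group name and mail nickname are placeholders.

```powershell
# Added example (not from the original post): create an "All Employees" dynamic
# security group that excludes guest objects, so permissions and Conditional
# Access policies can target employees instead of the All Users group.
# Assumes the Microsoft.Graph PowerShell SDK and the Group.ReadWrite.All permission.
Connect-MgGraph -Scopes "Group.ReadWrite.All" -NoWelcome

# Dynamic membership rule: member objects only. User objects created by
# Cross-tenant Synchronization are guests unless their user type was
# deliberately mapped to Member in the inviting tenant.
$rule = '(user.userType -eq "Member")'

$params = @{
    DisplayName                   = "All Employees"        # placeholder name
    Description                   = "Member user objects only; excludes B2B guests"
    MailEnabled                   = $false
    MailNickname                  = "AllEmployees"         # placeholder nickname
    SecurityEnabled               = $true
    GroupTypes                    = @("DynamicMembership")
    MembershipRule                = $rule
    MembershipRuleProcessingState = "On"
}
$group = New-MgGroup @params

# Verify the rule was accepted and that processing is switched on: a group whose
# processing state is "Paused" never populates and would leave every policy
# scoped to it with no members at all.
$check = Get-MgGroup -GroupId $group.Id `
    -Property Id, DisplayName, MembershipRule, MembershipRuleProcessingState
if ($check.MembershipRuleProcessingState -ne "On") {
    throw "Dynamic membership processing is not on for $($check.DisplayName)"
}
$check | Format-List Id, DisplayName, MembershipRule, MembershipRuleProcessingState
```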


6. Synchronized users show up in the GAL, by default

The Global Address List (GAL) in the inviting Azure AD tenant includes the newly synchronized user objects, too. With different naming conventions for the display name between collaborating organizations, the GAL can look messy. Through the showInAddressList target attribute, this behavior can be altered in the inviting tenant by hiding synchronized user objects from the address list.


7. Once a guest, always a guest?

In Azure AD, synchronized user objects are guest objects, not member objects. In the inviting tenant, these guest objects can be converted to members through the member attribute. This way, specific synchronized users can be given the same privileges as regular users, regardless of the guest settings in Azure AD and of Conditional Access policies based on the previously mentioned All Employees group. Of course, all-encompassing dynamic groups based on the UPN suffix can be used to filter on company identities instead.
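Because a converted external identity is treated like an employee from then on, an inviting tenant should know exactly which ones exist. The following audit is an added example, not code from the original post: it lists external identities in the inviting tenant and separates those still marked Guest from those whose user type is now Member. It assumes the Microsoft Graph PowerShell SDK and the User.Read.All permission, and it uses the #EXT# marker in invited users' UPNs as the test for "external identity", which is a heuristic rather than a dedicated attribute.

```powershell
# Added example (not from the original post): audit external identities in the
# inviting tenant and flag those converted from Guest to Member, since each one
# is exempt from guest restrictions and lands in member-scoped groups and policies.
# Assumes the Microsoft.Graph PowerShell SDK and the User.Read.All permission.
Connect-MgGraph -Scopes "User.Read.All" -NoWelcome

$props = "Id,DisplayName,UserPrincipalName,UserType,CreatedDateTime,ExternalUserState"

# Invited (B2B) user objects carry "#EXT#" in their UPN in the inviting tenant,
# whatever their current userType. Heuristic, not a Graph-side attribute.
$external = @(Get-MgUser -All -Property $props |
    Where-Object { $_.UserPrincipalName -like "*#EXT#*" })

$guests  = @($external | Where-Object { $_.UserType -eq "Guest" })
$members = @($external | Where-Object { $_.UserType -eq "Member" })

"External identities: $($external.Count) " +
"(guests: $($guests.Count), converted to Member: $($members.Count))"

# Externals converted to Member deserve a named owner and a review date:
# they are no longer subject to the Guest user access restrictions.
$members |
    Select-Object DisplayName, UserPrincipalName, CreatedDateTime, ExternalUserState |
    Sort-Object CreatedDateTime |
    Format-Table -AutoSize
```

Run it before and after enabling a Cross-tenant Synchronization configuration to see which objects the sync created and whether any of them were mapped to Member.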


8. You can check in any time, but…

With default settings, guests can leave organizations they were invited to. However, when a guest leaves an organization to which their user object is synchronized using the Cross-tenant Synchronization feature, a new guest user object is created automatically during the next synchronization cycle. Just like in the Eagles' iconic song, you can check in any time, but you can never leave.

Author: Sander Berkouwer

Sander Berkouwer is the author of the Active Directory Administration Cookbook, a speaker, and a blogger at DirTeam.com and ServerCore.net. He is a Microsoft MVP, Veeam Vanguard and VMware vExpert. Since 2009, Microsoft has awarded Sander the Most Valuable Professional (MVP) award. Since 2016, Veeam has awarded Sander the Veeam Vanguard award.