Cross-tenant synchronization

00:00

>> [music]

00:09

>> Hi I’m Arvind and I’m a Product Manager on the

00:12

Azure AD team.

00:14

In this video, I’ll be talking to you about cross-tenant

00:16

synchronization. Let’s take a look at an example scenario.

00:21

Here I’ve got an organization, Contoso.

00:25

And today they’re using M365 for collaboration,

00:29

Azure to manage cloud

00:31

resources, and non-Microsoft apps

00:34

like Adobe. They’ve set up

00:37

single sign-on, and users in this

00:39

organization are easily able to access the apps that they need.

00:45

Over time they acquire a new company and that company

00:49

has its own Azure AD tenant with its M365 instance,

00:54

Azure resources, as well as

00:57

non-Microsoft apps like ServiceNow.

01:02

Over time these companies start to function more like

01:05

one and users, like User 1, needs to access ServiceNow

01:10

in the other tenant or User 2 needs to access Adobe

01:14

in the other tenant.

01:16

How do you enable these users to access resources across

01:19

the boundaries of their tenant?

01:22

Well, today with Azure AD B2B, you can invite these users

01:26

across tenants and assign them access to the resources

01:29

that they need. We’ve heard from you that you want

01:33

to automate this process and

01:35

invite users across organizations

01:38

and keep their data in sync, so when someone changes

01:41

their name, changes departments, leaves the company,

01:46

we’ve heard from you that you want that information

01:48

to get reflected across all the tenants that that user is

01:51

collaborating in. So we’ve invested in cross-tenant

01:55

synchronization which automatically invites these B2B

01:59

users across tenants in your organization, as well as keeps

02:03

them up to date and removes accounts when someone

02:06

leaves the company.

02:09

Let’s take a look at the Azure

02:12

portal and see how this is set up.

02:15

For this demo, I’ve got two tenants, ZT Tire Company

02:19

and Woodgrove. To get this

02:21

set up, I’ll first grab the tenant

02:24

ID of ZT Tire Company and go into external identities

02:28

in the Woodgrove tenant.

02:31

Here I can choose to add ZT Tire Company and set up the

02:35

cross-tenant access policy.

02:38

I’ve actually added them previously, so I can go into the

02:40

existing policy and click on the cross-tenant

02:44

synchronization tab.

02:46

Here, I as the admin of the Woodgrove tenant, can say that

02:50

I trust the ZT Tire Company to sync users into my tenant.

02:56

Once I’ve checked this

02:57

checkbox, I can switch over to the

03:00

trust settings tab, where I’ll see a new section

03:03

for consent prompt.

03:06

Here, I as the admin of Woodgrove, can consent

03:09

on behalf of end users in my organization so that when

03:13

they access resources in my tenant for the first time,

03:16

they won’t face a consent prompt.

03:20

With both those checkboxes selected, I’m actually done

03:23

on the Woodgrove or target side with setting

03:26

up cross-tenant sync.

03:30

Now let’s switch back to ZT Tires. Here I can go

03:34

into external identities. And I’ll set up an outbound policy

03:41

where I am also consenting on behalf of users in my

03:44

tenant so that way those users don’t have to face the

03:47

consent prompt when they access resources in the

03:50

Woodgrove tenant.

03:53

Now that that initial setup is done,

03:56

I can go into cross-tenant synchronization and choose

04:00

to add a new configuration. I’ll provide it a name.

04:05

We’ll call it ZTTire to Woodgrove and then create

04:14

the configuration. Now clicking on the configuration,

04:22

I can first assign a user or a group to the configuration.

04:28

Previously I created a user

04:29

called CrossTenantSynchronization,

04:32

so I’ll go ahead and assign them.

04:36

Now to set up cross-tenant sync, I will need the ID of the

04:39

target tenant. So here I’ll grab the Woodgrove tenant ID.

04:45

And then going into provisioning,

04:47

specify the target tenant

04:49

that I’d like to provision accounts into.

04:53

That’s it. No credentials or anything to manage.

04:55

Once I’ve provided the target tenant,

04:57

I can save the configuration. And our sync engine will

05:01

check to make sure that that cross-tenant access policy is

05:04

in place before syncing any users.

05:09

Now going into the attribute mappings, I can define which

05:12

attributes I want to synchronize. We’ve got a set

05:16

of defaults here. You can choose to delete these mappings,

05:19

add additional attributes. For example, if you need to sync

05:21

a directory extension, you’ll be able to choose that

05:24

from the list of attributes.

05:27

I’ll bring your attention to two attributes in particular.

05:30

First is the user type. Most of you are probably using the

05:35

B2B guest user type today. The default for cross-tenant

05:39

synchronization will be B2B member to provide that full

05:43

multi-tenant organization experience so that it feels like

05:46

these users are just part of one tenant.

05:52

If you’d like to update existing users from guest to member,

05:55

you can choose to change the mapping to always

05:58

and convert existing users.

06:02

We also have an attribute

06:04

here called show an address list.

06:06

By setting this as a constant where the value is true,

06:11

all users will then light up in the gallery in the target

06:15

tenant and you’ll be able to search for users across tenants.

06:22

Now let’s move back and transition to on-demand

06:27

provisioning where I can quickly provision this in a few

06:30

seconds and show that user account has been created.

06:35

Now I’ll search for the user CrossTenantSynchronization.

06:39

And in a few seconds, that account will get created in the

06:42

target tenant.

06:47

Switching over to the target tenant, I can search for the

06:51

user that I just created.

06:58

And here we can see that that account was created

07:01

and they’ve been created as a type member.

07:03

As we make updates to this user as they leave the company,

07:07

those changes will

07:08

automatically be reflected across

07:09

tenants without you having to take action.

07:14

Switching back to my previous tenant, I could choose

07:18

to assign additional users to this configuration

07:22

or, more likely, assign a group to the configuration.

07:25

And as users come into the group, they’ll get provisioned

07:28

automatically. As they leave the group,

07:31

they’ll get deprovisioned automatically and you can assign

07:34

those users access to all the apps that they need.

07:38

Thanks for watching this video and to learn more,

07:41

you can go to

07:42

aka.ms/CrossTenantSynchronization.

07:45

>> [music]