Cross-tenant synchronization
Summary
TL;DR: In this video, Arvind, a Product Manager on the Azure AD team, introduces cross-tenant synchronization, a feature that enables organizations to automate the process of inviting users across different Azure AD tenants and maintaining their data in sync. The demonstration showcases how to set up cross-tenant access policies, establish trust, and configure synchronization between two tenants, ensuring that user changes are automatically reflected across all connected tenants. This allows for seamless access to resources and simplifies management across multiple organizations.
Takeaways
- 📝 The video is presented by Arvind, a Product Manager on the Azure AD team, focusing on cross-tenant synchronization.
- 🔄 Cross-tenant synchronization is a feature that allows for the sharing of resources across different Azure AD tenants, facilitating collaboration between merged or acquired companies.
- 💼 The example scenario involves Contoso, which uses M365 and Azure, and an acquired company with its own Azure AD tenant and resources.
- 🤝 Azure AD B2B enables inviting users from different tenants and assigning them the necessary access to resources.
- 📊 There's a demand for automating the process of inviting users across organizations and keeping their data synchronized across all tenants.
- 🛠️ Cross-tenant synchronization automatically invites B2B users across tenants and keeps them updated, including removing accounts when employees leave.
- 📱 The setup process involves configuring cross-tenant access policies and trust settings in the Azure portal.
- 🔑 Admins can consent on behalf of end users to avoid consent prompts when accessing resources for the first time.
- 🔄 The configuration for cross-tenant synchronization includes assigning users or groups, specifying the target tenant ID, and defining attribute mappings.
- 👤 The user type attribute can be set to 'B2B member' to provide a unified multi-tenant organization experience.
- 🔍 By setting the 'show in address list' attribute to true, users become searchable across tenants in the target tenant's gallery.
- ⚙️ On-demand provisioning allows for quick account creation in the target tenant, with updates and changes automatically reflected across all connected tenants.
Q & A
What is the main topic of the video presented by Arvind?
- The main topic of the video is cross-tenant synchronization in Azure AD B2B, which allows users from different tenants to access resources across their organizational boundaries.
What does Contoso initially use for collaboration and cloud resource management?
- Initially, Contoso uses M365 for collaboration and Azure to manage cloud resources and non-Microsoft apps like Adobe.
What is the scenario where cross-tenant synchronization becomes necessary for Contoso?
- Cross-tenant synchronization becomes necessary when Contoso acquires a new company with its own Azure AD tenant, and users from both companies need to access resources from the other tenant, like ServiceNow or Adobe.
How does Azure AD B2B facilitate access to resources across different tenants?
- Azure AD B2B allows you to invite users across tenants and assign them access to the necessary resources, automating the process and keeping their data in sync across all tenants.
What is the purpose of the Azure portal demonstration in the video?
- The purpose of the Azure portal demonstration is to show how to set up cross-tenant synchronization between two tenants, ZT Tire Company and Woodgrove.
What is the first step in setting up cross-tenant access policy in the Azure portal?
- The first step is to grab the tenant ID of one company and go into external identities in the other company's tenant to set up the cross-tenant access policy.
What does the 'consent prompt' setting in the trust settings tab allow an admin to do?
- The 'consent prompt' setting allows an admin to consent on behalf of end users in their organization, so they won't face a consent prompt when accessing resources in the target tenant for the first time.
How does the outbound policy work in the context of cross-tenant synchronization?
- The outbound policy allows the admin of one tenant to consent on behalf of users in their tenant, so those users won't have to face a consent prompt when accessing resources in the target tenant.
What is the significance of the user type attribute in cross-tenant synchronization?
- The user type attribute is significant because it determines whether the user is treated as a B2B guest or a B2B member, with the latter providing a full multi-tenant organization experience.
What does the 'show in address list' attribute do in cross-tenant synchronization?
- By setting the 'show in address list' attribute to true, all users will be visible in the target tenant's gallery, allowing admins to search for users across tenants.
How can an admin quickly provision a user account in the target tenant using on-demand provisioning?
- An admin can quickly provision a user account in the target tenant by using on-demand provisioning, which allows them to create a user account within a few seconds.
What happens to user accounts when they leave the company in the context of cross-tenant synchronization?
- When a user leaves the company, the changes, including their departure, will automatically be reflected across all tenants where the user was provisioned, without requiring manual action.
How can additional users be assigned access to necessary apps in cross-tenant synchronization?
- Additional users can be assigned to a configuration, and as they join or leave the group associated with the configuration, they will be provisioned or deprovisioned automatically, with access to all the apps they need.
Outlines
🔗 Introduction to Cross-Tenant Synchronization
Arvind, a Product Manager on the Azure AD team, introduces the concept of cross-tenant synchronization. He presents a scenario where an organization, Contoso, uses M365 and Azure for collaboration and resource management, including non-Microsoft apps like Adobe. After acquiring a new company with its own Azure AD tenant and resources, they face the challenge of enabling users to access resources across different tenants. Arvind explains how Azure AD B2B can be used to invite users across tenants and assign them access to necessary resources. He also discusses the need for automation in this process to keep user data synchronized across all tenants, which is addressed by cross-tenant synchronization. Arvind then proceeds to demonstrate the setup process in the Azure portal using two example tenants, ZT Tire Company and Woodgrove.
🛠️ Setting Up Cross-Tenant Synchronization
The video script details the process of setting up cross-tenant synchronization in Azure AD. It begins with obtaining the tenant ID and navigating to external identities to add a new tenant and set up a cross-tenant access policy. The admin configures trust settings, including consent prompts, to streamline the user experience. The script then moves on to setting up an outbound policy from the source tenant to the target tenant, which involves consenting on behalf of users to avoid consent prompts when accessing resources. After the initial setup, the script describes creating a new configuration for cross-tenant synchronization, assigning users or groups to the configuration, and specifying the target tenant for provisioning accounts. The attribute mappings are explained, emphasizing the user type attribute, which defaults to B2B member for a seamless multi-tenant experience. The script also highlights how to enable users to appear in the address list of the target tenant. The video concludes with a demonstration of on-demand provisioning, showing how user accounts are quickly created in the target tenant and automatically updated or deprovisioned as users join or leave groups in the source tenant. Arvind wraps up the video with a resource link for further information.
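The two-sided setup described above (target tenant trusts the source for inbound sync and pre-consents for its users; source tenant pre-consents outbound; the sync engine verifies the policy before provisioning anyone) is easier to reason about, and to audit, outside the portal. The following is an added example, not code from the video or from Microsoft: it builds the Microsoft Graph requests that correspond to each portal checkbox and audits a partner configuration the way the engine's precondition check would. Endpoint paths and property names (`identitySynchronization`, `userSyncInbound.isSyncAllowed`, `automaticUserConsentSettings`) follow the public Graph schema for the cross-tenant access policy; the tenant IDs, display name and partner objects are constructed for the example, and nothing here makes a network call.

```python
"""Added example (not from the video or Microsoft): model and audit the
cross-tenant access policy settings that cross-tenant synchronization needs.
Tenant IDs below are constructed placeholders, not real tenants."""
import json
import uuid

SOURCE_TENANT = "11111111-1111-1111-1111-111111111111"  # plays ZT Tire Company
TARGET_TENANT = "22222222-2222-2222-2222-222222222222"  # plays Woodgrove
GRAPH = "https://graph.microsoft.com/v1.0"
PARTNERS = f"{GRAPH}/policies/crossTenantAccessPolicy/partners"


def validate_tenant_id(tenant_id: str) -> str:
    """Normalise the tenant ID an admin copied from the portal; rejects anything
    that is not a GUID so a typo cannot silently trust the wrong tenant."""
    return str(uuid.UUID(tenant_id))


def target_side_requests(source_tenant: str) -> list[dict]:
    """What the TARGET (Woodgrove) admin does: add the partner, allow it to sync
    users inbound, and consent on behalf of local users (no consent prompt)."""
    src = validate_tenant_id(source_tenant)
    return [
        {"method": "POST", "url": PARTNERS, "body": {"tenantId": src}},
        {"method": "PUT", "url": f"{PARTNERS}/{src}/identitySynchronization",
         "body": {"displayName": "ZT Tire Company",  # constructed
                  "userSyncInbound": {"isSyncAllowed": True}}},
        {"method": "PATCH", "url": f"{PARTNERS}/{src}",
         "body": {"automaticUserConsentSettings": {"inboundAllowed": True}}},
    ]


def source_side_requests(target_tenant: str) -> list[dict]:
    """What the SOURCE (ZT Tire) admin does: add the partner and set the outbound
    policy that consents on behalf of its own users accessing the target."""
    tgt = validate_tenant_id(target_tenant)
    return [
        {"method": "POST", "url": PARTNERS, "body": {"tenantId": tgt}},
        {"method": "PATCH", "url": f"{PARTNERS}/{tgt}",
         "body": {"automaticUserConsentSettings": {"outboundAllowed": True}}},
    ]


def audit_target_partner(partner: dict, expected_source: str) -> list[str]:
    """Audit a partner object (as returned by GET {PARTNERS}/{id} in the target
    tenant). Empty result = the source may sync users in without prompts."""
    findings = []
    if partner.get("tenantId") != expected_source:
        findings.append("partner tenantId does not match the expected source tenant")
    # identitySynchronization is null until the sync tab checkbox has been set
    sync = (partner.get("identitySynchronization") or {}).get("userSyncInbound") or {}
    if not sync.get("isSyncAllowed"):
        findings.append("inbound user sync not allowed: sync engine will refuse to provision")
    consent = partner.get("automaticUserConsentSettings") or {}
    if not consent.get("inboundAllowed"):
        findings.append("inbound consent not granted: synced users will see a consent prompt")
    return findings


def audit_source_partner(partner: dict, expected_target: str) -> list[str]:
    """Audit the matching partner object in the source tenant (outbound side)."""
    findings = []
    if partner.get("tenantId") != expected_target:
        findings.append("partner tenantId does not match the expected target tenant")
    consent = partner.get("automaticUserConsentSettings") or {}
    if not consent.get("outboundAllowed"):
        findings.append("outbound consent not granted: users will see a consent prompt")
    return findings


if __name__ == "__main__":
    for req in target_side_requests(SOURCE_TENANT) + source_side_requests(TARGET_TENANT):
        print(req["method"], req["url"], json.dumps(req["body"]))
    # Constructed partner object with the sync checkbox still unset.
    half_done = {"tenantId": SOURCE_TENANT, "identitySynchronization": None,
                 "automaticUserConsentSettings": {"inboundAllowed": True}}
    print(audit_target_partner(half_done, SOURCE_TENANT))
```

The audit functions deliberately treat a missing `identitySynchronization` object as "not allowed", which is the state of a partner that was added for B2B collaboration earlier but never had the cross-tenant synchronization checkbox set; that is the case the video's "I've actually added them previously" step covers.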
Keywords
💡Azure AD
💡Cross-tenant synchronization
💡M365
💡Single sign-on (SSO)
💡B2B
💡Azure portal
💡External identities
💡Consent prompt
💡Provisioning
💡Attribute mapping
💡On-demand provisioning
Highlights
Introduction to cross-tenant synchronization by Arvind, a Product Manager on the Azure AD team.
Example scenario involving Contoso organization using M365 and Azure for collaboration and resource management.
Contoso's acquisition of a new company with its own Azure AD tenant and M365 instance.
Challenge of enabling users to access resources across different tenants.
Azure AD B2B's capability to invite users across tenants and assign access to necessary resources.
Need for automation in inviting users across organizations and keeping data in sync.
Investment in cross-tenant synchronization to automate user invitations and data updates.
Demonstration of setting up cross-tenant synchronization in the Azure portal.
Procedure to add a tenant and set up cross-tenant access policy in external identities.
Explanation of trust settings and consent prompt for cross-tenant access.
Setting up outbound policy in ZT Tires to avoid consent prompt for users accessing Woodgrove resources.
Configuration process for cross-tenant synchronization, including naming and assigning users/groups.
Provisioning accounts into the target tenant without the need for additional credentials.
Attribute mappings for synchronization, including user type and show in address list.
On-demand provisioning to quickly create user accounts in the target tenant.
Automatic updates and deprovisioning of user accounts as they leave the company or change groups.
Conclusion and invitation to learn more about cross-tenant synchronization.
Transcripts
>> [music]
>> Hi, I’m Arvind and I’m a Product Manager on the Azure AD team. In this video, I’ll be talking to you about cross-tenant synchronization. Let’s take a look at an example scenario.

Here I’ve got an organization, Contoso. And today they’re using M365 for collaboration, Azure to manage cloud resources, and non-Microsoft apps like Adobe. They’ve set up single sign-on, and users in this organization are easily able to access the apps that they need. Over time they acquire a new company and that company has its own Azure AD tenant with its M365 instance, Azure resources, as well as non-Microsoft apps like ServiceNow. Over time these companies start to function more like one and users, like User 1, need to access ServiceNow in the other tenant or User 2 needs to access Adobe in the other tenant. How do you enable these users to access resources across the boundaries of their tenant?

Well, today with Azure AD B2B, you can invite these users across tenants and assign them access to the resources that they need. We’ve heard from you that you want to automate this process and invite users across organizations and keep their data in sync, so when someone changes their name, changes departments, leaves the company, we’ve heard from you that you want that information to get reflected across all the tenants that that user is collaborating in. So we’ve invested in cross-tenant synchronization which automatically invites these B2B users across tenants in your organization, as well as keeps them up to date and removes accounts when someone leaves the company.

Let’s take a look at the Azure portal and see how this is set up. For this demo, I’ve got two tenants, ZT Tire Company and Woodgrove. To get this set up, I’ll first grab the tenant ID of ZT Tire Company and go into external identities in the Woodgrove tenant. Here I can choose to add ZT Tire Company and set up the cross-tenant access policy. I’ve actually added them previously, so I can go into the existing policy and click on the cross-tenant synchronization tab. Here, I as the admin of the Woodgrove tenant, can say that I trust the ZT Tire Company to sync users into my tenant. Once I’ve checked this checkbox, I can switch over to the trust settings tab, where I’ll see a new section for consent prompt. Here, I as the admin of Woodgrove, can consent on behalf of end users in my organization so that when they access resources in my tenant for the first time, they won’t face a consent prompt. With both those checkboxes selected, I’m actually done on the Woodgrove or target side with setting up cross-tenant sync.

Now let’s switch back to ZT Tires. Here I can go into external identities. And I’ll set up an outbound policy where I am also consenting on behalf of users in my tenant so that way those users don’t have to face the consent prompt when they access resources in the Woodgrove tenant.

Now that that initial setup is done, I can go into cross-tenant synchronization and choose to add a new configuration. I’ll provide it a name. We’ll call it ZTTire to Woodgrove and then create the configuration. Now clicking on the configuration, I can first assign a user or a group to the configuration. Previously I created a user called CrossTenantSynchronization, so I’ll go ahead and assign them. Now to set up cross-tenant sync, I will need the ID of the target tenant. So here I’ll grab the Woodgrove tenant ID. And then going into provisioning, specify the target tenant that I’d like to provision accounts into. That’s it. No credentials or anything to manage. Once I’ve provided the target tenant, I can save the configuration. And our sync engine will check to make sure that that cross-tenant access policy is in place before syncing any users.

Now going into the attribute mappings, I can define which attributes I want to synchronize. We’ve got a set of defaults here. You can choose to delete these mappings, add additional attributes. For example, if you need to sync a directory extension, you’ll be able to choose that from the list of attributes. I’ll bring your attention to two attributes in particular. First is the user type. Most of you are probably using the B2B guest user type today. The default for cross-tenant synchronization will be B2B member to provide that full multi-tenant organization experience so that it feels like these users are just part of one tenant. If you’d like to update existing users from guest to member, you can choose to change the mapping to always and convert existing users. We also have an attribute here called show in address list. By setting this as a constant where the value is true, all users will then light up in the gallery in the target tenant and you’ll be able to search for users across tenants.

Now let’s move back and transition to on-demand provisioning where I can quickly provision this in a few seconds and show that the user account has been created. Now I’ll search for the user CrossTenantSynchronization. And in a few seconds, that account will get created in the target tenant. Switching over to the target tenant, I can search for the user that I just created. And here we can see that that account was created and they’ve been created as a type member. As we make updates to this user, as they leave the company, those changes will automatically be reflected across tenants without you having to take action.

Switching back to my previous tenant, I could choose to assign additional users to this configuration or, more likely, assign a group to the configuration. And as users come into the group, they’ll get provisioned automatically. As they leave the group, they’ll get deprovisioned automatically and you can assign those users access to all the apps that they need. Thanks for watching this video and to learn more, you can go to aka.ms/CrossTenantSynchronization.
>> [music]