,

Cross-tenant synchronization – is it for you?

Are you managing multiple tenants or having guests from other tenants?

Well, in that case, you might benefit from cross-tenant synchronization in Azure Active Directory.

Lets have a look at use-cases, trusting MFA/Compliance, security considerations and what about Cloud PCs like Windows 365?

Use-Cases

We wait and we wait for cross tenant features, and I get it, it is not the first priority for Microsoft to make customers multi-tenant or support cross tenant management.

But Microsoft recently released cross tenant synchronization, so if you don’t have a system in place to manage guest (b2b) accounts lifecycle, here is a possible option for us.

Cross tenant synchronization requires a two-way relation between the source tenant and the tenant receiving the guest accounts. Once that is in place, it is the source tenant that decides which users and properties are synchronized to the receiving tenant.

No alt text provided for this image
Add Organization on bought sides to create a relationship

Because it is controlled by the source tenant, it restricts the use-cases a bit. Because if you are managing the receiving tenant, you don’t have control over who becomes guests in your tenant. You do control the access they get, but the unwanted guest accounts shouldn’t be in your tenant at all.

No alt text provided for this image
Cross tenant synchronization use cases

Use-Case 1, is when you manage bought tenants and control bought sides of the synchronization. It can be useful when you develop services for customers in one tenant, and your org/developers/operators are hosted in a different tenant. You can then automatically synchronize developers and operators to the customer facing tenant.

Use-Case 2, is when you have a trusted partner and you can trust them to only synchronize users belonging to the team or users who should have guest access to your tenant. You might have out-sourced operations, and the team operating your platform can do the work as guests in your tenant.

Trust MFA and Compliant device

Paired with the tenant relationship necessary for cross tenant synchronization, the receiving tenant can also trust MFA and Compliant device status from the source tenant.

Trusting MFA (Azure MFA) will ease the guest users from another MFA setup and without the need to perform MFA when entering your receiving tenant, because you can trust that the guest has already performed MFA in their source tenant.

Trusting the compliant device status from the source tenant will allow you to continue using your conditional access rules, even if the guests devices are managed by their source tenant. You don’t have to make an exception from your rules.

No alt text provided for this image
Trust settings

Security

As mentioned before, if you only manage the receiving tenant, you only have an on and off switch for all or nothing being synchronized into your tenant.

That’s why Microsoft’s statement today is: “Cross-tenant synchronization is not currently suitable for use across organizational boundaries.”

Trusting MFA and Compliant device status is very user-friendly. But if your not managing bought tenants, trusting the Compliance status requires either trust in the source tenant administrators (agree on compliance settings) and maybe even an official documented agreement. This will also require you to do audit in order to make sure settings haven’t changed without your consent. It goes with the saying ‘trust, but verify’ as we use in zero trust architecture.

No alt text provided for this image
Cross-tenant sync setting at target tenant (inbound from source)

Cloud PCs

As a consultant I have access to customers tenant, but I would rather have guest access to a Cloud PC fully Managed by each customer.

I will always be compliant with each customers Security posture, and not ask my customers to accept my companies security. It doesn’t mean we don’t have good security, you just might meet a customer with more security enabled. Probably for good reasons, but we don’t all have the same risks to mitigate.

This works for me, because I don’t work with double digit number of customers at the same time. Its less confusing than browser profiles, etc. and will integrate with desktop switch in Windows.

So, to all Microsoft Employees and MVPs on the road to MVP Summit 2023, I am voting for guest access to Windows 365 and Azure Virtual Desktop. I know its not an easy one, so I am asking for a lot. Maybe for Christmas?

No alt text provided for this image

#Securitytip

One of the most necessary things to remember when implementing security, it has to be user-friendly. Otherwise users will find workarounds or start a movement against you. Usually if the security makes it harder for them to do their work. This will very often be enough when to many users report this to the leaders in your company.

Ehlo!

I am Roy Apalnes, a Microsoft Cloud Evangelist working av Sopra Steria. Main focus in Microsoft Security and Endpoint Management, with a bigger picture in mind.

Featured Posts