From Manual to Automatic: How Cross-Tenant Sync Transforms User Management



Organizations rarely operate in a single directory any more. Mergers, acquisitions, regulatory boundaries, or the need to separate workloads often force IT teams to manage multiple Microsoft Entra ID tenants. Keeping users in sync across these tenants so they can collaborate without barriers has traditionally required manual invitations or complex scripts. Cross‑tenant synchronization is a cloud‑native provisioning service that solves this problem. It automatically creates, updates, and deletes B2B collaboration users across tenants and, when combined with cross‑tenant access policies, gives users a seamless experience across environments. In this blog we explore why cross‑tenant synchronization matters, the different topologies it supports, new cross‑cloud capabilities, and how to get started.

Why cross‑tenant synchronization?

The service was designed to solve a simple but pervasive problem: keeping users synchronized across tenant boundaries. In a multi‑tenant organization there may be a single “parent” tenant where identities are mastered but several spoke tenants for different business units or regions. Cross‑tenant synchronization automates creating, updating and deleting B2B collaboration users so that employees can access apps and services in any tenant without receiving separate invitations. It also supports access to both Microsoft apps (Teams, SharePoint) and third‑party applications. The result is:
  • Seamless collaboration – users don’t need to accept consent prompts for every tenant; once synchronized they can simply sign in and work across tenants.
  • Automated lifecycle management – accounts are provisioned when users join and removed automatically when they leave, eliminating stale guest accounts.
  • Unified security controls – synchronized users benefit from the same conditional access, multifactor authentication and entitlement management policies as local users.
Cross‑tenant synchronization is built on the Microsoft Entra provisioning engine and is a push process: administrators in the source tenant define the scope and attributes to synchronize; the target tenant simply receives objects. Only internal member accounts are synced from the source; external guest accounts in the source are not provisioned. Attribute mappings and extension attributes are fully supported, and target administrators can stop the job at any time.

Consent and automatic redemption

Normally, B2B collaboration requires guests to accept an invitation and a consent prompt the first time they access a resource. Cross‑tenant synchronization introduces an automatic redemption setting in each tenant. When both the source and target enable this setting, invitations are automatically redeemed and the consent prompt is suppressed. This makes collaboration truly seamless. The setting is optional but required for cross‑tenant synchronization to suppress invitations; B2B collaboration and B2B direct connect can use it but do not require it.

Topology options

Organizations rarely follow a single pattern, so the Entra team designed cross‑tenant synchronization to accommodate multiple topologies. The three models described in the documentation are hub‑and‑spoke, mesh and just‑in‑time.

Hub‑and‑spoke

In the hub‑and‑spoke topology, there is a central hub tenant and one or more spoke tenants. There are two common patterns:

  • Application hub – commonly used applications are integrated into a central hub. During a merger or acquisition, employees from the acquired company can be provisioned into this hub on day one, giving them immediate access to SaaS and on‑premises applications. Access packages in the hub can provide time‑limited access to additional applications like Salesforce or AWS.
[Figure: Mergers and acquisitions (application hub). Image source: Microsoft]


  • User hub – alternatively, all users live in the hub tenant while resources are deployed in spoke tenants. Administrators establish centralized security and governance policies in the hub and provision users into the spoke tenants where specific resources live.
[Figure: Separate collaboration and resource tenants (user hub). Image source: Microsoft]

Mesh

For organizations with a decentralized structure, where each business unit has its own tenant with dedicated applications or HR systems, a mesh topology may be more appropriate. In a partial mesh, each tenant provisions a subset of its users into partner tenants within the same parent company. This allows tenants to operate independently but still collaborate when necessary. 

[Figure: Collaborate within a portfolio company (partial mesh). Image source: Microsoft]
In a full mesh deployment, every tenant provisions all users into every other tenant. This is common when business units collaborate closely, for example in shared Microsoft Teams channels. As new employees join or leave, the provisioning engine creates or removes the corresponding external accounts automatically.

Below is a conceptual mesh topology diagram showing bidirectional synchronization between three tenants:
[Figure: Collaborate across business units (full mesh). Image source: Microsoft]

Just‑in‑time (JIT) collaboration

Not all collaboration scenarios require full‑time synchronization. In joint ventures or temporary projects involving separate legal entities, it may be preferable to provision users just in time. Entra’s connected organizations and entitlement management features allow a user from an external organization to request access to a package of resources. When approved, the user is provisioned and assigned the necessary permissions; when the project ends, access is removed. This model supports cross‑organization collaboration while respecting regulatory boundaries.

[Figure: Just-in-time joint ventures. Image source: Microsoft]

Cross‑cloud synchronization (public preview)

Until recently, cross‑tenant synchronization worked only within a single cloud (for example, commercial to commercial or government to government). In June 2025 Microsoft announced cross‑cloud synchronization in public preview. This feature automates user lifecycle management across Microsoft’s commercial, US Government, and China clouds. It is off by default and must be explicitly enabled by administrators.

  • Supported pairs – commercial → US Government, US Government → commercial, and commercial → China.
  • Licensing – each synchronized user in the source tenant must have a Microsoft Entra ID Governance or Entra Suite license. This is an add‑on to Entra ID P1 or P2. Target tenants do not need additional licenses.
Organizations considering cross‑cloud synchronization should ensure their environment meets the requirements for the cloud pairs they plan to use and review the known limitations and licensing guidance.

License requirements

Licensing depends on whether you are synchronizing within the same cloud or across clouds. For same‑cloud synchronization, each user in the source tenant must have a Microsoft Entra ID P1 license. For cross‑cloud synchronization, each synchronized user must have a Microsoft Entra ID Governance or Entra Suite license. Target tenants do not need licenses for cross‑tenant synchronization, but additional licenses may be needed for features like External ID billing or advanced security controls.

Configure cross-tenant synchronization

[Figure: Cross-tenant synchronization configuration diagram. Image source: Microsoft]

Planning your deployment

Planning is key to a successful cross‑tenant synchronization deployment. Before turning the feature on, consider the following:
  • Define your topology – decide whether a hub‑and‑spoke, mesh or JIT model fits your organization. You can mix models; for example, use a hub for line‑of‑business apps and a mesh for Teams collaboration.
  • Identify scope – choose which users need to be synchronized and which attributes to include. You control the scope and attribute mapping in the source tenant. You can also apply scoping filters to include or exclude certain users or groups.
  • Enable in the target tenant first – administrators must enable cross‑tenant synchronization and the B2B automatic redemption setting in the target tenant. This is a simple checkbox in the Entra portal and can also be configured via Graph API.
  • Configure the source tenant – in the source tenant, enable the automatic redemption setting and define the cross‑tenant synchronization job: select the target tenant, set the provisioning scope, and map attributes.
  • Test and monitor – start with a small set of users to validate that attributes map correctly and that users can access the right resources. Provisioning logs and audit logs provide visibility into synchronization activity. The sync engine runs every 40 minutes by default and initial cycles may take longer.

Enable User Synchronization in the Target Tenant

To allow users from another tenant to be synchronized into your environment, follow these steps from the target tenant:

1. Sign in to the Microsoft Entra admin center using an account in the target tenant.
2. Navigate to Entra ID > External Identities > Cross-tenant access settings. Under the Organization settings tab, click Add organization.
[Figure: Target tenant Cross-tenant access settings]
3. Enter the tenant ID or domain name of the source tenant (the one you want to sync users from), then click Add.
[Figure: Target tenant Add organization settings]
4. For the newly added organization, under Inbound access, click Inherited from default.
[Figure: Target tenant Inbound access settings]
5. Switch to the Cross-tenant sync tab, make sure Allow users sync into this tenant is checked, and click Save.
[Figure: Target tenant Cross-tenant sync settings]
6. Go to the Trust settings tab and check Automatically redeem invitations with the tenant <Tenant name>.
[Figure: Cross-tenant sync Trust settings]

Configure Automatically Redeem Invitations in the Source Tenant

To enable automatic redemption of invitations for users in the source tenant, follow these steps:

1. Sign in to the Microsoft Entra admin center using an account in the source tenant.
2. Navigate to Entra ID > External Identities > Cross-tenant access settings.
3. On the Organization settings tab, click Add organization.
[Figure: Source tenant Cross-tenant access settings]
4. Enter the tenant ID or domain name of the target tenant (the one users are being synchronized to), then click Add.
[Figure: Source tenant Add organization]
5. For the newly added target organization, under Outbound access, the setting shows Inherited from default; select it to open the Outbound access settings.
[Figure: Inbound Access Settings]
6. Switch to the Trust settings tab. Check the box labeled Automatically redeem invitations with the tenant <tenant>.
[Figure: Source tenant Outbound access settings]

⚠️ Important:
If you're configuring one-way synchronization from the source tenant to the target tenant only, ensure that in the Cross-tenant sync settings of the source tenant, the option "Allow users sync into this tenant" is unchecked.
[Figure: Cross-tenant sync Allow users sync into this tenant]
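The target-tenant and source-tenant steps above, expressed as the Microsoft Graph calls behind the portal checkboxes. This is an added example and not code from the original post: the tenant IDs are constructed placeholders, and obtaining an access token for the tenant being configured (with the Policy.ReadWrite.CrossTenantAccess permission) is assumed to happen elsewhere.

```python
"""Graph calls behind the target- and source-tenant portal steps.

Added example, not from the original post. The tenant IDs are
constructed placeholders; an access token holding the
Policy.ReadWrite.CrossTenantAccess permission is assumed to be
obtained separately (e.g. via MSAL) and passed to send().
"""
import json
import urllib.request
from typing import Optional

PARTNERS = "https://graph.microsoft.com/v1.0/policies/crossTenantAccessPolicy/partners"

# Constructed placeholder tenant IDs; replace with the real GUIDs.
SOURCE_TENANT = "11111111-1111-1111-1111-111111111111"
TARGET_TENANT = "22222222-2222-2222-2222-222222222222"


def target_tenant_plan(source_tenant: str) -> list:
    """Run while signed in to the TARGET tenant: add the source org as a
    partner, allow inbound user sync, and auto-redeem its invitations."""
    partner = f"{PARTNERS}/{source_tenant}"
    return [
        # 409 Conflict here just means the partner already exists.
        {"method": "POST", "url": PARTNERS, "body": {"tenantId": source_tenant}},
        {"method": "PUT", "url": f"{partner}/identitySynchronization",
         "body": {"displayName": "Source tenant",
                  "userSyncInbound": {"isSyncAllowed": True}}},
        {"method": "PATCH", "url": partner,
         "body": {"automaticUserConsentSettings": {"inboundAllowed": True}}},
    ]


def source_tenant_plan(target_tenant: str, one_way: bool = True) -> list:
    """Run while signed in to the SOURCE tenant: add the target org as a
    partner and auto-redeem outbound invitations. one_way=True explicitly
    refuses inbound sync from the target (the 'unchecked' state above)."""
    partner = f"{PARTNERS}/{target_tenant}"
    plan = [
        {"method": "POST", "url": PARTNERS, "body": {"tenantId": target_tenant}},
        {"method": "PATCH", "url": partner,
         "body": {"automaticUserConsentSettings": {"outboundAllowed": True}}},
    ]
    if one_way:
        plan.append({"method": "PUT", "url": f"{partner}/identitySynchronization",
                     "body": {"displayName": "Target tenant",
                              "userSyncInbound": {"isSyncAllowed": False}}})
    return plan


def inbound_sync_allowed(plan: list) -> Optional[bool]:
    """Pre-flight check: which inbound-sync state does a plan set?
    None means the plan leaves it inherited from default."""
    for req in plan:
        if req["url"].endswith("/identitySynchronization"):
            return req["body"]["userSyncInbound"]["isSyncAllowed"]
    return None


def send(req: dict, token: str) -> dict:
    """Execute one planned call against Microsoft Graph (network required)."""
    http = urllib.request.Request(
        req["url"], data=json.dumps(req["body"]).encode(), method=req["method"],
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(http) as resp:
        raw = resp.read()
        return json.loads(raw) if raw else {}
```

Run inbound_sync_allowed() on both plans before calling send(): for one-way sync the target plan must answer True and the source plan False.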

Create a Cross-Tenant Sync Configuration in the Source Tenant

To define how users are synchronized from the source tenant, follow these steps:

1. In the source tenant, go to the Microsoft Entra admin center.
2. Navigate to Entra ID > External Identities > Cross-tenant synchronization.
[Figure: Cross-tenant synchronization Configuration]
3. Select the Configurations tab.
4. At the top of the page, click New configuration.
[Figure: Cross-tenant synchronization New configuration]
5. Enter a name for the configuration that clearly identifies its purpose (e.g., "Sync to Demo Tenant").
6. Click Create.
[Figure: New cross-tenant synchronization configuration]

Note: It may take up to 15 seconds for the new configuration to appear in the list.

Once your configuration is created in the source tenant, complete the setup as follows:

7. You should now see your new configuration listed. If it’s not visible yet, wait a few seconds and refresh the page.
8. In the configuration list, click your configuration and then select Get started.
[Figure: Cross-tenant synchronization Get started]
9. Set the Provisioning Mode to Automatic.
10. In the Admin Credentials section, make sure Authentication Method is set to Cross-tenant synchronization policy. In the Tenant ID field, enter the tenant ID of the target tenant.
[Figure: Cross-tenant synchronization Provisioning]
11. Click Test Connection to verify the setup. You should see a confirmation message stating that the supplied credentials are authorized for provisioning.
12. Select Save to apply your changes.
[Figure: Test connection and save]
13. After saving, the Mappings and Settings sections become available for further configuration. You can now close the Provisioning page.
[Figure: Provisioning Mapping settings]

Now, let’s move on to selecting the users you want to provision into the target tenant:

1. In the source tenant, go to your cross-tenant sync configuration and open the Users and groups section.
2. Click Add users.
3. Choose the users you want to sync into the target tenant, then click Select to confirm.
[Figure: Add users to Cross-tenant sync]

Note: Currently, only user objects are supported for provisioning. Group provisioning is not yet available as of August 2025.

Once added, these users will be provisioned into the target tenant based on your configuration settings.

[Figure: Cross-tenant sync Users]

Even if you selected a broader scope earlier, you can further narrow down which users get synchronized by applying attribute-based scoping filters.

Here’s how to configure it:

1. In the source tenant, go to your cross-tenant provisioning configuration.
2. Select Provisioning, then expand the Mappings section.
[Figure: Provisioning Attributes Mapping]
3. Click Provision Microsoft Entra ID Users to open the Attribute Mapping page. Under Source Object Scope, select All records.
[Figure: Attribute Mapping Source Object Scope]
4. On the Source Object Scope page, click Add scoping filter.
5. Define your scoping filter based on attributes (e.g., department, extensionAttribute) to include only specific users. Click OK, then select Save to apply the changes.
[Figure: Add scoping filter]

Note: If you add or modify a filter, you'll receive a prompt indicating that all assigned users will be re-synchronized, which may take time depending on the directory size. Confirm by selecting Yes, then close the Attribute Mapping page.

Attribute mappings

These mappings define how user data flows from the source tenant to the target tenant. Here's how to review and optionally customize them:

1. In the source tenant, go to your cross-tenant provisioning configuration.
2. Select Provisioning, then expand the Mappings section.
[Figure: Attribute Mapping]
3. Click Provision Microsoft Entra ID Users to open the Attribute Mapping page.
4. Scroll down to the Attribute Mappings section to view the list of user attributes being synchronized between tenants.

Note on matching attributes: the first attribute listed, alternativeSecurityIdentifier, is an internal identifier used to:

  • Uniquely identify users across tenants
  • Match existing users in the target tenant
  • Prevent duplication of user accounts

You can customize how certain attributes (like displayName) are synchronized by applying transformation expressions. To do this:

1. On the Attribute Mapping page, select the attribute you want to transform (e.g., displayName).
[Figure: Attribute Mapping Edit]
2. Set the Mapping type to Expression.

In multi-tenant synchronization scenarios, it’s often helpful to clearly indicate the origin of a user account, especially when managing users from multiple source tenants in a shared environment. To make this visible at a glance, you can customize the displayName attribute by appending the source domain name (e.g., acmebh.com) during provisioning.

3. In the Expression box, enter your custom transformation logic. Expression used:

Join(" ", [displayName], "(acmebh.com)")

This transformation retains the user’s original display name and adds the source domain in parentheses.
[Figure: Attribute Mapping Expression config]

Example: if the original displayName is Anil Kumar, the transformed result will be:
Anil Kumar (acmebh.com)
[Figure: Attribute Mapping Save Configuration]

This small but effective customization improves clarity for administrators, end users, and access reviews across tenants, especially in shared directories, PIM-eligible roles, and cross-tenant Teams collaboration scenarios.

After setting up attribute mappings and scoping filters, it’s important to configure notification and safety options to ensure smooth and secure synchronization.

Follow these steps in the source tenant:

Go to your cross-tenant Provisioning configuration and expand the Settings section.

Email Notifications for Failures

Check the box labeled Send an email notification when a failure occurs.
In the Notification Email field, enter the email address of the person or group who should receive alerts.
Email alerts are triggered within 24 hours if the provisioning job enters a quarantine state due to persistent errors.

Prevent Accidental Deletion

Check the Prevent accidental deletion option to safeguard against mass user removals.
Set a threshold value; the default is 500. If the number of deletions in a sync run exceeds this limit, the provisioning job is paused automatically.
Click Save to apply all changes.

[Figure: Provisioning settings]

Start the Provisioning Job

Under Provisioning Status, switch the toggle to On to start the provisioning process.
Once enabled, the system begins synchronizing users from the source tenant to the target tenant based on your defined settings.
[Figure: Turn on provisioning]

The initial provisioning run has completed successfully. The two users that were assigned in the configuration have been automatically provisioned into the target tenant as expected.

This confirms that the cross-tenant synchronization is working correctly and the setup is functioning as intended.
[Figure: Provisioning run has completed successfully]

In the target tenant, if we navigate to the Users section, we can see that the two users have been successfully created. Their display names have been transformed as configured, with the source domain (acmebh.com) appended, making it easy to identify their origin.

This confirms that both the provisioning and attribute transformation logic are functioning correctly.

[Figure: Target tenant B2B users]

By default, cross-tenant synchronization runs automatically every 40 minutes. However, if you need to trigger provisioning manually, for example after adding new users or making configuration changes, you can use the On-Demand Provisioning option.

To run a manual sync:

1. Go to your provisioning configuration in the source tenant.
2. Select Provision on demand.
3. Choose a user from the list; these are users already assigned in the Users and groups section.
4. Start the provisioning process immediately for the selected user(s), without waiting for the next scheduled sync cycle.
[Figure: Provision on demand]

This is especially useful for testing or urgent updates that shouldn't wait for the next 40-minute interval.

Provisioning Logs

The Provisioning Logs section provides detailed visibility into the status of each provisioning cycle. Here, you can:

  • View the overall status of provisioning runs (success, in progress, or failure)
  • Identify and troubleshoot errors with clear messages and recommended actions
  • Review a summary of operations performed during each cycle
  • See the modified attributes for each user that was provisioned or updated
This section is essential for verifying sync behavior and ensuring users are being provisioned as expected across tenants.
[Figure: Provisioning Logs]

Important:
If users are provisioned into the target tenant, they can still manually remove themselves. If they do and remain in scope, they'll be re-provisioned in the next sync cycle.

To prevent this: go to Entra ID > External Identities > External collaboration settings in the target tenant. Under External user leave settings, set the option to No.

This blocks external users, including B2B collaboration and B2B direct connect users, from leaving the organization on their own.
[Figure: Entra ID External user leave settings]

Troubleshooting Tips

1. Why is the “Automatically redeem invitations” checkbox disabled?

Symptom:
When configuring cross-tenant synchronization, the Automatic redemption checkbox is grayed out.

Cause:
Your tenant doesn't have the required Microsoft Entra ID license.

Solution:
Ensure your tenant is licensed with Microsoft Entra ID P1 or P2 to enable trust settings and automatic redemption.

2. Why isn’t a recently deleted user in the target tenant restored during the next sync?

Symptom:
A synchronized user soft-deleted in the target tenant is not restored on the next sync.
In some cases, re-syncing manually creates duplicate users.

Cause:
Restoring soft-deleted users automatically via provisioning is not supported.

Solution:
Manually restore the soft-deleted user from the Deleted users section in the target tenant.

3. Why are some users skipped during synchronization?

Symptom:
Users are unexpectedly excluded from sync. Logs show: Filter external users.alternativeSecurityIds EQUALS 'None'

Cause:
These users have SMS sign-in enabled, which interferes with provisioning.

Solution:
Disable SMS sign-in for affected users in the source tenant before syncing.

4. Why do users fail to provision with the error “AzureActiveDirectoryForbidden”?

Symptom:
Provisioning fails for users in scope with the following error: Guest invitations not allowed for your company

Cause:
The Guest invite settings in the target tenant are set to the most restrictive level: “No one in the organization can invite guest users, including admins.”

Solution:
In the target tenant, change the Guest invite settings to a less restrictive level (e.g., allow admins or specific users to invite guests).

Conclusion

Cross‑tenant synchronization is a powerful capability that brings order to multi‑tenant chaos. It enables seamless collaboration, automates user lifecycle management and maintains security across tenant boundaries. By choosing the right topology, understanding the licensing implications and planning your deployment carefully, you can unlock new levels of agility and productivity in your organization. With cross‑cloud synchronization on the horizon, Entra ID is poised to make collaboration across Microsoft clouds as simple as working within a single tenant.
