Multi-Tenant User Collaboration Patterns in Azure Active Directory



About this paper

This whitepaper details options for managing users across Azure Active Directory tenants. There are enhancements in progress and planned across Office 365 and the Microsoft identity platform to address these more complex organizational needs.

This document focuses on achieving user lifecycle management—that is, provisioning, managing and deprovisioning users—across tenants with existing tools, specifically by using Azure Active Directory B2B Collaboration.

Please always check for the latest version of this document at https://aka.ms/Multi-tenant-users.

© 2020 Microsoft Corporation. All rights reserved. This document is provided “as is.” Information and views expressed in this document, including URL and other internet website references, may change without notice. You bear the risk of using it.
Contents

Learn about Azure AD B2B Collaboration
  Terminology
Deciding how to meet your requirements
  Common Requirements
  Patterns for B2B account creation
End-user initiated collaboration
  Provision accounts
  Manage accounts
  Deprovision accounts
Scripted collaboration
  Provision accounts
  Manage accounts
  Deprovision accounts
Synchronized Collaboration
  Provision accounts
  Manage accounts
  Deprovision accounts
Common considerations
  Directory object considerations
  Azure AD conditional access considerations
  Other access control considerations
  Office 365 considerations
  Licensing considerations for B2B users
Solving Challenges
  Challenge: Automatic User Lifecycle Management and resource allocation across tenants
  Challenge: Sharing on-premises apps across tenants
Multi-tenant user collaboration patterns in Azure Active Directory
For most organizations, provisioning users into a single Azure Active Directory (Azure AD) tenant provides them with a unified view of resources and a single set of policies and controls that enable consistent user lifecycle management. Microsoft recommends a single tenant when possible, and many of our cloud services are designed for a single tenant. However, we recognize that immediate consolidation to a single Azure AD tenant is not always possible. Multi-tenant organizations may span two or more Azure AD tenants – resulting in unique cross-tenant collaboration and management requirements.

Organizations may have identity and access management (IAM) requirements that are complicated by:

• mergers, acquisitions, and divestitures.
• collaboration across public, sovereign, and/or regional clouds.
• political or organizational structures prohibiting consolidation to a single Azure AD tenant.

There are enhancements in progress and planned across Office 365 and the Microsoft identity platform to address these more complex organizations.

This document focuses on achieving user lifecycle management—that is, provisioning, managing and deprovisioning users—across tenants with existing tools, specifically by using Azure AD B2B Collaboration.

Learn about Azure AD B2B Collaboration

Azure Active Directory (Azure AD) business-to-business (B2B) collaboration lets you securely share your company's applications and services with guest users from any other organization, while maintaining control over your own corporate data. Azure AD B2B Collaboration is the mechanism you will use to manage users across your multi-tenant scenario.

You may want to examine the following articles to learn more about Azure AD B2B collaboration:

Conceptual articles
• B2B Best Practices: Recommendations for the smoothest experience for your users and administrators.
• B2B and Office 365 external sharing: Explains the similarities and differences among sharing resources through B2B, Office 365, and SharePoint/OneDrive.
• Properties on an Azure AD B2B collaboration user: Describes the properties and states of the B2B guest user object in Azure Active Directory (Azure AD) before and after invitation redemption.
• B2B user tokens: Provides examples of the bearer tokens for a B2B collaboration user.
• Conditional access for B2B: Describes how conditional access and MFA work for B2B users.

How-to articles
• Use PowerShell to bulk invite Azure AD B2B collaboration users: Learn how to use PowerShell to send bulk invitations to external users.
• Enforce multi-factor authentication for B2B guest users: Using conditional access, MFA policies can be enforced at the tenant, app, or individual guest user level.
• Email one-time passcode authentication: The Email one-time passcode feature authenticates B2B guest users when they can't be authenticated through other means like Azure AD, a Microsoft account (MSA), or Google federation.

Terminology
Throughout this document you will see the following terms:
• Resource Tenant: The Azure AD tenant containing the resources that users want to
share with others.
• Home Tenant: The Azure AD tenant containing users requiring access to the resources
in the resource tenant.
• User Lifecycle Management (AKA User Governance): the process of provisioning,
managing, and deprovisioning user access to resources.
• Unified GAL: Each user in each tenant can see all other users in their GAL.

Deciding how to meet your requirements
Your organization’s unique requirements will determine your strategy for managing your users
across tenants. You must consider the number of tenants, the type of organization, your current
topologies, and your specific user synchronization needs.

Common Requirements
Many organizations initially focus on requirements they want in place at the time of a merger or
acquisition. Sometimes known as “Day One” requirements, they focus on enabling end users to
merge smoothly without interrupting their ability to generate value for the company.

Consider your needs in the following Day One and administrative requirement categories.

Communications requirements
• Single email domain: Enable all users to send and receive mail from a single email domain, for example [email protected]. This requires a 3rd party address rewrite solution today.
• Unified global address list: Each user in each tenant can see all other users in their GAL.
• Free/Busy information: Enable users to determine each other’s availability. You can do this with Organization relationships in Exchange Online.
• Chat and presence: Enable users to determine others’ presence and initiate instant messaging. This can be configured through external access in Microsoft Teams.
• Book resources such as meeting rooms: Enable users to book conference rooms or other resources across the organization. Cross-tenant conference room booking is not possible today.

Access requirements
• Document access: Enable users to share documents from SharePoint, OneDrive, and Teams.
• Application access: Allow end users to access applications across the organization.
• Single Sign-on: Enable users to access resources across the organization without the need to enter additional credentials.

Patterns for B2B account creation
There are several mechanisms available for creating and managing the lifecycle of your B2B
accounts. Working with dozens of multi-tenant organizations, we’ve distilled three patterns that
can help you meet your requirements. You can choose which will best meet your needs. Then
you can delve into the details of that method.

Mechanism: End-user-initiated
Description: Resource tenant admins delegate the ability to invite users to the tenant, an app, or a resource to users within the resource tenant. Users from the home tenant are invited or sign up individually.
Best when:
• Users need ad hoc access to resources.
• No automatic synchronization of user attributes is necessary.
• Unified GAL is not needed.

Mechanism: Scripted
Description: Resource tenant administrators deploy a scripted “pull” process to automate discovery and provisioning of identities to support resource access.
Best when:
• No more than two tenants.
• No automatic synchronization of user attributes is necessary.

Mechanism: Synchronized
Description: Resource tenant admins use a provisioning system that automates the provisioning and deprovisioning processes.
Best when:
• Provisioning and deprovisioning need to be automated.
• Attribute syncing is required.

End-user initiated collaboration
Consider this scenario typical of customers who use this pattern:

A global professional services firm works with sub-contractors on a project. Sub-contractor users
require access to firm applications and documents. Admins at the firm can delegate to firm end-
users the ability to invite or configure self-service for sub-contractor resource access.

Provision accounts
There are five ways end users can get invited to access resource tenant resources.

1. Application-based invitations. Microsoft applications may enable invitation of B2B users. B2B invitation settings must be configured both in Azure AD B2B and in the relevant application(s).

2. MyApps. Users invite and assign a B2B user to an application using MyApps if they are an application self-service sign-up approver. They can invite users to a group if they are a group owner.

3. Entitlement Management. Enables admins to tie resources, allowed external organizations, user expiration, and access policies together in access packages. Access packages can be published to enable self-service sign-up for resource access by partner users.

4. Azure Portal. End users given the Guest Inviter role can log in to the Azure Portal and invite B2B users from the Users menu in Azure Active Directory.

5. Programmatic (PowerShell, Graph API). End users given the Guest Inviter role can invite B2B users via PowerShell or Graph API. We’ve developed sample code for a self-service B2B portal using these APIs.

Redeeming an invitation
Invitations to access resources results in an email invitation to the invited address. When a B2B
collaboration user receives an invitation, they have two options for redeeming it.

Redemption URL
By accessing the redemption URL in the email, the invited user can approve or deny the
invitation (creating an account if necessary).

Just-In-Time Redemption
If the invited user already has an Azure AD or Microsoft account or email one-time passcodes
are enabled, then the user can access the resource URL directly for just-in-time redemption.

During JIT redemption, the user must [1] accept the Privacy Terms agreement page before accessing the resource.

PowerShell allows control over whether an email is sent when inviting via PowerShell.

You can allow or block invitations to B2B users from specific organizations by using an allow or a
deny list.

For more information see Azure Active Directory B2B collaboration invitation redemption.

! Important
We strongly recommend enabling email one time passcode authentication, a
preview feature. The Email one-time passcode feature authenticates B2B guest users
when they can't be authenticated through other means like Azure AD, a Microsoft
account (MSA), a Gmail account through Google federation, or an account from a
SAML/WS-Fed IDP through Direct Federation. With one-time passcode
authentication, there's no need to create a Microsoft account. When the guest user
redeems an invitation or accesses a shared resource, they receive a temporary code,
which is sent to their email address. Then they enter this code to continue signing in.
Without this feature enabled, a Microsoft Account or a just-in-time “unmanaged” Azure
AD tenant may be created.
Microsoft is deprecating the creation of unmanaged tenants and their users.

Manage accounts
The resource tenant admin manages B2B users in the resource tenant. These users are not
updated based on updated values in the home tenant.

Additional attributes may be set on B2B user objects to facilitate collaboration scenarios. For
example, GivenName, Surname, and TelephoneNumber are attributes that must be set to add
guests to the global address list.

Deprovision accounts
End-user initiated collaboration decentralizes access decisions but creates the problem of
deciding when to remove a B2B user and its associated access. Entitlement Management and
access reviews provide a way to review and remove existing B2B users and their access to
resources.

Note: If users are invited outside of entitlement management, for example directly through SharePoint Online or Teams, you will need a process to review and manage those users’ access.

[1] There is a private preview “Admin Consent” feature that allows suppression of this message. Contact your account team if you are interested in access to this preview.

See the Common considerations section of this document for additional information on
provisioning, managing, and deprovisioning users in this scenario.

Scripted collaboration
Consider this scenario typical of customers using a scripted collaboration mechanism.

A global shipping company acquired a competitor. Each company has a single Azure AD tenant.
They want the following “day one” collaboration scenarios to work, without users having to
perform any invitation or redemption steps. All users must be able to do the following without
needing to create or redeem an invitation.

• Single sign-on to all resources to which they are provisioned
• Find each other and resources in a unified GAL
• Determine each other’s presence and be able to initiate instant messages

However, due to logistical considerations, they cannot immediately consolidate to a single tenant.

In this case, each organization’s tenant is the home tenant for its existing employees, and the
resource tenant for the other organization’s employees.

Provision accounts
Through the use of Delta Query, tenant admins can deploy a scripted “pull” process to automate
discovery and provisioning of identities to support resource access. This process checks the
home tenant for new users and uses the B2B APIs to provision those users as invited users in the
resource tenant. Here are the components of this scripted process.

• Administrators of each tenant pre-arrange credentials and consent to allow read access to each tenant.

• Tenant administrators automate enumeration and “pulling” of scoped users into the resource tenant.

• The process uses the MS Graph API with consented permissions to read users and provision them via the invitation API.

• Initial provisioning may read source attributes and apply them to the target user object.

Manage accounts
The resource organization may choose to augment profile data to support collaboration
scenarios by updating the user’s metadata attributes in the resource tenant. However, if ongoing
synchronization is necessary, then a synchronized solution may be a better option.

Deprovision accounts
Delta Query can signal when a guest user needs to be deprovisioned. Entitlement Management
and access reviews can also provide a way to review and remove existing B2B users and their
access to resources.

Note: If users are invited outside of entitlement management, for example directly through SharePoint Online or Teams, you will need a process to review and manage those users’ access.

See the Common considerations section of this document for additional information on
provisioning, managing, and deprovisioning users in this scenario.
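
The scripted “pull” process described in this section (discovery through a Delta Query on the home tenant, provisioning through the invitation API, an initial attribute apply, and deprovisioning when the delta reports a deletion) as an added Python example. This is not code from the whitepaper. The Microsoft Graph shapes it relies on are real (GET /users/delta returning @removed entries and an @odata.deltaLink; POST /invitations with invitedUserEmailAddress, inviteRedirectUrl, sendInvitationMessage and invitedUserType; the Graph attribute names givenName, surname and businessPhones, which correspond to the GivenName, Surname and TelephoneNumber attributes named elsewhere in this document), but the HTTP calls are replaced by constructed in-memory data so the reconciliation logic runs offline. The tenant contents, addresses, object ids, the redirect URL and the persisted state store are all assumptions. It also applies the mail-contact rule from the Common considerations section: an address that already exists as a mail-contact object is flagged rather than invited, because the guest would otherwise be created without being mail enabled.

```python
"""Scripted "pull" provisioning between two Azure AD tenants, driven by a Microsoft
Graph delta query on the home tenant.  Added example, not code from the whitepaper.
The Graph request/response shapes are real; the HTTP calls are replaced by
constructed in-memory data so the reconciliation logic runs offline."""

# Constructed: one page of GET https://graph.microsoft.com/v1.0/users/delta from
# the home tenant.  Deleted users arrive as {"id": ..., "@removed": {...}}.
HOME_DELTA_PAGE = {
    "value": [
        {"id": "h-0001", "accountEnabled": True, "mail": "alice@home.example",
         "givenName": "Alice", "surname": "Anders", "businessPhones": ["+1 555 0100"]},
        {"id": "h-0002", "accountEnabled": True, "mail": "bob@home.example",
         "givenName": "Bob", "surname": "Baker", "businessPhones": ["+1 555 0101"]},
        {"id": "h-0003", "@removed": {"reason": "deleted"}},
        {"id": "h-0004", "accountEnabled": True, "mail": "dana@home.example",
         "givenName": "Dana", "surname": "Diaz", "businessPhones": []},
        {"id": "h-0005", "accountEnabled": False, "mail": "eve@home.example",
         "givenName": "Eve", "surname": "Evans", "businessPhones": []},
    ],
    "@odata.deltaLink": "https://graph.microsoft.com/v1.0/users/delta?$deltatoken=CONSTRUCTED",
}

# Constructed: what the resource tenant already contains.  Guests are keyed by the
# home address (the guest's "mail"); GAL-sync mail-contacts are the conflict source.
RESOURCE_GUESTS = {
    "bob@home.example": {"givenName": "Bob", "surname": "Baker", "businessPhones": ["+1 555 0199"]},
    "carol@home.example": {"givenName": "Carol", "surname": "Cole", "businessPhones": []},
    "eve@home.example": {"givenName": "Eve", "surname": "Evans", "businessPhones": []},
}
RESOURCE_MAIL_CONTACTS = {"dana@home.example"}

# Constructed: state persisted by the previous run.  @removed entries carry only the
# id, so the id-to-mail map is what lets a home deletion find the resource guest.
STATE = {
    "idToMail": {"h-0002": "bob@home.example", "h-0003": "carol@home.example",
                 "h-0005": "eve@home.example"},
    "deltaLink": "https://graph.microsoft.com/v1.0/users/delta?$deltatoken=PREVIOUS",
}

INVITE_REDIRECT = "https://myapps.microsoft.com"           # assumed landing page
SYNCED_ATTRS = ("givenName", "surname", "businessPhones")  # GAL-relevant attributes


def invitation_body(mail):
    """Body for POST /invitations.  sendInvitationMessage=False creates the guest
    silently; the user redeems just-in-time on first access to a resource."""
    return {"invitedUserEmailAddress": mail, "inviteRedirectUrl": INVITE_REDIRECT,
            "sendInvitationMessage": False, "invitedUserType": "Guest"}


def reconcile(delta_page, guests, contacts, state):
    """Turn one delta page into provisioning actions (kind, mail, payload) and the
    state to persist for the next run.  Nothing is executed here."""
    actions = []
    id_to_mail = dict(state["idToMail"])
    for entry in delta_page["value"]:
        hid = entry["id"]
        if "@removed" in entry:                       # deleted in the home tenant
            mail = id_to_mail.pop(hid, None)
            if mail in guests:
                actions.append(("delete", mail, None))
            continue
        mail = entry.get("mail")
        if not mail:                                  # no address, nothing to invite
            actions.append(("skip", hid, "no mail attribute"))
            continue
        id_to_mail[hid] = mail
        if not entry.get("accountEnabled", True):     # disabled at home: block sign-in
            if mail in guests:
                actions.append(("disable", mail, {"accountEnabled": False}))
            continue
        if mail in contacts:                          # guest would not be mail enabled
            actions.append(("conflict", mail, "mail-contact exists; remove it first"))
            continue
        wanted = {a: entry.get(a) for a in SYNCED_ATTRS}
        if mail not in guests:
            actions.append(("invite", mail, invitation_body(mail)))
            actions.append(("patch", mail, wanted))   # initial attribute apply
        else:
            changed = {a: v for a, v in wanted.items() if guests[mail].get(a) != v}
            if changed:
                actions.append(("patch", mail, changed))
    new_state = {"idToMail": id_to_mail, "deltaLink": delta_page["@odata.deltaLink"]}
    return actions, new_state


if __name__ == "__main__":
    acts, nxt = reconcile(HOME_DELTA_PAGE, RESOURCE_GUESTS, RESOURCE_MAIL_CONTACTS, STATE)
    for kind, mail, payload in acts:
        print(f"{kind:9} {mail:22} {payload}")
    print("next run resumes from", nxt["deltaLink"])
```

In a live run the returned actions are executed with the pre-arranged, consented application credentials (invite as POST /invitations, patch as PATCH /users/{id}, delete as DELETE /users/{id}, disable as a PATCH of accountEnabled), and the returned deltaLink is persisted so the next run only sees changes since this one. Keeping planning separate from execution is deliberate: the plan can be reviewed or logged before any guest object is created or removed in the resource tenant.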

Synchronized Collaboration
By far the most complex pattern, synchronized collaboration across tenants enables more
automated management and deprovisioning scenarios than user-initiated or scripted
collaboration.

Consider this scenario, which could require a synchronized solution:

A multinational conglomerate has multiple subsidiaries, each with their own Azure AD tenant, that need to work together. In addition to synchronizing new users among tenants, attribute updates must be automatically synchronized, and deprovisioning must be automated. For example, if an employee is no longer at a subsidiary, their account should be removed at the next synchronization from all other tenants.

Provision accounts
This advanced deployment uses Microsoft Identity Manager (MIM) as a synchronization engine
and custom connectors to call the MS Graph API and Exchange Online PowerShell. Alternative
implementations include the cloud hosted Active Directory Synchronization Services (ADSS)
managed service offering from Microsoft Consultation Services. There are also non-Microsoft
offerings that can be created from scratch with other identity management offerings.

You should consider support for these scenarios, and also understand there are considerations
such as integration of on-premises applications that are outside the scope of this document.
However, we do address this at a high level in our Solving challenges section.

There are two topologies that we have seen to accomplish synchronized collaboration.

A mesh topology enables sharing of all resources in all tenants. Users from other tenants are
created in each resource tenant as guest users.

A global tenant topology uses a single global tenant (the resource tenant), to which users from
other companies are invited as external guest users.

We illustrate both below. To help you determine which is right for your organization, consider
the following.

Comparison of mesh versus global tenant topologies

Each company has a separate Azure AD tenant with users and resources
  Mesh topology: Yes
  Global tenant: Yes

Resource location and collaboration

Shared apps and other resources remain in their current home tenant
  Mesh topology: Yes
  Global tenant: No. Only resources in the global tenant are shared.

All viewable in individual company’s GALs (Unified GAL)
  Mesh topology: Yes
  Global tenant: No

Resource access and administration

ALL applications connected to Azure AD can be shared among all companies
  Mesh topology: Yes
  Global tenant: No. Only those in the global tenant are shared. Those remaining in individual tenants are not.

Global resource administration
  Mesh topology: Continue at tenant level
  Global tenant: Consolidated at global tenant

Ability to use a single Teams instance, avoiding the need to sign in and out of various Teams instances
  Mesh topology: No
  Global tenant: Yes – if Teams is only deployed in the global tenant.

Licensing – Office 365
  Mesh topology: Continue at tenant level
  Global tenant: Continues at tenant level. SharePoint Online, unified GAL, and Teams access all support guests; however, other Exchange Online scenarios do not.

Licensing – Azure AD (premium)
  Mesh topology: 5 to 1 guest to member ratio
  Global tenant: 5 to 1 guest to member ratio

Licensing – SaaS apps
  Mesh topology: Remain in individual tenants, may require licenses per user per tenant
  Global tenant: Can be consolidated to global tenant

Mesh topology

In a mesh topology, every user in each home tenant is synchronized to each of the other
tenants, which become resource tenants.

• This enables any resource within a tenant to be shared with guest users.
• This enables each organization to see all users in the conglomerate. In the illustration
above there are four unified GALs, each of which contains the home users and the guest
users from the other three tenants.

See the common considerations section of this document for additional information on
provisioning, managing, and deprovisioning users in this scenario.

Global tenant topology

In a global tenant topology, users and their attributes are synchronized to the global tenant.

• All resources that are to be shared among the member organizations must reside in the
global tenant.
o If multiple subsidiaries have subscriptions to the same SaaS apps, this may be an
opportunity to consolidate those subscriptions.
• Only the GAL at the global tenant will show users from all companies.
• To facilitate communication and improve productivity, you can choose to enable
Microsoft Teams at the global tenant only, avoiding the need to sign-in and sign-out of
multiple Teams instances.
o Guest users are supported in Office Groups, Teams, SharePoint Online, and
PowerBI, but not supported with Exchange Online mailboxes.

Manage accounts
This solution detects and syncs attribute changes from source tenant users to resource tenant B2B users. These attributes can be used to make authorization decisions, for example through dynamic groups.

Deprovision accounts
Automation detects deletion of the object in source environment and deletes the associated B2B
user object in the target environment.

See the Common considerations section of this document for additional information on
provisioning, managing, and deprovisioning users in this scenario.

Common considerations
There are many considerations that are relevant to more than one collaboration pattern.

Directory object considerations

When a B2B user is created from an invitation, it is by default created as a user object with a default user type of Guest.

• Some of the limits on Guest functionality can be removed.

• Guest accounts can be converted to a user type of Member if desired [2].

Issues with using mail-contact objects instead of external users or members

It is possible to represent users from another tenant through a GAL synchronization. If a GAL synchronization is done rather than using B2B collaboration, a mail-contact object is created.

• A mail-contact object and a mail-enabled B2B user (member or guest) cannot coexist in
the same tenant with the same email address at the same time.

• If a mail-contact object exists for the same mail address as the invited B2B guest user,
the B2B Guest user will be created, but is NOT mail enabled.

• If the mail-enabled B2B user exists with the same mail, an attempt to create a mail-
contact object will throw an exception at creation time.

Results of various mail-contact object and B2B user states:

Existing state                       Provisioning scenario        Effective result
None                                 Invite B2B Member            Non-mail-enabled member user [2]
None                                 Invite B2B Guest             Mail-enabled guest user
Mail-contact object exists           Invite B2B Member            Error – conflict of proxy addresses
Mail-contact object exists           Invite B2B Guest             Mail-contact and non-mail-enabled B2B user [2]
Mail-enabled B2B Guest user exists   Create mail-contact object   Error
Mail-enabled B2B Member user exists  Create mail-contact object   Error

[2] There are some issues in how Exchange Online handles B2B accounts. You can’t mail-enable accounts invited as B2B Members. In order to get a B2B Member mail enabled, the best approach is to invite the cross-org users as Guests, show them in the GAL, then set the UserType to Member so they show up as MailUser in Exchange Online.

We do not recommend GAL synchronization. Instead, use Azure AD B2B collaboration to
create either external guest accounts that you enable to show in the GAL, or to create external
member accounts, which show in the GAL by default, but are not mail enabled.

Some organizations use mail-contact objects to show users in the GAL because this populates the GAL without granting any other permissions. Instead, achieve this goal by inviting B2B users, unhiding them from the GAL, and then disabling them by blocking them from sign-in. A mail-contact object cannot be converted to a user object. Therefore any properties associated with a mail-contact object, such as group memberships or other resource access, cannot be transferred.

Using a mail-contact object to represent a user presents the following challenges.

• Office 365 Groups – Office 365 groups support policies governing the types of users
allowed to be members of groups and interact with content associated with groups. For
example a group may not allow guest accounts to join. These policies cannot govern
mail-contact objects.

• Azure AD Self-service group management (SSGM) – Mail-contact objects are not eligible to be members in groups using the SSGM feature, so additional tools may be needed to manage groups with recipients represented as contacts instead of user objects.

• Azure AD Identity Governance - Access Reviews – The access reviews feature can be used to review and attest to membership of Office 365 groups. Access reviews are based on user objects. Members represented by mail-contact objects are out of scope of access reviews.

• Azure AD Identity Governance - Entitlement Management (EM) – When EM is used to enable self-service access requests for external users via the company’s EM portal, a user object is created at the time of request. Mail-contact objects are not supported.

Azure AD conditional access considerations

The state of the user, device, or network in the user’s home tenant is not conveyed to the resource tenant, so a B2B user is not able to satisfy conditional access (CA) policies that use the following controls.

• Require multi-factor authentication – B2B users will be required to register/respond to MFA in the resource tenant, even if MFA was satisfied in the home tenant, resulting in multiple MFA challenges. In addition, if they need to reset their MFA proofs they may not be aware of the multiple MFA proof registrations across tenants. This may require them to contact an administrator in the home tenant, resource tenant, or both.

• Require device to be marked as compliant – Device identity is not registered in the resource tenant, so the B2B user will be blocked from accessing resources that require this control.

• Require Hybrid Azure AD joined device – Device identity is not registered in the resource tenant (or in the on-premises Active Directory connected to the resource tenant), so the B2B user will be blocked from accessing resources that require this control.

• Require approved client app or Require app protection policy – External guest users can’t apply resource tenant Intune Mobile App Management (MAM) policy because it also requires device registration. A resource tenant Conditional Access (CA) policy using this control doesn’t allow home tenant MAM protection to satisfy the policy. External guest users should be excluded from every MAM-based CA policy.

Additionally, while the following CA conditions can be used, be aware of the possible
ramifications.

• Sign-in risk and user risk – The sign-in risk and user risk are determined in part by user
behavior in their home tenant. The data and risk score is stored in the home tenant.
If resource tenant policies block a B2B user, a resource tenant admin may not be able to
perform the necessary actions to enable access. For more information, see Identity
Protection and B2B users.

• Locations – The named location definitions that are defined in the resource tenant are
used to determine the scope of the policy. Trusted locations managed in the home
tenant are not currently evaluated in the scope of the policy. In scenarios where
organizations want to share trusted locations across tenants, they would need to be
defined in each tenant where the resources and conditional access policies are defined.

Other access control considerations

You can define access control policies to control access to resources. You should design CA policies with B2B users in mind. You can create policies specifically for B2B users. If your organization is using the [All Users] condition in your existing CA policy, this policy will affect B2B users because [Guest] users are in scope of [All Users]. You should create dedicated CA policies for [Guest] accounts. For information on hardening dynamic groups that utilize the [All Users] expression, see Dynamic groups and Azure AD B2B collaboration.
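
An audit that checks a tenant’s Conditional Access policies against the two points made above (guests fall inside an [All Users] scope, and device- or MAM-bound grant controls cannot be satisfied by a B2B user), as an added Python example; this is not code from the whitepaper. The policy dictionaries follow the Microsoft Graph conditionalAccessPolicy shape (conditions.users.includeUsers/excludeUsers, where All and GuestsOrExternalUsers are real scope values, and grantControls.operator/builtInControls with the real control names mfa, compliantDevice, domainJoinedDevice, approvedApplication and compliantApplication). The six sample policies, their names, the severities, the reason text and the terms-of-use id are constructed; in practice the list would come from GET /identity/conditionalAccess/policies.

```python
"""Audit Azure AD Conditional Access policies for B2B guest pitfalls.  Added
example, not from the whitepaper.  Policy dicts follow the Graph
conditionalAccessPolicy shape; the sample policies below are constructed."""

GUEST_SCOPE = "GuestsOrExternalUsers"   # includeUsers/excludeUsers value for guests

# Grant controls a B2B guest cannot satisfy in the resource tenant, because device
# identity and MAM state from the home tenant are not conveyed.
DEVICE_BOUND_CONTROLS = {
    "compliantDevice": "Require device to be marked as compliant",
    "domainJoinedDevice": "Require Hybrid Azure AD joined device",
    "approvedApplication": "Require approved client app",
    "compliantApplication": "Require app protection policy",
}

# Constructed sample policies (displayName, state, scope and grant controls).
POLICIES = [
    {"displayName": "Baseline MFA for all users", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": []}},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
    {"displayName": "Compliant device for Finance app", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": []}},
     "grantControls": {"operator": "OR", "builtInControls": ["compliantDevice"]}},
    {"displayName": "MAM for mobile clients", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": [GUEST_SCOPE]}},
     "grantControls": {"operator": "OR", "builtInControls": ["approvedApplication"]}},
    {"displayName": "Guests: MFA and terms of use", "state": "enabled",
     "conditions": {"users": {"includeUsers": [GUEST_SCOPE], "excludeUsers": []}},
     "grantControls": {"operator": "AND", "builtInControls": ["mfa"],
                       "termsOfUse": ["tou-id-constructed"]}},
    {"displayName": "Hybrid join for legacy apps", "state": "enabledForReportingButNotEnforced",
     "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": []}},
     "grantControls": {"operator": "OR", "builtInControls": ["domainJoinedDevice"]}},
    {"displayName": "MFA or compliant device", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": []}},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa", "compliantDevice"]}},
]


def applies_to_guests(policy):
    """True if guests/external users fall inside the policy's user scope."""
    users = policy["conditions"]["users"]
    inc = set(users.get("includeUsers", []))
    exc = set(users.get("excludeUsers", []))
    return ("All" in inc or GUEST_SCOPE in inc) and GUEST_SCOPE not in exc


def unsatisfiable_for_guests(policy):
    """Device-bound controls that lock guests out, honouring the grant operator:
    with "OR" (require one of the selected controls) a guest can still pass via
    another control such as mfa, so only all-device-bound or "AND" policies block."""
    grant = policy.get("grantControls") or {}
    controls = set(grant.get("builtInControls", []))
    blocking = controls & set(DEVICE_BOUND_CONTROLS)
    if blocking and (grant.get("operator", "OR") == "AND" or blocking == controls):
        return blocking
    return set()


def audit(policies):
    """Return one finding per policy that affects guests; report-only policies are
    included because they become blocking the moment they are enabled."""
    findings = []
    for p in policies:
        if p.get("state") == "disabled" or not applies_to_guests(p):
            continue
        controls = set((p.get("grantControls") or {}).get("builtInControls", []))
        blocking = unsatisfiable_for_guests(p)
        if blocking:
            names = ", ".join(DEVICE_BOUND_CONTROLS[c] for c in sorted(blocking))
            findings.append({"policy": p["displayName"], "state": p["state"], "severity": "block",
                             "reason": f"guests in scope cannot satisfy: {names}",
                             "fix": f"exclude {GUEST_SCOPE} here and cover guests with a dedicated policy"})
        elif "All" in p["conditions"]["users"].get("includeUsers", []):
            reason = "[All Users] scope includes B2B guests"
            if "mfa" in controls:
                reason += "; MFA will be challenged again in the resource tenant"
            findings.append({"policy": p["displayName"], "state": p["state"], "severity": "info",
                             "reason": reason,
                             "fix": "confirm this is intended or move guests to a dedicated guest policy"})
    return findings


if __name__ == "__main__":
    for f in audit(POLICIES):
        print(f"[{f['severity']:5}] {f['policy']} ({f['state']}): {f['reason']} -> {f['fix']}")
```

The dedicated guest policy in the sample produces no finding, which is the shape this section recommends: guests excluded from the device-bound policies and covered by their own MFA and terms-of-use policy instead.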

Require User Assignment

If an application has the [User assignment required?] property set to [No], B2B users can also access that application. Application admins should take this into account, especially if the application contains sensitive information. For more information, see How to restrict your Azure AD app to a set of users.

Terms and Conditions
Azure AD terms of use provides a simple method that organizations can use to present
information to end users. You can use terms of use to require B2B users to approve terms of use
before accessing your resources.

Office 365 considerations


Microsoft Exchange Online
Exchange online limits certain functionality for guest users. These may be lessened by creating
external members instead of external guests. However, none of the following are supported for
external users at this time.

• While an B2B user can be assigned an Exchange Online license, they are prevented from
being issued a token for Exchange Online, so they are not able to access the resource.

o B2B users cannot use shared or delegated Exchange Online mailboxes in the
resource tenant.

o A B2B user can be assigned to a shared mailbox, but cannot access it.

• Invited B2B users are hidden from the Exchange Online GAL by default, and need to be
unhidden to be included in the GAL.

o Invited users’ user objects are created at invite time. This is independent of
whether they have redeemed their invitation. Therefore, if all B2B users are
unhidden, this will include user objects of B2B users who have not redeemed an
invitation.

• Updates to the mail property of a B2B user can be made using the Exchange Admin
Center or Exchange Online PowerShell management cmdlets.
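The caveat above (unhiding every B2B user also unhides unredeemed invitations) can be handled by filtering on invitation state first. The following script is an added example, not code from the whitepaper: it reads guests from Microsoft Graph, keeps only those whose invitation has been redeemed, and unhides just those from the GAL through Exchange Online PowerShell. It assumes the Microsoft.Graph and ExchangeOnlineManagement modules, that B2B users appear in Exchange Online as GuestMailUser recipients addressable by their mail attribute, and an admin with User.Read.All plus Exchange recipient management rights.

```powershell
# Added example, not from the whitepaper. Requires Microsoft.Graph and ExchangeOnlineManagement.
Connect-MgGraph -Scopes "User.Read.All"
Connect-ExchangeOnline -ShowBanner:$false

function Get-RedeemedGuests {
    # externalUserState is 'Accepted' once the invitation has been redeemed. Objects still
    # in 'PendingAcceptance' exist from invite time and should stay hidden from the GAL.
    Get-MgUser -Filter "userType eq 'Guest'" -Property Id,Mail,DisplayName,ExternalUserState -All |
        Where-Object { $_.ExternalUserState -eq "Accepted" -and $_.Mail }
}

function Show-RedeemedGuestsInGal {
    param([switch]$WhatIf)
    foreach ($guest in Get-RedeemedGuests) {
        # Assumption: the guest's Exchange Online recipient is found by its mail attribute.
        $recipient = Get-Recipient -Identity $guest.Mail -ErrorAction SilentlyContinue
        if (-not $recipient -or $recipient.RecipientTypeDetails -ne "GuestMailUser") {
            Write-Warning "No GuestMailUser recipient for $($guest.Mail); skipping"
            continue
        }
        if ($recipient.HiddenFromAddressListsEnabled) {
            Set-MailUser -Identity $recipient.Identity -HiddenFromAddressListsEnabled $false -WhatIf:$WhatIf
            Write-Host "Unhid $($guest.DisplayName) <$($guest.Mail)>"
        }
    }
}

Show-RedeemedGuestsInGal -WhatIf   # dry run; remove -WhatIf to apply the change
```

Run it on a schedule after invitations go out, so a guest becomes visible in the GAL only once they have actually redeemed and the object is known to be in use.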

Microsoft SharePoint Online

SharePoint Online has its own service-specific permissions, which depend on whether the user is a
member or a guest in the Azure Active Directory tenant.

For more information, see Office 365 external sharing and Azure Active Directory B2B
collaboration.

Microsoft Teams
Microsoft Teams has features that limit access based on user type, so changes to user type
may have an impact on the content accessed and the features available.

• The current “tenant switching” mechanism for Microsoft Teams may require users to
manually switch the context of their Teams client when working in Teams outside their home
tenant.

• With Teams Federation, you can enable Teams users from an entire external domain to find,
call, chat, and set up meetings with your users. For more information, see Manage external
access in Microsoft Teams.

Licensing considerations for B2B users

When using Azure AD B2B with Office 365 workloads there are some key considerations. There are
instances in which guest accounts do not have the same experience as a member account.

Microsoft Groups. To understand the guest account experience in Microsoft Groups, see Adding
guests to Office 365 Groups.

Microsoft Teams. To understand the guest account experience in Microsoft Teams, see Team
owner, member, and guest capabilities in Teams.

You can enable a full-fidelity experience in Teams by using B2B External Members. Office 365
recently clarified its licensing policy for multi-tenant organizations:

• Users that are licensed in their home tenant may access resources in another tenant (within
the same legal entity) as External Members with no additional licensing fees. This applies to
SharePoint, OneDrive for Business, Teams, and Groups.

o Engineering work is underway to automatically check the license status of a user in
their home tenant and enable them to participate as a Member with no additional
license assignment or configuration. However, for customers who wish to use
External Members now, there is a licensing workaround that requires the Account
Executive to work with the Microsoft Business Desk.

o From now until the engineered licensing solution is enabled, customers can utilize a
Teams Trial License which can be assigned to each user in their foreign tenant. The
Trial license has a one-year duration and enables all of the workloads listed above.

o For customers that wish to convert B2B Guests into B2B Members, there are several
known issues with Microsoft Teams, such as the inability to create new channels or
to add applications to an existing Team.

• Identity Governance features (Entitlement Management, Access Reviews) may require
additional licenses for guest users or external members. Work with the Account Team or
Business Desk to get the right answer for your organization.

• Other products (like Dynamics CRM) may require licensing in every tenant in which a user is
represented. Work with your account team to get the right answer for your organization.

Solving Challenges
There are two specific challenges our customers have solved using current tools. Their solutions
are detailed below. While Microsoft recommends a single tenant wherever possible, and is
working on tools to resolve these challenges more easily, these solutions have worked for
customers today.

Challenge: Automatic User Lifecycle Management and resource allocation across tenants
A customer acquired a competitor with whom they had previously had a close business
relationship. The organizations will maintain their corporate identities.

Current state
Currently, the organizations are synchronizing each other’s users as mail contact objects so that
they show in each other’s directories.

• Each resource tenant has a mail-contact object enabled for all users in the other tenant.
• No access to applications is possible across tenants.

Goals
This customer had the following goals:

• Every user continues to be shown in each organization’s GAL.

o User account lifecycle changes in the home tenant are automatically reflected in the
resource tenant GAL.

o Attribute changes in home tenants (such as department, name, SMTP address) are
automatically reflected in the resource tenant GAL as well as the home GAL.

• Users can access applications and resources in the resource tenant.

• Users can self-serve access requests to resources.

Solution architecture
The organizations will use a point-to-point architecture with a synchronization engine such as
MIM.

Each tenant admin does the following to create the user objects:

1. Ensure that their user database is up to date.
2. Deploy and configure MIM.
a. Address existing contact objects.
b. Create B2B External Member objects for the other tenant’s members.
c. Synchronize user object attributes.
3. Deploy and configure Entitlement Management access packages.
a. Resources to be shared.
b. Expiration and access review policies.
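To make the lifecycle part of steps 1 and 2 concrete, the following Microsoft Graph PowerShell script is an added example and not the customer's MIM configuration or any Microsoft code. It takes a constructed export of home-tenant users and reconciles it against External Members in the resource tenant: new users are invited directly as Members, attribute changes are mirrored, and users deprovisioned at home are removed. It assumes the Microsoft.Graph module, the placeholder home domain "fabrikam.example", and that all External Members from the partner share that mail domain.

```powershell
# Added example, not from the whitepaper. Requires the Microsoft.Graph module.
Connect-MgGraph -Scopes "User.Invite.All","User.ReadWrite.All"

# Constructed sample export from the home tenant (in practice a real directory export).
$homeUsers = @'
mail,displayName,department,jobTitle,active
alice@fabrikam.example,Alice Adams,Finance,Controller,true
bob@fabrikam.example,Bob Brown,Engineering,SRE,true
carol@fabrikam.example,Carol Chen,Legal,Counsel,false
'@ | ConvertFrom-Csv

$HomeDomain = "fabrikam.example"   # placeholder: mail domain of the acquired company

# External Members in the resource tenant that originate from the home domain
# (userType Member, but created through an invitation rather than natively).
function Get-ExternalMembersFromHome {
    Get-MgUser -Filter "userType eq 'Member' and creationType eq 'Invitation'" `
        -Property Id,Mail,DisplayName,Department,JobTitle -All |
        Where-Object { $_.Mail -and $_.Mail.ToLower().EndsWith("@$HomeDomain") }
}

function Sync-ExternalMembers {
    $existing = @{}
    foreach ($u in Get-ExternalMembersFromHome) { $existing[$u.Mail.ToLower()] = $u }

    foreach ($src in $homeUsers) {
        $key = $src.mail.ToLower()

        if ($src.active -ne "true") {
            # Delete: deprovisioned at home, so removed from the resource tenant (GAL and access)
            if ($existing.ContainsKey($key)) {
                Remove-MgUser -UserId $existing[$key].Id
                Write-Host "Removed $key"
            }
            continue
        }

        if (-not $existing.ContainsKey($key)) {
            # Add: invite straight in as an External Member instead of a Guest
            $inv = New-MgInvitation -InvitedUserEmailAddress $src.mail `
                -InvitedUserDisplayName $src.displayName -InvitedUserType "Member" `
                -InviteRedirectUrl "https://myapps.microsoft.com" -SendInvitationMessage:$false
            $existing[$key] = $inv.InvitedUser
            Write-Host "Invited $key as External Member"
        }

        # Modify: mirror attribute changes so the resource-tenant GAL stays current
        Update-MgUser -UserId $existing[$key].Id -DisplayName $src.displayName `
            -Department $src.department -JobTitle $src.jobTitle
    }
}

Sync-ExternalMembers
```

A production sync would also treat users absent from the export (not only those flagged inactive) as deprovisioned, and would normally route removals through the access review and expiration policies of step 3 rather than deleting immediately.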

Challenge: Sharing on-premises apps across tenants.
This customer, with multiple peer organizations, has a need to share on-premises applications
from one of the tenants.

Current state
Multiple peer organizations are synchronizing B2B Guest users in a mesh topology, enabling
resource allocation to their cloud applications across tenants. They currently:

• Share applications in Azure AD.
• Ensure that user lifecycle management in the resource tenant is automated based on the home
tenant. That is, add, modify, and delete are reflected.
• Allow only member users in Company A to access Company A’s on-premises apps.

Goals
In addition to the current functionality, they would like to:

• Provide access to Company A’s on-premises resources for the external guest users.
• Apps with SAML authentication.
• Apps with Integrated Windows Authentication and Kerberos.

Solution architecture
Company A is currently providing SSO to on-premises apps for its own members via Azure
Application Proxy.

To enable their guest users to access the same on-premises applications, admins in tenant A will:

1. Configure access to SAML apps.
2. Configure access to other applications.
3. Create on-premises B2B users through MIM or PowerShell.
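Step 3 is where the Kerberos case is decided: Application Proxy can only obtain a Kerberos ticket for an account that exists in on-premises AD. The script below is an added example, not the customer's MIM configuration or Microsoft's published script. It reads redeemed guests from Microsoft Graph, creates a shadow account for each in a dedicated OU, and disables shadow accounts whose guest no longer exists. It assumes the Microsoft.Graph and ActiveDirectory modules, placeholder values for the OU and tenant domain, that the tenant domain is registered as a UPN suffix in the forest, and the convention from the linked Microsoft guidance that the on-premises userPrincipalName must equal the B2B user's cloud UPN.

```powershell
# Added example, not from the whitepaper. Requires Microsoft.Graph and ActiveDirectory modules.
Connect-MgGraph -Scopes "User.Read.All"

$ShadowOu     = "OU=B2BGuests,DC=companya,DC=local"   # placeholder OU reserved for shadow accounts
$TenantDomain = "companya.onmicrosoft.com"            # placeholder; must be a UPN suffix in the forest

function Get-RedeemedGuests {
    # Only guests who redeemed their invitation get an on-premises account.
    Get-MgUser -Filter "userType eq 'Guest'" -Property UserPrincipalName,DisplayName,Mail,ExternalUserState -All |
        Where-Object { $_.ExternalUserState -eq "Accepted" -and $_.UserPrincipalName.ToLower().EndsWith("@$TenantDomain") }
}

function New-GuestShadowAccount {
    param([Parameter(Mandatory)]$Guest)
    $upn = $Guest.UserPrincipalName
    if (Get-ADUser -Filter "userPrincipalName -eq '$upn'") { return }   # already provisioned

    # sAMAccountName derived from the cloud UPN prefix (strip '#EXT#' etc.), max 20 chars
    $sam = ($upn.Split("@")[0] -replace '[^A-Za-z0-9]', '')
    if ($sam.Length -gt 20) { $sam = $sam.Substring(0, 20) }

    # The account exists only as a delegation target for Application Proxy KCD, so it gets
    # a random password nobody knows and is never used for interactive logon.
    $bytes = [byte[]]::new(32)
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    $pw = ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force

    New-ADUser -Name $Guest.DisplayName -SamAccountName $sam -UserPrincipalName $upn `
        -EmailAddress $Guest.Mail -Path $ShadowOu -AccountPassword $pw -Enabled $true `
        -PasswordNeverExpires $true
    Write-Host "Created shadow account $sam for $upn"
}

function Disable-StaleShadowAccounts {
    # Lifecycle: a guest removed from Azure AD must lose its on-premises foothold too.
    $current = @{}
    foreach ($g in Get-RedeemedGuests) { $current[$g.UserPrincipalName.ToLower()] = $true }
    Get-ADUser -SearchBase $ShadowOu -Filter * -Properties userPrincipalName |
        Where-Object { $_.UserPrincipalName -and -not $current.ContainsKey($_.UserPrincipalName.ToLower()) } |
        ForEach-Object {
            Disable-ADAccount -Identity $_
            Write-Host "Disabled stale shadow account $($_.SamAccountName)"
        }
}

foreach ($guest in Get-RedeemedGuests) { New-GuestShadowAccount -Guest $guest }
Disable-StaleShadowAccounts
```

Keeping the shadow accounts in their own OU makes it straightforward to apply a restrictive group policy (deny interactive and remote logon) and to scope the cleanup function to exactly the accounts this process created.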

For more information, see

Grant B2B users in Azure AD access to your on-premises resources

Azure Active Directory B2B collaboration for hybrid organizations
