How to Set Up a Multi-Tenant Organisation in Microsoft 365

Multitenant organisations in Microsoft 365 enable you to create a trust between two or more tenants so that users who are members of different tenants get a better internal communication experience.

The idea behind it is that each tenant is owned and trusted by the organisation, allowing you to provide a seamless experience without the need for intrusive migration efforts.

In this tutorial, I will show you step by step how to set up a multitenant organisation in Microsoft 365, demonstrate the end-user experience and explain what is happening behind the scenes.

What is a multi-tenant organisation in Microsoft 365?

The multitenant organisation feature in Microsoft 365 enables you to form a trusting group of tenants within your organisation. When you create a new multitenant organisation, a trust relationship is formed for each tenant that is added, and any information transfer between the tenants is governed by the cross-tenant access settings configured in Microsoft Entra.

The below image represents the basic topology of a multitenant organisation:

Multitenant organisation diagram

When you create a multitenant organisation, the tenant you are signed in to when you create it becomes the organisation owner. Any further tenants of the organisation are classed as member tenants. Either way, synchronisation can be performed outbound from, and accepted inbound into, any tenant, based on the settings you configure. From the end user's perspective, it does not matter which tenant is the owner of the multitenant organisation.

Use cases for using a multitenant organisation

Configuring a multitenant organisation is a modern solution for modern businesses. Traditionally, when collaboration was needed between organisations within a group (after a company merger, for example), the go-to solution was a tenant-to-tenant migration, bringing all resources into a single tenant.

Depending on the size of that tenant, a tenant-to-tenant migration often involved a lot of stress, money and interruption to service. However, the pain was often endured to simplify continued control, governance, compliance and trust of critical data in the long term.

Nowadays, thanks in particular to the multitenant organisation feature, all of these can still be maintained easily while each company tenant remains separate. Not only does this reduce consultant costs and interruption to services, but it also simplifies cost control and resource management thanks to the separation between tenants.

In nearly all use cases for multitenant organisations, multiple tenants are (and should be) owned by the company. This is because synchronised users are treated as members of an organisation, instead of being treated as external guest members.

You can verify this by running the following command, using the ID of your synchronised user:

# Replace %userid% with the object ID or user principal name of a synchronised user
Get-MgBetaUser -UserId %userid% | Select-Object UserPrincipalName, UserType

Your results should look like the following:

User type member
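The single-user check above scales poorly once several tenants are syncing. The following script is an added example (not code from the original post): it lists every user whose mail domain is not one of the signed-in tenant's verified domains and reports whether each one was created as a Member (as MTO synchronisation does) or as a Guest (as a B2B invitation does). It assumes the Microsoft.Graph.Users and Microsoft.Graph.Identity.DirectoryManagement modules and an existing Connect-MgGraph session with the User.Read.All and Domain.Read.All scopes.

```powershell
# Added example, not from the original post.
# Assumes an existing Connect-MgGraph session with User.Read.All and Domain.Read.All.

# Verified domains of the tenant you are currently signed in to
$verifiedDomains = (Get-MgDomain -All | Where-Object { $_.IsVerified }).Id

$users = Get-MgUser -All -Property Id, UserPrincipalName, Mail, UserType, CreatedDateTime

$report = foreach ($u in $users) {
    # Synced and invited identities keep their home address in Mail; the UPN carries the
    # local #EXT# form, so fall back to the UPN only when Mail is empty.
    $address = if ($u.Mail) { $u.Mail } else { $u.UserPrincipalName }
    $domain  = ($address -split '@')[-1]

    if ($verifiedDomains -notcontains $domain) {
        [pscustomobject]@{
            UserPrincipalName = $u.UserPrincipalName
            MailDomain        = $domain
            UserType          = $u.UserType
            Created           = $u.CreatedDateTime
            # MTO-synchronised identities are Members; a Guest from the same domain
            # was invited through B2B collaboration instead of being synced.
            SyncedAsMember    = ($u.UserType -eq 'Member')
        }
    }
}

$report | Sort-Object MailDomain, UserPrincipalName | Format-Table -AutoSize
```

Rows with SyncedAsMember set to False for a domain that belongs to one of your MTO tenants are worth a second look: they are older guest invitations that will not benefit from the member experience described in this post and may need cleaning up once the synced identity exists.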

Prerequisites

To complete the steps in this guide and set up your own multitenant organisation, you will need to ensure you meet the following requirements for both the Owner (primary) tenant and any member tenants.

  • At minimum Microsoft Entra ID P1 (formerly Azure Active Directory P1) licensing
  • The Security Administrator role for configuring cross-tenant access settings
  • The Global Administrator role for consenting to permissions

How to Set Up a Multitenant Organisation

Continue to follow the steps below to configure your own multitenant organisation.

Step 1: Create a new multi-tenant organisation

Start by signing in to the owner tenant as a Global Administrator. This tenant will become your primary tenant and also the tenant that owns the multitenant organisation relationship.

Once you are signed in, follow the below steps:

1. From admin.microsoft.com, expand Settings and select Org settings > Organization profile > Multi-tenant collaboration.
Select Multi-tenant collaboration

2. Click Get started, select Create a new multitenant organization and click Next.

create a new multitenant organization

3. On the organization details page, enter the name of your multitenant organisation and the tenant ID of any member tenants you want to join it.

Define organization details

4. On the Sync settings page, enable both options and click Next.

Allowing users to sync into this tenant from other tenants only ensures that users can be created in this tenant once synchronisation is configured; it does not start the sync by itself. You can leave this setting off if you do not want users created in this tenant.

Also, ensure you check the box to suppress consent prompts. This ensures that consent is already granted for member users when they attempt to access resources, which gives the member users of a tenant a good experience.

Enable multitenant organisation sync settings

5. Review the settings on the final page and click Create Multitenant organization.

Review and create multitenant organization

Step 2: Join the multi-tenant organisation

Once the member tenant has been added from the primary (owner) tenant, you will need to join the existing multitenant organisation from the member tenant. Follow the steps below to join the multitenant organisation.

1. From admin.microsoft.com, expand Settings and select Org settings > Organization profile > Multi-tenant collaboration.

2. Click Get Started and select Join an existing multitenant organization. Enter the tenant ID of the primary (owner) tenant and select both checkboxes to allow users to sync and suppress consent prompts. 

Join multitenant organisation

Once you have chosen to join the multitenant organisation, you will see the following on the Multitenant collaboration settings page:

Your tenant is being added

This may show for a minute or two; when you refresh, you will see the following page:

MTO Group

Unable to join the multitenant organisation?

If for any reason you are unable to join the multitenant organisation through the Microsoft 365 admin center (for example, if you receive a generic error message), join using Microsoft Graph PowerShell instead.

Start by connecting to Microsoft Graph PowerShell with the following recommended permission scopes (ensure you connect to the member tenant):

# Sign in to the MEMBER tenant with the scopes needed to send the join request
Connect-MgGraph -Scopes MultiTenantOrganization.ReadWrite.All, `
Policy.Read.All, `
Policy.ReadWrite.CrossTenantAccess, `
Application.ReadWrite.All, `
Directory.ReadWrite.All

Use the following script to join the multitenant organisation (ensure you replace Owner tenant ID with the ID of your primary tenant):

$uri = "https://graph.microsoft.com/beta/tenantRelationships/multiTenantOrganization/joinRequest"

# addedByTenantId is the tenant ID of the owner (primary) tenant that added this member
$body = @'
{
    "addedByTenantId": "Owner tenant ID"
}
'@

Invoke-MgGraphRequest -Uri $uri -Body $body -Method PATCH -ContentType "application/json"

You can check this has worked with the following commands:

$uri = "https://graph.microsoft.com/beta/tenantRelationships/multiTenantOrganization/joinRequest"
Invoke-MgGraphRequest -Uri $uri -Method GET

If your member tenant has successfully joined the multitenant organisation, you should get the following response:

MTO member state active
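The join request does not become active immediately, and a single GET only shows a snapshot. As an added example (not code from the original post), the script below polls the same beta joinRequest endpoint from the member tenant until memberState reaches active or a ten-minute deadline passes, then lists every tenant in the organisation with its role and state using the beta tenants endpoint. It assumes an existing Connect-MgGraph session in the member tenant with the MultiTenantOrganization.ReadWrite.All scope used above; the ten-minute timeout and thirty-second interval are arbitrary choices.

```powershell
# Added example, not from the original post.
# Assumes Connect-MgGraph has already been run against the MEMBER tenant.

$joinUri    = "https://graph.microsoft.com/beta/tenantRelationships/multiTenantOrganization/joinRequest"
$tenantsUri = "https://graph.microsoft.com/beta/tenantRelationships/multiTenantOrganization/tenants"

$deadline = (Get-Date).AddMinutes(10)   # arbitrary timeout
do {
    $join = Invoke-MgGraphRequest -Uri $joinUri -Method GET
    Write-Host ("{0:HH:mm:ss}  memberState={1}  role={2}" -f (Get-Date), $join.memberState, $join.role)

    if ($join.memberState -eq 'active') { break }

    # While the join is pending, transitionDetails shows the target state and progress
    if ($join.transitionDetails) {
        Write-Host ("           transition to '{0}': {1}" -f `
            $join.transitionDetails.desiredMemberState, $join.transitionDetails.status)
    }
    Start-Sleep -Seconds 30
} while ((Get-Date) -lt $deadline)

if ($join.memberState -ne 'active') {
    Write-Warning "Join request is still '$($join.memberState)'. Confirm the owner tenant added this tenant's ID."
    return
}

# Every tenant in the organisation as seen from this member tenant, with role and state
$members = (Invoke-MgGraphRequest -Uri $tenantsUri -Method GET).value
$members | ForEach-Object {
    [pscustomobject]@{
        TenantId    = $_.tenantId
        DisplayName = $_.displayName
        Role        = $_.role
        State       = $_.state
        Joined      = $_.joinedDateTime
    }
} | Format-Table -AutoSize
```

The tenant list is a useful record to keep: exactly one tenant should carry the owner role, and any tenant ID you do not recognise should be investigated before user synchronisation is switched on.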

Step 3: Sync users in your multitenant organisation

Once your multitenant organisation relationship is established, you will need to configure the user synchronisation between your tenants. Users synced between tenants in this manner will be synchronised as Member users instead of Guest users. As members of the related tenants, they will have a better collaboration experience, as they will be represented as users within your organisation.

Follow the below steps to enable user synchronisation:

1. From admin.microsoft.com, expand Settings and select Org settings > Organization profile > Multi-tenant collaboration.

2. On the multitenant collaboration page, select Share users.

Share users

3. In the text box, type the name of the users or groups you wish to sync from the tenant you are currently signed in to, to the partner tenant, and click Save.

Edit shared users and groups

It is important that you add your shared users and groups through the method above (the Microsoft 365 org settings), as synchronisation will then be enabled automatically. If you manually modify the cross-tenant synchronisation settings instead, the user sync will not start automatically.

Now that sync is enabled, you can confirm the initial sync has successfully completed by clicking on the destination tenant from your Multitenant collaboration page and viewing the Directory sync status as highlighted below.

Directory sync confirmation

From the destination tenant, the synced users will now be visible in your users list:

MTO synced users

The end user experience for multitenant organisations

Once users are synchronising to your tenant, or vice versa, you will be able to search for them through Microsoft Teams and they will appear as standard members of your organisation.

For example, below I am signed in as a member of the owner (primary) tenant, to which the user John Smith's identity is being synchronised from a member tenant. When I search for John Smith through Teams, they appear as a standard internal user.

People search

When I open John Smith's contact card in Microsoft Teams, their contact address shows that they are an external user, as it does not match one of the owner tenant's accepted domains.

Example user mail address

On the other side, if I sign in as the user John Smith, I can very quickly switch which organisation I am viewing in Microsoft Teams from the profile icon at the top right, highlighted in orange below.

I can also individually change my presence status within each tenant I am synchronised to, as highlighted in purple below.

Switching tenants in Teams

Also, if John Smith needed to communicate with each tenant at the same time, he could pop out a chat window in his primary tenant, then switch to the member tenant and continue to communicate in both at the same time.

Popout chats for multitenant organisations

Reviewing multitenant organisation settings through Microsoft Entra

When you configure your multitenant organisation through the Microsoft 365 admin center, cross-tenant synchronisation settings are automatically configured in the Microsoft Entra admin center. The cross-tenant synchronisation settings facilitate the user sync between each member tenant of the MTO, and the cross-tenant access settings define the trust settings between the MTO members.

Each cross-tenant synchronisation configuration also has a related service principal that matches the member tenant it synchronises to. Let's look at each of these settings.

Cross-tenant synchronization

Cross-tenant synchronisation settings are automatically created when you create your multitenant organisation from the Microsoft 365 admin center. You can find these settings by logging into Microsoft Entra and selecting Identity > External identities > Cross tenant synchronisation > Configurations.

Cross tenant synchronisation configurations

Once you click into your MTO configuration, you can view the users and groups previously assigned. As an alternative method to assigning users via the Microsoft 365 admin center, you can also add and remove synced users or groups from here.

MTO users and groups

A related service principal is also automatically created in Microsoft Entra that matches the name of your cross-tenant synchronisation configuration. The users assigned to your configuration (as per the screenshot above) are assigned to the service principal too. You can view this by expanding Applications from within the Microsoft Entra admin center and selecting Enterprise applications, then clicking into the application with the matching name.

MTO service principal

Importantly, your cross-tenant synchronisation configuration will contain provisioning logs pertaining to the synchronisation, creation and modification of users' accounts between your synced directories.

multitenant organisation provisioning logs
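The same provisioning logs can be read programmatically, which is handier than the portal when you want a daily summary or want to spot failures. The script below is an added example (not code from the original post): it pages through the v1.0 auditLogs/provisioning endpoint, keeps only the entries produced by the service principal whose name matches your cross-tenant synchronisation configuration, and summarises them by action and outcome. It assumes an existing Connect-MgGraph session with the AuditLog.Read.All scope; $configName is a placeholder you replace with the configuration name shown under Cross tenant synchronisation > Configurations, and the page limit is an arbitrary cap.

```powershell
# Added example, not from the original post.
# Assumes an existing Connect-MgGraph session with AuditLog.Read.All.

$configName = "<cross-tenant sync configuration name>"   # placeholder: copy from the Entra portal
$uri = 'https://graph.microsoft.com/v1.0/auditLogs/provisioning?$top=200'
$maxPages = 10   # arbitrary cap so the loop cannot run away on a busy tenant

$entries = @()
$page = 0
do {
    $resp = Invoke-MgGraphRequest -Uri $uri -Method GET
    # Only keep events raised by this configuration's service principal
    $entries += $resp.value | Where-Object { $_.servicePrincipal.name -eq $configName }
    $uri = $resp.'@odata.nextLink'
    $page++
} while ($uri -and $page -lt $maxPages)

# One row per provisioning event: who was synced, from where to where, and the result
$rows = $entries | ForEach-Object {
    [pscustomobject]@{
        Time   = $_.activityDateTime
        Action = $_.provisioningAction
        Status = $_.provisioningStatusInfo.status
        Source = $_.sourceIdentity.displayName
        Target = $_.targetIdentity.displayName
    }
} | Sort-Object Time -Descending

$rows | Format-Table -AutoSize

# Summary by action/outcome, e.g. create/success, update/success, create/failure
$rows | Group-Object { "$($_.Action)/$($_.Status)" } |
    Select-Object Name, Count | Sort-Object Name | Format-Table -AutoSize

# Failures deserve a closer look: the full entry carries provisioningSteps with the reason
$entries | Where-Object { $_.provisioningStatusInfo.status -eq 'failure' } |
    ForEach-Object { $_.provisioningSteps | Select-Object name, status, description }
```

Unexpected delete actions, or create actions for identities you did not assign to the configuration, are the events to alert on: the scope of the sync is defined by the assigned users and groups, so anything outside it indicates the configuration or the group membership has changed.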

Cross-tenant access settings

When your multitenant configuration is automatically configured, cross-tenant access settings also get automatically provisioned to support the collaboration between tenants. You can view these settings by logging into Microsoft Entra and selecting Identity > External Identities > Cross-tenant access settings > Cross-tenant access settings.

From the below image, you can see both inbound and outbound access settings have been configured for the partner organisation.

Cross tenant access settings

From here, you should check the inbound trust settings for this organisation. Select Configured under Inbound access and then select Trust settings.

By default, Default settings is selected. If no changes have been made here, the Conditional Access claims from your member tenant (such as multifactor authentication and device compliance) will not be accepted in this tenant. I recommend you customise these settings and check which boxes apply to you.

multitenant organisation trust settings

The box highlighted above in green should already be selected; if it isn't, ensure that the Automatically redeem invitations with the tenant 'tenant name' box is checked.
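Because these trust and redemption settings are what decide whether a member tenant's MFA and device claims are honoured, it is worth checking them for every partner rather than clicking through the portal once. The following is an added example (not code from the original post) that reads the v1.0 cross-tenant access policy for one partner, together with its identity synchronisation settings, and prints each relevant setting as enabled, disabled or still inheriting the default. It assumes an existing Connect-MgGraph session with the Policy.Read.All scope; $partnerTenantId is a placeholder you replace with the member tenant's ID.

```powershell
# Added example, not from the original post.
# Assumes an existing Connect-MgGraph session with Policy.Read.All.

$partnerTenantId = "<member tenant ID>"   # placeholder
$base = "https://graph.microsoft.com/v1.0/policies/crossTenantAccessPolicy/partners/$partnerTenantId"

# Partner-specific access settings (inbound trust, automatic redemption, ...)
$partner = Invoke-MgGraphRequest -Uri $base -Method GET

# Identity synchronisation settings only exist once cross-tenant sync is configured for the partner
try {
    $sync = Invoke-MgGraphRequest -Uri "$base/identitySynchronization" -Method GET
} catch {
    Write-Warning "No identitySynchronization object for $partnerTenantId (cross-tenant sync not configured?)"
    $sync = $null
}

$trust   = $partner.inboundTrust
$consent = $partner.automaticUserConsentSettings

# The settings shown on the Trust settings tab and the redemption checkbox from this post
$settings = [ordered]@{
    "Trust MFA from partner tenant"              = $trust.isMfaAccepted
    "Trust compliant devices from partner"       = $trust.isCompliantDeviceAccepted
    "Trust hybrid-joined devices from partner"   = $trust.isHybridAzureADJoinedDeviceAccepted
    "Automatically redeem inbound invitations"   = $consent.inboundAllowed
    "Automatically redeem outbound invitations"  = $consent.outboundAllowed
    "Allow users to sync into this tenant"       = $sync.userSyncInbound.isSyncAllowed
}

$settings.GetEnumerator() | ForEach-Object {
    # A null value means the partner inherits the tenant default, i.e. nothing was customised
    $state = if ($null -eq $_.Value) { "DEFAULT (inherited)" } elseif ($_.Value) { "enabled" } else { "disabled" }
    [pscustomobject]@{ Setting = $_.Key; State = $state }
} | Format-Table -AutoSize
```

Any of the three trust rows reading DEFAULT (inherited) corresponds to the Default settings radio button described above: the member tenant's MFA and device claims are then ignored and the user will be challenged again in this tenant, which is the behaviour the post recommends reviewing.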

Daniel Bradley

My name is Daniel Bradley and I work with Microsoft 365 and Azure as an Engineer and Consultant. I enjoy writing technical content for you and engaging with the community. All opinions are my own.

This Post Has 2 Comments

  1. Marian

    Hi Daniel, thank you for the article, you nailed it, MTO is described perfectly. I really like the screenshots and Graph examples.

    BTW, did you need to configure the new Teams client to see both orgs? I have just configured MTO between my two test tenants, logged in as John Smith but cannot see the secondary org. All the rest seems to be working fine.

    1. Daniel Bradley

      Hi Marian,

      Thanks for reaching out! Yes, you will either need to use the new Teams client or you can switch tenant from Teams in your web browser 🙂
