Cross-tenant synchronization in Entra ID

Cross-tenant synchronization auto-provisions B2B guests between Microsoft Entra ID tenants in a multi-tenant organisation.

Cross-tenant synchronization is the Microsoft Entra ID feature that auto-provisions B2B guest users between Microsoft Entra ID tenants. Configured once at each end of a tenant pair, it keeps a defined set of users synchronised as guests between the tenants without manual invitation. It's most useful inside a Multi-Tenant Organisation (MTO) — where multiple Microsoft 365 tenants belong to the same organisation — but it works for any tenant-to-tenant pair you choose to configure.

What it provides

Once set up between Tenant A (source) and Tenant B (target):

  • A defined set of users from Tenant A automatically appears as B2B guests in Tenant B.
  • Attribute updates (job title, manager, department) propagate.
  • Disabled or deleted users in Tenant A are removed from Tenant B.
  • Group membership changes can drive scope changes.

The user experience: people from Tenant A can immediately sign in to Tenant B's apps and Teams as guests, with no invitation acceptance step.

Why this matters

Without cross-tenant synchronization, B2B works like this:

  • Someone in Tenant B invites a Tenant A user by email.
  • The Tenant A user clicks the invitation, redeems it, and becomes a guest.
  • If they leave Tenant A, their account in Tenant B stays orphaned.

This is fine for ad-hoc external collaboration. For organisations that have multiple tenants belonging to the same group — acquisitions, subsidiaries, regional separation — the manual invitation model is operationally painful. Cross-tenant sync replaces it with automation.

Configuration

In each tenant, go to Entra admin center → Identity → External Identities → Cross-tenant access settings → Organizational settings and configure:

  1. Outbound (source side) — choose which target tenants to sync to, and which users / groups are in scope.
  2. Inbound (target side) — choose which source tenants you accept users from, and whether to auto-create user objects.
  3. Set up the sync job — under Provisioning, configure attribute mappings.

The job runs every ~40 minutes (like other Entra provisioning jobs), with logs showing every action.

Trust requirements

For sync to work, both tenants must configure Cross-Tenant Access Settings (CTAS) to trust each other for the relevant scenarios:

  • Trust the source tenant's MFA and device claims (so guests don't have to complete MFA again on the target).
  • Allow automatic redemption of B2B invitations (so users don't see consent prompts).
  • Allow the sync object types (user objects, group objects).
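
An added example (not from the original page or from Microsoft): a Python check over both tenants' cross-tenant access partner settings that reports which of the prerequisites above are missing and which source tenants may sync users in without being on an approved list. Property names follow Microsoft Graph's crossTenantAccessPolicyConfigurationPartner resource; the tenant IDs, settings and approved list are constructed sample data, and the function names are hypothetical.

```python
# Property names follow Microsoft Graph's crossTenantAccessPolicyConfigurationPartner
# resource; tenant IDs, settings and the approved list are constructed sample data.
def _get(obj, path, default=False):
    """Walk a dotted path through nested dicts; a missing or null node yields default."""
    for key in path.split("."):
        if not isinstance(obj, dict) or obj.get(key) is None:
            return default
        obj = obj[key]
    return obj

def audit_target(partners, approved_sources):
    """Inbound side: check the target tenant's partner entries."""
    findings = []
    for p in partners:
        tid = p.get("tenantId", "<unknown>")
        if not _get(p, "identitySynchronization.userSyncInbound.isSyncAllowed"):
            continue  # partner cannot sync users in, nothing to check
        if tid not in approved_sources:
            findings.append((tid, "inbound sync allowed from unapproved source"))
        if not _get(p, "automaticUserConsentSettings.inboundAllowed"):
            findings.append((tid, "automatic redemption (inbound) is off"))
        if not _get(p, "inboundTrust.isMfaAccepted"):
            findings.append((tid, "source tenant MFA claims not trusted"))
    return findings

def audit_source(partners, target_id):
    """Outbound side: check the source tenant's entry for the target."""
    entry = next((p for p in partners if p.get("tenantId") == target_id), None)
    if entry is None:
        return [(target_id, "no partner entry for target tenant")]
    if not _get(entry, "automaticUserConsentSettings.outboundAllowed"):
        return [(target_id, "automatic redemption (outbound) is off")]
    return []

TENANT_A = "aaaaaaaa-0000-0000-0000-000000000001"  # constructed source tenant
TENANT_B = "bbbbbbbb-0000-0000-0000-000000000002"  # constructed target tenant
TENANT_X = "cccccccc-0000-0000-0000-000000000003"  # constructed, not on the approved list
TARGET_PARTNERS = [  # Tenant B's policy
    {"tenantId": TENANT_A, "inboundTrust": {"isMfaAccepted": True},
     "automaticUserConsentSettings": {"inboundAllowed": True},
     "identitySynchronization": {"userSyncInbound": {"isSyncAllowed": True}}},
    {"tenantId": TENANT_X, "inboundTrust": None,
     "automaticUserConsentSettings": {"inboundAllowed": False},
     "identitySynchronization": {"userSyncInbound": {"isSyncAllowed": True}}},
]
SOURCE_PARTNERS = [{"tenantId": TENANT_B,  # Tenant A's policy
                    "automaticUserConsentSettings": {"outboundAllowed": True}}]
if __name__ == "__main__":
    print(audit_target(TARGET_PARTNERS, {TENANT_A}) + audit_source(SOURCE_PARTNERS, TENANT_B))
```

Run against exported partner settings from each tenant, the findings list doubles as a review of which source tenants the target currently accepts users from.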

MTO simplification

Inside a Multi-Tenant Organisation, much of this configuration is template-driven. Once tenants join the MTO, cross-tenant sync is configured with a guided experience that sets up the trust and sync simultaneously.

Operational considerations

  • Attribute mapping is the most common source of issues — verify what comes across.
  • Lifecycle — a user who is disabled in the source is fully removed from the target, but verify your settings to confirm this.
  • Conditional Access at the target still applies — synchronised users are subject to the target's CA policies.
  • Audit — both tenants log every sync action.

For organisations with multiple legitimate tenants belonging to one entity, cross-tenant synchronization is the foundation of operating them as one organisation.