Author: jetnmariano

  • How to Set up Cross-Tenant Sync in Azure Using PowerShell

    Overview

    Cross-tenant synchronization in Microsoft Entra ID (formerly Azure AD) automatically provisions users from a source tenant into a target tenant that trusts it, so people in one tenant get B2B collaboration accounts in the other without manual invitations. Provisioning of an individual user can still fail when that user object is configured in a way the provisioning service does not accept; in my case the cause was a phone-based identity. This guide walks through setting up cross-tenant sync with the Microsoft Graph PowerShell SDK, including the user-level check that has to pass before a user will sync.


    Prerequisites

    Before proceeding, ensure:

    1. Both tenants have a Microsoft Entra ID P1 (or P2) licence and you sign in with a role that can write cross-tenant access settings. Global Administrator works but grants far more than this task needs; the least-privileged roles are Security Administrator (cross-tenant access settings, in both tenants), Hybrid Identity Administrator (the sync configuration, source tenant) and Cloud Application Administrator (assigning users to the configuration, source tenant).
    2. Cross-tenant access settings exist in both tenants. Cross-tenant sync is a per-partner setting layered on top of them, so each tenant must list the other as a partner (Step 4 creates the entries if they are missing).
    3. The Microsoft Graph PowerShell SDK (the Microsoft.Graph module) is installed.

    Step 1: Install and Connect to Microsoft Graph PowerShell

    Ensure you have the required module installed and connect to Microsoft Graph.

    Install Microsoft Graph PowerShell Module

    Install-Module Microsoft.Graph -Scope CurrentUser

    Connect to Microsoft Graph with Required Scopes

    Connect-MgGraph -Scopes "User.ReadWrite.All", "UserAuthenticationMethod.ReadWrite.All", "Policy.ReadWrite.CrossTenantAccess"

    After running this command, sign in with the account that holds one of the roles listed above. The scopes are delegated permissions consented for this session only: Policy.ReadWrite.CrossTenantAccess covers the partner policy in Steps 2 and 4, UserAuthenticationMethod.ReadWrite.All covers Step 3, and User.ReadWrite.All lets you read and fix user objects. Directory.ReadWrite.All is not required by any step here and is best left out. If a later cmdlet reports insufficient privileges, Find-MgGraphCommand -Command <CmdletName> lists the permissions that cmdlet accepts, and you can reconnect with the missing scope added.


    Step 2: Verify and Modify Cross-Tenant Access Policy

    Check the tenant-level cross-tenant access policy and its defaults first. Neither has an "enable sync" switch: cross-tenant sync is turned on per partner tenant in Step 4, and these settings only need to not block it.

    View Current Cross-Tenant Access Settings

    Get-MgPolicyCrossTenantAccessPolicy | Format-List
    Get-MgPolicyCrossTenantAccessPolicyDefault | Format-List

    The first command shows the tenant-level policy (display name, allowed cloud endpoints); the second shows the default inbound and outbound B2B collaboration settings that apply to every partner without its own entry. Do not try to enable sync by widening these defaults; they affect every external tenant, not just the one you are syncing with.

    Check the Partner Entry (If One Exists)

    Get-MgPolicyCrossTenantAccessPolicyPartner -CrossTenantAccessPolicyConfigurationPartnerTenantId "<PartnerTenantID>" | Format-List

    If this returns nothing, the partner has not been added yet and Step 4 creates it. If it exists, look at AutomaticUserConsentSettings (InboundAllowed in the target tenant, OutboundAllowed in the source tenant); in the target tenant the actual sync flag, UserSyncInbound.IsSyncAllowed, lives on the partner's identitySynchronization sub-resource, which Step 4 sets.


    Step 3: Remove Conflicting Identity Types

    In my case, a user whose sign-in identity was phone-based (the Sign-in type column under Users > Identities in the portal showed "phone") failed to provision, and Microsoft support confirmed that cross-tenant sync does not handle such an identity. Before removing anything, check what the user actually has: the Identities blade and the user's registered authentication methods are two different things, and both are worth looking at.

    Check User Identities

    Get-MgUser -UserId "<UserPrincipalName>" -Property Identities | Select-Object -ExpandProperty Identities

    Check Registered Authentication Methods

    Get-MgUserAuthenticationMethod -UserId "<UserPrincipalName>" | Select-Object Id, @{n='Type';e={$_.AdditionalProperties['@odata.type']}}
    Get-MgUserAuthenticationPhoneMethod -UserId "<UserPrincipalName>"

    The first command lists every registered method with its type (phone, Microsoft Authenticator, FIDO2 and so on); the second lists only phone methods, with their Id, PhoneType and SmsSignInState.

    Remove Phone-Based Authentication Method

    Remove-MgUserAuthenticationPhoneMethod -UserId "<UserPrincipalName>" -PhoneAuthenticationMethodId "<PhoneMethodId>"

    Replace <UserPrincipalName> with the user's UPN (or object ID) and <PhoneMethodId> with the Id returned by Get-MgUserAuthenticationPhoneMethod. Each authentication method type has its own remove cmdlet, and the ID it takes is the method's GUID, not the string "phone".

    Caveat: the phone method is also the user's SMS and voice-call MFA factor. Removing it from a user whose only registered method is the phone leaves them with no second factor, so have the user register Microsoft Authenticator first (they can do this at https://aka.ms/mysecurityinfo) and only then remove the phone.

    Confirm the Change

    Get-MgUserAuthenticationPhoneMethod -UserId "<UserPrincipalName>"

    This should now return nothing.


    Step 4: Configure Cross-Tenant Sync Using PowerShell

    Once identities are corrected, configure the two tenants. Cross-tenant sync is set up on both sides: the target tenant has to allow inbound sync from the source tenant, and the source tenant has to allow outbound consent to the target tenant and host the sync configuration itself. In each tenant, <PartnerTenantID> is the other tenant's ID.

    Add the Partner Tenant

    New-MgPolicyCrossTenantAccessPolicyPartner -BodyParameter @{ TenantId = "<PartnerTenantID>" }

    Run this in both tenants, each pointing at the other; skip it where Step 2 already showed an existing entry. Inbound trust settings (accepting the partner's MFA or device claims) are a separate InboundTrust property that governs sign-in, not provisioning, and are not needed for sync.

    Enable Automatic User Consent (Both Tenants)

    In the target tenant, pointing at the source tenant:

    Update-MgPolicyCrossTenantAccessPolicyPartner -CrossTenantAccessPolicyConfigurationPartnerTenantId "<PartnerTenantID>" -BodyParameter @{ AutomaticUserConsentSettings = @{ InboundAllowed = $true } }

    In the source tenant, pointing at the target tenant:

    Update-MgPolicyCrossTenantAccessPolicyPartner -CrossTenantAccessPolicyConfigurationPartnerTenantId "<PartnerTenantID>" -BodyParameter @{ AutomaticUserConsentSettings = @{ OutboundAllowed = $true } }

    Without this, every synced user would receive a B2B invitation that has to be redeemed by hand.

    Allow Inbound User Sync (Target Tenant Only)

    Invoke-MgGraphRequest -Method PUT -Uri "https://graph.microsoft.com/v1.0/policies/crossTenantAccessPolicy/partners/<PartnerTenantID>/identitySynchronization" -Body @{ displayName = "<ConfigurationName>"; userSyncInbound = @{ isSyncAllowed = $true } }

    This is the switch the portal shows as allowing users to sync into this tenant. The partner cmdlets have no -AutomaticUserProvisioning parameter; the flag lives on the identitySynchronization sub-resource, which is created with a PUT (the body goes to the REST endpoint as-is, hence the camelCase keys).

    Check Sync Status

    Get-MgPolicyCrossTenantAccessPolicyPartner -CrossTenantAccessPolicyConfigurationPartnerTenantId "<PartnerTenantID>" | Format-List
    Invoke-MgGraphRequest -Method GET -Uri "https://graph.microsoft.com/v1.0/policies/crossTenantAccessPolicy/partners/<PartnerTenantID>/identitySynchronization"

    These settings only permit sync. What actually provisions users is a cross-tenant synchronization configuration in the source tenant (an enterprise application with a provisioning job, scoped to the users or groups assigned to it). Create it in the portal under Cross-tenant synchronization > Configurations, or follow Microsoft's PowerShell guide, before moving on to Step 5.

    Step 5: Test and Verify Cross-Tenant Sync

    Once configured, run the provisioning job and check that users land in the target tenant.

    Force Sync for Testing

    Cross-tenant sync runs in the Microsoft Entra provisioning service, not in Azure AD Connect, so Start-ADSyncSyncCycle only triggers on-premises directory synchronization and does nothing here. Start the provisioning job of the sync configuration in the source tenant instead:

    $sp  = Get-MgServicePrincipal -Filter "displayName eq '<ConfigurationName>'"
    $job = Get-MgServicePrincipalSynchronizationJob -ServicePrincipalId $sp.Id
    Start-MgServicePrincipalSynchronizationJob -ServicePrincipalId $sp.Id -SynchronizationJobId $job.Id

    These cmdlets need the Synchronization.ReadWrite.All scope (and Application.Read.All for the lookup), so reconnect with those added. The provisioning service runs on a fixed interval (40 minutes); starting the job queues the next cycle rather than completing it on the spot, so re-read the job's Status (Code and LastExecution.State) after a few minutes. To test a single user without waiting for a full cycle, use Provision on demand on the configuration's page in the portal.

    Check Sync Logs

    If a user still does not appear, check the provisioning logs:

    1. In the Azure portal go to Microsoft Entra ID > Monitoring > Provisioning logs (in PowerShell, Get-MgAuditLogProvisioning with the AuditLog.Read.All scope returns the same entries).
    2. Filter on the sync configuration's job and look for entries with Status = failure.
    3. Open the failed entry; the Troubleshooting & Recommendations tab names the attribute or setting that blocked the user, which for the phone-identity case points back to Step 3.
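    The whole procedure from Steps 4 and 5 as one script, added here as an example and not taken from the original post. It uses only documented Microsoft Graph cmdlets and REST calls: the partner policy is configured in both tenants, then the provisioning job of an existing sync configuration in the source tenant is started and its status and failed provisioning-log entries are printed. Placeholders to replace are the two tenant IDs and the configuration's display name; the script assumes that configuration already exists in the source tenant, since the partner policy alone provisions nothing.

```powershell
# Added example (not the original post's code). Configures cross-tenant sync
# partner settings on both sides, then runs and inspects an existing sync
# configuration's provisioning job. Replace the placeholders before running.
# Assumed: a sync configuration named $ConfigName already exists in the source
# tenant (portal: Cross-tenant synchronization > Configurations).

$SourceTenantId = "<SourceTenantID>"
$TargetTenantId = "<TargetTenantID>"
$ConfigName     = "<SyncConfigurationDisplayName>"
$Graph          = "https://graph.microsoft.com/v1.0"

function Connect-Tenant {
    param([Parameter(Mandatory)][string]$TenantId)
    # Only the delegated scopes this script uses; Directory.ReadWrite.All is not needed.
    Connect-MgGraph -TenantId $TenantId -NoWelcome -Scopes @(
        "Policy.Read.All", "Policy.ReadWrite.CrossTenantAccess",
        "Application.Read.All", "Synchronization.ReadWrite.All", "AuditLog.Read.All"
    )
}

function Set-SyncPartner {
    # Adds $PartnerTenantId to this tenant's cross-tenant access policy if it is
    # missing, then enables automatic user consent in the given direction.
    param(
        [Parameter(Mandatory)][string]$PartnerTenantId,
        [Parameter(Mandatory)][ValidateSet("InboundAllowed", "OutboundAllowed")][string]$Direction
    )
    $existing = Get-MgPolicyCrossTenantAccessPolicyPartner `
        -CrossTenantAccessPolicyConfigurationPartnerTenantId $PartnerTenantId -ErrorAction SilentlyContinue
    if (-not $existing) {
        New-MgPolicyCrossTenantAccessPolicyPartner -BodyParameter @{ TenantId = $PartnerTenantId } | Out-Null
    }
    $consent = @{}
    $consent[$Direction] = $true
    Update-MgPolicyCrossTenantAccessPolicyPartner `
        -CrossTenantAccessPolicyConfigurationPartnerTenantId $PartnerTenantId `
        -BodyParameter @{ AutomaticUserConsentSettings = $consent }
}

# ---- Target tenant: accept users from the source tenant ----
Connect-Tenant -TenantId $TargetTenantId
Set-SyncPartner -PartnerTenantId $SourceTenantId -Direction InboundAllowed
# The "allow users to sync into this tenant" flag lives on the partner's
# identitySynchronization sub-resource, created with a PUT. The body is sent to the
# REST endpoint unchanged, so its keys are camelCase.
Invoke-MgGraphRequest -Method PUT `
    -Uri "$Graph/policies/crossTenantAccessPolicy/partners/$SourceTenantId/identitySynchronization" `
    -Body @{ displayName = $ConfigName; userSyncInbound = @{ isSyncAllowed = $true } } | Out-Null
Disconnect-MgGraph | Out-Null

# ---- Source tenant: allow outbound consent, then run the existing configuration ----
Connect-Tenant -TenantId $SourceTenantId
Set-SyncPartner -PartnerTenantId $TargetTenantId -Direction OutboundAllowed

$sp = Get-MgServicePrincipal -Filter "displayName eq '$ConfigName'" | Select-Object -First 1
if (-not $sp) { throw "Sync configuration '$ConfigName' not found in the source tenant" }
$job = Get-MgServicePrincipalSynchronizationJob -ServicePrincipalId $sp.Id | Select-Object -First 1
if (-not $job) { throw "'$ConfigName' has no provisioning job yet; finish creating the configuration first" }

# Equivalent of "Start provisioning" in the portal. Start-ADSyncSyncCycle is an
# Azure AD Connect (on-premises) cmdlet and has no effect on cross-tenant sync.
Start-MgServicePrincipalSynchronizationJob -ServicePrincipalId $sp.Id -SynchronizationJobId $job.Id

# The job runs in cycles; read its status rather than assuming it completed.
$status = (Get-MgServicePrincipalSynchronizationJob -ServicePrincipalId $sp.Id -SynchronizationJobId $job.Id).Status
"Job {0}: code={1} lastRun={2} quarantined={3}" -f $job.Id, $status.Code, $status.LastExecution.State, ($null -ne $status.Quarantine)

# Failed entries for this job from the provisioning log (the same data the portal's
# Provisioning logs blade shows), filtered client-side by job ID.
Get-MgAuditLogProvisioning -Top 200 |
    Where-Object { $_.JobId -eq $job.Id -and $_.ProvisioningStatusInfo.Status -eq "failure" } |
    ForEach-Object {
        "{0}  {1} -> {2}: {3}" -f $_.ActivityDateTime, $_.SourceIdentity.DisplayName,
            $_.TargetIdentity.DisplayName, $_.ProvisioningStatusInfo.ErrorInformation.Reason
    }
```

    Run the two halves while signed in to the respective tenant; Connect-Tenant prompts for each. Set-SyncPartner is idempotent, so re-running the script after fixing a user in Step 3 is safe.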

    Final Thoughts

    By following these steps you can set up cross-tenant sync in Microsoft Entra ID using PowerShell. Checking the affected users first, and removing a conflicting phone-based identity only after another authentication method is registered, is what makes the synchronization go through cleanly.

    If you have any questions or need further troubleshooting, drop a comment!


  • Blog

    Legal Disclaimer for JetMariano.us
    Use at Your Own Risk
    • You are responsible for testing any commands or scripts in a non-production environment before using them in live or critical systems.
    • I am not liable for any data loss, security breaches, or system failures that may occur from using the information provided.
    The content and PowerShell scripts provided on JetMariano.us are based on my personal experience working with Azure, AWS, Microsoft 365, and IT automation. While I strive to ensure accuracy, all information, scripts, and tutorials are provided “as is” with no warranties or guarantees of any kind.
    Best Practice: Always review and modify scripts according to your organization’s policies and security requirements before implementation.

    © 2012-2025 Jet Mariano. All Rights Reserved.
    This website and its contents, including blog posts, tutorials, PowerShell scripts, and technical guides, are protected under copyright law.
    Unauthorized reproduction, redistribution, or commercial use of the content without permission is prohibited.
    If you’d like to reference or share my content, please provide proper credit and a link to JetMariano.us.
  • Fixing Cross-Tenant Sync Issues in Azure: Resolving Identity Conflicts

    Issue: Cross-Tenant Sync Not Working Due to Identity Type Conflicts

    While configuring Azure AD Cross-Tenant Synchronization, you may encounter an issue where the synchronization process fails due to incorrect identity types assigned to user accounts. In my case, the identity type was set to phone instead of the recommended authentication method, preventing successful synchronization.

    Root Cause

    After troubleshooting with Microsoft engineers, it was identified that Cross-Tenant Sync does not work when a phone-based identity is assigned to a user. The issue arises because federated identities using phone-based authentication do not support synchronization across tenants.

    As shown in the screenshots, my user identity in Azure AD > Users > Identities was set to phone under the “Sign-in type” column. This configuration blocked the user from syncing successfully between tenants.

    Solution: Change Identity to Microsoft Authenticator

    To resolve this issue, follow these steps. If the phone is the user's only registered MFA method, do step 2 before step 1 so the account is never left without a second factor.

    1. Remove Phone-Based Identity

    • Navigate to the Microsoft Entra admin center (entra.microsoft.com).
    • Go to Users > select the affected user.
    • Under Identities, locate the entry whose Sign-in type is phone.
    • Remove the phone-based identity to clear the conflict.

    2. Enforce Microsoft Authenticator as the Primary Sign-in Method

    • On the same user, open Authentication methods.
    • Ensure Microsoft Authenticator is registered for the user (the user can register it at https://aka.ms/mysecurityinfo) and that the Authenticator method is enabled in the tenant's authentication methods policy.
    • If needed, enforce passwordless authentication via the Microsoft Authenticator app.

    3. Reattempt Cross-Tenant Sync

    • Once the phone-based identity is removed and Microsoft Authenticator is set, retry cross-tenant sync (start the configuration's provisioning job, or provision the user on demand).
    • The synchronization should now proceed without issues.
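    The user-level check from Step 3 of the first post and the fix in this post, as one script. This is an added example and not code from either post. For a single user it prints the sign-in identities (what the Users > Identities blade lists), every registered authentication method with its type, and the phone methods with their IDs; it then removes the phone methods only when Microsoft Authenticator is already registered, so the user cannot be left without MFA. The placeholder to replace is <UserPrincipalName>; the identities are displayed, not modified, and the removal targets the phone authentication method, which is what the first post's Step 3 deletes.

```powershell
# Added example (not the original posts' code). Inspect one user's identities and
# authentication methods, then remove phone methods only if Authenticator exists.
# Placeholder: <UserPrincipalName>.

$Upn = "<UserPrincipalName>"

Connect-MgGraph -NoWelcome -Scopes "User.Read.All", "UserAuthenticationMethod.ReadWrite.All"

function Get-UserSignInState {
    param([Parameter(Mandatory)][string]$UserId)
    $user    = Get-MgUser -UserId $UserId -Property Id, UserPrincipalName, Identities
    $methods = Get-MgUserAuthenticationMethod -UserId $UserId
    # The concrete method type is only exposed through @odata.type, e.g.
    # "#microsoft.graph.phoneAuthenticationMethod".
    $types = @($methods | ForEach-Object { $_.AdditionalProperties['@odata.type'] })
    [pscustomobject]@{
        UserPrincipalName = $user.UserPrincipalName
        # Same information as the portal's Identities blade: sign-in type and the value signed in with.
        Identities        = @($user.Identities | ForEach-Object { "{0} ({1})" -f $_.SignInType, $_.IssuerAssignedId })
        MethodTypes       = $types
        HasAuthenticator  = $types -contains '#microsoft.graph.microsoftAuthenticatorAuthenticationMethod'
        Phones            = @(Get-MgUserAuthenticationPhoneMethod -UserId $UserId)
    }
}

function Remove-PhoneMethods {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$UserId)
    $state = Get-UserSignInState -UserId $UserId
    if ($state.Phones.Count -eq 0) { Write-Verbose "no phone method registered"; return $state }
    if (-not $state.HasAuthenticator) {
        throw "$($state.UserPrincipalName) has no Microsoft Authenticator registered; removing the phone would leave the account without MFA"
    }
    foreach ($phone in $state.Phones) {
        # Phone methods are deleted by GUID through the type-specific cmdlet, not by the string "phone".
        $what = "{0}: {1} {2}" -f $state.UserPrincipalName, $phone.PhoneType, $phone.PhoneNumber
        if ($PSCmdlet.ShouldProcess($what, "Remove phone authentication method")) {
            Remove-MgUserAuthenticationPhoneMethod -UserId $UserId -PhoneAuthenticationMethodId $phone.Id
        }
    }
    if ($WhatIfPreference) { return }
    # Re-read and confirm nothing phone-based is left before retrying the sync.
    $after = Get-UserSignInState -UserId $UserId
    if ($after.Phones.Count -ne 0) { throw "a phone method is still registered for $UserId" }
    $after
}

Get-UserSignInState -UserId $Upn | Format-List
Remove-PhoneMethods -UserId $Upn -WhatIf     # dry run: shows what would be removed
# Remove-PhoneMethods -UserId $Upn -Verbose  # real run, once the dry run looks right
```

    Run the dry run first; -WhatIf prints each phone method that would be removed without touching it. The Authenticator check is deliberately a hard stop rather than a warning, because a user left with no second factor is a worse outcome than a user who does not sync yet.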