Introduction

Provisioning users in Azure AD ensures security and compliance, especially with Multi-Factor Authentication (MFA) and proper licensing. This guide walks through setting up a new user with M365 E3 licensing using PowerShell.

Prerequisites

✔ PowerShell installed
✔ Azure AD module installed (Install-Module AzureAD)
✔ Global Admin or User Admin role in Azure

PowerShell Script

powershellCopyEdit# Connect to Azure AD
Connect-AzureAD

# Create a new user
$PasswordProfile = New-Object -TypeName Microsoft.Open.AzureAD.Model.PasswordProfile
$PasswordProfile.Password = "P@ssw0rd!"

New-AzureADUser -UserPrincipalName "[email protected]" `
                -DisplayName "New User" `
                -PasswordProfile $PasswordProfile `
                -MailNickName "newuser" `
                -AccountEnabled $true

# Assign Microsoft 365 E3 License
$license = Get-AzureADSubscribedSku | Where-Object {$_.SkuPartNumber -eq "ENTERPRISEPACK"}
Set-AzureADUserLicense -ObjectId "[email protected]" -AddLicenses @(@{SkuId=$license.SkuId})

# Enable MFA
$StrongAuthRequirement = New-Object -TypeName Microsoft.Open.AzureAD.Model.StrongAuthenticationRequirement
$StrongAuthRequirement.RelyingParty = "*"
$StrongAuthRequirement.State = "Enabled"
Set-MsolUser -UserPrincipalName "[email protected]" -StrongAuthenticationRequirements @($StrongAuthRequirement)

Write-Host "User provisioned successfully with MFA and E3 license."

✅ Done! Your new user is now provisioned with an E3 license and MFA enforced.

Install-Module -Name Microsoft.Graph.Intune

✅ Intune is provisioned.

tracert google.com

✅ Tracks network routes.

netdom query fsmo

✅ Identifies FSMO roles.

Start-VM -VMName "DomainController"

✅ Restores a crashed Domain Naming Master.

New-AzVM -ResourceGroupName "MyRG" -Name "MyVM" -Location "EastUS"

✅ Azure VM created successfully.

Introduction

Joining laptops and desktops to Azure AD ensures centralized management, security compliance, and easier access to cloud resources. This guide covers both manual and PowerShell methods to join a Windows device to Azure AD.

Prerequisites

Before proceeding, ensure the following: ✔ The device is running Windows 10 or later
✔ Internet connection is available
✔ You have Azure AD credentials with permissions
✔ Intune or Azure AD Join is enabled (for auto-enrollment)
✔ PowerShell script execution is allowed (for automation)

1️⃣ Manual Method: Join Windows Device to Azure AD

1️⃣ Open Settings → Accounts
2️⃣ Click Access work or school
3️⃣ Select Connect
4️⃣ Click Join this device to Azure Active Directory
5️⃣ Enter your Azure AD credentials ([email protected])
6️⃣ Click Next, verify details, and click Join
7️⃣ Restart the computer

✅ Done! The device is now part of Azure AD.

2️⃣ PowerShell Method: Automate Azure AD Join

If you manage multiple devices, PowerShell can save a lot of time by automating the Azure AD join process.

🔹 Step 1: Check the Current Join Status

powershellCopyEditGet-MDMEnrollmentStatus

📌 This command checks if the device is already joined.

🔹 Step 2: Join the Device to Azure AD

Use the Add-Computer command to join a machine to Azure AD.

powershellCopyEdit$AzureTenant = "jetmariano.us"
$User = "[email protected]"

dsregcmd /join /tenant $AzureTenant /UserName $User

📌 This command forces the device to join Azure AD.

🔹 Step 3: Verify the Join Status

powershellCopyEditdsregcmd /status

📌 The output should show AzureAdJoined : YES

---

3️⃣ Auto-Enroll Devices via Microsoft Intune

If you’re using Intune for device management, configure Auto-Enrollment:

1️⃣ Go to Microsoft Endpoint Manager (Intune) → Devices
2️⃣ Navigate to Enroll devices
3️⃣ Enable Automatic Enrollment for Azure AD Joined devices
4️⃣ Assign User Groups
5️⃣ Click Save

✅ Now, all new devices will be auto-enrolled into Azure AD.

---

4️⃣ Troubleshooting & Best Practices

• Ensure DNS resolution is correct for jetmariano.us
• Check Azure AD licenses for device management
• Use Intune for compliance policies

---

Summary

Method	When to Use	Command
Manual	Single device setup	Settings → Accounts → Work/School
PowerShell	Multiple devices	dsregcmd /join
Intune Auto-Join	Enterprise-wide auto-enrollment	Intune Enrollment

---

✅ Your Windows devices are now joined to Azure AD!

Overview

Cross-Tenant Synchronization in Microsoft Entra ID (formerly Azure AD) allows automatic user provisioning between trusted organizations. However, synchronization may fail if incorrect identity configurations exist. In this guide, I’ll walk you through setting up Cross-Tenant Sync using PowerShell, ensuring all required configurations are properly applied.

---

Prerequisites

Before proceeding, ensure:

1. You have Global Administrator or Identity Governance Administrator roles.
2. Azure AD Cross-Tenant Access Settings are configured.
3. PowerShell for Microsoft Graph (Microsoft Graph PowerShell SDK) is installed.

---

Step 1: Install and Connect to Microsoft Graph PowerShell

Ensure you have the required module installed and connect to Microsoft Graph.

Install Microsoft Graph PowerShell Module

powershellCopyEditInstall-Module Microsoft.Graph -Scope CurrentUser

Connect to Microsoft Graph with Required Scopes

powershellCopyEditConnect-MgGraph -Scopes "User.ReadWrite.All", "Directory.ReadWrite.All", "Policy.ReadWrite.CrossTenantAccess"

After running this command, sign in with your Global Admin credentials.

---

Step 2: Verify and Modify Cross-Tenant Access Policy

Check your Cross-Tenant Access Policy to confirm if synchronization is enabled.

View Current Cross-Tenant Access Settings

powershellCopyEditGet-MgPolicyCrossTenantAccessPolicy | Format-List

Enable Cross-Tenant Sync (If Disabled)

powershellCopyEditUpdate-MgPolicyCrossTenantAccessPolicy -DefaultInboundAccessEnabled $true -DefaultOutboundAccessEnabled $true

This command ensures that inbound and outbound sync is enabled.

---

Step 3: Remove Conflicting Identity Types

If a user has Phone-based authentication (federated identity), Cross-Tenant Sync will fail. You must remove phone identities.

Check User Identities

powershellCopyEditGet-MgUserAuthenticationMethod -UserId [email protected]

Remove Phone-Based Authentication Method

powershellCopyEditRemove-MgUserAuthenticationMethod -UserId [email protected] -AuthenticationMethodId phone

Replace [email protected] with the actual User Principal Name (UPN).

Confirm the Change

powershellCopyEditGet-MgUserAuthenticationMethod -UserId [email protected]

Ensure that “phone” is no longer listed.

---

Step 4: Configure Cross-Tenant Sync Using PowerShell

Once identities are corrected, you can enable Cross-Tenant Sync.

Enable Cross-Tenant Sync for a Specific Tenant

powershellCopyEditNew-MgPolicyCrossTenantAccessPolicyConfigurationPartner -TenantId "<PartnerTenantID>" -InboundTrustType "ExternalAzureAD"

Replace <PartnerTenantID> with the Tenant ID of the external organization.

Enable Automatic User Synchronization

powershellCopyEditSet-MgPolicyCrossTenantAccessPolicyConfigurationPartner -TenantId "<PartnerTenantID>" -AutomaticUserProvisioning $true

Check Sync Status

powershellCopyEditGet-MgPolicyCrossTenantAccessPolicyConfigurationPartner -TenantId "<PartnerTenantID>"

---

Step 5: Test and Verify Cross-Tenant Sync

Once configured, test the sync to ensure users are provisioned correctly.

Force Sync for Testing

powershellCopyEditStart-ADSyncSyncCycle -PolicyType Delta

This forces an immediate Azure AD Sync to reflect recent changes.

Check Sync Logs

If issues persist, check the Provisioning Logs in Azure AD Portal:

1. Go to Azure Portal → Entra ID → Provisioning Logs
2. Look for Cross-Tenant Sync Errors
3. Verify user attributes and authentication methods.

---

Final Thoughts

By following these steps, you can successfully set up Cross-Tenant Sync in Azure AD using PowerShell. Removing conflicting authentication methods like Phone-based authentication is critical for a seamless synchronization process.

If you have any questions or need further troubleshooting, drop a comment!

Overview

Cross-Tenant Synchronization in Microsoft Entra ID (formerly Azure AD) allows automatic user provisioning between trusted organizations. However, synchronization may fail if incorrect identity configurations exist. In this guide, I’ll walk you through setting up Cross-Tenant Sync using PowerShell, ensuring all required configurations are properly applied.

---

Prerequisites

Before proceeding, ensure:

1. You have Global Administrator or Identity Governance Administrator roles.
2. Azure AD Cross-Tenant Access Settings are configured.
3. PowerShell for Microsoft Graph (Microsoft Graph PowerShell SDK) is installed.

---

Step 1: Install and Connect to Microsoft Graph PowerShell

Ensure you have the required module installed and connect to Microsoft Graph.

Install Microsoft Graph PowerShell Module

powershellCopyEditInstall-Module Microsoft.Graph -Scope CurrentUser

Connect to Microsoft Graph with Required Scopes

powershellCopyEditConnect-MgGraph -Scopes "User.ReadWrite.All", "Directory.ReadWrite.All", "Policy.ReadWrite.CrossTenantAccess"

After running this command, sign in with your Global Admin credentials.

---

Step 2: Verify and Modify Cross-Tenant Access Policy

Check your Cross-Tenant Access Policy to confirm if synchronization is enabled.

View Current Cross-Tenant Access Settings

powershellCopyEditGet-MgPolicyCrossTenantAccessPolicy | Format-List

Enable Cross-Tenant Sync (If Disabled)

powershellCopyEditUpdate-MgPolicyCrossTenantAccessPolicy -DefaultInboundAccessEnabled $true -DefaultOutboundAccessEnabled $true

This command ensures that inbound and outbound sync is enabled.

---

Step 3: Remove Conflicting Identity Types

If a user has Phone-based authentication (federated identity), Cross-Tenant Sync will fail. You must remove phone identities.

Check User Identities

powershellCopyEditGet-MgUserAuthenticationMethod -UserId [email protected]

Remove Phone-Based Authentication Method

powershellCopyEditRemove-MgUserAuthenticationMethod -UserId [email protected] -AuthenticationMethodId phone

Replace [email protected] with the actual User Principal Name (UPN).

Confirm the Change

powershellCopyEditGet-MgUserAuthenticationMethod -UserId [email protected]

Ensure that “phone” is no longer listed.

---

Step 4: Configure Cross-Tenant Sync Using PowerShell

Once identities are corrected, you can enable Cross-Tenant Sync.

Enable Cross-Tenant Sync for a Specific Tenant

powershellCopyEditNew-MgPolicyCrossTenantAccessPolicyConfigurationPartner -TenantId "<PartnerTenantID>" -InboundTrustType "ExternalAzureAD"

Replace <PartnerTenantID> with the Tenant ID of the external organization.

Enable Automatic User Synchronization

powershellCopyEditSet-MgPolicyCrossTenantAccessPolicyConfigurationPartner -TenantId "<PartnerTenantID>" -AutomaticUserProvisioning $true

Check Sync Status

powershellCopyEditGet-MgPolicyCrossTenantAccessPolicyConfigurationPartner -TenantId "<PartnerTenantID>"

---

Step 5: Test and Verify Cross-Tenant Sync

Once configured, test the sync to ensure users are provisioned correctly.

Force Sync for Testing

powershellCopyEditStart-ADSyncSyncCycle -PolicyType Delta

This forces an immediate Azure AD Sync to reflect recent changes.

Check Sync Logs

If issues persist, check the Provisioning Logs in Azure AD Portal:

1. Go to Azure Portal → Entra ID → Provisioning Logs
2. Look for Cross-Tenant Sync Errors
3. Verify user attributes and authentication methods.

---

Final Thoughts

By following these steps, you can successfully set up Cross-Tenant Sync in Azure AD using PowerShell. Removing conflicting authentication methods like Phone-based authentication is critical for a seamless synchronization process.

If you have any questions or need further troubleshooting, drop a comment!

Issue: Cross-Tenant Sync Not Working Due to Identity Type Conflicts

While configuring Azure AD Cross-Tenant Synchronization, you may encounter an issue where the synchronization process fails due to incorrect identity types assigned to user accounts. In my case, the identity type was set to phone instead of the recommended authentication method, preventing successful synchronization.

Root Cause

After troubleshooting with Microsoft engineers, it was identified that Cross-Tenant Sync does not work when a phone-based identity is assigned to a user. The issue arises because federated identities using phone-based authentication do not support synchronization across tenants.

As shown in the screenshots, my user identity in Azure AD > Users > Identities was set to phone under the “Sign-in type” column. This configuration blocked the user from syncing successfully between tenants.

Solution: Change Identity to Microsoft Authenticator

To resolve this issue, follow these steps:

1. Remove Phone-Based Identity

• Navigate to Microsoft Entra Admin Center (entra.microsoft.com).
• Go to Users > Select the affected user.
• Under Identities, locate the phone-based identity.
• Remove the phone-based identity to clear authentication conflicts.

2. Enforce Microsoft Authenticator as the Primary Sign-in Method

• Go to Authentication Methods in Azure AD.
• Ensure Microsoft Authenticator is enabled for the affected user.
• If needed, enforce passwordless authentication via the Microsoft Authenticator app.

3. Reattempt Cross-Tenant Sync

• Once the phone-based identity is removed and Microsoft Authenticator is set, retry Cross-Tenant Sync.
• The synchronization should now proceed without issues.