Category: Cloud Collaboration

Introduction

Cross-Tenant Synchronization (CTS) enables organizations to securely synchronize user identities between Azure Active Directory (Entra ID) tenants. While CTS can be configured through the Azure Portal, leveraging PowerShell allows for faster, repeatable, and error-free deployments.

In this guide, you’ll learn how to set up CTS entirely through PowerShell, ensuring efficient collaboration across multiple cloud environments.

---

Why Use PowerShell for CTS?

• ✅ Automate configuration steps and reduce human error.
• ✅ Create templates for rapid onboarding of future partner tenants.
• ✅ Maintain an audit trail of your cross-tenant setup actions.

Whether you’re managing a single trusted partner or multiple tenants in a complex hybrid environment, PowerShell provides unmatched precision and speed.

---

Prerequisites

• Global Administrator or Directory Administrator permissions in your tenant.
• Microsoft Graph PowerShell SDK installed (Install-Module Microsoft.Graph -Scope CurrentUser)
• Appropriate Graph API permissions:
  • Directory.ReadWrite.All
  • Policy.ReadWrite.CrossTenantAccess
  • User.ReadWrite.All

---

Step 1: Connect to Microsoft Graph

Connect-MgGraph -Scopes "Directory.ReadWrite.All", "User.ReadWrite.All", "Policy.ReadWrite.CrossTenantAccess"

---

Step 2: Add the External Organization to Cross-Tenant Access Policy

New-MgCrossTenantAccessPolicyConfigurationPartner `
  -TenantId "<External-Tenant-ID>" `
  -InboundAccess @{ B2bCollaborationInbound = @{ IsEnabled = $true; Policy = @{ CollaborationRestrictions = "AllowAll" }}} `
  -OutboundAccess @{ B2bCollaborationOutbound = @{ IsEnabled = $true; Policy = @{ CollaborationRestrictions = "AllowAll" }}} `
  -InboundTrust @{ IsMfaAccepted = $true; IsCompliantDeviceAccepted = $false; IsHybridAzureADJoinedDeviceAccepted = $false }

Important: MFA must be cloud-based (Authenticator App, FIDO keys). Phone/SMS MFA will cause provisioning failures.

---

Step 3: Create Cross-Tenant Synchronization Configuration

New-MgCrossTenantSynchronizationConfiguration `
  -DisplayName "CTS External Tenant Sync" `
  -TenantId "<External-Tenant-ID>" `
  -SynchronizationJob @{
      SynchronizationRules = @(
          @{
              SourceObjectType = "User"
              TargetObjectType = "User"
              Scope = @{ Query = "userType eq 'Member'" }
              Actions = @(
                  @{ ActionType = "Create" },
                  @{ ActionType = "Update" }
              )
          }
      )
  }

---

Step 4: (Optional) Trigger Provisioning on Demand

Invoke-MgCrossTenantSynchronizationUserProvisioning `
  -PartnerTenantId "<External-Tenant-ID>" `
  -UserId "<User-Object-ID>"

This step is helpful for immediate validation after setting up CTS policies.

---

Best Practices

• Validate MFA methods before starting provisioning.
• Use Conditional Access policies to protect external identities.
• Start with a small test user group before bulk synchronization.
• Regularly audit synchronization logs.

---

Conclusion

PowerShell unlocks the full potential of Cross-Tenant Synchronization by making deployments faster, scalable, and easier to audit. By following this approach, you ensure that trusted collaboration between organizations remains secure, compliant, and future-ready.

Implement CTS with confidence — and take control of your hybrid collaboration strategy.

---

✨ Next Step:
If you’re new to Cross-Tenant Synchronization, start here first: Cross-Tenant Synchronization (CTS) Explained

© 2012–2025 Jet Mariano. All rights reserved.
For usage terms, please see the Legal Disclaimer.

Introduction

Cross-Tenant Synchronization (CTS) allows organizations to securely sync users across Azure Active Directory (Azure AD) tenants for seamless B2B collaboration. Instead of manually managing external identities, CTS automates identity sharing, reduces administrative burden, and strengthens security.

In this guide, we’ll cover what CTS is, why it matters, and how you can configure it using real-world PowerShell examples.

---

What is Cross-Tenant Synchronization (CTS)?

CTS enables organizations to automatically create and manage B2B collaboration users across tenants, ensuring updated identities and permissions without manual intervention. It facilitates external collaboration without compromising compliance or security.

---

Why Use CTS for B2B Collaboration?

• Secure Identity Sharing: Automates user onboarding and offboarding between organizations.
• Unified Collaboration: Enables external users to access Teams, SharePoint, and other Microsoft 365 services.
• Simplified Management: Reduces manual directory maintenance and ensures identities stay updated.
• Compliance: Supports MFA and Conditional Access for external users.

---

High-Level Setup Steps for CTS

1. Establish a trust relationship between the source and target Azure AD tenants.
2. Define synchronization rules for user attributes.
3. Configure B2B Collaboration settings.
4. Automate and manage policies with PowerShell.

---

PowerShell Sample: Setting Up B2B Trust

# Step 1: Connect to Azure AD
Connect-AzureAD

# Step 2: Create a basic B2B Invitation Policy
New-AzureADPolicy \
  -Definition @('{"B2BInvitation": {"Enabled": true}}') \
  -DisplayName "CTS B2B Collaboration Policy" \
  -Type "B2BInvitationPolicy"

# Step 3: Set Cross-Tenant Access Policy for External Collaboration
Connect-MgGraph -Scopes "Policy.ReadWrite.CrossTenantAccess"

$policy = @{
    inboundTrust = @{ isMfaAccepted = $true; isCompliantDeviceAccepted = $true }
    outboundTrust = @{ isMfaAccepted = $true; isCompliantDeviceAccepted = $true }
}

Update-MgPolicyCrossTenantAccessPolicy -BodyParameter $policy

---

Best Practices for Cross-Tenant Synchronization

• Enforce MFA: Require multi-factor authentication for all external users.
• Use Conditional Access: Protect sensitive apps and data.
• Attribute Filtering: Only sync necessary user attributes.
• Separation of Admin Rights: Do not grant external users privileged roles.
• Audit and Monitor: Regularly review cross-tenant policies and access logs.

---

Conclusion

Cross-Tenant Synchronization (CTS) streamlines external collaboration without sacrificing security. Whether you’re preparing for mergers, managing strategic partnerships, or extending services to external clients, automating CTS setup using PowerShell ensures scalability, consistency, and security.

Implement CTS today and strengthen your organization’s B2B collaboration foundation.

---

✨ Related: See my PowerShell Toolbox for essential automation scripts.

© 2012–2025 Jet Mariano. All rights reserved.
For usage terms, please see the Legal Disclaimer.

Title:
Cross-Tenant Synchronization (CTS): Secure Collaboration Across Organizations

Post Content:

In today’s hybrid environments, collaboration often extends beyond a single organization. Cross-Tenant Synchronization (CTS) enables seamless sharing of users, groups, and resources across multiple Microsoft 365 tenants without compromising security.

Why CTS Matters:
🔹 Supports hybrid mergers, acquisitions, and strategic partnerships
🔹 Reduces manual duplication of users and permissions
🔹 Enhances Microsoft Teams B2B collaboration without exposing internal directories

How CTS Works:
➔ Synchronizes selected users/groups from one tenant to another (one-way or bidirectional)
➔ Integrates with Azure AD B2B Collaboration and Conditional Access policies
➔ Helps manage guest access more securely and systematically

My Experience with CTS:
I’ve implemented CTS workflows to securely connect environments during M&A transitions, partner onboarding, and hybrid workforce expansion. It strengthened collaboration while maintaining strict identity governance policies.

🔗 Related: Learn more about B2B Collaboration and Infrastructure as Code (IaaC).

© 2012–2025 Jet Mariano. All rights reserved.
For usage terms, please see the Legal Disclaimer.