Introduction
Cross-Tenant Synchronization (CTS) enables organizations to securely synchronize user identities between Microsoft Entra ID (formerly Azure Active Directory) tenants. While CTS can be configured through the Azure Portal, leveraging PowerShell allows for faster, repeatable, and consistent deployments.
In this guide, you’ll learn how to set up CTS entirely through PowerShell, ensuring efficient collaboration across multiple cloud environments.
Why Use PowerShell for CTS?
- ✅ Automate configuration steps and reduce human error.
- ✅ Create templates for rapid onboarding of future partner tenants.
- ✅ Maintain an audit trail of your cross-tenant setup actions.
Whether you’re managing a single trusted partner or multiple tenants in a complex hybrid environment, PowerShell provides unmatched precision and speed.
Prerequisites
- Global Administrator or Directory Administrator permissions in your tenant.
- Microsoft Graph PowerShell SDK installed (Install-Module Microsoft.Graph -Scope CurrentUser)
- Appropriate Graph API permissions:
  - Directory.ReadWrite.All
  - Policy.ReadWrite.CrossTenantAccess
  - User.ReadWrite.All
Step 1: Connect to Microsoft Graph
# Application.ReadWrite.All and Synchronization.ReadWrite.All are also required to create and run the CTS provisioning job in Step 3
Connect-MgGraph -Scopes "Directory.ReadWrite.All", "User.ReadWrite.All", "Policy.ReadWrite.CrossTenantAccess", "Application.ReadWrite.All", "Synchronization.ReadWrite.All"
Step 2: Add the External Organization to Cross-Tenant Access Policy
# Run in the tenant that will RECEIVE synchronized users (the target tenant).
# New-MgPolicyCrossTenantAccessPolicyPartner is the Graph SDK cmdlet for POST /policies/crossTenantAccessPolicy/partners.
$allUsers = @{ AccessType = "allowed"; Targets = @(@{ Target = "AllUsers"; TargetType = "user" }) }
$allApps  = @{ AccessType = "allowed"; Targets = @(@{ Target = "AllApplications"; TargetType = "application" }) }
New-MgPolicyCrossTenantAccessPolicyPartner `
    -TenantId "<External-Tenant-ID>" `
    -B2BCollaborationInbound  @{ UsersAndGroups = $allUsers; Applications = $allApps } `
    -B2BCollaborationOutbound @{ UsersAndGroups = $allUsers; Applications = $allApps } `
    -InboundTrust @{ IsMfaAccepted = $true; IsCompliantDeviceAccepted = $false; IsHybridAzureADJoinedDeviceAccepted = $false } `
    -AutomaticUserConsentSettings @{ InboundAllowed = $true }   # suppress the B2B consent prompt for inbound users
Important: MFA must be cloud-based (Authenticator App, FIDO keys). Phone/SMS MFA will cause provisioning failures.
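The partner object above is only half of the policy handshake: the target tenant must also declare that it accepts inbound synchronization from the partner, and the source tenant must allow outbound automatic consent so pushed users are not blocked by a consent prompt. The following is an added example, not code from the original post; it uses the Graph SDK's Invoke-MgGraphRequest for the identitySynchronization endpoint (PUT /policies/crossTenantAccessPolicy/partners/{tenantId}/identitySynchronization) and the Get-/New-/Update-MgPolicyCrossTenantAccessPolicyPartner cmdlets. The tenant ids and display name are placeholders.

```powershell
# (a) TARGET tenant (connected as in Step 1): accept inbound user sync from the partner.
$sourceTenantId = "<External-Tenant-ID>"   # placeholder: the tenant that owns the users
Invoke-MgGraphRequest -Method PUT `
    -Uri "https://graph.microsoft.com/v1.0/policies/crossTenantAccessPolicy/partners/$sourceTenantId/identitySynchronization" `
    -Body @{
        displayName     = "Inbound sync from partner"   # placeholder
        userSyncInbound = @{ isSyncAllowed = $true }
    }

# (b) SOURCE tenant (re-run Connect-MgGraph against that tenant first): allow outbound
#     automatic consent, creating the partner entry if it does not exist yet.
$targetTenantId = "<Target-Tenant-ID>"     # placeholder: the tenant that receives the users
$partner = Get-MgPolicyCrossTenantAccessPolicyPartner `
    -CrossTenantAccessPolicyConfigurationPartnerTenantId $targetTenantId -ErrorAction SilentlyContinue
if (-not $partner) {
    New-MgPolicyCrossTenantAccessPolicyPartner -TenantId $targetTenantId `
        -AutomaticUserConsentSettings @{ OutboundAllowed = $true }
} else {
    Update-MgPolicyCrossTenantAccessPolicyPartner `
        -CrossTenantAccessPolicyConfigurationPartnerTenantId $targetTenantId `
        -AutomaticUserConsentSettings @{ OutboundAllowed = $true }
}
```

Run (a) while signed in to the target tenant and (b) while signed in to the source tenant; a provisioning job created in Step 3 will report an authorization failure if either side is missing.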
Step 3: Create Cross-Tenant Synchronization Configuration
# Run in the tenant that OWNS the users being synchronized (the source tenant).
# 1. Instantiate the cross-tenant synchronization enterprise app from its gallery template
#    (518e5f48-1fc8-4c48-9387-9fdf28b0dfe7 is Microsoft's template id for this app).
$app  = Invoke-MgInstantiateApplicationTemplate `
    -ApplicationTemplateId "518e5f48-1fc8-4c48-9387-9fdf28b0dfe7" `
    -DisplayName "CTS External Tenant Sync"
$spId = $app.ServicePrincipal.Id

# 2. Create the provisioning job from the built-in Azure2Azure template.
#    Attribute mappings and scoping filters come from the template; adjust them via the job schema if needed.
$job = New-MgServicePrincipalSynchronizationJob -ServicePrincipalId $spId -TemplateId "Azure2Azure"

# 3. Point the job at the target tenant. Authentication is the cross-tenant access policy, so no secret is stored.
Set-MgServicePrincipalSynchronizationSecret -ServicePrincipalId $spId -BodyParameter @{
    value = @(
        @{ key = "AuthenticationType"; value = "SyncPolicy" },
        @{ key = "CompanyId";          value = "<External-Tenant-ID>" }
    )
}

# 4. Scope the job: assign a pilot group to the app so only its members are synchronized.
#    Inspect (Get-MgServicePrincipal -ServicePrincipalId $spId).AppRoles if more than one role is exposed.
$appRoleId = (Get-MgServicePrincipal -ServicePrincipalId $spId).AppRoles[0].Id
New-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $spId -ResourceId $spId `
    -PrincipalId "<Pilot-Group-Object-ID>" -AppRoleId $appRoleId

# 5. Start the job; keep $spId and $job.Id for Step 4 and for later health checks.
Start-MgServicePrincipalSynchronizationJob -ServicePrincipalId $spId -SynchronizationJobId $job.Id
Step 4: (Optional) Trigger Provisioning on Demand
$spId = "<CTS-ServicePrincipal-ID>"; $jobId = "<Synchronization-Job-ID>"   # values from Step 3
# provisionOnDemand needs the id of the rule to run; take it from the job's schema
$ruleId = (Get-MgServicePrincipalSynchronizationJobSchema -ServicePrincipalId $spId -SynchronizationJobId $jobId).SynchronizationRules[0].Id
New-MgServicePrincipalSynchronizationJobOnDemand -ServicePrincipalId $spId -SynchronizationJobId $jobId -BodyParameter @{
    parameters = @(@{ ruleId = $ruleId; subjects = @(@{ objectId = "<User-Object-ID>"; objectTypeName = "User" }) })
}
This step is helpful for immediate validation after setting up CTS policies.
Best Practices
- Validate MFA methods before starting provisioning.
- Use Conditional Access policies to protect external identities.
- Start with a small test user group before bulk synchronization.
- Regularly audit synchronization logs.
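The last two practices (pilot group first, audit the logs) are easier to keep when the check is a script you can rerun. The following is an added example, not from the original post: it reads the job's status object and the provisioning audit log through the Graph SDK (Get-MgServicePrincipalSynchronizationJob from Microsoft.Graph.Applications, Get-MgAuditLogProvisioning from Microsoft.Graph.Reports; the latter needs the AuditLog.Read.All scope). Property paths follow the Graph synchronizationStatus and provisioningObjectSummary resources; $spId and $jobId are placeholders.

```powershell
# Post-setup health check for a cross-tenant synchronization job.
$spId  = "<CTS-ServicePrincipal-ID>"     # placeholder: service principal created in Step 3
$jobId = "<Synchronization-Job-ID>"      # placeholder: job created in Step 3

# 1. Job state. Anything other than "Active", or a populated Quarantine block, needs attention.
$job = Get-MgServicePrincipalSynchronizationJob -ServicePrincipalId $spId -SynchronizationJobId $jobId
"Job {0}: state={1}, last run={2}, last success={3}" -f $job.Id, $job.Status.Code,
    $job.Status.LastExecution.State, $job.Status.LastSuccessfulExecution.TimeEnded
if ($job.Status.Quarantine) {
    Write-Warning ("Job is quarantined: {0} / {1}" -f $job.Status.Quarantine.Reason,
        $job.Status.Quarantine.Error.Message)
}

# 2. Provisioning log for the last 24 hours, limited to this app, grouped by outcome
#    (success / failure / warning / skipped).
$since  = (Get-Date).ToUniversalTime().AddDays(-1).ToString("yyyy-MM-ddTHH:mm:ssZ")
$events = Get-MgAuditLogProvisioning -Filter "activityDateTime ge $since" -All |
    Where-Object { $_.ServicePrincipal.Id -eq $spId }
$events | Group-Object { $_.ProvisioningStatusInfo.Status } |
    Select-Object Name, Count | Format-Table -AutoSize

# 3. Failures with the step that failed, so a rejected user, a bad attribute mapping,
#    or a missing inbound policy on the partner side is visible without opening the portal.
$events | Where-Object { $_.ProvisioningStatusInfo.Status -eq "failure" } | ForEach-Object {
    $failedStep = $_.ProvisioningSteps | Where-Object { $_.Status -eq "failure" } | Select-Object -First 1
    [pscustomobject]@{
        When   = $_.ActivityDateTime
        Action = $_.ProvisioningAction
        User   = $_.SourceIdentity.DisplayName
        Reason = $failedStep.Description
    }
} | Format-Table -AutoSize
```

Run it after the first cycle completes for the pilot group and again after widening the assignment; a rising failure count between the two runs is the signal to stop and review before the job reaches the full user population.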
Conclusion
PowerShell unlocks the full potential of Cross-Tenant Synchronization by making deployments faster, scalable, and easier to audit. By following this approach, you ensure that trusted collaboration between organizations remains secure, compliant, and future-ready.
Implement CTS with confidence — and take control of your hybrid collaboration strategy.
✨ Next Step:
If you’re new to Cross-Tenant Synchronization, start here first: Cross-Tenant Synchronization (CTS) Explained
© 2012–2025 Jet Mariano. All rights reserved.
For usage terms, please see the Legal Disclaimer.