Fixing Cross-Tenant Sync Issues in Azure: Resolving Identity Conflicts

Issue: Cross-Tenant Sync Not Working Due to Identity Type Conflicts

While configuring Azure AD Cross-Tenant Synchronization, you may encounter an issue where the synchronization process fails due to incorrect identity types assigned to user accounts. In my case, the identity type was set to phone instead of the recommended authentication method, preventing successful synchronization.

Root Cause

After troubleshooting with Microsoft engineers, it was identified that Cross-Tenant Sync does not work when a phone-based identity is assigned to a user. The issue arises because federated identities using phone-based authentication do not support synchronization across tenants.

As shown in the screenshots, my user identity in Azure AD > Users > Identities was set to phone under the “Sign-in type” column. This configuration blocked the user from syncing successfully between tenants.

Solution: Change Identity to Microsoft Authenticator

To resolve this issue, follow these steps:

1. Remove Phone-Based Identity

  • Navigate to Microsoft Entra Admin Center (entra.microsoft.com).
  • Go to Users > Select the affected user.
  • Under Identities, locate the phone-based identity.
  • Remove the phone-based identity to clear authentication conflicts.

2. Enforce Microsoft Authenticator as the Primary Sign-in Method

  • Go to Authentication Methods in Azure AD.
  • Ensure Microsoft Authenticator is enabled for the affected user.
  • If needed, enforce passwordless authentication via the Microsoft Authenticator app.

3. Reattempt Cross-Tenant Sync

  • Once the phone-based identity is removed and Microsoft Authenticator is set, retry Cross-Tenant Sync.
  • The synchronization should now proceed without issues.
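The three steps above as one pre-flight script, added here as an example and not part of the original post. It assumes the Microsoft Graph PowerShell SDK is installed, that the phone-based entry in the user's Identities list can be recognised by a sign-in type or issuer containing "phone" (an assumption based on the "Sign-in type" column described above), and that a Graph update of the identities collection is equivalent to removing the entry in the Entra admin center.

```powershell
# Added example (not from the original post): audit a user's identities and
# Authenticator registration before retrying Cross-Tenant Sync.
param(
    [Parameter(Mandatory)] [string] $UserId,   # UPN or object id of the affected user
    [switch] $RemovePhoneIdentity              # only modify the user when explicitly asked
)

Connect-MgGraph -Scopes 'User.Read.All','UserAuthenticationMethod.Read.All','User.ManageIdentities.All' | Out-Null

# Step 1: inspect identities (Entra admin center: Users > user > Identities)
$user = Get-MgUser -UserId $UserId -Property 'id,userPrincipalName,identities'
Write-Host "Identities for $($user.UserPrincipalName):"
$user.Identities | Format-Table SignInType, Issuer, IssuerAssignedId -AutoSize

# Assumption: the blocking entry shows "phone" in its sign-in type or issuer
$isPhone  = { $_.SignInType -match 'phone' -or $_.Issuer -match 'phone' }
$phoneIds = @($user.Identities | Where-Object $isPhone)
$keepIds  = @($user.Identities | Where-Object { -not (& $isPhone) } | ForEach-Object {
    @{ signInType = $_.SignInType; issuer = $_.Issuer; issuerAssignedId = $_.IssuerAssignedId }
})

if ($phoneIds.Count -eq 0) {
    Write-Host 'No phone-based identity found; the identity type is not the blocker here.'
} elseif ($RemovePhoneIdentity) {
    # Updating identities replaces the whole collection, so every entry to keep is sent back
    Update-MgUser -UserId $user.Id -Identities $keepIds
    Write-Host "Removed $($phoneIds.Count) phone-based identity entry/entries."
} else {
    Write-Warning 'Phone-based identity present; rerun with -RemovePhoneIdentity to remove it.'
}

# Step 2: confirm Microsoft Authenticator is registered for the user
$auth = @(Get-MgUserAuthenticationMicrosoftAuthenticatorMethod -UserId $user.Id)
if ($auth.Count -gt 0) {
    Write-Host "Microsoft Authenticator registered on $($auth.Count) device(s)."
} else {
    Write-Warning 'Microsoft Authenticator is not registered; have the user register it first.'
}

# Step 3: retry Cross-Tenant Sync once both checks pass
if ($phoneIds.Count -eq 0 -or $RemovePhoneIdentity) {
    if ($auth.Count -gt 0) { Write-Host 'Preconditions met; retry Cross-Tenant Sync for this user.' }
}
```

Run it first without -RemovePhoneIdentity to see what the user's identities look like; the update only happens when the switch is given.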