Overview
Cross-Tenant Synchronization in Microsoft Entra ID (formerly Azure AD) allows automatic user provisioning between trusted organizations. However, synchronization may fail if incorrect identity configurations exist. In this guide, I’ll walk you through setting up Cross-Tenant Sync using PowerShell, ensuring all required configurations are properly applied.
Prerequisites
Before proceeding, ensure:
- You have Global Administrator or Identity Governance Administrator roles.
- Azure AD Cross-Tenant Access Settings are configured.
- PowerShell for Microsoft Graph (Microsoft Graph PowerShell SDK) is installed.
Step 1: Install and Connect to Microsoft Graph PowerShell
Ensure you have the required module installed and connect to Microsoft Graph.
Install Microsoft Graph PowerShell Module
powershellCopyEditInstall-Module Microsoft.Graph -Scope CurrentUser
Connect to Microsoft Graph with Required Scopes
powershellCopyEditConnect-MgGraph -Scopes "User.ReadWrite.All", "Directory.ReadWrite.All", "Policy.ReadWrite.CrossTenantAccess"
After running this command, sign in with your Global Admin credentials.
Step 2: Verify and Modify Cross-Tenant Access Policy
Check your Cross-Tenant Access Policy to confirm if synchronization is enabled.
View Current Cross-Tenant Access Settings
powershellCopyEditGet-MgPolicyCrossTenantAccessPolicy | Format-List
Enable Cross-Tenant Sync (If Disabled)
powershellCopyEditUpdate-MgPolicyCrossTenantAccessPolicy -DefaultInboundAccessEnabled $true -DefaultOutboundAccessEnabled $true
This command ensures that inbound and outbound sync is enabled.
Step 3: Remove Conflicting Identity Types
If a user has Phone-based authentication (federated identity), Cross-Tenant Sync will fail. You must remove phone identities.
Check User Identities
powershellCopyEditGet-MgUserAuthenticationMethod -UserId [email protected]
Remove Phone-Based Authentication Method
powershellCopyEditRemove-MgUserAuthenticationMethod -UserId [email protected] -AuthenticationMethodId phone
Replace [email protected] with the actual User Principal Name (UPN).
Confirm the Change
powershellCopyEditGet-MgUserAuthenticationMethod -UserId [email protected]
Ensure that “phone” is no longer listed.
Step 4: Configure Cross-Tenant Sync Using PowerShell
Once identities are corrected, you can enable Cross-Tenant Sync.
Enable Cross-Tenant Sync for a Specific Tenant
powershellCopyEditNew-MgPolicyCrossTenantAccessPolicyConfigurationPartner -TenantId "<PartnerTenantID>" -InboundTrustType "ExternalAzureAD"
Replace <PartnerTenantID> with the Tenant ID of the external organization.
Enable Automatic User Synchronization
powershellCopyEditSet-MgPolicyCrossTenantAccessPolicyConfigurationPartner -TenantId "<PartnerTenantID>" -AutomaticUserProvisioning $true
Check Sync Status
powershellCopyEditGet-MgPolicyCrossTenantAccessPolicyConfigurationPartner -TenantId "<PartnerTenantID>"
Step 5: Test and Verify Cross-Tenant Sync
Once configured, test the sync to ensure users are provisioned correctly.
Force Sync for Testing
powershellCopyEditStart-ADSyncSyncCycle -PolicyType Delta
This forces an immediate Azure AD Sync to reflect recent changes.
Check Sync Logs
If issues persist, check the Provisioning Logs in Azure AD Portal:
- Go to Azure Portal → Entra ID → Provisioning Logs
- Look for Cross-Tenant Sync Errors
- Verify user attributes and authentication methods.
Final Thoughts
By following these steps, you can successfully set up Cross-Tenant Sync in Azure AD using PowerShell. Removing conflicting authentication methods like Phone-based authentication is critical for a seamless synchronization process.
If you have any questions or need further troubleshooting, drop a comment!