Synchronize users in multitenant organizations in Microsoft 365

For users in your tenant to be able to collaborate with those in other tenants, you must synchronize your users to the other tenants.

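There are two ways to set up user synchronization:

  • Share users in the Microsoft 365 admin center
  • Configure cross-tenant synchronization directly in Microsoft Entra ID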

Both methods use cross-tenant synchronization in Microsoft Entra ID.

If you want to synchronize the same users with all the other tenants in a multitenant organization, we recommend sharing users in the Microsoft 365 admin center. This creates the necessary configurations in Microsoft Entra ID for you.

If you want to synchronize different users to different tenants or use Entra groups to determine which users are in scope for provisioning, then you must configure cross-tenant synchronization directly in Microsoft Entra ID.

While you can create multiple cross-tenant synchronization configurations for a single external tenant, we recommend that you only use one for ease of administration.

If you already have B2B member users synchronized with tenants that are part of the multitenant organization (MTO), those users immediately become MTO members when the MTO is formed.

Note

It might take up to 24 hours for synced users to be available in Microsoft 365 services such as Teams and SharePoint.

For more information about cross-tenant synchronization, see What is cross-tenant synchronization?.

If you have issues with user synchronization, check the provisioning logs in Microsoft Entra ID.
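A triage pass over exported provisioning log entries, as an added example (not Microsoft's code): it keeps only entries from configurations named MTO_Sync_<TenantID>, the naming this article gives to configurations created by the admin center, counts outcomes per configuration, and lists the failures. The records are constructed and shaped like Microsoft Graph provisioningObjectSummary objects; matching the configuration name on servicePrincipal.displayName is an assumption.

```python
from collections import Counter

CONFIG_PREFIX = "MTO_Sync_"  # configuration naming described in this article

def _entry(when, config, user, action, status, code=None, reason=None):
    """Build a constructed record with the provisioningObjectSummary fields used below."""
    info = {"status": status}
    if code:
        info["errorInformation"] = {"errorCode": code, "reason": reason}
    return {"activityDateTime": when, "provisioningAction": action,
            "servicePrincipal": {"displayName": config},  # assumed to hold the config name
            "sourceIdentity": {"displayName": user},
            "provisioningStatusInfo": info}

# Constructed sample data; tenant IDs, users and the error code are placeholders.
TENANT_A = CONFIG_PREFIX + "00000000-0000-0000-0000-00000000000a"
TENANT_B = CONFIG_PREFIX + "00000000-0000-0000-0000-00000000000b"
SAMPLE_LOGS = [
    _entry("2024-05-01T08:00:00Z", TENANT_A, "alex@contoso.com", "create", "success"),
    _entry("2024-05-01T08:00:05Z", TENANT_A, "kim@contoso.com", "create", "failure",
           "SAMPLE_ERROR", "constructed failure reason"),
    _entry("2024-05-01T08:00:09Z", TENANT_B, "alex@contoso.com", "update", "skipped"),
    _entry("2024-05-01T08:01:00Z", "Other HR app", "dana@contoso.com", "create", "failure",
           "SAMPLE_ERROR", "unrelated provisioning app"),
]

def triage(logs):
    """Return (status counts per MTO sync configuration, failures to investigate)."""
    counts, failures = {}, []
    for entry in logs:
        config = (entry.get("servicePrincipal") or {}).get("displayName") or ""
        if not config.startswith(CONFIG_PREFIX):
            continue  # not one of the admin-center-created configurations
        info = entry.get("provisioningStatusInfo") or {}
        status = (info.get("status") or "unknown").lower()
        counts.setdefault(config, Counter())[status] += 1
        if status == "failure":
            error = info.get("errorInformation") or {}
            failures.append({
                "config": config, "when": entry.get("activityDateTime"),
                "user": (entry.get("sourceIdentity") or {}).get("displayName"),
                "action": entry.get("provisioningAction"),
                "errorCode": error.get("errorCode"), "reason": error.get("reason")})
    return counts, sorted(failures, key=lambda f: f["when"])

if __name__ == "__main__":
    per_config, failed = triage(SAMPLE_LOGS)
    for name, tally in sorted(per_config.items()):
        print(name, dict(tally))
    for item in failed:
        print("FAILED", item["when"], item["config"], item["user"], item["errorCode"])
```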

User property synchronization

When you set up user synchronization with another tenant in a multitenant organization, the following user properties are synchronized:

  • accountEnabled
  • alternativeSecurityIds
  • city
  • country
  • department
  • displayName
  • employeeId
  • givenName
  • IsSoftDeleted
  • jobTitle
  • mailNickname
  • physicalDeliveryOfficeName
  • postalCode
  • preferredLanguage
  • showInAddressList
  • state
  • streetAddress
  • surname
  • telephoneNumber
  • userPrincipalName
  • UserType (member)
  • manager

You can change the properties that are synchronized after the synchronization has been configured. For more information, see Configure cross-tenant synchronization.

Profile card experience

The profile card is a feature that allows users to view information about another user, such as email, phone number, and office location. It's available in most Microsoft 365 apps like Teams, Outlook, SharePoint and Viva Engage. Users in multitenant organizations can see information about users in other tenants that are part of the multitenant organization. What users can see depends on what data is being synchronized between the tenants. (Note that some properties require additional configuration to be displayed.)

The new Teams desktop client fetches some data directly from the other tenants in the multitenant organization to create a richer experience. In a multitenant organization, when a user looks at the profile card for a user in another tenant in Teams, the name, contact information, and job information are available in 1:1 chats and shared channels without the need for property synchronization to be configured. (These properties are retrieved by Microsoft Entra cross-tenant access and Teams external access.) To see these properties elsewhere in Teams, such as channels, group chats, and chats with guest accounts, you need to include them as part of user synchronization.

In a multitenant organization, the profile picture is always available and is retrieved from the user's home tenant.

For the most consistent profile card experience, keep in mind the following:

  • Don't change property values as they're synced, or users will see different values in different tenants.
  • LinkedIn account connection configurations might vary across tenants.

Users synchronized to your tenant from other tenants

Users synchronized to your tenant from other tenants in your multitenant organization are synchronized as Microsoft Entra members rather than guests.

As members, people from other tenants have a more seamless collaboration experience. This includes access to files through "People in your organization" shareable links. (Consider using sensitivity labels if you need to limit who can access a file with a "People in your organization" link.)

If some people from the other tenant already have guest accounts in your directory, the synchronization process doesn't change their user type to member by default. You can change these users' user type to member by updating the user properties in Microsoft Entra ID or updating your cross-tenant synchronization configuration mappings in Microsoft Entra ID to support converting from guest to member at scale.
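A review of who holds member-level access after synchronization, as an added example (not Microsoft's code): it splits external accounts into synchronized members, guests from multitenant organization tenants that were not converted, and external members from anywhere else. The user records are constructed and shaped like Microsoft Graph user objects; `MTO_DOMAINS` is a hypothetical list of partner domains, and the code assumes external accounts carry the usual `alias_domain#EXT#@tenant` form in userPrincipalName.

```python
from collections import defaultdict

# Constructed sample shaped like Microsoft Graph `GET /users` results
# (displayName, userPrincipalName, userType). Not real tenant data.
SAMPLE_USERS = [
    {"displayName": "Dana Local", "userPrincipalName": "dana@contoso.com", "userType": "Member"},
    {"displayName": "Alex Synced", "userPrincipalName": "alex_fabrikam.com#EXT#@contoso.onmicrosoft.com", "userType": "Member"},
    {"displayName": "Kim Legacy", "userPrincipalName": "kim_fabrikam.com#EXT#@contoso.onmicrosoft.com", "userType": "Guest"},
    {"displayName": "Pat Vendor", "userPrincipalName": "pat_vendor.example#EXT#@contoso.onmicrosoft.com", "userType": "Guest"},
    {"displayName": "Sam Smith", "userPrincipalName": "sam_smith_fabrikam.com#EXT#@contoso.onmicrosoft.com", "userType": "Member"},
    {"displayName": "Lee Partner", "userPrincipalName": "lee_partner.example#EXT#@contoso.onmicrosoft.com", "userType": "Member"},
]

# Assumption: domains of the other tenants in the multitenant organization.
MTO_DOMAINS = {"fabrikam.com"}
EXT_MARKER = "#EXT#"


def home_domain(upn):
    """Home domain encoded in an external UPN, or None for a local account."""
    pos = upn.upper().find(EXT_MARKER)
    if pos == -1:
        return None
    # alias@domain is stored as alias_domain, so the domain follows the last '_'.
    return upn[:pos].rpartition("_")[2].lower()


def review_user_types(users, mto_domains):
    """Group external accounts by the access level their userType gives them."""
    report = defaultdict(list)
    for user in users:
        domain = home_domain(user["userPrincipalName"])
        if domain is None:
            continue  # local account, out of scope for this review
        is_member = user.get("userType", "").lower() == "member"
        if domain in mto_domains:
            key = "mto_members" if is_member else "mto_guests_not_converted"
        else:
            key = "external_members_outside_mto" if is_member else "other_guests"
        report[key].append(user["userPrincipalName"])
    return dict(report)


if __name__ == "__main__":
    for bucket, upns in sorted(review_user_types(SAMPLE_USERS, MTO_DOMAINS).items()):
        print(f"{bucket}: {len(upns)}")
        for upn in upns:
            print(f"  {upn}")
```

Accounts in `mto_members` and `external_members_outside_mto` are the ones covered by "People in your organization" links, so those two buckets are the ones to reconcile against the intended sharing scope.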

Set up initial user synchronization for a multitenant organization

Important

Microsoft recommends that you use roles with the fewest permissions. Using lower permissioned accounts helps improve security for your organization. Global Administrator is a highly privileged role that should be limited to emergency scenarios when you can't use an existing role.

To synchronize identities to other tenants in a multitenant organization:

  1. Sign in to the Microsoft 365 admin center as a global administrator.
  2. Expand Settings and select Org settings.
  3. On the Organization profile tab, select Multitenant collaboration.
  4. Select Share users.
  5. Select Select users to share.
  6. Select Save.
  7. Select Yes to confirm.

This creates a cross-tenant synchronization configuration in Microsoft Entra ID for each tenant in your multitenant organization. The synchronization configurations are named MTO_Sync_<TenantID>.

Set up user synchronization with newly added tenants

If you add additional tenants to your multitenant organization, you need to set up user synchronization with those tenants.

Important

Microsoft recommends that you use roles with the fewest permissions. Using lower permissioned accounts helps improve security for your organization. Global Administrator is a highly privileged role that should be limited to emergency scenarios when you can't use an existing role.

To set up user synchronization with newly added tenants:

  1. Sign in to the Microsoft 365 admin center as a global administrator.
  2. Expand Settings and select Org settings.
  3. On the Organization profile tab, select Multitenant collaboration.
  4. Select Share users.
  5. Select Share current user scope.
  6. Select Yes to confirm.

Change which users are synchronized with other tenants

You can change which users are synchronized to other tenants in your multitenant organization.

Important

Microsoft recommends that you use roles with the fewest permissions. Using lower permissioned accounts helps improve security for your organization. Global Administrator is a highly privileged role that should be limited to emergency scenarios when you can't use an existing role.

To change which users are synchronized to other tenants:

  1. Sign in to the Microsoft 365 admin center as a global administrator.
  2. Expand Settings and select Org settings.
  3. On the Organization profile tab, select Multitenant collaboration.
  4. Select Share users.
  5. Select Edit shared users.
  6. Update the users that you want to sync to other tenants and then select Save.
  7. Select Yes to confirm.

This procedure updates the MTO_Sync_<TenantID> synchronization configurations in Microsoft Entra ID for each tenant in your multitenant organization.

Related topics

  • Troubleshooting tips for multitenant organizations
  • Known issues for provisioning in Microsoft Entra ID
  • Plan for multitenant organizations in Microsoft 365
  • Set up a multitenant org in Microsoft 365
  • Join or leave a multitenant organization in Microsoft 365
  • Scoping users or groups to be provisioned with scoping filters