Редактиране

Споделяне чрез


What is a multitenant organization in Microsoft Entra ID?

Multitenant organization is a feature in Microsoft Entra ID and Microsoft 365 that enables you to define a boundary around the Microsoft Entra tenants that your organization owns. In the directory, it takes the form of a tenant group representing your organization. Each pair of tenants in the group is governed by cross-tenant access settings that you can use to configure B2B collaboration.

Why use multitenant organization?

Here are the primary goals of multitenant organization:

  • Define a boundary around the tenants belonging to your organization
  • Collaborate across your tenants in new Microsoft Teams
  • Collaborate across your tenants in Microsoft Viva Engage

Who should use it?

Organizations that own multiple Microsoft Entra tenants and want to streamline intra-organization cross-tenant collaboration in Microsoft 365.

The multitenant organization capability in Microsoft Teams is built on the assumption of reciprocal provisioning of B2B collaboration member users across multitenant organization tenants.

The multitenant organization capability in Viva Engage is built on the assumption of centralized provisioning of B2B collaboration member users into a hub tenant.

As such, the multitenant organization capability is best deployed with the use of a bulk provisioning engine for B2B collaboration users, for example with cross-tenant synchronization.

Benefits

Here are the primary benefits of a multitenant organization:

Who are multitenant organization member users?

When you define a multitenant organization, external users (B2B collaboration users) are segmented in the following ways based on the userType property:

  • External members that originate from within a multitenant organization
  • External guests that originate from within a multitenant organization
  • External members that originate from outside of your organization
  • External guests that originate from outside of your organization

This segmentation of external users, enables you to better differentiate in-organization from out-of-organization external users in a multitenant organization.

External members that originate from within a multitenant organization are sometimes called multitenant organization member users.

Multitenant collaboration capabilities in Microsoft 365 help provide a seamless collaboration experience across tenant boundaries when collaborating with multitenant organization member users.

How does a multitenant organization work?

The multitenant organization capability enables you to define a boundary around the Microsoft Entra tenants that your organization owns, facilitated by an invite-and-accept flow between tenant administrators. The following list describes the basic lifecycle of a multitenant organization.

  • Define a multitenant organization

    One tenant administrator defines a multitenant organization as a grouping of tenants. The grouping of tenants isn't reciprocal until each listed tenant takes action to join the multitenant organization. The objective is a reciprocal agreement between all listed tenants.

  • Join a multitenant organization

    Tenant administrators of listed tenants take action to join the multitenant organization. After joining, the multitenant organization relationship is reciprocal between each and every tenant that joined the multitenant organization.

  • Leave a multitenant organization

    Tenant administrators of listed tenants can leave a multitenant organization at any time. While a tenant administrator who defined the multitenant organization can add and remove listed tenants they don't control the other tenants.

A multitenant organization is established as a collaboration of equals. Each tenant administrator stays in control of their tenant and their membership in the multitenant organization.

Multitenant organization example

The following diagram shows three tenants A, B, and C that form a multitenant organization.

Diagram that shows a multitenant organization topology and cross-tenant access settings.

Tenant Description
A Administrators see a multitenant organization consisting of A, B, C.
They also see cross-tenant access settings for B and C.
B Administrators see a multitenant organization consisting of A, B, C.
They also see cross-tenant access settings for A and C.
C Administrators see a multitenant organization consisting of A, B, C.
They also see cross-tenant access settings for A and B.

Tenant role and state

To facilitate the management of a multitenant organization, any given multitenant organization tenant has an associated role and state.

Tenant role Description
Owner One tenant creates the multitenant organization. The multitenant organization creating tenant receives the role of owner. The privilege of the owner tenant is to add tenants into a pending state as well as to remove tenants from the multitenant organization. Also, an owner tenant can change the role of other multitenant organization tenants.
Member Following the addition of pending tenants to the multitenant organization, pending tenants need to join the multitenant organization to turn their state from pending to active. Joined tenants typically start in the member role. Any member tenant has the privilege to leave the multitenant organization.
Tenant state Description
Pending A pending tenant has yet to join a multitenant organization. While listed in an administrator's view of the multitenant organization, a pending tenant isn't yet part of the multitenant organization, and as such is hidden from an end user's view of a multitenant organization.
Active Following the addition of pending tenants to the multitenant organization, pending tenants need to join the multitenant organization to turn their state from pending to active. Joined tenants typically start in the member role. Any member tenant has the privilege to leave the multitenant organization.

Cross-tenant access settings

Administrators staying in control of their resources is a guiding principle for multitenant organization collaboration. Cross-tenant access settings are required for each tenant-to-tenant relationship. Tenant administrators explicitly configure, as needed, the following policies:

Templates for cross-tenant access settings

To ease the setup of homogenous cross-tenant access settings applied to partner tenants in the multitenant organization, the administrator of each multitenant organization tenant can configure optional cross-tenant access settings templates dedicated to the multitenant organization. These templates can be used to preconfigure cross-tenant access settings that are applied to any partner tenant newly joining the multitenant organization.

Constraints

The multitenant organization capability has been designed with the following constraints:

  • Any given tenant can only create or join a single multitenant organization.
  • Tenants the are in a granular delegated admin privileges (GDAP) relationship cannot create or join a multitenant organization.
  • Any multitenant organization must have at least one active owner tenant.
  • Each active tenant must have cross-tenant access settings for all active tenants.
  • Any active tenant may leave a multitenant organization by removing themselves from it.
  • A multitenant organization is deleted when the only remaining active (owner) tenant leaves.

Limits

Resource Limit Notes
Maximum number of active tenants, including the owner tenant 100 The owner tenant can add more than 100 pending tenants, but they won't be able to join the multitenant organization if the limit is exceeded. This limit is applied at the time a pending tenant joins a multitenant organization. This limit is specific to the number of tenants in a multitenant organization. It doesn't apply to cross-tenant synchronization by itself. To increase this limit, submit a support request in the Microsoft Entra or Microsoft 365 admin center.

Get started

Here are the basic steps to get started using multitenant organization.

Step 1: Plan your deployment

For more information, see Plan for multitenant organizations in Microsoft 365 and Limitations in multitenant organizations.

Step 2: Create your multitenant organization

Create your multitenant organization using Microsoft 365 admin center, Microsoft Graph PowerShell, or Microsoft Graph API:

  • First tenant, soon-to-be owner tenant, creates a multitenant organization.
  • Owner tenant adds one or more joiner tenants.

For more information about using Microsoft 365 admin center to create a multitenant organization, see Create or join a multitenant organization using the Microsoft 365 admin center.

Step 3: Join a multitenant organization

Join a multitenant organization using Microsoft 365 admin center or Microsoft Graph PowerShell, or Microsoft Graph API:

  • Joiner tenants submit a join request to join the multitenant organization of owner tenant.
  • To allow for asynchronous processing, wait up to 2 hours.

Your multitenant organization is now formed. As a result, any existing external member users from within the multitenant organization will now be recognized as multitenant organization members for improved seamless collaboration across the active tenants of your multitenant organization.

For more information about using Microsoft 365 admin center to join the multitenant organization, see Create or join a multitenant organization using the Microsoft 365 admin center.

Step 4: Provision external member users

Multitenant organization collaboration in Microsoft 365 relies on the provisioning of B2B collaboration member users. Depending on your use case, you may want to provision users using one or more of the following methods:

For more information about provisioning external member users, see Options to provision your external member users.

Step 5: Complete Microsoft 365 application requirements

The following multitenant organization collaboration applications may have additional requirements:

Once your Microsoft 365 application requirements have been completed, your employees will be able to collaborate seamlessly across your organization of multiple tenants.

License requirements

The multitenant organization capability requires Microsoft Entra ID P1 licenses. Only one Microsoft Entra ID P1 license is required per employee per multitenant organization. Also, you must have at least one Microsoft Entra ID P1 license per tenant. To find the right license for your requirements, see Compare generally available features of Microsoft Entra ID.

Next steps