Score:0

Sync users from one Azure AD instance to another

I'm looking to 'sync' (maybe not the best term) users from multiple Azure AD instances into one single instance.

Reasoning behind this is the following: our company is part of a 'group' together with a few other companies. Each company is self-supporting in the sense that they have their own administration, tenants (some are using Google instead of Azure) and so forth.

Now for a couple of things it would be handy to have one AD instance with all of the company employees combined. What we're currently looking into for instance is a provider for physical access to our office building. They offer the ability to link into Azure AD, but only for a single tenant at a time. So I can use it with one company only, which is not very useful in our case.

I looked into B2B options which at first I thought would be the solution for this. I created a new AD tenant. Now although it's perfectly possible to 'invite' users from the other tenants, this is a manual process which needs to be repeated for every new user. I was hoping there would be a way to 'link' the two ADs and set up grants like "all users from tenant X are members of group Y" in order to be able to use those groups for the access solution mentioned.

The annoying thing is that when searching for 'sync', I mostly find things that are related to syncing on-prem users using AD Connect. So maybe I'm searching in the wrong place. Can anyone elaborate whether this scenario is supported somehow?

Score:2

I was hoping there would be a way to 'link' the two ADs and set-up grants like "all users from tenant X are members of group Y" in order to be able to use those groups for the access solution mentioned.

Well, it's not exactly a button that says "invite all users from this tenant", but you have an option there called "Azure AD B2B Bulk Invite", which will save you the trouble of inviting users one by one by collecting all the data you need in an Excel file. You could generate this Excel file easily from the tenant you want to invite users from: https://docs.microsoft.com/en-us/azure/active-directory/external-identities/tutorial-bulk-invite

Once the invitation is sent, you could manage how the redemption is done; you really don't need users to accept that email once the invitation is sent. All the newly invited guest users have to do is sign in to a common endpoint, or to an app that exists in your tenant: https://docs.microsoft.com/en-us/azure/active-directory/external-identities/redemption-experience

If you are developing your own SAML apps or just adding apps from the AAD gallery, and you want users from other tenants to sign in to those apps, you could create a user flow to collect the user claims during the app sign-in and create a guest account for them too: https://docs.microsoft.com/en-us/azure/active-directory/external-identities/self-service-sign-up-user-flow

If you believe that the above option is going to cause trouble and people will just start randomly appearing in your tenant, then you can configure B2B options to limit what guest accounts can do in your tenant: https://docs.microsoft.com/en-us/azure/active-directory/external-identities/delegate-invitations#configure-b2b-external-collaboration-settings

If you want to delegate all of the hassle of managing B2B guest accounts in your tenant to someone, there's an AAD role for that called "Guest inviter": https://docs.microsoft.com/en-us/azure/active-directory/external-identities/delegate-invitations#assign-the-guest-inviter-role-to-a-user

Adding guest users to your tenant doesn't do anything unless they are given access to apps. Your tenant users can invite those guest accounts to access apps in the same tenant, and you could delegate app access management to app "owners", who can review and approve app access requests from guest accounts too: https://docs.microsoft.com/en-us/azure/active-directory/external-identities/add-users-information-worker#invite-someone-to-join-a-group-that-has-access-to-the-app

My apology for the wall of text :)

Thanks for that wall of text :) Just to check I'm understanding this correctly: the bulk invite option is a one-time thing, right? So if I use it today and the other org gets a new user, I still have to invite that user manually again? Or maybe use the bulk invite again, but I wonder what that would do to those people who maybe have not responded to the invite yet (or maybe even who did). If so, then this is useful, but not exactly what I was looking for.
Noor Khaldi
Bulk invite is a one-time thing, yes. The invitation status never expires either. I honestly never tested re-inviting users using that tool, but I guess it can be tested easily. If you read the fine print above, you have so many other options besides doing this invite process manually. I'd really suggest automating the process as much as possible, or delegating it to someone in your org like HR or department heads.
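One way to automate the "invite, then put tenant X's people in group Y" step that the answer and the last comment describe, as an added example that is not code from the question, the answer or Microsoft's bulk-invite tool. It uses the Microsoft Graph PowerShell SDK and assumes the running account holds the Guest Inviter role (or equivalent Graph permissions) in the target tenant; the group id, redirect URL and CSV rows are placeholders/constructed. Unlike re-running the bulk invite, it looks each guest up by mail first, so a scheduled re-run for new hires never re-invites people who are already present.

```powershell
# Added example: idempotent B2B guest invite + group assignment via Microsoft Graph PowerShell.
# Assumptions: Microsoft.Graph SDK installed; caller has Guest Inviter (User.Invite.All),
# User.Read.All and GroupMember.ReadWrite.All; $GroupId / $RedirectUrl are placeholders.
Import-Module Microsoft.Graph.Identity.SignIns   # New-MgInvitation
Import-Module Microsoft.Graph.Users              # Get-MgUser
Import-Module Microsoft.Graph.Groups             # Get-MgGroupMember, New-MgGroupMember

Connect-MgGraph -Scopes 'User.Invite.All','User.Read.All','GroupMember.ReadWrite.All'

$GroupId     = '00000000-0000-0000-0000-000000000000'   # placeholder: the "all of tenant X" group
$RedirectUrl = 'https://myapps.microsoft.com'          # placeholder: where redemption lands

# Constructed sample export from the source tenant (in practice, exported there with Get-MgUser).
$export = @'
DisplayName,Mail
Alice Example,alice@contoso-example.test
Bob Example,bob@contoso-example.test
'@ | ConvertFrom-Csv

# Fetch current members once so the loop only adds people who are actually missing.
$members = @{}
Get-MgGroupMember -GroupId $GroupId -All | ForEach-Object { $members[$_.Id] = $true }

foreach ($row in $export) {
    $mail = $row.Mail.Trim().ToLowerInvariant()

    # Guests keep the invited address in 'mail'; checking it first keeps re-runs idempotent.
    $guest = Get-MgUser -Filter "mail eq '$mail' and userType eq 'Guest'" `
                        -Property Id,Mail,ExternalUserState
    if (-not $guest) {
        $inv = New-MgInvitation -InvitedUserEmailAddress $mail `
                                -InvitedUserDisplayName $row.DisplayName `
                                -InviteRedirectUrl $RedirectUrl `
                                -SendInvitationMessage:$true
        $guestId = $inv.InvitedUser.Id
        Write-Host "invited  $mail"
    } else {
        $guestId = $guest.Id
        # PendingAcceptance vs Accepted tells you who has not redeemed yet; no re-invite needed.
        Write-Host "exists   $mail (state: $($guest.ExternalUserState))"
    }

    # Group membership is what the door-access integration consumes, so reconcile it too.
    if (-not $members.ContainsKey($guestId)) {
        New-MgGroupMember -GroupId $GroupId -DirectoryObjectId $guestId
        $members[$guestId] = $true
        Write-Host "added    $mail to group $GroupId"
    }
}
```

Run it on a schedule against a fresh export and review the "invited" lines; the external collaboration settings linked in the answer still govern what these guests can see once they are in.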