Synchronising Azure AD users as guests between Microsoft 365 tenants with Power Automate and Microsoft Graph

While Microsoft has now made its cross-tenant synchronisation feature available in public preview, I thought it was about time I wrote my long-overdue blog post about a similar solution you can use today, and which does a few things theirs doesn’t.

I built the solution for organisations to quickly onboard subsidiaries, joint ventures, partners, and others in a way that minimises administration and support requirements, using only out-of-the-box capabilities within Microsoft 365.

Effectively, my Guest Sync Engine is like DirSync (showing my age there) between M365 organisations: if a user is in scope in Tenant A, they will get created as a guest user in Tenant B. The key features of the solution are:

  • Automated provisioning of guest accounts in a parent tenant
  • Synchronisation of guest profile information, including:
    • Job title
    • Department
    • Company
    • Profile photo
  • Automated clean-up of guests that are no longer in scope
  • Reporting and statistics
  • Takes no more than 5 minutes to set up per external organisation

How the solution works at a high level

The system doesn’t send any guest invitation emails, as it is expected that the rollout is implemented alongside a proper change management programme for something like an acquisition or portal launch – so guests would be given a URL for the resource, and are prompted to redeem their guest invitation when they open that link.

The data for each guest is stored in a SharePoint list along with:

  • User principal name of the guest account in the host tenant
  • ID of the guest account in the host tenant
  • Date of creation

You also get some pretty graphs using native SharePoint functionality, so you can see how many users have redeemed their invite versus those that haven’t.

Requirements for the solution

Source tenant

Within the source organisation (i.e. the tenant that contains the users who are to be created as guests in the other tenant) we need:

  • An Azure AD app registration with the Directory.Read.All and User.Read.All application permissions.
  • A security group that users are added to as members, so we know exactly which users are in scope for synchronisation to the host tenant

Host tenant

Within the host organisation though, we need a few more things:

  • An Azure AD app registration with Directory.Read.All, User.ReadWrite.All, and User.Invite.All application permissions
  • A (secure) SharePoint site where the tracking data and reporting will be housed
  • A Power Automate per user license for the service account
  • Optional: a dynamic security group for the guests to be added to (as this helps control access and apply relevant policies)

Adding a source tenant

The process to add a source tenant is super-simple. All that needs to happen is:

  1. Admin of source tenant creates security group (1 minute)
  2. Admin of source tenant creates Azure AD app registration (2-3 minutes)
  3. Admin of host tenant creates item in the control SharePoint list that includes: source tenant ID, app/client ID, secret value, and source sync group ID (1 minute)

The next time the workflows run, the new source tenant will be picked up, along with any changes in the other source tenants.
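To make the sync pass described above concrete, here is an added example (my own illustration, not code from the Guest Sync Engine itself) of the core reconciliation logic: compare the source sync group’s members with the guests the engine has already tracked, build the Graph /invitations payload with sendInvitationMessage set to false, compute the profile fields that need a PATCH, and list tracked guests that have dropped out of scope. The tenant domain, redirect URL and sample users are constructed placeholders; the Graph calls themselves are left to the caller.

```python
# Graph user properties the post says are kept in sync (photo handled separately).
PROFILE_FIELDS = ("jobTitle", "department", "companyName")
HOST_DOMAIN = "hosttenant.onmicrosoft.com"   # placeholder host tenant domain
REDIRECT_URL = "https://portal.example/"     # placeholder resource URL for guests


def guest_upn(mail: str) -> str:
    """Azure AD builds a guest's UPN as <local>_<domain>#EXT#@<host domain>."""
    return mail.replace("@", "_") + "#EXT#@" + HOST_DOMAIN


def invitation_body(user: dict) -> dict:
    """Payload for Graph POST /invitations; no invitation email is sent."""
    return {
        "invitedUserEmailAddress": user["mail"],
        "invitedUserDisplayName": user["displayName"],
        "inviteRedirectUrl": REDIRECT_URL,
        "sendInvitationMessage": False,
    }


def plan_sync(source_members: list, tracked_guests: list) -> dict:
    """Return the invitations to create, profile patches to apply and
    guest object IDs to delete. tracked_guests mirrors the SharePoint
    tracking list (guest UPN and ID in the host tenant) plus current profile."""
    tracked = {g["userPrincipalName"].lower(): g for g in tracked_guests}
    plan = {"invite": [], "update": [], "remove": []}
    seen = set()
    for u in source_members:
        upn = guest_upn(u["mail"]).lower()   # UPN comparison is case-insensitive
        seen.add(upn)
        g = tracked.get(upn)
        if g is None:
            plan["invite"].append(invitation_body(u))
            continue
        patch = {f: u.get(f) for f in PROFILE_FIELDS if u.get(f) != g.get(f)}
        if patch:
            plan["update"].append((g["id"], patch))   # PATCH /users/{id}
    # Tracked guests whose source user left the sync group are cleaned up.
    plan["remove"] = [g["id"] for upn, g in tracked.items() if upn not in seen]
    return plan


# Constructed sample data (fictional tenants and users).
SOURCE_MEMBERS = [
    {"mail": "alice@source.example", "displayName": "Alice", "jobTitle": "Engineer",
     "department": "R&D", "companyName": "Source Ltd"},
    {"mail": "bob@source.example", "displayName": "Bob", "jobTitle": "Manager",
     "department": "R&D", "companyName": "Source Ltd"},
]
TRACKED_GUESTS = [
    {"id": "guest-bob", "userPrincipalName": guest_upn("bob@source.example"),
     "jobTitle": "Analyst", "department": "R&D", "companyName": "Source Ltd"},
    {"id": "guest-carol", "userPrincipalName": guest_upn("carol@source.example"),
     "jobTitle": "Clerk", "department": "Ops", "companyName": "Source Ltd"},
]

if __name__ == "__main__":
    print(plan_sync(SOURCE_MEMBERS, TRACKED_GUESTS))
```

Running it invites Alice, patches Bob’s job title and removes Carol, which is exactly the create / update / clean-up split the SharePoint tracking list exists to drive.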

Using it in your organisation

I’ve made the solution available on my GitHub profile, along with more detailed documentation and installation guides.

It also includes a couple of setup workflows that will build the SharePoint lists required within the site, as well as the site home page with pretty graphs.

Enjoy!


Also published on Medium.
