We regularly talk to organizations that want to enable better collaboration between users of multiple Office 365 tenants. Some have structured their operating units across multiple tenants, others need to comply with strict regulations around internal information sharing or accommodate deep partnerships between various organizations. Not only is it cumbersome to manually invite each user of the other tenant, it’s nearly impossible to remove them once they leave the other organization without very close communication between tenants and ongoing monitoring. This spells trouble (and mess!) for a corporate Active Directory. So, what is the best way to enable multi-tenant collaboration?
What is multi-tenant collaboration in Office 365?
Consider a situation with two Office 365 tenants, tenant A and tenant B.
When a user in tenant A shares a document or sends a Teams invitation to collaborate to an external contact in tenant B, what typically happens is:
- External contact receives an invitation email.
- They sign in to authenticate. If they have an Office 365 account on a different tenant, they will sign in using their organizational account.
- External contact from tenant B becomes a guest user in tenant A.
Now, the external user has some collaboration capabilities on tenant A. This is straightforward for enabling collaboration on a case-by-case basis, but what if you needed to do this for hundreds of users in another tenant?
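The guest accounts created by this invitation flow are what pile up when people leave the other tenant. As an added example (not part of the original post), this script flags guests for review from a constructed export shaped like Microsoft Graph user objects; the 90-day and 30-day thresholds, sample addresses and function names are assumptions.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample export; field names follow Microsoft Graph user objects.
USERS = [
    {"mail": "ana@tenantb.example", "userType": "Guest",
     "externalUserState": "Accepted", "createdDateTime": "2023-01-10T09:00:00Z",
     "signInActivity": {"lastSignInDateTime": "2024-05-28T14:02:00Z"}},
    {"mail": "bo@tenantb.example", "userType": "Guest",
     "externalUserState": "Accepted", "createdDateTime": "2022-11-02T09:00:00Z",
     "signInActivity": {"lastSignInDateTime": "2023-08-01T08:30:00Z"}},
    {"mail": "cy@tenantb.example", "userType": "Guest",
     "externalUserState": "PendingAcceptance",
     "createdDateTime": "2024-01-15T09:00:00Z", "signInActivity": None},
    {"mail": "dee@tenanta.example", "userType": "Member",
     "externalUserState": None, "createdDateTime": "2021-03-03T09:00:00Z",
     "signInActivity": {"lastSignInDateTime": "2023-01-01T00:00:00Z"}},
]

def _ts(value):
    """Parse a Graph-style UTC timestamp such as 2024-05-28T14:02:00Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def review_guests(users, now, stale_after_days=90, invite_ttl_days=30):
    """Return (mail, home domain, reason) for guests that need an owner's review."""
    findings = []
    for u in users:
        if u.get("userType") != "Guest":
            continue  # members of the home tenant are out of scope here
        domain = u["mail"].rsplit("@", 1)[-1].lower()
        last = (u.get("signInActivity") or {}).get("lastSignInDateTime")
        if u.get("externalUserState") == "PendingAcceptance":
            # Invitation was sent but the contact never signed in to redeem it.
            if now - _ts(u["createdDateTime"]) > timedelta(days=invite_ttl_days):
                findings.append((u["mail"], domain, "invitation never redeemed"))
        elif last is None:
            findings.append((u["mail"], domain, "no recorded sign-in"))
        elif now - _ts(last) > timedelta(days=stale_after_days):
            findings.append((u["mail"], domain, "stale sign-in"))
    return findings

if __name__ == "__main__":
    for row in review_guests(USERS, datetime(2024, 6, 1, tzinfo=timezone.utc)):
        print(*row, sep="\t")
```

A stale sign-in does not prove the person left tenant B; it marks the account for confirmation with the partner tenant before removal.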
Enabling multi-tenant Office 365 collaboration at scale
Office 365 multi-tenant collaboration gets complicated in companies that have several subsidiaries with thousands of users, and in those that undergo mergers and need to enable collaboration for existing employees under a different tenant.
When mergers, acquisitions or divestitures happen, there is an urgent demand for quick collaboration across different Microsoft 365 tenants. This does not just mean Teams or document collaboration as in the example above. Employees will expect to communicate across tenants the same way they are used to, and will need to:
- Easily find the other tenant’s users when sending emails or collaborating in Teams.
- Easily add the other tenant’s users to calendar invites.
- See the other tenant’s distribution lists.
- Apply security restrictions based on the other tenant’s security groups.
Up until recently, enabling this sort of capability to work with another tenant has been a challenging process. Think GalSync FIM/MIM heartache, lots of PowerShell scripting, CSV files, exports, and imports. This can quickly become a very difficult process to manage and maintain going forward.
The good news is that Microsoft has an offering to meet that challenge.
Enter Active Directory Synchronization Service
At Ignite last year, Microsoft announced a new capability called ADSS that addresses all these difficulties. ADSS stands for Active Directory Synchronization Service, and it’s a rather unfortunate acronym for those who remember Active Directory Sites and Services. As of writing this post, if you google ADSS, you’ll find anything but content related to the service.
Luckily, some fine folks at Microsoft were happy to respond to an inquiry email I sent them about product specifics.
What can you expect from Microsoft’s ADSS?
ADSS is a Microsoft Services cloud service that’s designed for quick implementation, with no on-premises setup. The pricing is unit-based, keeping the costs predictable, and the service is offered on a consumption-based delivery model, so you’re paying only for what you use.
What you get with Microsoft ADSS:
- Global Address List and Day 0 Integration
- Quick single GAL setup for all your tenants
- Coexistence for Office 365
- Synchronize all the objects and attributes necessary to drive seamless collaboration between Office 365 tenants. This means synchronizing Users, Security Groups, Distribution Lists, Contacts & Guest accounts between tenants.
The key point here is that this is not a tool that you download and configure. It is a managed service offering that runs in Azure and is managed by Microsoft. You get the benefit of quick deployment and a hands-free operation. Microsoft handles all aspects of the service for you.
If, at some point, you need to merge Active Directories into a single tenant, the good news is that your investment in ADSS can be leveraged and evolve into a full user migration service by upgrading to ADMS (Active Directory Migration Service).
As mentioned, ADSS isn’t an offering you can just add as a service in the Azure Portal. It is a managed service first and foremost. It requires engaging Microsoft Enterprise Services to tailor the people, the process and the software to the specific needs of your organization.
Pricing also depends on your specific organization requirements, but it’s fair to say this is a service geared towards the larger enterprise customers on Office 365.
If this is something you are interested in exploring in more detail, reach out to us and we will be happy to help get you started!