Entra Identity Multi Tenant Organizations: MFA, SSO, Conditional Access, and User Management Guide 2026
Why This Is Happening
I've worked through this scenario more times than I can count , your company acquires another business, or spins off a division, or merges with a partner, and suddenly you're staring at two (or five, or twelve) separate Microsoft Entra ID tenants that have no idea the others exist. Your users are blocked from Teams meetings. Nobody can find each other in Outlook. Conditional Access policies from one tenant are throwing MFA prompts on resources sitting in another. And your helpdesk ticket queue is on fire.
Here's the thing Microsoft's error messages won't tell you: this isn't one problem. It's four or five layered problems that each need a separate fix. Entra Identity multi tenant organization configuration failures happen because the platform gives you a lot of knobs to turn , cross-tenant access settings, B2B collaboration rules, cross-tenant synchronization, Conditional Access policies, multitenant people search, and they all have to point in the same direction at the same time.
The most common reasons organizations end up in this situation:
- Mergers and acquisitions, the acquired company had its own Entra tenant, and now you need identity to work across both without destroying either org's existing setup.
- Conglomerates and subsidiaries, independently operating business units each manage their own tenant, but leadership suddenly wants seamless Microsoft 365 collaboration across all of them.
- Divestiture activity, a part of the business was split off or sold, and the original tenant needs to now treat that new company as a partner organization with controlled access.
- Compliance and data residency requirements, some organizations run separate tenants in different cloud regions or sovereign clouds to meet regulatory requirements, and still need identity to work across those boundaries.
- Test and staging tenants, IT teams spun up a dev tenant that grew into something production teams depend on, and now it needs to talk to the main tenant properly.
I know this is frustrating, especially when leadership is asking why the newly acquired team can't join a Teams call with the parent org. The good news is Microsoft Entra ID has a full set of multitenant capabilities designed for exactly these scenarios. The bad news is you have to configure them in the right order, or nothing works. This guide walks you through every piece.
The Quick Fix, Try This First
If users from another tenant in your organization can't access your apps, can't be found in Teams, or keep hitting MFA walls when they should have trust already established, your cross-tenant access settings are almost certainly the culprit. This is the first place to look, every single time.
Here's what you do. Sign into the Microsoft Entra admin center at entra.microsoft.com as a Global Administrator or Security Administrator. Navigate to:
Identity > External Identities > Cross-tenant access settings
You'll see two sections: Organizational settings and Default settings. The default settings control behavior for every external tenant that doesn't have a specific partner entry. If these are locked down, and they often are in security-hardened environments, users from your other tenants are being silently blocked.
To fix this for a specific partner tenant:
- Click Add organization under Organizational settings.
- Enter the tenant ID or domain name of your partner tenant (e.g.,
contoso.onmicrosoft.com). - Once the tenant appears in the list, click it to open its settings.
- Under the Inbound access tab, configure whether B2B collaboration and B2B direct connect are allowed from that tenant. For most multitenant organization scenarios, you want to allow both.
- Under the Outbound access tab, configure what your users can access in the partner tenant.
- Check the Trust settings tab, this is where you can tell your tenant to trust MFA claims from the partner tenant, so users don't get double-prompted for MFA when crossing tenant boundaries.
Save and wait 5–10 minutes. For many organizations, this single configuration step resolves the immediate access block.
Before you touch a single configuration setting, you need to formally define which tenants are part of your multitenant organization. Microsoft Entra ID has a specific feature called Multitenant organization, and it's distinct from simply having multiple tenants. It creates an official, recognized boundary around the tenants your organization owns, and it unlocks better collaboration experiences in Microsoft Teams and other Microsoft 365 apps.
The process works through an invite-and-accept flow. The owning tenant creates the multitenant organization and invites other tenants to join. Each invited tenant's admin accepts the invitation. Once that mutual recognition is in place, cross-tenant access settings automatically get a flag indicating those tenants are part of the same multitenant organization, which simplifies a lot of downstream policy configuration.
To create your multitenant organization, you have two paths:
Via Microsoft 365 admin center (recommended for smaller orgs): Go to admin.microsoft.com, navigate to Settings > Org settings > Multitenant collaboration, and use the guided wizard. This gives you an intuitive portal experience that also walks you through basic user synchronization setup.
Via Microsoft Entra admin center: Go to entra.microsoft.com, navigate to Identity > External Identities > Multitenant organizations, and create the organization there. You can then add tenants and generate the invitation tokens that partner admins use to join.
Via Microsoft Graph API or PowerShell, you can also automate this with the multiTenantOrganization resource type, useful if you're scripting large-scale multitenant organization setup across many tenants.
# Connect to Microsoft Graph with the required scope
Connect-MgGraph -Scopes "MultiTenantOrganization.ReadWrite.All"
# Check if a multitenant organization already exists in your tenant
Get-MgTenantRelationshipMultiTenantOrganizationIf the command returns a multitenant organization object with an id, you're already in one. If it returns nothing or an error, you'll need to create one. When your multitenant organization is active and partner tenants have accepted their invitations, you'll see the tenant list populate under Tenants in the Multitenant organizations blade. That's your confirmation it worked.
This is the most technically involved step and the one that causes the most headaches. Cross-tenant access settings in Entra ID control four distinct things: B2B collaboration, B2B direct connect, cross-tenant synchronization, and the multitenant organization trust signals. Each one has its own inbound and outbound controls per partner tenant.
Here's how I approach this systematically. For each tenant in your multitenant organization, open Identity > External Identities > Cross-tenant access settings and check that tenant's entry (or create one if it's missing). Then configure:
Inbound B2B collaboration: Set this to "Allow" for users and groups from the partner tenant. You can scope this to specific groups if you don't want to allow everyone, this is smart in larger organizations where only certain teams need cross-tenant access.
Outbound B2B collaboration: Controls whether your users can authenticate to apps registered in the partner tenant. For internal multitenant organizations, you generally allow all users outbound.
B2B direct connect inbound/outbound: This is required specifically for Teams shared channels. B2B direct connect users don't get a guest account in your directory, they're visible in Teams but not represented as users in your tenant. Enable this if Teams shared channel collaboration is a requirement.
Trust settings (critical for MFA): Under the partner tenant's inbound settings, go to Trust settings and check "Trust multifactor authentication from Microsoft Entra tenants". This tells your tenant to honor MFA claims the partner tenant has already satisfied. Without this, users from the partner tenant get hit with a second MFA prompt every time they access your resources, which is a terrible experience and kills adoption.
# View cross-tenant access partner configurations via Graph API
GET https://graph.microsoft.com/v1.0/policies/crossTenantAccessPolicy/partners
# Check inbound trust settings for a specific partner tenant
GET https://graph.microsoft.com/v1.0/policies/crossTenantAccessPolicy/partners/{partnerTenantId}When these settings are correctly configured on both sides, users from partner tenants will stop seeing unexpected MFA prompts and authentication failures. Outlook and Teams will also start showing them as trusted internal users rather than external guests.
Cross-tenant access settings open the door, but users from your partner tenants still don't automatically appear in your directory. That's what cross-tenant synchronization solves. It's a synchronization service that automatically creates, updates, and deletes B2B collaboration users in target tenants, so they show up in Microsoft 365 apps, address books, and people searches without anyone manually managing guest accounts.
Cross-tenant synchronization is configured in the source tenant, the tenant where the users live, and it pushes those users into the target tenant as B2B collaboration users. The sync is governed by the cross-tenant synchronization settings you set up in Step 2.
To configure this in the Microsoft Entra admin center (source tenant):
- Navigate to Identity > External Identities > Cross-tenant synchronization.
- Click Configurations, then New configuration.
- Give the configuration a name (e.g., "Sync to Fabrikam Tenant") and enter the target tenant ID.
- Authenticate to the target tenant, you'll need admin consent granted in the target tenant for the provisioning service.
- Under Provisioning, set the provisioning mode to Automatic.
- Configure the scope, either sync all users or filter to a specific group. Scoping to a group first is good practice.
- Review the attribute mappings and save.
# Check provisioning status for cross-tenant sync via PowerShell
Connect-MgGraph -Scopes "Synchronization.Read.All"
# Get synchronization jobs for a specific service principal
Get-MgServicePrincipalSynchronizationJob -ServicePrincipalId
# Trigger an on-demand sync cycle
Invoke-MgServicePrincipalSynchronizationJobOnDemand `
-ServicePrincipalId `
-SynchronizationJobId A successful initial sync cycle will show provisioned users appearing in the target tenant as B2B collaboration users with user type "Member" (if configured that way) rather than "Guest." The difference matters, Member-type B2B users get access to more Microsoft 365 applications than Guest-type users, which is exactly what you want for employees moving between tenants in your own organization.
If the sync is failing, check the provisioning logs under Monitoring > Provisioning logs in the Entra admin center. Error code AzureActiveDirectoryInvalidCredentials usually means the admin consent in the target tenant wasn't granted properly. Error code InvalidCrossTenantSynchronizationConfiguration means the cross-tenant access settings in Step 2 don't permit this sync.
This is where enterprise IT teams often paint themselves into a corner. Conditional Access policies that work perfectly for your own users can completely break the experience for B2B collaboration users coming in from partner tenants, and the policy failures show up as generic access denied errors that your users will interpret as "the system is broken."
The key concept to understand: when a B2B collaboration user from another tenant in your multitenant organization accesses a resource in your tenant, your tenant's Conditional Access policies evaluate them. That user's home tenant Conditional Access policies also evaluated them before they got here. If you haven't configured MFA trust (from Step 2), your policy might demand MFA that the user technically already completed.
Here's how to structure your Conditional Access policy for multitenant organization users:
In Microsoft Entra admin center > Protection > Conditional Access > Policies, create or modify the policy that applies to external users:
- Under Users, include Guest or external users and specifically target B2B collaboration guest users and/or B2B collaboration member users.
- Under Conditions > Filter for devices, consider whether your policy should apply differently to managed vs. unmanaged devices crossing tenant boundaries.
- Under Grant, if you require MFA, also check "Require multifactor authentication to be satisfied by MFA claim in the token", this honors MFA the user already completed in their home tenant, assuming you've set up MFA trust in cross-tenant access settings.
- For named locations, ensure your policies don't inadvertently block IP ranges from the partner tenant's office locations.
For SSO to work across tenants, the applications in your tenant need to be configured to accept B2B users. In Enterprise applications, for each app, check Properties and confirm Assignment required is either set to No, or the synced B2B users have been assigned. Many teams forget that cross-tenant synchronization creates the user, but application assignment is separate.
# Query Conditional Access sign-in logs to diagnose failures
# Look for CAE interrupts or MFA failures for B2B users
Connect-MgGraph -Scopes "AuditLog.Read.All"
# Get sign-in logs filtered to B2B cross-tenant sign-ins
GET https://graph.microsoft.com/v1.0/auditLogs/signIns?$filter=crossTenantAccessType eq 'b2bCollaboration'When this is configured correctly, users from partner tenants will sign in with their home tenant credentials, satisfy MFA once at their home tenant, and access resources in your tenant without being challenged again. That's the seamless SSO experience the whole multitenant organization setup is designed to deliver.
You've got the identity plumbing working, now let's make sure Microsoft 365 actually knows about it. Microsoft 365 multitenant people search is what lets users in one tenant find and contact users in another tenant of the same multitenant organization through Outlook, Teams, and other apps. Without this, users can technically access resources cross-tenant but can't discover each other organically.
People search for B2B collaboration users works when two conditions are both true:
- The B2B collaboration users have been synchronized into the target tenant via cross-tenant synchronization (from Step 3).
- Those users are shown in the address list (not hidden from the Global Address List).
By default, B2B guest users are hidden from the Global Address List. B2B member users are not hidden. So if you provisioned users as Guest type rather than Member type, you need to either change their user type or explicitly show them in the address list. You can do this in the Entra admin center under the user's profile, or at scale via PowerShell:
# Change a B2B user's ShowInAddressList property via Microsoft Graph
PATCH https://graph.microsoft.com/v1.0/users/{userId}
Content-Type: application/json
{
"showInAddressList": true
}For Microsoft Teams specifically, if you configured B2B direct connect (from Step 2), users from partner tenants will be visible in Teams for shared channel collaboration without needing a directory entry in your tenant at all. This is a different path from B2B collaboration, users appear in Teams but nowhere else in your Microsoft 365 environment.
For Viva Engage and other Microsoft 365 apps, the multitenant organization feature (the formal boundary you created in Step 1) enables deeper integration. Users elevated to Member type in your tenant get access to most Microsoft 365 applications as if they were internal users, not with the limited guest access profile.
To validate people search is working: from a user account in your tenant, open Outlook on the web at outlook.office.com, start a new email, and type the name of a known synced user from the partner tenant. If they appear in autocomplete with their name and correct email, cross-tenant people search is working. If they don't appear, check the provisioning logs and the address list setting. It typically takes up to 24 hours after provisioning for address book data to fully propagate across Exchange Online.
Advanced Troubleshooting
When the standard configuration steps don't fully resolve your multitenant organization issues, you need to go deeper. Here are the scenarios I've seen trip up even experienced Entra administrators.
Cross-Tenant Sync Errors in Provisioning Logs
Open Microsoft Entra admin center > Applications > Enterprise applications > [Your sync config] > Provisioning > Provisioning logs. Filter by Status = "Failure." Common errors and what they mean:
- EntryConflict, a user with that UPN or email already exists in the target tenant (possibly an old guest account). Delete or merge the duplicate before the sync will succeed.
- InvalidCrossTenantSynchronizationConfiguration, the target tenant's cross-tenant access settings don't permit inbound sync from your tenant. Confirm with the target tenant admin that cross-tenant synchronization is allowed under their inbound access settings for your tenant.
- QuarantinedProvisioningException, the sync job is in quarantine due to repeated failures. Go to the sync configuration's overview page, click Restart provisioning after fixing the underlying error.
Conditional Access Sign-In Failures
In Microsoft Entra admin center > Monitoring > Sign-in logs, filter by User type = "Guest" and Status = "Failure." Look at the Conditional Access tab in the sign-in detail, it shows exactly which policy blocked the sign-in and why. The most common CA failure for multitenant org users is a policy requiring a compliant device that the user's home tenant device isn't registered to your tenant. Fix this by adding an exclusion for B2B member users on device-compliance policies, or by configuring cross-tenant device compliance trust if both tenants run Intune.
PowerShell Diagnostics for Cross-Tenant Access
# Get all cross-tenant access policy partner configurations
Connect-MgGraph -Scopes "Policy.Read.CrossTenantAccess"
Get-MgPolicyCrossTenantAccessPolicyPartner | Select-Object TenantId, IsServiceProvider
# Check the default settings (what applies to tenants without a specific entry)
Get-MgPolicyCrossTenantAccessPolicyDefault
# Verify multitenant organization membership
Get-MgTenantRelationshipMultiTenantOrganizationTenantMicrosoft Graph API: Diagnosing Sync Job Health
# Get synchronization job status and last execution time
GET https://graph.microsoft.com/v1.0/servicePrincipals/{id}/synchronization/jobs/{jobId}
# Get provisioning errors for investigation
GET https://graph.microsoft.com/v1.0/auditLogs/provisioning?$filter=result eq 'failure'Event Viewer Analysis for On-Premises Hybrid Scenarios
If your environment includes on-premises Active Directory connected via Entra Connect, check Event Viewer > Applications and Services Logs > Microsoft > AzureADConnect > Sync on your Entra Connect server. Event ID 6900 indicates a sync error. Event ID 6949 indicates a quarantine condition. These logs often surface attribute conflicts that prevent B2B users from being properly written back to your on-premises directory.
Prevention & Best Practices
Once your Entra Identity multitenant organization is working, the last thing you want is to break it again during a routine policy change or a new app rollout. Here's what keeps things stable.
Document your cross-tenant access topology before changing anything. Export your cross-tenant access partner configurations via the Graph API and save them. When someone changes a default policy and suddenly half the organization can't access Teams, having a baseline to compare against saves hours of debugging.
Scope cross-tenant synchronization to security groups, not all users. Syncing all users in a source tenant to a target tenant creates noise and potential attribute conflicts. Maintain a dedicated group, something like "MTO-Sync-TargetTenant", and manage membership intentionally. This also lets you test changes on a small group before rolling out broadly.
Test Conditional Access changes with What If first. The What If tool in Microsoft Entra admin center > Protection > Conditional Access > What If lets you simulate what policies would apply to a specific user signing into a specific app from a specific condition. Always run What If before deploying a new CA policy in a multitenant environment, B2B users have subtly different token properties that can trigger policy rules unexpectedly.
Monitor provisioning health with alerts. In the Entra admin center, set up email notifications for provisioning failures under your cross-tenant sync configuration's Notifications settings. Don't wait for helpdesk tickets to tell you that sync broke, know before users do.
- Set up MFA trust in cross-tenant access settings on day one, retroactively fixing double MFA prompts affects everyone and is disruptive to roll out.
- Elevate synced B2B users to Member type rather than Guest type if they need full Microsoft 365 app access, Guest type is designed for external partners, not internal employees across your own tenants.
- Add a dedicated "Multitenant Organization Admins" security group with delegated rights to cross-tenant sync configurations, so changes aren't gated on Global Admin availability.
- Run a monthly review of provisioning logs to catch silent sync failures before they accumulate into a large batch of broken accounts.
Frequently Asked Questions
What exactly is a multitenant organization in Microsoft Entra ID, and is it different from just having multiple tenants?
Yes, they're different, and confusingly named. Having multiple tenants just means your organization has more than one Entra ID instance, which happens all the time through acquisitions, subsidiaries, or test environments. A multitenant organization is a specific feature you activate in Entra ID that formally defines a boundary around the tenants your organization owns, using an invite-and-accept flow between tenant admins. Once that formal relationship is in place, you unlock deeper collaboration features in Microsoft Teams and other Microsoft 365 apps that aren't available to tenants that are just configured as B2B partners. Think of it as upgrading from "two tenants that can guest-invite each other" to "two tenants that are officially recognized as the same company."
What is the difference between B2B collaboration and B2B direct connect?
B2B collaboration creates an actual guest (or member) user account in your tenant's directory for the external user. That user shows up in your user list, can be assigned to apps, added to groups, and found in people search. B2B direct connect, on the other hand, doesn't create a directory entry at all, the user authenticates from their home tenant and accesses resources through a mutual trust, but they're invisible in your directory except in Microsoft Teams. B2B direct connect is specifically designed for Teams shared channels, it's the mechanism that lets a Teams channel include members from a partner tenant without those members needing guest accounts. For most Entra Identity multitenant organization scenarios, you'll use both: B2B collaboration for broad Microsoft 365 access and people search, B2B direct connect for Teams shared channels.
Why can't users in different tenants find each other in Microsoft Teams or Outlook?
This almost always comes down to one of three things. First, cross-tenant synchronization hasn't been configured, so users from the partner tenant don't have any presence in your directory, Outlook has nobody to search. Second, synced users are B2B guest type and are hidden from the Global Address List by default, so even though the accounts exist, they're invisible to address book lookups. Third, Microsoft 365 people search takes up to 24 hours to index newly provisioned or modified accounts, so even when everything is correctly configured there's a propagation delay. Check the provisioning logs to confirm sync ran, then verify the user's showInAddressList property is set to true, then wait out the propagation window before assuming something else is broken.
How do I stop users from getting prompted for MFA twice when accessing resources in another tenant?
This is the trust settings configuration in cross-tenant access settings. In the Microsoft Entra admin center, go to Identity > External Identities > Cross-tenant access settings, click the partner tenant entry, go to Inbound access > Trust settings, and check "Trust multifactor authentication from Microsoft Entra tenants." This tells your tenant to accept MFA claims that the user's home tenant already satisfied. You also need to make sure your Conditional Access policies don't override this by demanding a fresh MFA challenge regardless of existing claims, check your CA policies for any "require MFA" grants without a "satisfied by claim in token" option. Both sides of this need to be configured; enabling trust settings alone isn't enough if a CA policy is explicitly re-demanding MFA.
What is cross-tenant synchronization and do I need it for a multitenant organization?
Cross-tenant synchronization is an automated provisioning service that creates, updates, and deletes B2B user accounts across your tenants. You configure it in the source tenant (where real users live), point it at a target tenant, and it handles everything, account creation, attribute updates, and cleanup when users leave. For a multitenant organization, you technically don't have to use cross-tenant sync, you can manually invite users as B2B guests instead. But for any organization with more than a handful of users, manual B2B invitations become unmanageable fast. Cross-tenant sync is the right answer for automated, lifecycle-managed user provisioning across tenants at scale. Without it, your B2B user accounts go stale, don't reflect HR changes, and accumulate departed employees who still have access.
Do I need to reconfigure everything if my organization adds a new tenant through an acquisition?
You don't need to tear down and rebuild, the multitenant organization feature is designed to accommodate new tenants being added. In the Entra admin center of your owner tenant, go to the Multitenant organizations blade and add the new tenant. The new tenant's admin will receive an invitation they need to accept. Once accepted, you'll then create a new cross-tenant access partner entry for that tenant, configure inbound/outbound settings and trust settings, and set up a new cross-tenant synchronization configuration scoped to the new tenant. Your existing tenant relationships and configurations are unaffected. The main thing to watch is whether your existing Conditional Access policies have rules that inadvertently block the new tenant's users, run What If tests against a sample user from the new tenant before the full sync runs.