Folks, quick walkthrough on the new MTO feature that landed. You can now set up relationships between your tenants and manage sync from a single place if access is granted by the member tenants.

Once set up, the benefits include:

🎯 In Microsoft Entra you will be able to differentiate in-organization (MTO) users vs out-of-organization (B2B/Guest) external users

🎯 Improved collaborative experience in the new Microsoft Teams client where switching is more seamless and faster! https://techcommunity.microsoft.com/t5/microsoft-teams-blog/microsoft-teams-advantages-of-the-new-architecture/ba-p/3775704

🎯 Improved people search experience across tenants and viewing the profile cards of users from other tenants.
https://learn.microsoft.com/en-us/microsoft-365/enterprise/multi-tenant-people-search?view=o365-worldwide

PS Your tenant needs to be enabled for Targeted Release to try out this preview. You can enable this in M365 admin center > Settings > Org Setting > Organization profile tab > Release preferences > Targeted release for everyone

See here for more info https://learn.microsoft.com/en-us/microsoft-365/admin/manage/release-options-in-office-365?view=o365-worldwide


Before we start, are you confused about where MTO fits in with existing capabilities like B2B direct connect, B2B collab and cross-tenant sync?

Here's a comparison...

We start by creating the multi-tenant organization..
Next add the member tenants (you can always add/remove later)

Configure sync settings...

Decide whether you want to allow users to be synced into this tenant and provide a seamless SSO experience by suppressing consent prompts that are usually seen by B2B Guest users

Confirm creating the MTO

Configure a name for your organization and add the list of member tenants that are going to belong to this group.

Finally share the users and groups from the owner tenant to other tenants for outbound sync.

Next head over to the other tenants and follow similar steps to join the member tenant to the owner tenant.

Once joined, the member tenant will start seeing the users from the other tenants syncing across. Member tenants can also share their users/groups with other tenants...

There is heaps more content including templates over on the MTO Microsoft Learn hub.

Check it out at https://learn.microsoft.com/en-us/azure/active-directory/multi-tenant-organizations/

Quick reminder to follow me and sign up to my weekly newsletter https://entra.news


@merill As an educational institute, we often have issues where staff share things to the entire org, not realising that they're also sharing with students. Splitting students off into their own tenant seems like a solution, and MTOs might make that easy. But what about licensing? We get x student licenses for every staff licence but I think that might be limited to the one tenant.

@mabster @merill I might be able to answer that. We have a split tenant educational org and can confirm that MS will put the student licences in another tenant. Also, running split tenant has its own problems with things like Teams classrooms, MsBookings etc. not being seamless. So the grass may not be greener on that front.

@damien @merill I really wish there was an easy way to limit sharing. It seems like it's possible per site, but once you have a massive infrastructure of SharePoint sites and OneDrive accounts, the horse has kinda bolted.

@mabster @merill Yeah, I vaguely recall us removing the "shared with everyone" folder from people's OneDrives years ago for similar reasons, but I can't remember if that's even a thing anymore.

@damien @mabster Yeah it's a hard problem to solve. On the one hand you want them to be isolated but you also need the two groups to be able to collaborate seamlessly.

Maybe options like using a naming convention for sites/groups that make it clear if students have access could be one way?

Or using labels to mark docs as staff only...

@merill @damien It's the ability to share with the entire org that's the problem. Staff are good at picking the right groups if they're targeting the share, but it's way easier to just pick the entire org option.

@mabster @merill @damien Have you looked into information barriers?
Also, Azure Information Protection can help prevent access to information outside the intended audience at the document level. For schools, the label setup doesn't need to be that complex.

@Loredo @merill @damien Yeah, we seem to keep coming back to information barriers. I'm not sure why we haven't played with them yet.