Multitenant Organization (MTO) in Microsoft 365: cross-tenant setup step by step (2025 guide)

Introduction: what an MTO is and when to use it

A Multitenant Organization (MTO) groups multiple Microsoft Entra ID and Microsoft 365 tenants under a common collaboration framework so they can work as if they were one entity: people search, meetings, People cards, Teams (including shared channels), and smoother access to resources.

When to choose MTO (search intent: “Is it for me?”)

• Enterprise groups with subsidiaries, brands, or regional divisions that need separate identity but seamless collaboration.
• M&A: integrate quickly without consolidating the directory or primary tenant yet.
• Compliance-driven segregation (data, regions) while keeping controlled collaboration across tenants.
• Long-term strategic partners where standardizing B2B and synchronization makes sense.

You can create/join from the Microsoft 365 Admin Center or via Microsoft Graph. When an invite is accepted, Entra sets baseline relationships (cross-tenant access) and adds a synchronization configuration (MTO_Sync_<TenantID>) you’ll later activate with your own jobs and rules.

When not to choose MTO (search intent: “Alternatives”)

• If the end goal is a single tenant with no separation going forward → consider a tenant-to-tenant migration (e.g., cross-tenant mailbox migration).
• If you only need occasional calendar federation → Exchange organization relationships (how-to: create relationship).
• If you need centralized, immutable compliance and archiving → evaluate a full consolidation strategy.

1) Requirements, roles, and licensing

Technical prerequisites

• Tenants with verified domains and a stable primary domain.
• Consistent UPN and email address conventions (avoid collisions).
• Modern auth, MFA, and Conditional Access enabled as a baseline.
• Naming review (display names for the MTO and member tenants).

Minimum roles per task

• Governance/Security: Security Administrator / Conditional Access Administrator.
• Identity: Hybrid Identity Administrator / User Administrator.
• Apps/Graph: Cloud Application Administrator / Application Administrator.
• Exchange (calendar): Exchange Admin for organization relationships.

Licensing (high level)

Cross-tenant synchronization and access policies require advanced Entra ID capabilities. Verify P1/P2 needs depending on governance, provisioning, and protection.

2) Methodology: governance, security, and phases

We recommend a phased methodology with a Zero Trust mindset and minimum end-user friction.

Phases

1. Design: scope, architecture, RACI, risks, MTO vs consolidation decisions.
2. Initial setup: create MTO, invite tenants, default restrictive posture.
3. Pilot: limited sync (control group), minimal Free/Busy, and 1–2 shared channels.
4. End-to-end: People Search, Teams, SharePoint, internal/SaaS apps, L1 support.
5. Scale-up: MTO templates, automation, monitoring, and runbooks.

Security best practices

• Cross-tenant access “deny by default” and explicit partners.
• Sensitivity labels (Purview) and DLP per tenant; share only what’s needed.
• Quarterly review of partners, rules, and Access Reviews.

3) Configure an MTO in the Admin Center

Path: Settings → Org settings → Multitenant collaboration.

Step-by-step (no scripts)

1. Create MTO: name, description, and designate the owner tenant.
2. Invite tenants: add their IDs and set a display name.
3. Enable key options: allow sync, auto-redemption, and visible labels.
4. Send instructions so each tenant can join.
5. After joins, verify MTO_Sync_<TenantID> appears in Entra.

From the same panel you can change roles (owner/member), enable Free/Busy, notifications, and review each tenant’s status.

4) Configuration with Microsoft Graph (PowerShell/API)

The programmatic route is ideal for large environments and repeatable deployments (infra as code).

# Requires Microsoft.Graph PowerShell SDK

# 1) Create/enable the MTO with name/description (owner = your tenant)
Connect-MgGraph -Scopes "Organization.Read.All","Directory.ReadWrite.All"
$body = @{ displayName = "Contoso Group"; description = "Corporate MTO" }
Invoke-MgGraphRequest -Method PUT `
  -Uri "https://graph.microsoft.com/v1.0/tenantRelationships/multiTenantOrganization" `
  -Body $body

# 2) Add member tenants (they remain 'pending' until they join)
$memberTenantId = "11111111-2222-3333-4444-555555555555"
New-MgTenantRelationshipMultiTenantOrganizationTenant -TenantId $memberTenantId -DisplayName "Fabrikam"

# 3) List members and status (owner/member; pending/active/removed)
Get-MgTenantRelationshipMultiTenantOrganizationTenant |
  Select-Object TenantId,DisplayName,Role,State

# In the joining tenant, after being added as 'pending'
Connect-MgGraph -Scopes "Directory.ReadWrite.All","Policy.ReadWrite.CrossTenantAccess"

# Send join request; may take up to ~2h to complete
Update-MgTenantRelationshipMultiTenantOrganizationJoinRequest

PUT https://graph.microsoft.com/v1.0/policies/crossTenantAccessPolicy/partners/{sourceTenantId}/identitySynchronization
Content-Type: application/json

{
  "userSyncInbound": { "isSyncAllowed": true }
}

5) Cross-tenant user synchronization (Entra ID)

Cross-tenant synchronization automates the B2B user lifecycle (provisioning, update, deprovisioning) so they’re discoverable and can collaborate across Microsoft and third-party apps. You can configure it from Entra or via Graph; both use the same underlying service.

5.1 Essential steps (Microsoft Graph PowerShell)

1. Target: create cross-tenant partner and allow userSyncInbound = true.
2. Source: enable auto-redemption and suppress outbound consent prompts.
3. Provisioning: define jobs, scoping filters (who’s in), and attribute mappings.
4. Validation: review Provisioning logs, GAL/People Search, and app access.

# Target: partner and inbound identity sync
$SourceTenantId = ""
$TargetTenantId = ""

Connect-MgGraph -TenantId $TargetTenantId -Scopes "Policy.Read.All","Policy.ReadWrite.CrossTenantAccess"
New-MgPolicyCrossTenantAccessPolicyPartner -BodyParameter @{ TenantId = $SourceTenantId } | Out-Null
$body = @{ userSyncInbound = @{ isSyncAllowed = $true } }
Invoke-MgGraphRequest -Method PUT `
  -Uri "https://graph.microsoft.com/v1.0/policies/crossTenantAccessPolicy/partners/$SourceTenantId/identitySynchronization" `
  -Body $body

# Source: auto-redeem invitations and suppress consent prompts
Connect-MgGraph -TenantId $SourceTenantId -Scopes "Policy.Read.All","Policy.ReadWrite.CrossTenantAccess","Application.ReadWrite.All","Directory.ReadWrite.All","AuditLog.Read.All"
New-MgPolicyCrossTenantAccessPolicyPartner -BodyParameter @{ TenantId = $TargetTenantId } | Out-Null
Update-MgPolicyCrossTenantAccessPolicyPartner `
  -CrossTenantAccessPolicyConfigurationPartnerTenantId $TargetTenantId `
  -AutomaticUserConsentSettings @{ OutboundAllowed = "True" }

5.2 Recommended attribute mapping (example)

5.3 Scoping filters (practical examples)

• Include only employees with extensionAttribute1 = "MTO-Enabled".
• Exclude service/admin accounts (userType eq 'Member' and accountEnabled eq true).
• OU/group limits (if federating from AD and using group-based scoping).

5.4 What this enables in practice

• People Search and GAL across tenants (profile cards).
• Consistent access to Teams, SharePoint, and apps in the target tenant.
• Automatic deprovisioning when users stop matching the scope.

6) Cross-tenant access: B2B and B2B Direct Connect

Cross-tenant access governs standard B2B collaboration and B2B Direct Connect (e.g., Teams shared channels). Define default posture (inbound/outbound) and partner overrides. In MTO, use templates to keep policies consistent as new tenants join.

Policy example (simplified JSON)

{
  "inboundTrust": {
    "isMfaAccepted": true,
    "isCompliantDeviceAccepted": true,
    "isHybridAzureADJoinedDeviceAccepted": false
  },
  "b2bCollaborationInbound": { "isDefaultSettings": false, "applications": { "accessType": "allow" } },
  "b2bDirectConnectOutbound": { "isDefaultSettings": false, "usersAndGroups": { "accessType": "allow" } }
}

• Mutuality: Direct Connect requires relationships in both directions.
• Diagnostics: use Sign-in and Audit logs to spot CA/trust denials.

7) Calendars, Free/Busy, and People Search

From the Admin Center you can enable Free/Busy within the MTO. Alternatively, create Organization Relationships in Exchange Online to share availability (limited or full details per policy).

Install-Module ExchangeOnlineManagement -Scope CurrentUser
Connect-ExchangeOnline

# Organization relationship with limited details (both tenants must configure it)
New-OrganizationRelationship -Name "Rel-Fabrikam" `
  -DomainNames "fabrikam.com" `
  -FreeBusyAccessEnabled $true -FreeBusyAccessLevel LimitedDetails

Recommended test plan

1. Check Scheduling Assistant between two pilot users (different tenants).
2. Create/cancel meetings and verify cross-tenant notifications.
3. Validate People Search and profile cards (photo, title, department).
4. Test a Teams shared channel with members from both tenants.

8) Monitoring, auditing, and KPIs

• Entra logs: Audit (policy/partner changes) and Sign-in (B2B/Direct Connect).
• Provisioning logs: runs, rules, and sync errors (mappings/attributes).
• KPIs: sync success (>99%), time to add/remove (<45 min), batch error rate (<0.5%).

Useful KQL queries

AuditLogs
| where ActivityDisplayName has "Cross-tenant"
| summarize count() by ActivityDisplayName, Result, bin(TimeGenerated, 1d)

ProvisioningLogs
| where Status has "Failure"
| summarize fails = count() by TargetId, TargetDisplayName, bin(TimeGenerated, 1h)

9) Pre-flight checklist and verification

Before

• Model: owner/member tenants, domains, and scope.
• Security: default restrictive posture, MFA, and Conditional Access.
• Licenses and roles in source/target.
• User comms and support plan.

During

• Create MTO (Admin Center or Graph) and add invited tenants.
• Join request from each tenant to move to active.
• Configure partners and enable userSyncInbound; enable auto-redeem.
• Provisioning: validated scoping and mappings in pilot.
• Pilot Free/Busy, People Search, and Teams (shared channel).

After

• Alerts for provisioning errors and access denials.
• Review templates, Access Reviews, and clean up stale accounts.
• Operational documentation and support runbooks.

10) Common pitfalls and how to avoid them

• Not creating provisioning jobs: the MTO config creates the container but not the effective jobs.
• Permissive default posture: define explicit partners, test, and audit.
• Free/Busy without testing: validate the scheduling assistant before scaling.
• Excessive roles: least privilege; avoid Global Admin for routine tasks.
• Email/UPN collisions: normalize domains and use prefixes/suffixes if needed.
• Ignoring the Teams experience: test shared channels and SharePoint permissions.

11) Frequently asked questions (FAQ)

12) Comparison: MTO vs tenant consolidation

13) Conclusion and next steps

A well-implemented MTO rests on three pillars: consistent configuration (templates and partners), cross-tenant synchronization with clear governance, and a validated collaboration experience (Free/Busy, People Search, Teams). If you want to accelerate with operational guides, automation, and day-one security, we can help.

14) Quick glossary

• MTO: Multitenant Organization grouping multiple tenants.
• B2B: Collaboration with invited users (Guest).
• B2B Direct Connect: Advanced collaboration (e.g., Teams shared channels) without classic Guest conversion.
• Cross-tenant access: Policies governing B2B and Direct Connect.
• Free/Busy: Cross-org calendar availability.
• Scoping filter: Rule defining which objects are provisioned in sync.