Tenant consolidation versus Multitenant Organization
Let’s assume you’re an IT administrator at Stark Industries which acquired Wayne Enterprises (if anyone would like to debate who would buy who, I’m up for the discussion). Wayne Enterprises consists of ~1,500 users and Stark Industries consists of ~4,000 users. End users will want to collaborate across organizations post-acquisition.
First, set up organization sharing so free/busy status is available between each organization. Next, create contacts in Active Directory or Entra in each organization so that the Global Address List (“GAL”) is complete. Last, configure Teams external chat settings in each organization to allow chat via Teams. At this point, Stark users can find Wayne users (and vice versa) in the GAL and see free/busy information to schedule meetings with one another. They can also chat via Teams either 1:1 or 1:many. Coolio.
This is a great start, and these are the first steps we’d recommend at Comet. But users and executives are going to ask for more collaboration capabilities.
- “Hey IT, can we invite Holly HR into our (insert people management solution here: Workday, Peoplesoft, Oracle HCM, etc.)? She needs to be able to work on these benefits renewals.”
- “IT, how can I get Fred Finance access to our Power BI instance with last year’s financial reports?”
- “Please give Tommy Tax access to our Tax Team so that he can work on tax audits for a new client project.”
Makes sense though, right? The whole reason Stark acquired Wayne was to combine resources to fight evil doings. So what options do we have to improve the collaboration experience?
- Consolidate tenants: Migrate Wayne users, devices, and Office 365 tenant into Stark.
- Invite guests: Invite Wayne users as guests to collaborate in Teams and Entra registered applications (such as Workday, Peoplesoft, Oracle HCM, etc.) in the Stark tenant.
- Multitenant organization: Set up both tenants in a Multitenant organization (which is like inviting guests on steroids). This brings Wayne users in as a B2B Member instead of B2B guest, which provides an improved collaboration experience.
Each one of these options comes with its own pros, cons, and considerations. Additionally, each option depends on the intent of the acquisition. Let’s review each of these options in a bit more detail.
Consolidate tenants
Since this seems like the obvious choice, let’s discuss why you wouldn’t want to do this:
- Don’t do this if you’re planning to divest the company at a later time. It will make the divestiture more complex and costly.
- Don’t do this if the acquired company has complex security and/or compliance requirements. Integration may mean you need to apply those compliance requirements to the entire organization. This can result in end user impacts, increased costs, etc.
Assuming neither are true, consolidating will provide the best collaboration experience. The plan is to migrate everything from Wayne Enterprises into Stark Industries. This includes network integration, applications, data, server infrastructure, users, devices, etc. All of it.
Pros
- The best collaboration experience in Office 365. Everything just works.
- Centralizes IT administration into a single control plane (reduces costs, improves security, economies of scale, etc.)
- One identity to manage
- More users provide leverage in license negotiations
Cons
- Costly initial upfront migration (consulting costs, migration tooling, extra licenses, etc.)
- TIP: include these in your IT Due Diligence report so it’s not a surprise later
- Includes downtime for end users (reduce this with sufficient planning and testing)
- More complex to separate users for compliance (although plenty of tools exist in Microsoft 365 to achieve this)
Invite users as guests
As the Stark IT administrator, it's tempting to invite Wayne users as guests to your tenant. After inviting them as guests, you can configure access to workloads such as an enterprise application in Entra, or a team in Teams. This is known as B2B Collaboration. This requires little administration effort, and solves the service desk requests quickly.
If the ultimate plan is to integrate the other tenant, please don’t do this. Why? Because during the integration process, you’ll now have 3 identities to map:
- The source user (e.g., wayne@wayneenterprises.com)
- The target user (wayne@starkindustries.com)
- The guest user (username_tenantname#EXT#@starkindustries.com)
Depending on how long the guest user exists, users will invite them to all sorts of stuff. Now, you’re mapping permissions in a triangle instead of 1:1. This increases the chance of errors and increases complexity, which increases costs.
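To see what the “triangle” looks like in practice, here is an added example (not code from the original post or from Comet) that resolves each B2B guest UPN back to its source identity and pairs it with the planned target account, so the mapping collapses back to 1:1 and stray guests stand out. It assumes the username_sourcedomain#EXT#@targetdomain guest UPN format described above, that target accounts keep the source alias, and uses constructed sample users.

```powershell
# Added example (not from the original post). Resolves guest UPNs of the form
# username_sourcedomain#EXT#@targetdomain back to username@sourcedomain.
function Resolve-GuestSourceIdentity {
    param([Parameter(Mandatory)][string]$GuestUpn)
    # Everything before #EXT# is the source address with '@' replaced by '_'.
    if ($GuestUpn -notmatch '^(?<local>.+)#EXT#@(?<targetDomain>[^@]+)$') { return $null }
    $local = $Matches['local']
    $split = $local.LastIndexOf('_')   # domains contain no '_', so the last one stands for '@'
    if ($split -lt 1) { return $null }
    [pscustomobject]@{
        SourceUpn    = '{0}@{1}' -f $local.Substring(0, $split), $local.Substring($split + 1)
        TargetDomain = $Matches['targetDomain']
    }
}

# Builds a source -> guest -> target mapping and flags guests with no source account.
# Matching the target account on the source alias is an assumption of this example.
function Get-IdentityMappingReport {
    param([string[]]$GuestUpns, [string[]]$SourceUpns, [string]$TargetDomain)
    $resolved = @{}
    foreach ($g in $GuestUpns) {
        $r = Resolve-GuestSourceIdentity $g
        if ($r) { $resolved[$r.SourceUpn.ToLower()] = $g }
    }
    foreach ($source in $SourceUpns) {
        $guest  = $resolved[$source.ToLower()]
        $action = 'Migrate 1:1'
        if ($guest) { $action = 'Migrate, merge guest permissions into target, then remove guest' }
        [pscustomobject]@{
            SourceUpn = $source
            GuestUpn  = if ($guest) { $guest } else { '(none)' }
            TargetUpn = '{0}@{1}' -f ($source -split '@')[0], $TargetDomain
            Action    = $action
        }
    }
    foreach ($g in $GuestUpns) {
        $r = Resolve-GuestSourceIdentity $g
        if (-not $r -or ($SourceUpns -notcontains $r.SourceUpn)) {
            [pscustomobject]@{ SourceUpn = '(unknown)'; GuestUpn = $g; TargetUpn = '(none)'
                               Action = 'Review: guest has no source account in the acquired tenant' }
        }
    }
}

# Constructed sample data: guests already in Stark, accounts to migrate from Wayne.
$guests  = 'bruce_wayneenterprises.com#EXT#@starkindustries.com',
           'lucius.fox_wayneenterprises.com#EXT#@starkindustries.com',
           'alfred_gmail.com#EXT#@starkindustries.com'
$sources = 'bruce@wayneenterprises.com', 'selina@wayneenterprises.com', 'lucius.fox@wayneenterprises.com'
Get-IdentityMappingReport -GuestUpns $guests -SourceUpns $sources -TargetDomain 'starkindustries.com' |
    Format-Table -AutoSize
```

In a real tenant the guest list would come from Get-MgUser filtered on userType eq 'Guest', and the object’s mail attribute is a second check on the UPN-derived source address.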
If the plan is to divest this organization quickly, go for it. Again, this is quick to set up and there are a lot of controls in Entra and other admin centers to govern the guest access experience. You’ll kill two birds with one stone: you’ll improve the collaboration experience between Stark and Wayne, and you’ll have guest access securely configured for when Stark Industries needs to invite guests from anyone else. To configure this, you’ll want to look into cross-tenant synchronization.
Pros
- Quickly bring external users into your tenant to add them to Teams and Entra applications
- Cheap solution (no third party tools or consulting services required)
Cons
- Many collaboration features will not be available
- Can become very complex if the organization decides to consolidate later
If the plan is to hold on to this company for a while, you’re better off configuring a multitenant organization.
Multitenant organizations
Around August 2023, Microsoft announced a new feature called multitenant organizations. It builds upon the capabilities of cross-tenant synchronization. With cross-tenant synchronization, users are synchronized between two tenants as guest users. With multitenant organizations, however, users are synchronized as Members. They’ll show up in the synchronized tenant with the External Member user type.
With multitenant organizations, therefore, users are treated as first-class Members instead of Guests. This important distinction gives the synchronized user more permissions than they would have as a guest. For example:
- Member users can register applications, manage their own profile photo and mobile phone number, change their own password, and invite B2B guests. These users can also read all directory information (with a few exceptions).
- Guest users have restricted directory permissions. They can manage their own profile, change their own password, and retrieve some information about other users, groups, and apps. However, they can’t read all directory information.
Refer to this table for a detailed comparison of Member and Guest default permissions.
So Stark IT can synchronize Wayne users in as External Members and vice versa. Now that the user is treated as a Member, it will be like they’re a normal user in our tenant, right? Wayne users will be able to use all of the services and collaboration features in our tenant just like a Stark user, right?
Not quite. Remember, this service is still in Preview. The service that works best with this feature is Microsoft Teams, as discussed in this article. Here is a quick breakdown of the testing that the Comet team performed (testing performed April 2024).
[^1] Multitenant organizations are in Preview and therefore not a fully supported solution by Microsoft.
[^2] Will work for users, but not for groups or distribution lists.
[^3] It might take up to 7 days for a user to appear in search once synchronized.
[^4] Experience is untested and is in Preview.
[^5] Must be duplicated in each tenant, or purchase a third-party solution.
Promising tech and an exciting option, but not quite ready for prime time. However, depending on your circumstances and the size of your organization, it could be an option. Coupled with the upcoming ability to convert Guests to internal Members, this could change how acquisitions are typically handled.
Pros
- Provides an enhanced collaboration experience compared to guest users.
- Very easy to setup and configure.
Cons
- Not all services are supported (see limitations).
- Cannot add synchronized users to shared mailboxes, which is a top request.