Syncing Entra Users to Contacts, or Cross-Tenant-Contact-Sync (aka CTCS)

Over the past several months, I’ve been working closely with a large number of customers implementing Microsoft Entra Multitenant Organizations (MTO) and Cross-Tenant Synchronization (CTS). These capabilities are a major step forward for organizations that need to operate across multiple tenants—whether due to mergers and acquisitions, regional isolation, or business unit separation. When properly configured, CTS provides automated lifecycle management by creating, updating, and removing users across tenants, enabling seamless collaboration between environments.

However, despite the benefits, there’s one piece of feedback that consistently surfaces in nearly every engagement: CTS only supports provisioning users as B2B collaboration users, not as native mail contacts. For many organizations, this limitation creates real friction. In practice, customers often already have an established pattern for cross-tenant visibility, such as legacy tooling like the now-deprecated Azure AD Tenant Sync Service (ADSS), or even simple CSV-driven processes used to maintain static contact lists in Exchange Online. These solutions, while functional, are typically rigid, manual, and difficult to scale or maintain over time.

What customers are really asking for is something more flexible and operationally efficient: a fully automated solution that can handle user lifecycle events—adds, changes, and deletes—while maintaining contacts instead of guest users. Just as importantly, they want to stay aligned with modern identity practices by using application registrations and Microsoft Graph, without introducing the overhead and complexity of deploying Microsoft Identity Manager (MIM), including Graph or PowerShell management agents and custom extensions. For many teams, MIM is simply too heavy for what should be a relatively straightforward synchronization problem.

To address this gap, I developed a lightweight, automation-friendly PowerShell-based synchronization solution. The approach uses Microsoft Graph (via client ID and client secret) to retrieve source tenant user data, and Exchange Online PowerShell (via certificate-based authentication) to manage objects in the target tenant. The result is a tenant-to-tenant synchronization process that can create, modify, and delete mail contacts in the target tenant, effectively mimicking a traditional directory sync—but scoped specifically for cross-tenant contact visibility rather than identity federation.

One of the key design goals was simplicity and repeatability. The script is fully schedulable and can be run independently for each source-to-target relationship. It also supports an external XML configuration file that contains all required connection details, including tenant identifiers, application registration information, and certificate references. This allows a single script to be reused across multiple synchronization scenarios simply by swapping the input configuration, without requiring code changes or redeployment. The result is a highly flexible model that scales cleanly across complex multi-tenant environments.
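As an added example (not the author's GitHub script), here is one sync pass in PowerShell that follows the design described above: an XML config selects the tenant pair, the source tenant is read through Microsoft Graph with client credentials, the target tenant is reached through Exchange Online PowerShell with certificate-based authentication, and mail contacts are created, updated or removed to match. The config element names, the `CTCS:<tenantId>` marker stored in CustomAttribute1 (so the script only ever deletes contacts it created for this pair), the `CTCS_CLIENT_SECRET` environment variable and the empty-result guard are assumptions of this example, not features of the original.

```powershell
# Added example, not the original project's code. Assumed config shape (constructed):
# <ctcs><source tenantId="..." clientId="..."/>
#       <target organization="contoso.onmicrosoft.com" appId="..." certThumbprint="..."/></ctcs>
# The client secret is read from an environment variable, so the XML holds no credential.
param([string]$ConfigPath = '.\ctcs-config.xml')
[xml]$cfg = Get-Content -Path $ConfigPath -Raw
$src = $cfg.ctcs.source; $tgt = $cfg.ctcs.target
$tag = "CTCS:$($src.tenantId)"   # assumed marker identifying contacts owned by this sync pair

# 1. Client-credentials token for Microsoft Graph in the source tenant
$tokenResp = Invoke-RestMethod -Method Post -Uri "https://login.microsoftonline.com/$($src.tenantId)/oauth2/v2.0/token" -Body @{
    client_id = $src.clientId; client_secret = $env:CTCS_CLIENT_SECRET
    scope = 'https://graph.microsoft.com/.default'; grant_type = 'client_credentials'
}
$headers = @{ Authorization = "Bearer $($tokenResp.access_token)" }

# 2. Collect enabled users that have a mailbox address, following @odata.nextLink paging
$desired = @{}
$uri = 'https://graph.microsoft.com/v1.0/users?$select=displayName,mail,accountEnabled&$top=999'
while ($uri) {
    $page = Invoke-RestMethod -Uri $uri -Headers $headers
    foreach ($u in $page.value) {
        if ($u.accountEnabled -and $u.mail) { $desired[$u.mail.ToLower()] = $u.displayName }
    }
    $uri = $page.'@odata.nextLink'
}
# Guard: an empty or failed read must never turn into a mass delete in the target tenant
if ($desired.Count -eq 0) { throw 'Source returned no users; refusing to reconcile.' }

# 3. Certificate-based app-only connection to the target tenant's Exchange Online
Connect-ExchangeOnline -AppId $tgt.appId -CertificateThumbprint $tgt.certThumbprint -Organization $tgt.organization -ShowBanner:$false

# 4. Reconcile, touching only contacts that carry this pair's tag
$existing = @{}
Get-MailContact -ResultSize Unlimited -Filter "CustomAttribute1 -eq '$tag'" | ForEach-Object {
    $existing[(([string]$_.ExternalEmailAddress) -replace '^smtp:', '').ToLower()] = $_
}
foreach ($mail in $desired.Keys) {
    if ($existing.ContainsKey($mail)) {
        if ($existing[$mail].DisplayName -ne $desired[$mail]) { Set-MailContact -Identity $existing[$mail].Identity -DisplayName $desired[$mail] }
    } else {
        $c = New-MailContact -Name $mail -DisplayName $desired[$mail] -ExternalEmailAddress $mail
        Set-MailContact -Identity $c.Identity -CustomAttribute1 $tag
    }
}
foreach ($mail in $existing.Keys) {
    if (-not $desired.ContainsKey($mail)) { Remove-MailContact -Identity $existing[$mail].Identity -Confirm:$false }
}
Disconnect-ExchangeOnline -Confirm:$false
```

Running one such pass per XML file is what makes the model reusable across tenant pairs; the tag filter is what keeps two pairs targeting the same tenant from deleting each other's contacts.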

For organizations adopting MTO and CTS, this fills a practical gap between modern identity provisioning and real-world operational needs—particularly in environments where contact-based discovery and email routing are still required alongside or instead of B2B user provisioning. While CTS is designed to manage B2B collaboration identities across tenants, many organizations still need a complementary solution for Exchange-centric scenarios where contacts remain the better fit.

My script can be found on GitHub HERE

If you’re exploring these capabilities, Microsoft provides detailed documentation here:

Plan for multitenant organizations in Microsoft 365

Configure cross-tenant synchronization

What is cross-tenant synchronization
