Sync users from one Azure AD instance to another

azure azure-active-directory

I was hoping there would be a way to 'link' the two ADs and set-up grants like "all users from tenant X are members of group Y" in order to be able to use those groups for the access solution mentioned.

Well, it's not exactly a button that says "invite all users from this tenant", but you have an option there called "Azure AD B2B Bulk Invite", which will save you the trouble of inviting users one by one by collecting all the data you need in an excel file, you could generate this excel file easily from the tenant you want to invite users from: https://docs.microsoft.com/en-us/azure/active-directory/external-identities/tutorial-bulk-invite

Once the invitation is sent, you could manage how the redemption is done, you really don't need users to accept that email once the initiation is sent. All the newly invited guest users have to do is sign-in to a common endpoint, or to an app that exists in your tenant: https://docs.microsoft.com/en-us/azure/active-directory/external-identities/redemption-experience

If you are developing your own SAML apps or just adding apps from the AAD gallery, and you want users from other tenants to sign-in to those apps, you could create a user flow to collect the user claims during the app sing-in and create a guest account for them too: https://docs.microsoft.com/en-us/azure/active-directory/external-identities/self-service-sign-up-user-flow

If you believe that the above option is going to cause trouble and people will just start randomly appear in your tenant, then you can configure B2B options to limit what guest accounts can do in your tenant: https://docs.microsoft.com/en-us/azure/active-directory/external-identities/delegate-invitations#configure-b2b-external-collaboration-settings

If you want to delegate all of the hassle of managing B2B guest accounts in your tenant to someone, there's an AAD role for that called "Guest inviter" role: https://docs.microsoft.com/en-us/azure/active-directory/external-identities/delegate-invitations#assign-the-guest-inviter-role-to-a-user

Adding guest users to your tenant doesn't do anything unless they are given access to apps. Your tenant users can invite those guest accounts to access apps in the same tenant, and you could delegate app access management to app "owners", who can review and approve app access requests from guest accounts too: https://docs.microsoft.com/en-us/azure/active-directory/external-identities/add-users-information-worker#invite-someone-to-join-a-group-that-has-access-to-the-app

My apology for the wall of text :)

Related

Hosting of inconsistent workloads in Azure
How to block Filetransfer through RDP (Port 3389)?
Directory listing isn't working on nginx showing 404 error
AWS EC2 instance behind AWS ELB cannot get the real client's IP address
exactly 90 seconds to restart apache httpd
NGINX / Cloudflare random 520 HTTP errors when HTTP2 is enabled within NGINX
GCP Load Balancer - Instance Failing - Debug?
How to bring up last terminal window with a shortcut key?
org.freedesktop.PolicyKit1 was not provided by any .service files
How to change value of /proc/sys/fs/inotify/max_user_watches
Spotify has stopped working on the latest Ubuntu today, 15.04 [closed]
How to combine the output of multiple `find` commands?