How to Configure Microsoft Copilot With Cross-Tenant Synchronization

You need Copilot to search and summarize data from users in a partner organization without giving them full access to your Microsoft 365 tenant. Cross-tenant synchronization allows identity objects to be shared between Azure AD tenants, and Copilot can use these synchronized identities for grounded responses. This article explains how cross-tenant synchronization works with Copilot, the prerequisites you must meet, and the exact steps to configure it. You will learn how to set up outbound and inbound synchronization so Copilot can access data from external users while respecting your existing compliance boundaries.

Key Takeaways: Cross-Tenant Sync for Copilot

  • Azure AD > Cross-tenant access settings > Outbound settings: Controls which users and groups from your tenant are shared with a partner tenant.
  • Azure AD > Cross-tenant access settings > Inbound settings: Controls which external users and groups can be synchronized into your tenant for Copilot to reference.
  • Microsoft 365 admin center > Settings > Org settings > Cross-tenant data sharing: Must be enabled to allow Copilot to process data from synchronized users.

How Cross-Tenant Synchronization Works With Copilot

Cross-tenant synchronization uses Azure AD Connect or Microsoft Identity Manager to copy user and group objects from one tenant to another. When an external user is synchronized into your tenant, Copilot can include that user’s data in its responses if the data is stored in a Microsoft 365 service like Exchange Online, SharePoint Online, or Teams. The synchronization does not grant the external user access to your tenant’s resources. It only creates a B2B collaboration user object in your directory. Copilot then uses this object to find and summarize data that the external user has permission to see in the source tenant. This setup is useful for mergers, acquisitions, or partner collaboration scenarios where you need cross-tenant data visibility without full tenant migration.

Prerequisites for Cross-Tenant Synchronization With Copilot

Before you begin, confirm the following requirements are met:

  • Both tenants must have Azure AD Premium P1 or P2 licenses.
  • Each user who will be synchronized must have a valid Microsoft 365 license that includes Copilot, such as Copilot for Microsoft 365 or Copilot Pro.
  • Cross-tenant access settings must be configured in both tenants: the source tenant for outbound sharing and the target tenant for inbound acceptance.
  • The admin performing the setup must have the Global Administrator or Security Administrator role in both tenants.
  • External sharing settings in SharePoint and OneDrive must allow sharing with B2B collaboration users if you want Copilot to search files in those services.

Steps to Configure Cross-Tenant Synchronization for Copilot

The configuration involves three phases: setting up cross-tenant access policies, synchronizing the user objects, and then enabling cross-tenant data sharing for Copilot. Follow these steps in order.

Phase 1: Configure Cross-Tenant Access Policies

  1. Sign in to Azure AD in the source tenant
    Open the Azure portal at portal.azure.com. Navigate to Azure Active Directory > External Identities > Cross-tenant access settings.
  2. Add the target tenant as an organizational relationship
    Click Organizational settings. Select Add organization. Enter the target tenant ID or domain name. Click Add.
  3. Configure outbound access for the target tenant
    Select the target tenant row. Click Outbound access. Under B2B collaboration, choose Allow access. In the Target tab, select Allow all users or specify a group of users to share. Click Save.
  4. Repeat in the target tenant for inbound access
    Sign in to Azure AD in the target tenant. Go to External Identities > Cross-tenant access settings > Organizational settings. Add the source tenant. Click Inbound access. Under B2B collaboration, choose Allow access. Specify the same group or all users from the source tenant. Click Save.
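
A scope check for the result of Phase 1, added here as an example and not taken from the original article or from Microsoft: it compares the outbound scope saved in the source tenant with the inbound scope saved in the target tenant and reports "all users" grants and mismatches. It assumes each tenant's partner entry has been exported as JSON shaped like the Microsoft Graph crossTenantAccessPolicyConfigurationPartner resource; the entries, tenant placeholders and group ID are constructed.

```python
# Constructed samples shaped like Microsoft Graph
# crossTenantAccessPolicyConfigurationPartner entries; IDs are placeholders.
GROUP_ID = "00000000-0000-0000-0000-0000000000b1"  # hypothetical source group

SOURCE_ENTRY = {  # partner entry for the target tenant, read in the source
    "tenantId": "<target-tenant-id>",
    "b2bCollaborationOutbound": {"usersAndGroups": {
        "accessType": "allowed",
        "targets": [{"target": GROUP_ID, "targetType": "group"}]}},
}
TARGET_ENTRY = {  # partner entry for the source tenant, read in the target
    "tenantId": "<source-tenant-id>",
    "b2bCollaborationInbound": {"usersAndGroups": {
        "accessType": "allowed",
        "targets": [{"target": "AllUsers", "targetType": "user"}]}},
}


def allowed_targets(entry, direction):
    """Allowed user/group targets for one direction.

    Returns None when the partner entry has no value (tenant default applies)
    and an empty set when the direction is explicitly blocked.
    """
    users = (entry.get(direction) or {}).get("usersAndGroups")
    if not users:
        return None
    if users.get("accessType") != "allowed":
        return set()
    return {t["target"] for t in users.get("targets", [])}


def audit_pair(source_entry, target_entry):
    """Compare outbound scope in the source with inbound scope in the target."""
    out = allowed_targets(source_entry, "b2bCollaborationOutbound")
    inb = allowed_targets(target_entry, "b2bCollaborationInbound")
    findings = []
    for name, scope in (("outbound", out), ("inbound", inb)):
        if scope is None:
            findings.append(f"{name}: inherits tenant default")
        elif "AllUsers" in scope:
            findings.append(f"{name}: allows AllUsers")
    if out is not None and inb is not None and out != inb:
        findings.append("scope mismatch: " + ", ".join(sorted(out ^ inb)))
    return findings


if __name__ == "__main__":
    for finding in audit_pair(SOURCE_ENTRY, TARGET_ENTRY):
        print(finding)
```

An empty result means both sides name the same explicit users or groups, which is the state step 4 asks for when a group is used.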

Phase 2: Synchronize User Objects

  1. Create a synchronization profile in the source tenant
    In Azure AD, go to External Identities > Cross-tenant synchronization. Click New profile. Give it a name, for example “Copilot cross-tenant sync.” Select the target tenant. Click Create.
  2. Select the users or groups to synchronize
    In the profile, go to Users and groups. Click Add users/groups. Choose the users or groups that contain the identities Copilot should access. Click Select.
  3. Map attributes for the synchronized objects
    Go to Attribute mapping. Review the default mappings. Ensure the userPrincipalName and displayName are mapped. You can add custom mappings if needed. Click Save.
  4. Enable and start the synchronization
    Go to Provisioning. Set Provisioning status to On. Click Save. Then click Provision on demand to run an initial sync. Wait for the status to show Success.
  5. Verify the synchronized users appear in the target tenant
    In the target tenant, go to Azure Active Directory > Users. Search for a user from the source tenant. The user object should appear with a User type of B2B collaboration.

Phase 3: Enable Cross-Tenant Data Sharing for Copilot

  1. Open the Microsoft 365 admin center
    Go to admin.microsoft.com. Sign in with an account that has the Global Administrator role in the target tenant.
  2. Navigate to cross-tenant data sharing settings
    Go to Settings > Org settings > Cross-tenant data sharing. Click Edit.
  3. Enable sharing for the source tenant
    Toggle Allow cross-tenant data sharing to On. Select the source tenant from the list. Click Save.
  4. Confirm Copilot can access the synchronized data
    Open Copilot in Microsoft Teams or in a supported Microsoft 365 app. Ask a question about a file or message that belongs to a synchronized user. Copilot should return results from that user’s data if your permissions allow it.

If Synchronized Users Are Not Visible to Copilot

Even after following the steps above, Copilot might not return data from synchronized users. The following issues are the most common causes and their fixes.

Copilot Returns No Results for External User Data

This usually happens when the synchronized user does not have any data in Microsoft 365 services that Copilot can search. The user must have an active mailbox in Exchange Online, files in SharePoint or OneDrive, or messages in Teams. Verify that the user has a valid license for those services and has created content. If the user is from a tenant that does not have Copilot enabled, Copilot can still read their data but cannot generate responses on their behalf.

Synchronization Fails With a Provisioning Error

Check the provisioning logs in the source tenant. Go to Azure AD > External Identities > Cross-tenant synchronization > your profile > Provisioning logs. Look for errors like DuplicateAttributeValue or InvalidUserPrincipalName. These errors occur if the source user’s UPN conflicts with an existing user in the target tenant. Rename the user in the source tenant or exclude the conflicting user from the sync scope.
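
A triage helper for exported provisioning logs, added here as an example and not part of the original article: it lists the source users whose latest outcome is still one of the two conflict errors named above, so users that synced successfully after a rename drop out. It assumes entries shaped like Microsoft Graph provisioning log records (provisioningObjectSummary) with the source UPN in sourceIdentity.displayName; the `_entry` helper and all sample values are constructed.

```python
# Error codes named in the troubleshooting text above.
UPN_CONFLICT_CODES = {"DuplicateAttributeValue", "InvalidUserPrincipalName"}


def _entry(when, user, status, code=None):
    """Build one constructed log record (hypothetical helper for the sample)."""
    info = {"status": status}
    if code:
        info["errorInformation"] = {"errorCode": code}
    return {"activityDateTime": when,
            "sourceIdentity": {"displayName": user},
            "provisioningStatusInfo": info}


# Constructed sample, deliberately out of chronological order.
SAMPLE_LOG = [
    _entry("2024-05-01T11:00:00Z", "bob@source.example", "success"),
    _entry("2024-05-01T10:00:00Z", "alice@source.example", "failure",
           "DuplicateAttributeValue"),
    _entry("2024-05-01T10:01:00Z", "bob@source.example", "failure",
           "InvalidUserPrincipalName"),
    _entry("2024-05-01T10:02:00Z", "carol@source.example", "skipped"),
]


def unresolved_conflicts(entries):
    """Map source user -> latest conflict code, for users not yet fixed."""
    latest = {}
    # ISO 8601 UTC timestamps in one format sort correctly as strings.
    for e in sorted(entries, key=lambda e: e["activityDateTime"]):
        user = e["sourceIdentity"]["displayName"]
        info = e["provisioningStatusInfo"]
        code = (info.get("errorInformation") or {}).get("errorCode")
        if info["status"] == "failure" and code in UPN_CONFLICT_CODES:
            latest[user] = code
        elif info["status"] == "success":
            latest.pop(user, None)  # a later success clears the conflict
    return latest


if __name__ == "__main__":
    for user, code in unresolved_conflicts(SAMPLE_LOG).items():
        print(f"{user}: {code} -> rename in source or exclude from scope")
```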

Copilot Shows a Permission Error When Accessing External Data

The synchronized B2B user object in the target tenant must have at least read permissions to the data Copilot is querying. For example, if you want Copilot to summarize a SharePoint document library that the external user owns, the external user must share the library with the target tenant’s users or with a group that includes the target tenant’s users. Use SharePoint sharing settings to grant access to the external user’s content.

Cross-Tenant Sync vs Tenant-to-Tenant Migration: Key Differences

| Item | Cross-Tenant Synchronization | Tenant-to-Tenant Migration |
| --- | --- | --- |
| Description | Copies user and group identities between tenants as B2B objects | Moves user accounts, mailboxes, and data permanently to another tenant |
| Copilot data access | Copilot can read data from the source tenant for users in the target tenant | Copilot accesses data only from the target tenant after migration |
| User experience | Users keep their original accounts and credentials | Users must sign in to the new tenant and may lose access to old data |
| Compliance boundaries | Data remains in the source tenant’s geography | Data moves to the target tenant’s geography |
| Setup complexity | Requires Azure AD cross-tenant access policies and sync profile | Requires third-party migration tools or Microsoft 365 migration services |

Cross-tenant synchronization keeps data in the source tenant, which helps maintain compliance with data residency requirements. Tenant-to-tenant migration moves all data, which can be necessary when two organizations fully merge. For scenarios where you only need Copilot to search across organizational boundaries without moving data, cross-tenant synchronization is the correct approach.

You can now configure cross-tenant synchronization to let Copilot access data from users in a partner organization. Start by setting up cross-tenant access policies in both tenants, then create the synchronization profile, and finally enable cross-tenant data sharing in the Microsoft 365 admin center. To verify the setup, ask Copilot a question about a file or email from a synchronized user. For advanced control, consider using attribute-based access control to limit which synchronized users Copilot can query.
