Cross-tenant Shared DNS Space (Native Cross-Tenant Domain Sharing for Exchange Online)

-

 

Cross-tenant Shared DNS Space
(Native Cross-Tenant Domain Sharing for Exchange Online)

 

Upcoming new features, describe and change migration approach, (private preview)

Reference: Supporting Mergers, Acquisitions, and Divestitures in Microsoft 365 - Microsoft Community Hub

 

Microsoft has announced publicly a new expected solution architecture and some of the configuration and management tasks you must perform when utilizing native cross-tenant domain sharing functionality.

Below, the step-by-step description to enable cross-tenant domain sharing for a single SMTP domain. (valid as long no major changes are introduced by MS)

The domain will be Authoritative in the Tenant where you perform the primary domain management. Up on enablement for domain for cross-tenant domain sharing, you will be able to add the domain as an Internal Relay in additional tenants. An internal Relays is like in Exchange On-Premises relay configuration.

  

Cross-Tenant Domain Sharing Configuration 

Enabling domain sharing for source-tenant.com in Source Tenant so that source-tenant.com can be assigned as a Primary SMTP address to the mailboxes in Target Tenant. 

  1. Add source-tenant.com as an Accepted Domain in Source Target before adding it to other tenants

·       Domain appears as Type: Authoritative 

  1. Configure source-tenant.com in Source Tenant to allow sharing with Target Tenant

·       Microsoft will provide full details for this task once the feature is public 

  1. Add source-tenant.com as an Accepted Domain in Target Tenant

·       Domain appears as Type: Internal Relay 

  1. Configure Inbound Connectors that are in each tenant to trust the opposite tenant

·       Source Tenant connector configuration:

SenderDomains={smtp:source-tenant.com;1} 

TrustedOrganizations={smtp:target-tenant.onmicrosoft.com;1} 

·       Target Tenant connector configuration:

SenderDomains={smtp:source-tenant.com;1} 

TrustedOrganizations={smtp:source-tenant.onmicrosoft.com;1} 

  1. MX Record for source-tenant.com points to Source Tenant

·       Inbound messages for all source-tenant.com addresses will deliver to Source Tenant and then routed to Target Tenant 

  

Primary SMTP Address Assignment 

With the cross-tenant domain sharing architecture in place, you can now start to assign source-tenant.com email addresses to mailboxes in Target Tenant, which has target-tenant.com as an Authoritative Accepted Domain. 

  1. Create a mailbox in Target Tenant, which will have a UPN for a domain that is owned by Target Tenant
  1. Set the Primary SMTP on the mailbox in Target Tenant to a unique source-tenant.com address
    • Example: userA@source-tenant.com 
    • Microsoft will provide full details for this task once the feature is public 

 

The user is now able to send emails from his mailbox in Target Tenant as userA@source-tenant.com even though that domain is managed by Source Tenant. 

Comments

Post a Comment

Popular posts from this blog

Cannot join external Lync Meeting: Lync Edge Server Single IP Address (Lync Edge Server Single IP Web Conferenceing Problem)

-
Image
Lync Edge Server FQDN and IP PORTS (Version 1.2, Update 26.11.2014) As we all know, we can configure Lync Edge Server in several way. 1) Single Edge Server with a SINGLE IP ADDRESS 2) Single Edge Server with MULTIPLE IP ADDRESSES (3x IPs) 3) Multiple Edge Server in a Pool, with MULTIPLE IP ADDRESSES (Zx 3 IPs) Regardless what we are going to configure, there are common / well-known TCP Port necessary making Lync work, which are: Access: Port: 443 and 5061 Conferencing: Port: 443 and (444) AV: Port: 443 (I have not listed other ports, e.g. STUN or the dynamic port range. This is not required for the topic discussed here) External FQDN with single IP address: What can we see here? If we are going to choose a single IP address, we would have TCP Port overlapping. Therefore the only way avoiding this is assigning other ports. Additionally we will also see and are reminded that Lync highly depends on DNS. If we have single IP, we must have use single, unique FQDN fo
Read more

MFA with Guest Access and different tenants settings

-
Image
There is an update regarding MFA Multi Factor Authentication. If you are guest with a different Tenant, the MFA Settings are now reflecting the settings of all tenants in a different way. Each MFA setting is reflected and you can setup your MFA device as per tenant and the admin settings allow. Login to your Profile in Office 365/ Azure AD: https://account.activedirectory.windowsazure.com/r/#/profile or https://myapps.microsoft.com Go to your PROFILE: Sign in to https://myapps.microsoft.com Select your account name in the top right, then select profile. Select Additional security verification. If might be happen, your admin hast configured MFA, so you wouldn't see this menu. Simply switch the tenant to the guest tenant where you need to configure MFA. Once you go back to your profile and you will find the MFA device and other settings a usual:
Read more

How to hide users from GAL if they are AD Connect synchronized

-
Image
How to hide and un-hide users from Global Address List (GAL) in Exchange Online if they are AD Connect synchronized Hiding User from GAL isn't possible if those are synchronized form On-Premises Active Directory. The local AD is the leading system for all important attributes, like SMTP, UPN and hiding from GAL. Especially during a cross-tenant migration, you do not want to see not migrated user in the GAL. Those User aren't actively working until their cut-over day. Since the Exchange Online attribute  msExchHideFromAddressList s is an AD on-premises parameter, we have two possible ways hiding user in BME from GAL.   Modify the AD Connect for your teant with a custom rule, by using a extensionAttribute to set the HidefromGAL. In this rule, for users which have an entry in the extensionAttribute, hiding / un-hiding will be controlled by AD Connect This is the best option for Cross-Tenant Migration, if you run 2 or more AD Connect system We direct modify the AD hide at
Read more