Monday, July 18, 2022

This is a continuation of the series of articles on hosting solutions and services on the Azure public cloud, following the most recent discussion on multitenancy. This article discusses the common solutions for multitenant user management. Administrators will find the processes described here familiar.

Customers repeatedly solve two specific challenges with the current tools: automatic user lifecycle management and resource allocation across tenants, and sharing on-premises applications across tenants.

Their solutions are described below. Microsoft recommends a single tenant wherever possible; when single tenancy is not an option, these solutions are the better fit.

When company acquisitions occur, the acquired employees often keep their existing corporate identities. The current state for these organizations requires them to synchronize changes between the two directories. Each resource tenant has a mail-enabled contact for every user in the other tenant, and no application access is possible across tenants.

The users expect to appear in each organization's Global Address List, to access applications and resources in the resource tenant, and to self-serve access requests to those resources.

The solution for this case requires creating user objects:

1. Ensure that their database is up to date.
2. Deploy and configure Microsoft Identity Manager (MIM), address the existing contact objects, create B2B external member objects for the other tenant's members, and synchronize user object attributes.
3. Deploy and configure Entitlement Management access packages.
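As an added example (not part of the original post), step 2's creation of B2B external member objects can be scripted with the Microsoft Graph PowerShell SDK; the tenant domain, user list, and redirect URL below are constructed assumptions, and the script refuses to invite an address that still has a mail contact so the GAL does not end up with two entries for one person.

```powershell
# Added example (not from the original post): invite users from the acquired
# (home) tenant into the resource tenant as B2B *member* objects, after checking
# for an existing user or a leftover mail contact that would collide with them.
# Assumes the Microsoft Graph PowerShell SDK and an account allowed to invite
# users. All tenant, address and URL values are constructed.

Import-Module Microsoft.Graph.Users
Import-Module Microsoft.Graph.Identity.SignIns
Import-Module Microsoft.Graph.Identity.DirectoryManagement

# Constructed sample export of the acquired tenant's users.
$homeTenantUsers = @(
    @{ Mail = 'alice@acquired.example'; DisplayName = 'Alice Example' },
    @{ Mail = 'bob@acquired.example';   DisplayName = 'Bob Example'   }
)

# Scopes: read users and contacts, send invitations.
Connect-MgGraph -Scopes 'User.Read.All', 'User.Invite.All', 'Directory.Read.All'

foreach ($u in $homeTenantUsers) {
    $mail = $u.Mail

    # Skip users already present in the resource tenant so re-runs are idempotent.
    $existing = Get-MgUser -Filter "mail eq '$mail'" -Property Id, UserType
    if ($existing) {
        Write-Host "Skip $mail : already present as $($existing.UserType)"
        continue
    }

    # A mail contact for the same address must be retired first; otherwise the
    # Global Address List carries both the contact and the new member object.
    $contact = Get-MgContact -Filter "mail eq '$mail'" -Property Id
    if ($contact) {
        Write-Warning "$mail still has mail contact $($contact.Id); resolve it before inviting"
        continue
    }

    # Invite as an external member rather than a guest so the user appears in the
    # GAL and can be targeted by Entitlement Management like an employee.
    $inv = New-MgInvitation -InvitedUserEmailAddress $mail `
        -InvitedUserDisplayName $u.DisplayName `
        -InvitedUserType 'Member' `
        -InviteRedirectUrl 'https://myapps.microsoft.com' `
        -SendInvitationMessage:$false

    Write-Host "Invited $mail -> object $($inv.InvitedUser.Id)"
}
```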

The second challenge involves sharing on-premises applications across tenants, where many organizational units synchronize B2B guest users. They share applications in Azure AD, and any add, modify, or delete is reflected in the home tenant. These units want to provide external guest users with access to on-premises resources: applications with SAML authentication, and applications with integrated Windows authentication and Kerberos.

The solution for this case is to let the guest users reach the same on-premises applications: configure access to the SAML applications, configure access to the other applications, and create the on-premises guest users through MIM or PowerShell. Access to the on-premises resources must be granted to the B2B users in Azure AD.

