GAL sync for MSPs: managing contact sync across multiple Microsoft 365 tenants

MSPs running contact sync across dozens of tenants face unique problems: per-tenant app registrations, centralized billing, RMM deployment, and Server Core headless operation. This is the pattern that actually scales.

Updated 2026-04-20

The MSP problem

For a 20-client MSP, rolling out GAL sync means: 20 Entra ID App Registrations, 20 certificates, 20 sync schedules, and somehow monitoring the whole thing from one place without logging into 20 different admin consoles. Do this with SaaS contact-sync tools and the per-user billing stacks up to five figures fast. Do it with EWS scripts and you’ve got 20 scripts on 20 servers, all about to break in October 2026.

The pattern that scales

1. Per-tenant Entra ID App Registration

Create a single-tenant app in each customer tenant with the three required Graph permissions (User.Read.All, Group.Read.All, Contacts.ReadWrite). Single-tenant keeps blast radius contained: if one customer revokes consent, it doesn’t affect your other clients. See the app registration walkthrough.

2. Headless service on Server Core

Install the CYNC service-only MSI on a Windows Server Core box per customer (or on a shared management VM, depending on your segmentation policy). No UI means lower attack surface, lower patch burden, and no GUI licenses to worry about.

3. RMM-driven deployment

The MSI accepts silent install (/quiet) and supports pre-configured settings files. The typical RMM playbook:

  1. Push MSI + customer-specific cert + settings.json via NinjaOne, Datto RMM, Kaseya, or N-able.
  2. Run a post-install script that imports the cert and starts the service.
  3. Monitor the Windows Event Log channel for sync results via your existing RMM alert policies.

Full deployment per tenant runs in under 10 minutes, fully automated.
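
One way to write the post-install script from step 2, added here as an example and not taken from CYNC or its documentation. The service name, the parameter names and the use of the LocalMachine\My store are assumptions; substitute whatever the installer and your settings file actually expect.

```powershell
# Added example: RMM post-install step (not vendor code).
[CmdletBinding()]
param(
    [Parameter(Mandatory)] [string]       $PfxPath,            # customer-specific cert pushed by the RMM
    [Parameter(Mandatory)] [securestring] $PfxPassword,        # supplied from the RMM's secret store
    [Parameter(Mandatory)] [string]       $ExpectedThumbprint, # thumbprint registered on this tenant's app
    [string] $ServiceName = 'PLACEHOLDER-SyncService'          # hypothetical; use the name the MSI registers
)
$ErrorActionPreference = 'Stop'

# Inspect the file before it touches the store, so a cert pushed to the
# wrong customer's box is rejected instead of imported.
$pfx  = Get-PfxData -FilePath $PfxPath -Password $PfxPassword
$leaf = $pfx.EndEntityCertificates | Select-Object -First 1
$want = ($ExpectedThumbprint -replace '\s', '').ToUpperInvariant()
if ($leaf.Thumbprint -ne $want) {
    throw "Thumbprint mismatch: file has $($leaf.Thumbprint), expected $want"
}
if ($leaf.NotAfter -lt (Get-Date).AddDays(30)) {
    throw "Certificate expires $($leaf.NotAfter.ToString('u')); rotate before deploying"
}

# Import into the machine store (assumed location). Without -Exportable the
# private key is marked non-exportable.
$cert = Import-PfxCertificate -FilePath $PfxPath -Password $PfxPassword `
            -CertStoreLocation Cert:\LocalMachine\My
if (-not $cert.HasPrivateKey) { throw 'Imported certificate has no private key' }

# The PFX is not needed on disk once the key is in the store.
Remove-Item -LiteralPath $PfxPath -Force

# Start the service and fail the RMM job if it does not reach Running.
Start-Service -Name $ServiceName
(Get-Service -Name $ServiceName).WaitForStatus('Running', [TimeSpan]::FromSeconds(30))
Write-Output "Imported $($cert.Thumbprint); service '$ServiceName' is running"
```

Any `throw` leaves the script with a non-zero exit code, which the RMM can surface as a failed deployment for that tenant.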

4. Centralized remote admin

CYNC exposes a gRPC-over-HTTPS admin endpoint with Windows-integrated auth. From the WinUI 3 dashboard on your own workstation, you connect to any customer’s sync service and see sync status, last-run results, and error logs — without RDPing into 20 different boxes.

The MSP pricing model

The two things MSPs care about in contact-sync pricing are (a) whether the free tier is per-tenant or shared across your book, and (b) whether pricing drops with aggregate volume.

  • CYNC: 10-user free tier per tenant. A 20-client MSP with clients averaging 15 users gets the first 200 users free, then €0.18–€0.29/user/month above the per-tenant free tier.
  • Volume discounts: Per-user pricing decreases with scale. Floor of €0.18/user/month on annual plans.
  • Billing model: Stripe subscription per tenant, simple to cross-charge to clients.

See the MSP page for a worked example and pricing calculator.

Anti-patterns to avoid

  • One multi-tenant app across all clients. Cleaner to set up, but consent revocation affects everyone and audit trails get muddy.
  • Shared service account with EWS impersonation. Deprecated and going away October 1, 2026. Start with Graph app-only auth.
  • Manual runbooks instead of RMM automation. If you’re not pushing this via your RMM tool, you’ll drift by client five within a year.
