FusionAuth
    • Home
    • Categories
    • Recent
    • Popular
    • Pricing
    • Contact us
    • Docs
    • Login

    Can you move users from one tenant to another?

    Scheduled Pinned Locked Moved Solved
    Q&A
    user import tenant faq
    4
    7
    27.0k
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • danD
      dan
      last edited by

      Is there a way to move a user from one tenant to another? Or do we have to delete and re-import?

      --
      FusionAuth - Auth for devs, built by devs.
      https://fusionauth.io

      1 Reply Last reply Reply Quote 0
      • danD
        dan @joshua
        last edited by

        Another option that works as of today is to set up a tenant to tenant connector.

        Add a connector to the new tenant. Point it at the /api/login endpoint of the old tenant, including an API key as a header.

        Change your app to send everyone to a new application in the new tenant.

        When the user logs in to the new application, if it is the first time they've been seen, the old tenant data, including password, will be queried. The password hash will be transparently migrated to the new tenant.

        This slow migration takes time, but is another option.

        --
        FusionAuth - Auth for devs, built by devs.
        https://fusionauth.io

        1 Reply Last reply Reply Quote 0
        • danD
          dan
          last edited by

          No, a user cannot be moved between tenants in the admin user interface. You could do this via the API with a retrieve and a create in a small program, though.

          --
          FusionAuth - Auth for devs, built by devs.
          https://fusionauth.io

          1 Reply Last reply Reply Quote 0
          • R
            rnsupercool
            last edited by

            How do you retrieve the whole user with password and other information? Is there any api available for the same?

            Thanks,
            Lohith

            1 Reply Last reply Reply Quote 0
            • danD
              dan
              last edited by

              @rnsupercool

              Unfortunately, there's no way to extract the password and the other information via the APIs.

              Options I could see working:

              • if you have developer edition (or other paid edition), you could set up a connector from FusionAuth to itself (via a generic http connector). This would take time to move the users to a different tenant.
              • you can get a database dump of your FusionAuth instance and run a bulk import of the user data, password, and other password settings into another tenant.
              • you could move over the users, set a random password and force them to change their password by setting passwordChangeRequired. Not sure that would definitely work; you should test this.

              Hope this helps.

              --
              FusionAuth - Auth for devs, built by devs.
              https://fusionauth.io

              D 1 Reply Last reply Reply Quote 0
              • D
                dwong @dan
                last edited by

                @dan Could a rule be set up such that if an already-provisioned user (e.g. johndoe@abc.com) from tenant A which logs into tenant B can perform a custom backend query that finds that user on tenant A, automatically lazy-import them into B, and finally provide successful login?

                I wish to use multitenancy for custom login experience across tenants, but I don't necessarily care that the credentials for that email address are different.

                joshuaJ 1 Reply Last reply Reply Quote 0
                • joshuaJ
                  joshua @dwong
                  last edited by joshua

                  @dwong

                  FusionAuth is API first, so this type of flow could be created using our API and custom integration code.

                  Roughly:

                  1. On tenant B, a user from tenant A logs in.
                  2. Do a search for a user
                  3. If found, do a registration and/or user create using API.
                  4. The newly created user can now be logged in. As referenced above, you may have some interstitial pages that would be needed for password generation as the user passes from one tenant to another.

                  Another way to do this would be to reconsider how you are using tenants and applications. Depending on your business requirements, registering a user to a new application rather than a completely separate tenant removes a few steps from a workflow as described.

                  Reference documentation -> https://fusionauth.io/docs/v1/tech/apis/

                  Thanks,
                  Josh

                  danD 1 Reply Last reply Reply Quote 1
                  • danD
                    dan @joshua
                    last edited by

                    Another option that works as of today is to set up a tenant to tenant connector.

                    Add a connector to the new tenant. Point it at the /api/login endpoint of the old tenant, including an API key as a header.

                    Change your app to send everyone to a new application in the new tenant.

                    When the user logs in to the new application, if it is the first time they've been seen, the old tenant data, including password, will be queried. The password hash will be transparently migrated to the new tenant.

                    This slow migration takes time, but is another option.

                    --
                    FusionAuth - Auth for devs, built by devs.
                    https://fusionauth.io

                    1 Reply Last reply Reply Quote 0
                    • danD dan marked this topic as a question on
                    • danD dan has marked this topic as solved on
                    • First post
                      Last post