Azure Virtual Network Peering Options Explained

Posted on by Imran Rashid
Reading Time: 5 minutes


In this post I explain the configuration options available when configuring Virtual Network Peering in Azure. The post will mention Azure Virtual Networks, Azure VPN Gateway, Network Security Groups, Network Service Tags and User Defined Routes, however, these features will not be covered in this post. You can click the embedded links to learn more. The aim of this post is to explain the Virtual Network Peering configuration options only.

When configuring VNET (Virtual Network) peering in the Azure Portal, we come across the options below and we’ll take a look at the purpose of each one.

In my demo, I have named my Virtual Networks VNET1, VNET2 and VNET3.

Configuration option 1: Allow ‘VNET1’ to access ‘VNET2’


Explanation:
This option is enabled by default and allows resources in VNET1 to communicate with resources in  VNET2 over the Microsoft private network. If you disable this default option, resources in VNET1 cannot communicate with resources in VNET2, you’re basically disabling communication between the VNET’s.

Note: If you’re using Network Security Groups (NSG) which are used to allow and deny inbound and outbound traffic, the default VirtualNetwork service tag inside a Network Security Group (NSG) allows Virtual Network and peered traffic by default, therefore, communication between VNET1 and VNET2 could be blocked if you deny the default traffic inside an Network Security Group (NSG).


Configuration option 2: Allow ‘VNET1’ to receive forwarded traffic from ‘VNET2’


Explanation:

This option is not enabled by default.

To explain the purpose of this configuration I have drawn a diagram. In the drawing below VNET1 is peered to VNET2 and VNET2 is peered to VNET3.

If we enable this option on VNET1 (Allow ‘VNET1’ to receive forwarded traffic from ‘VNET2’), this means that VNET1 can receive traffic from VNET3. The traffic which flows through an NVA (Network Virtual Appliance) deployed in VNET2 is forwarded from VNET2 to VNET1. The blue line below represents traffic from VNET3 flowing through the NVA located in VNET2 and forwarded to VNET1.

Note: this option is only enabling the capability and does not automatically create an Network Virtual Appliance (NVA) or a User Defined Route (UDR) for you. You will need to create these as separate tasks.


I’ll be covering the last two options (options 3 and 4) togetehr as they relate to each other.

Configuration option 3: Allow gateway in ‘VNET1’ to forward traffic to ‘VNET2’

Note: This option is enabled on VNET2 settings and not VNET1 settings


Configuration option 4: Enable ‘VNET1’ to use ‘VNET2’s’ remote gateway


Explanation:

Both options are not selected by default.

Firstly, Option 4 (Enable ‘VNET1’ to use ‘VNET2’s’ remote gateway can only be enabled if ‘VNET2′ has a remote gateway. By enabling this option we are allowing VNET1 to use the remote gateway in VNET2’. Let’s dig deeper to understand this further.

You would enable this option if you have implemented a Gateway and required traffic to flow through one of these appliances. For example, VNET2, the Virtual Network you’re peering with has a Azure VPN gateway that enables communication to an on-premises network. You would need to enable this option to instruct VNET1 to use the VPN gateway (located in VNET2) if traffic needs to flow to on-premises. A user defined route would need to be created to facilitate the communication alongside this option. A User Defined Route (UDR) is not automatically created.

Once the above configuration is enabled, there is another requirement. This is where Option 3 comes in. However, we don’t enable this option in the configuration of VNET1, but it’s configured in VNET2 settings. Let me explain further below.

When we create a VNET peering, the peering wizard in the portal creates two VNET peering’s. One from VNET1 to VNET2 and one back from VNET2 to VNET1. As show in the image below.


In this example, lets assume that the Azure VPN Gateway has been deployed in VNET2, which is the virtual appliance connecting to our on-premises network. Because the VPN Gateway resides in VNET2, I would configure the option, ‘Enable ‘VNET1’ to use ‘VNET2’s’ remote gateway’ in VNET1 settings. That’s where the first arrow in the image below points to.

In VNET2 setting which is peering back to VNET1, I configure the option, ‘Allow gateway in ‘VNET2’ to forward traffic to ‘VNET1’. This setting will allow ‘VNET1’ to receive forwarded traffic from ‘VNET2’s’ VPN gateway. Again, a reminder that ‘VNET2’ must contain a gateway in order for this option to be enabled.

Now, if resources in VNET1 required to communicate with the on-premises network, the traffic from VNET1 would be allowed to flow through the VPN Gateway located in VNET2 and down to on-premises. And traffic flowing from the VPN Gateway located in VNET2 would be able to communicate with resources in VNET1 forwarded through the VPN Gateway, for example traffic coming from on-premises or a Point-to-Site (P2S) VPN user could flow through the VPN Gateway and access VNET1. As mentioned earlier you would still need to create a User Defined Route (UDR) to route the traffic accordingly.


The diagram below shows,

– The option ‘Allow gateway in ‘VNET2′ to forward traffic to VNET1’ enabled on VNET2
– Enable ‘VNET1’ to use ‘VNET2’s’ remote gateway configured’ enabled on VNET1

Traffic flowing from on-premises or a Point-to-site (P2S) VPN through the Azure VPN Gateway located in VNET2 could reach VNET1 if needed, and traffic from VNET1 could use the VPNGateway in VNET2 to reach on-premises.

I hope the above drawings and explanations help. If you have any questions or feedback please feel free to comment below. See you at the next post. Thanks for tuning in.

How do I get started with Microsoft Azure?

Posted on by Imran Rashid
Reading Time: 7 minutes


I receive messages from individuals asking, “how do I get started with Microsoft Azure?” The messages I receive come from individuals who work in Tech and want to explore the world of Microsoft Azure. I thought it would be a good idea to create a post to help anyone looking to get started with Microsoft Azure.

There is a ton of useful information out there when wanting to learn Azure, and it can be difficult to select the resources to get you started which can in turn cause confusion. In this post I recommend a few learning resources to allow you to get started and learn Microsoft Azure Fundamentals, basically allowing you to take your first steps into the world of Microsoft Azure. This is what I recommend and may not be what others recommend.

I have previously documented a list of Azure resources at the following link, Useful Azure Resources, which you may find useful after going through the learning content below. The link includes a larger number of useful learning resources and tools. However, the aim of this post is to help you get started without having to search through lots of resources.

1. Free Azure Fundamentals Learning Path

  • Learning path >> Azure Fundamentals
  • Estimate time to cover content: 1 hour, however, take your time with the content and ensure you understand it before moving on. Your progress is saved so you can always return and continue from where you left.

I find that most people I come across are surprised to learn that there is free content available to anyone wanting to get started with Microsoft Azure, and therefore, I would like to start with the Azure Fundamentals course available for free via the Microsoft Learn website.

Microsoft Azure fundamentals is a three-part series that teaches you basic cloud concepts, provides a streamlined overview of many Azure services, and guides you with hands-on exercises to deploy your very first services for free.

I am sure that most people you speak to will recommend that anyone wanting to get started with Azure, should start with the Azure Fundamentals course.

Microsoft Learn offers lots of free self paced courses that you can go through in your own time. It is one of my favourite learning resources and a website I will visit when wanting to learn and prepare for new Microsoft certifications.

2. AZ-900 Azure Fundamentals Study Cram YouTube

YouTube >> AZ-900 Azure Fundamentals Study Cram
Estimated time: the video is 3 and half hours in length

John Savill owns a YouTube channel, a hobby of his, where he enjoys sharing knowledge about Microsoft Azure related content. John is a well known individual in the world of Azure. His AZ-900 Azure Fundamentals Study Cram video has had over 900,000 views and from the comments you’ll see how his video has helped individuals pass the Azure Fundamentals (AZ-900) certification. John covers the content from the Microsoft Learn website I posted in point 1 above in a visual/whiteboard format. I would recommend you go through the Microsoft Learn content in step 1 above and reinforce your knowledge with John Savill’s study cram on YouTube.

3. Free Microsoft Virtual Training Days

Free online (Registration required) >> Microsoft Virtual Training Days
Estimate duration: Azure Fundamentals usually covered over two days (3 hours per day). Duration of other courses may vary.

If you’re looking for a free online course which covers the fundamentals of Azure with live moderation where you can ask questions and get them answered live, let me introduce to you the Microsoft Virtual Training Days. Microsoft Virtual Training Days will show you how to be purposeful and ready to take on your next transformation challenge. Whether it’s the fundamentals of the Azure cloud, developing native apps, migrating servers, or managing cloud operations, or more complex skills like modernising web apps and data, implementing AI, or building data warehouses.

Check to see if there is a course available for Azure Fundamentals and get yourself registered. Explore other virtual training days later to grow your Azure knowledge further.

4. Practice test questions

You may want to take an exam and become Azure Fundamentals certified. The certification code is AZ-900. A common question I come across is, are there any free practice test questions I can go through to practice before taking the real exam. Yes, there are Microsoft official practice assessments available for free. You can take the assessments as many times as you like. These assessments have been created by the same team that develops the real Microsoft certification exams and are updated in step with certifications to keep them relevant and up to date.

Here is how you can access the free practice questions,

  1. Visit the official Azure Fundamentals certification page, Exam AZ-900: Microsoft Azure Fundamentals
  2. Scroll down (half way ish) and click Take a free practice assessment as shown in the image below. Login with a personal account such as hotmail, outlook or live email account.


If you’re interested in a list of all free practice assessments currently available for the different Microsoft certifications, here is the link, Practice Assessments for Microsoft Certifications.

I hope you find the above resources useful and I wish you all the best in your learning journey. I’m sure you may have further questions, incase you do, please have a read of the FAQ section below. If your question is not covered, use the comments section below to post a question.

FAQ’sFrequently Asked Questions

Here is a list of frequently asked questions. If you have any further questions, please feel free to comment below. If you’re totally new to Azure, some of the questions below may not make sense just yet, but I’m sure they will once you have got through your Azure Fundamentals. Good luck!

  • How do I book the exam?
    1. Visit the official AZ-900 certification page, scroll down and click schedule the exam
    Exam AZ-900: Microsoft Azure Fundamentals – Certifications

  • Can I book the exam for free?
    You must pay for the exam, but from time to time, Microsoft offer exam discounts at events allowing you to book the exam for free, such as the Cloud Skills Challenge. If no such offer is available, I would recommend you reach out to your companies training department to find out if they are able to help with a discount code. If you’re a student you may be eligible for a discount, visit the Microsoft Learn student hub to find out more.

  • Is the exam moderated?
    Yes, you will be moderated by an individual when taking the exam.

  • I have never taken a Microsoft exam before, what does the exam look like?
    Microsoft offer a free exam sandbox environment which will give you an idea of the exam format, and the different types of questions which may appear, here is the link, Exam Sandbox

  • Do I need to go into a exam test centre to take the exam?
    No, when booking the exam, you have the option to visit the nearest test centre or take the exam from home. Exam guidelines/rules are provided when you book the exam. There are additional rules when taking the exam from home. These will be provided to you when you book the exam, however, if you’re wanting the information now, visit the following link About online exams with Pearson VUE

  • Once I pass the exam, does the Azure Fundamentals certification expire?
    No, Microsoft fundamental certifications do not expire and are with you for life. The advanced certifications do expire every year, however these certifications can be renewed for free, are open book and not moderated. Further details on renewing non-fundamentals certifications at the following link, Microsoft Certification Renewal

  • Can I retake the exam for free if I fail?
    No, you must book again and pay for it or use a free code if you have access to one. I would recommend you visit the Microsoft Exam policies page below for details
    Exam policies and FAQs | Microsoft Learn

  • What if I have further questions when learning about Azure?

    You can ask for advise or seek help via,

    Microsoft Learning Rooms – Join a learning room for free. Facilitated by Microsoft Learn experts, learning rooms are designed to offer you a dedicated and safe environment where you can directly engage with an expert and dive deep into topic-specific questions via asynchronous discussions and virtual sessions.

    Microsoft Support Community – Get answers from a community of experts

    Microsoft Q&A – Find it on Q&A — the home for technical questions and answers at Microsoft.

  • Do Microsoft offer a free trial of Azure?
    Yes,
    Free Trial: Create Your Azure Free Account Today
    Free Trial for Students: Azure for Students – Free Account Credit

    There is also a 365 developer program which provides you access to 25 free Entra ID P2 licenses. Note that you can not build resources such as Virtual Machines, Virtual Networks etc in this sandbox subscription. For further details visit the following link, Developer Program. Not to be used for production use.

  • Do you have a personal list of useful Azure resources?
    Yes, here it is. This list may come in use to you as you grow and learn about Azure. The list includes a list of learning resources and useful links/tools.
    Useful Azure Resources | Cloud Build


  • Are there any free Microsoft verified credentials I could take to help me in my job and career?
    Yes, Microsoft have recently announced (October 2023) a new initiative called Applied Skills Credentials. These credentials are based on targeted validation for real-world scenarios which allows you to skill up for in-demand technical scenarios to demonstrate proficiency in specific, scenario-based skill sets so you can make a bigger impact on every project, at your organisation, and in your career.

    These verified credentials are focused on a specific skill set, are lab based so you are required to complete a few tasks. These assessments are open book so you can carry out some research if you’re not sure how to complete a task and are not moderated. A list of these free Microsoft verified credentials are available at Applied Skills Credentials. Stay tuned as more are being added. If you wish to learn more about Applied Skills Credentials, here is the official Applied Skills announcement page, Announcing Microsoft Applied Skills

  • How did others get started with Microsoft Azure? it would be great to read about their experiences and what they recommend?
    Check out AzureCrazy.com. A website where you can read written interviews from existing users of Microsoft Azure and how they started their journey.

  • My question is not listed
    Please post your question in the comments section below

Azure Entra ID B2B External Collaboration Settings Explained

Posted on by Imran Rashid
Reading Time: 8 minutes

In Azure Entra ID (Formerly Azure AD), you have the option to create different types of users, including internal users and inviting external users as guests. Internal users exist in your internal organisation, for example, employees on your payroll.

However, there is also the option to invite external users (B2B collaboration) to use your Azure resources. This is a great benefit, as long as it’s done in a secure method. Why would you want to invite external users to your Entra ID tenant? Inviting external users in Entra ID can help you collaborate with people outside your organisation. Once invited, you can assign external users to roles and groups. For example, you may wish to invite a contractor to help you with a project such as a Sharepoint project, a migration project or invite guests into your Microsoft Teams conversations.

In this post, I will go through the options available on how to enable secure B2B collaboration in Azure Entra ID and I will take you through what permissions guests are assigned by default (out of the box) when you first setup an Azure tenant.


What permissions are guests granted by default?
A great place to start is to understand what guests can do by default. By default, guest users are set to a limited permission level that blocks them from enumerating users (find out information about other users in the same tenant by using their object IDs or UPNs) and groups, or other directory resources. However, the default setting allows them to manage their own profile and retrieve some information about other users, groups, and apps, such as read display name, email, sign-in name, photo, user principal name, read manager and direct report information, search for groups by display name, read properties of registered and enterprise applications and list permissions granted to applications. By default, Internal users have more access compared to guest users. For a complete list of permissions allowed by default and a comparison of permissions between internal and guest users, visit the following link, Default user permissions

The default configuration for guest users can be located by following the instructions below,

1. Access Entra ID (Formerly Azure AD)
2. Click User settings from the left pane
3. Three radio buttons appear under guest user access in the right pane, see image below.
4. You can also access these settings by scrolling to the bottom and clicking the link manage external collaboration settings

Below is the default configuration for guest users as explained above,


What are the additional two options?

Guest users have the same access as members (most inclusive): This option will give guests the same permissions as internal users.

Guest user access is restricted to properties and memberships of their own directory objects (most restrictive): This is the most restrictive and only allows guests to access their own profiles and they can not view other user profiles or group membership.

Who can invite guests by default?
A default configuration allows all users (including non-admins) and guests in your directory to invite guests. However, built in external collaboration settings will allow you to control who can invite guests in your environment. Let’s take a look where to locate this configuration.

  1. Access Entra ID
  2. Click user settings from the left pane


3. Scroll to the bottom of the page and click, manage external collaboration settings


4. Here is the default option allowing anyone to invite guests,


What are the additional three options?

Member users and users assigned to specific admin roles can invite guest users including guests with member permissions: only allow members or any users with admin roles to invite guests.

Only users assigned to specific admin roles can invite guest users: Only allow users with administrator roles assigned including Global Administrator, User Administrator and Guest Inviter roles.

No one in the organization can invite guest users including admins (most restrictive): You’re not allowing anyone to invite guests in your organisation.

What is the option External user leave settings?


This option allows external users to remove themselves from your organisation without approval. The guest user can remove access via account.microsoft.com, clicking manage organization and clicking the option to leave under other organization you collaborate with.

If the option shown in the image above is set to no, the external user will not be allowed to leave your organisation and will have to email the privacy contact in your organisation.

The external user leave settings option is enabled by default and can be located on the external collaboration settings page. If you’re not still on that page. Here is a reminder of how to get there,

1. Access Entra ID
2. Click User Settings
3. Scroll down
4 Click external collaboration settings which appears below guest invite settings as shown below


Where is the Privacy email contact set?
1. Access Entra ID
2. Click Properties


Note: Microsoft strongly recommend you add both your global privacy contact and your organisation’s privacy statement, so your internal employees and external guests can review your policies. Because privacy statements are uniquely created and tailored for each business, Microsoft strongly recommend you contact a lawyer for assistance. More info at the following link Your organization’s privacy info

What is the option Enable guest self-service sign up via user flows?


The option guest self-service sign up via user flows allows an organisation to create user flows that allow a user in a partner organisation to sign up for an app and create a new guest account in your tenant. A self service sign up user flow defines the series of steps the user will follow during sign up, such as adding name, telephone number and any other attributes you wish to collect at the sign up stage. You can also configure the identity provider you’ll allow guests to use when signing into your application.

Note: You can associate user flows with apps built by your organisation. User flows can’t be used for Microsoft apps, like SharePoint or Teams.

If you wish to publish a customer facing application, an Azure AD B2C instance is one you may want to look at.

This option enable guest self-service sign up via user flows is disabled by default.


Once the above option is switched to Yes it will automatically create you a registered app which will be used by Entra ID and should not be modified. This automatically created app is visible by accessing Entra ID > App Registrations and clicking all applications to view the newly created app registration, as shown below.


A number of custom attributes are also enabled. Here are the default ones, however you can add your own custom user attributes which can be presented to the guest user at sign up.

Let’s look at how to create a user flow to allow partners to sign up,


1. Click user flows


2. Here I configure the flow my partner will go through to sign up for my company app I want to make available to guests. If I specified any custom attributes they would appear here.


3. There are also two identity providers which appear by default. Identity providers are the different types of accounts the users signing up can use to log/authenticate into my application.


3. We could configure additional identity providers my partner guests can use to sign into my app, such as Google and Facebook. Additional identity providers can be configured by following the instructions below,

– Click Entra ID
– Click External Identities
– Click All identity providers

Once configured the additional identity providers would appear in your user flow and be available for you to enable, and depending on which ones you select, will be visible to the guest when signing up to access your app.


4. Once the user flow is created, you can customise it and link it to the application registered in Entra ID. The option to link an application is available after you go through the user flow creation wizard, and is located in the left pane.

Can I control the domains my organisation can invite guests?

Yes, below, however you may wish to use a newer feature which offers granular control, visit my post Cross Tenant Access

Collaboration restrictions by default allows invitations to be sent to all domains, however this can be locked down to allow or deny domains, including non Entra ID organisations such as hotmail, gmail etc

What are cross-tenant access settings displayed as a warning in the image below?


I have documented this feature in a separate post, click the following link Cross Tenant Access

Can external identity controls be configured from anywhere else in the portal?

Yes

Option 1:
The option we have already discussed. Here it is again,
– Access Entra ID
– Click User Settings
– Scroll down
– Click the link Manage external collaboration settings

Option 2:
– Access Entra ID
– Click External Identities from the left pane


– Click Set up external collaboration settings (image below)


Option 3:
Slightly off topic. You can also control what guests can do in Microsoft Teams such as being able to delete messages, post memes, video calls and so on.

Instructions on how to access guest settings in Teams are below, but for more info on guest access in Teams, visit the following link Guest access in Microsoft Teams

Microsoft Teams
1. Visit the teams portal, admin.teams.microsoft.com
2. Expand users (left pane)


The options above are where you can control what guests can do once added to your Teams conversations.

SharePoint and One drive restrictions
For more info on guest access in SharePoint and OneDrive, visit the following link Manage sharing settings for SharePoint and OneDrive in Microsoft 365. Instructions below on how to access guest controls for SharePoint and Onedrive.

1. Visit admin.microsoft.com
2. Expand admin centres from the left pane
3. Click SharePoint
4. Expand Policies from the left pane

How are guest users in Entra ID licensed?

Licensing for guests works differently compared to internal accounts. Visit the following page, Pricing – Active Directory External Identities

For further reading on Entra ID External Identities, visit the following link at Microsoft Learn, Microsoft Entra External ID overview | Microsoft Learn

and that’s it. I hope you found this post useful. Please feel free to comment below with any feedback you may have.

Thanks and see you at the next post 🙂

Entra ID Protection – Free Leaked Credential Detections

Posted on by Imran Rashid
Reading Time: 3 minutes

Microsoft are offering Free Leaked Credential Detection reports for all licenses including the free version of Entra ID. In this post, I’ll take you through how to access the leaked credential detection logs from the Entra ID portal.

What are Leaked Credentials in Azure?
When cybercriminals compromise valid passwords of legitimate users, they often share or sell the credentials by posting publicly on the dark web or paste sites. When the Microsoft leaked credentials service acquires user credentials from the dark web, paste sites, or other sources, they’re checked against Microsoft Entra users’ current valid credentials to find valid matches. If a match is found, a service called Entra ID Identity Protection can be configured to allow users to self remediate the security risk by forcing them to go through a password reset or you could block access. I don’t intend to go into what Identity Protection has to offer, but you can find out more at the following link, What is Identity Protection

What license is required to use Identity Protection?
To make use of all capabilities of Identity Protection including allowing the user to self remediate, Entra ID P2 or Microsoft 365 E5 licenses are required. However, Microsoft are now providing leaked credential detection reports for free and the purpose of this post is to show you where these logs can be accessed.

Password Hash Synchronisation
To benefit from leak credential detections, a requirement is to enable Password Hash Synchronisation. For more information on the different authentication methods including Password Hash Synchronisation, click the following link Authentication for Microsoft Entra hybrid identity solutions

Entra ID Protection Free Leaked Credential Detections

Back to the purpose of this post, Microsoft are allowing the capability to check if any leaked credentials were detected without any license requirements. Yes, leaked credential detection reports are free to access. If leaked credentials are detected, the compromised user accounts will be written to Azure logs allowing your administrators to take action.

To access these logs,

  1. Login to Entra ID via entra.microsoft.com
  2. Expand Protection from the left pane and click Identity Protection

3. Click risk detections

4. Click detection type, select Leaked credentials and click apply.

If any leaked credentials have been detected, they would be logged here.

As per the below table from Microsoft, Leaked credential detections are accessible for free and no longer a premium license feature.

Source: What are risks in Microsoft Entra ID Protection

That’s it. See you at the next post.

Entra ID cross-tenant access

Posted on by Imran Rashid
Reading Time: 9 minutes


In this blog post I will explain the benefits of using the feature cross-tenant access when configuring B2B (Business to Business) collaboration.

What is cross-tenant access in Entra ID?

Cross-tenant access gives you granular control over how external Microsoft Entra organisations collaborate with you (inbound access) and how your users collaborate with external Microsoft Entra organisations (outbound access). These settings also let you trust multi-factor authentication (MFA) and device claims (compliant claims and Microsoft Entra hybrid joined claims) from other Microsoft Entra organisations. More on this later.

Requirements
1. To configure trust settings or apply access settings to specific users, groups, or applications, you’ll need a Microsoft Entra ID P1 license. The license is required on the tenant that you configure. For B2B direct connect, where mutual trust relationship with another Microsoft Entra organisation is required, you’ll need a Microsoft Entra ID P1 license in both tenants.

2. Permissions required, to configure cross-tenant access settings in the Microsoft Entra admin center, you’ll need an account with a Global administrator, Security administrator or a custom role. admins assigned the Teams administrators role can read cross-tenant access settings, but they can’t update these settings.

Let’s discuss Entra ID cross-tenant access,

We have always been able to invite users to our Entra ID Tenant as guests, for example, a guest could be a contractor who is assisting my organisation with a project. By default, anyone in your organisation can invite guests. Yes, that’s correct, but we are able to reconfigure the default permissions and control what guests can and can’t do. See my blog post Azure Entra ID External Identities for details on default guest permissions.

Today, we are able to decide whether we want to invite guest users into our Entra ID tenants, block guest invitations entirely, lock down who can and can’t invite guest users into out organisation or allow guest invitations from certain domains/companies you trust. Note that the default option allows sending guest invitations to any domain/organisation by any user including guests, see screenshot below. If you’re interested to learn more about default guest permissions, I cover guest permissions at Azure Entra ID External Identities


The screen shot above shows some text referring to cross-tenant access settings, a newer feature on the block. How is this new feature of benefit and what does it do? That’s what I’ll be covering in this post.

Prior to the cross tenant access feature being released, you could control from which organisations you wanted to allow and deny users being inviting as guests into your Entra ID tenant as shown in the image below.

Note: Continue using the below configuration for non-Microsoft Entra tenants such as @hotmail accounts. At the time of writing this post, the new cross tenant access settings only supports collaboration with other Entra ID tenants.


The option above to allow guests users to be invited from specified domains is great, but,

  • What if you wanted to prevent your employees from being invited to another third party Entra ID tenant as guests? We can allow and deny others to be invited as guests into your Entra ID tenant by configuring target domains (shown in image below) but what about the opposite (outbound), controlling whether your users can be invited to another Entra ID tenant as a guest.

  • or may be you only want selected users or groups in your tenant to be allowed invitations as guest users to a third party Entra ID tenant for collaboration reasons.

  • or you allow all members in your organisation to be invited to specific third party Entra ID tenants only. The ones you trust.

  • Or you would like guests invited to your Entra ID to only use certain Entra ID Apps in your organisation as soon as they are added as a guest user.

  • Or you require added security, such as guests who login to your services need to go through MFA (Multi Factor Authentication), or be using a trusted compliant device in their home Entra ID tenant before they are authorised to gain access to you environment. These checks would need to happen in the guest users Entra ID and not your Entra ID Tenant.

The good news is that Entra ID cross-tenant access provides this granular control to allow inbound and outbound B2B (Business to Business) access.

Let’s take a look at where this feature resides in the Azure Portal.

  1. Access Entra ID. I’ll be accessing via portal.azure.com
  2. From the left pane, click External Identities


3. Click Cross-tenant access settings


4. Here we have a few tabs including organizational settings, default settings and Microsoft cloud settings


5. Let’s take a look at the default settings tab first. Click the default settings tab.

Permissions required: to configure cross-tenant access settings, you’ll need an account with a Global administrator or Security administrator role. Admins part of the Teams administrators role can read cross-tenant access settings, but they can’t update these settings.

Default settings: apply to all Entra ID tenants across the world. These default settings can be modified but not deleted.
Inbound Defaults: Allows sending people from other Entra ID Tenants invites to make them guests in your Entra ID tenant.
Default outbound: Allow users in your Entra ID tenant to be added as guests in other Entra ID tenant, so others can invite your employees as guests to their orgainisations.


Let’s take a look at the default settings. A reminder that the default settings can be changed but not deleted.

IMPORTANT: modifying these default settings could cause an impact with any organisations you are already collaborating with. If you would like insights into how your users are collaborating with other organisations before configuring cross tenant access settings, the cross-tenant access activity workbook helps you understand which external users are accessing resources in your organisation, and which organisations’ resources your users are accessing. This workbook combines all your organisation’s inbound and outbound collaboration into a single view.

The free workbook providing these insights can be located at,
– Entra ID
– Click Workbooks from the left pane
– Click Cross-Tenant access activity


Default Inbound Settings

Note: Read all of the post until the end before changing any configuration

6. Click Edit inbound defaults


The default setting below allows all external users to be invited into your Entra ID tenant as guests.


7. Click the Applications tab


The default app configuration allows guests access to your applications in Entra ID, or you have the option to block default access, or select specific applications guests can access in your organisation.

Default outbound settings

8. Click Outbound settings.

Outbound settings allows your users to be invited as guests to other Entra ID tenants. Like inbound settings, you can configure the settings to only allow certain users to be invited to other Entra ID tenants. You could also configure the Entra ID apps your users can access in other tenants, however you will require the ID of the application.

B2B Direct Connect option

9. Click the B2B direct connect

B2B direct connect is disabled by default, both inbound and outbound.


B2B direct connect allows you to set up a mutual trust relationship with another Microsoft Entra organisation for seamless collaboration. This feature currently works with Microsoft Teams shared channels only. With B2B direct connect, users from both organisations can work together using their home credentials and a shared channel in Teams, without having to be added to each other’s organisations as guest users. Use B2B direct connect to share resources with external Microsoft Entra organisations or use it to share resources across multiple Microsoft Entra tenants within your own organisation. There is no need to invite guests manually as B2B Direct connect creates a mutual trust between both organisations. The organisation you are working with will also need to configure B2B Direct Connect for this to work.

Trust Settings option

10. Click the Trust settings tab


Trust settings: when device trust settings are enabled, Microsoft Entra ID checks a user’s authentication session for a device claim. If the session contains a device claim indicating that the policies have already been met in the user’s home tenant, the external user is granted seamless sign-on to your shared resource. For example, the user needs to go through MFA (Multi Factor Authentication) in their home Entra ID tenant before being able to sign in to your tenant. These checks if enabled, Trust multifactor authentication from Microsoft Entra tenants, trust compliant devices (Intune or 3rd party MDM solution) and trust Microsoft Entra hybrid joined devices will be checked at the guests home tenant before they can sign in to your tenant as a guest. If the selected conditions are not met, the guest user will not be granted access.

Organizational settings option

11. Click the organizational settings tab


This is where you can add Entra ID tenants and customise the settings overriding the collaboration settings configured at the default settings tab. This is great as it allows you the freedom to configure different policies for different organisations you wish to collaborate with. Basically allowing you to over ride the default settings and with granular control on a per organisation basis.

12. Click Add organization


Here you add the tenant ID or tenant domain of the company you would like to collaborate with, and click the add button.


Here is one I added,


The image above shows one of my Entra ID tenants I added, the settings inherited from the default settings tab we visited earlier.

I can configure my own inbound and outbound access configuration instead of inheriting them from the default policies, allowing me to configure granular inbound or outbound permissions for different organisations I may wish to collaborate with. If the organisation does not exist in the organisational settings tab, the default settings we visited earlier will apply.

Microsoft cloud settings

13. Click the Microsoft cloud settings tab

This option allows you to collaborate with sovereign Azure customers if there was a requirement to do so. Although all regions are Azure regions, these sovereign regions (Azure Government and Azure China) are isolated from the rest of Azure.

Tenant restrictions V2 (In preview since 25th May 2023)

At the time of writing this post, the latest cross-tenant access feature is Tenant restrictions V2. A feature which is in preview.

Tenant restrictions enables tenant admins to control if employees can access external apps using an external issued account, and then use that externally issued account from a third party to access the external app from an organisational owned device on your network.

For example, Andrew Doe is an employee of Contoso Ltd and is doing some consulting work for another company named Fabrikam Ltd. Fabrikam Ltd create and issue a user account for Andrew Doe to access Fabrikam resources. Andrew Doe needs to access Fabrikam resources while using the Contoso issued device on Contoso’s network. The admin of Contoso wants to contain data exfiltration risk by blocking access for all other external identities from organisation devices except for enabling access to Andrew Does Fabrikam account. Tenant Restrictions allows the Contoso admin to configure granular access controls on a per organisation basis using the organisational settings tab we went through above.

Tenant restrictions v2 can be scoped to specific users, groups, organisations, or external apps. Apps built on the Windows operating system networking stack are protected, including:

  • All Office apps (all versions/release channels).
  • Universal Windows Platform (UWP) .NET applications.
  • Auth plane protection for all applications that authenticate with Microsoft Entra ID, including all Microsoft first-party applications and any third-party applications that use Microsoft Entra ID for authentication.
  • Data plane protection for SharePoint Online and Exchange Online.
  • Anonymous access protection for SharePoint Online, OneDrive for business, and Teams (with Federation Controls configured).
  • Authentication and Data plane protection for Microsoft tenant or Consumer accounts.
  • When using Universal tenant restrictions in Global Secure Access (in preview at the time of writing), all browsers and platforms.
  • When using Windows Group Policy, Microsoft Edge and all websites in Microsoft Edge.

Note: Tenant restrictions are independent of other cross-tenant access settings, so any inbound, outbound, or trust settings you’ve configured won’t impact tenant restrictions.

At the time of writing Tenant restrictions V2 is currently in preview and should not be used in production. Visit the following link for further details and setup instructions, Configure tenant restrictions – Microsoft Entra ID – Microsoft Entra | Microsoft Learn


For more information on Cross-tenant access, visit the following Microsoft Learn link, Cross-tenant access overview | Microsoft Learn

and that’s it for now. I hope you found this post useful. As always if you have any questions or feedback, please drop a comment below.

See you at the next one