Entra ID cross-tenant access



In this blog post I will explain the benefits of using the cross-tenant access feature when configuring B2B (Business to Business) collaboration.

What is cross-tenant access in Entra ID?

Cross-tenant access gives you granular control over how external Microsoft Entra organisations collaborate with you (inbound access) and how your users collaborate with external Microsoft Entra organisations (outbound access). These settings also let you trust multi-factor authentication (MFA) and device claims (compliant claims and Microsoft Entra hybrid joined claims) from other Microsoft Entra organisations. More on this later.

Requirements
1. To configure trust settings or apply access settings to specific users, groups, or applications, you’ll need a Microsoft Entra ID P1 license. The license is required on the tenant that you configure. For B2B direct connect, where a mutual trust relationship with another Microsoft Entra organisation is required, you’ll need a Microsoft Entra ID P1 license in both tenants.

2. Permissions required: to configure cross-tenant access settings in the Microsoft Entra admin center, you’ll need an account with a Global administrator, Security administrator or a custom role. Admins assigned the Teams administrators role can read cross-tenant access settings, but they can’t update these settings.

Let’s discuss Entra ID cross-tenant access

We have always been able to invite users to our Entra ID Tenant as guests, for example, a guest could be a contractor who is assisting my organisation with a project. By default, anyone in your organisation can invite guests. Yes, that’s correct, but we are able to reconfigure the default permissions and control what guests can and can’t do. See my blog post Azure Entra ID External Identities for details on default guest permissions.

Today, we are able to decide whether we want to invite guest users into our Entra ID tenants, block guest invitations entirely, lock down who can and can’t invite guest users into our organisation, or allow guest invitations from certain domains/companies you trust. Note that the default option allows sending guest invitations to any domain/organisation by any user, including guests; see the screenshot below. If you’re interested in learning more about default guest permissions, I cover guest permissions at Azure Entra ID External Identities.


The screen shot above shows some text referring to cross-tenant access settings, a newer feature on the block. How is this new feature of benefit and what does it do? That’s what I’ll be covering in this post.

Prior to the cross-tenant access feature being released, you could control which organisations’ users were allowed or denied being invited as guests into your Entra ID tenant, as shown in the image below.

Note: Continue using the below configuration for non-Microsoft Entra tenants such as @hotmail accounts. At the time of writing this post, the new cross-tenant access settings only support collaboration with other Entra ID tenants.


The option above to allow guest users to be invited from specified domains is great, but:

  • What if you wanted to prevent your employees from being invited to another third party Entra ID tenant as guests? We can allow and deny others to be invited as guests into your Entra ID tenant by configuring target domains (shown in image below), but what about the opposite (outbound): controlling whether your users can be invited to another Entra ID tenant as a guest?

  • Or maybe you only want selected users or groups in your tenant to be allowed invitations as guest users to a third party Entra ID tenant for collaboration reasons.

  • Or you allow all members in your organisation to be invited to specific third party Entra ID tenants only. The ones you trust.

  • Or you would like guests invited to your Entra ID to only use certain Entra ID Apps in your organisation as soon as they are added as a guest user.

  • Or you require added security, such as guests who log in to your services needing to go through MFA (Multi Factor Authentication), or to be using a trusted compliant device in their home Entra ID tenant, before they are authorised to gain access to your environment. These checks would need to happen in the guest user’s Entra ID tenant and not your Entra ID tenant.

The good news is that Entra ID cross-tenant access provides this granular control to allow inbound and outbound B2B (Business to Business) access.


Let’s take a look at where this feature resides in the Azure Portal.

  1. Access Entra ID. I’ll be accessing via portal.azure.com
  2. From the left pane, click External Identities


3. Click Cross-tenant access settings


4. Here we have a few tabs including organizational settings, default settings and Microsoft cloud settings


5. Let’s take a look at the default settings tab first. Click the default settings tab.

Permissions required: to configure cross-tenant access settings, you’ll need an account with a Global administrator or Security administrator role. Admins assigned the Teams administrators role can read cross-tenant access settings, but they can’t update these settings.

Default settings: apply to all Entra ID tenants across the world. These default settings can be modified but not deleted.
Inbound defaults: allow people from other Entra ID tenants to be sent invites that make them guests in your Entra ID tenant.
Outbound defaults: allow users in your Entra ID tenant to be added as guests in other Entra ID tenants, so others can invite your employees as guests to their organisations.


Let’s take a look at the default settings. A reminder that the default settings can be changed but not deleted.

IMPORTANT: modifying these default settings could impact any organisations you are already collaborating with. If you would like insights into how your users are collaborating with other organisations before configuring cross-tenant access settings, the cross-tenant access activity workbook helps you understand which external users are accessing resources in your organisation, and which organisations’ resources your users are accessing. This workbook combines all your organisation’s inbound and outbound collaboration into a single view.

The free workbook providing these insights can be located at:
– Entra ID
– Click Workbooks from the left pane
– Click Cross-Tenant access activity



Default Inbound Settings

Note: Read all of the post until the end before changing any configuration

6. Click Edit inbound defaults


The default setting below allows all external users to be invited into your Entra ID tenant as guests.


7. Click the Applications tab


The default app configuration allows guests access to your applications in Entra ID, or you have the option to block default access, or select specific applications guests can access in your organisation.


Default outbound settings

8. Click Outbound settings.

Outbound settings allow your users to be invited as guests to other Entra ID tenants. Like inbound settings, you can configure the settings to only allow certain users to be invited to other Entra ID tenants. You could also configure the Entra ID apps your users can access in other tenants; however, you will require the ID of the application.


B2B Direct Connect option

9. Click B2B direct connect

B2B direct connect is disabled by default, both inbound and outbound.


B2B direct connect allows you to set up a mutual trust relationship with another Microsoft Entra organisation for seamless collaboration. This feature currently works with Microsoft Teams shared channels only. With B2B direct connect, users from both organisations can work together using their home credentials and a shared channel in Teams, without having to be added to each other’s organisations as guest users. Use B2B direct connect to share resources with external Microsoft Entra organisations or use it to share resources across multiple Microsoft Entra tenants within your own organisation. There is no need to invite guests manually as B2B Direct connect creates a mutual trust between both organisations. The organisation you are working with will also need to configure B2B Direct Connect for this to work.


Trust Settings option

10. Click the Trust settings tab


Trust settings: when device trust settings are enabled, Microsoft Entra ID checks a user’s authentication session for a device claim. If the session contains a device claim indicating that the policies have already been met in the user’s home tenant, the external user is granted seamless sign-on to your shared resource. For example, the user needs to go through MFA (Multi Factor Authentication) in their home Entra ID tenant before being able to sign in to your tenant. There are three checks: trust multifactor authentication from Microsoft Entra tenants, trust compliant devices (Intune or 3rd party MDM solution) and trust Microsoft Entra hybrid joined devices. If enabled, they are checked at the guest’s home tenant before the guest can sign in to your tenant. If the selected conditions are not met, the guest user will not be granted access.


Organizational settings option

11. Click the organizational settings tab


This is where you can add Entra ID tenants and customise their settings, overriding the collaboration settings configured on the default settings tab. This is great as it gives you the freedom to configure different policies for different organisations you wish to collaborate with, overriding the default settings with granular control on a per-organisation basis.

12. Click Add organization


Here you add the tenant ID or tenant domain of the company you would like to collaborate with, and click the add button.


Here is one I added,


The image above shows one of my Entra ID tenants I added, with the settings inherited from the default settings tab we visited earlier.

I can configure my own inbound and outbound access configuration instead of inheriting them from the default policies, allowing me to configure granular inbound or outbound permissions for different organisations I may wish to collaborate with. If the organisation does not exist in the organisational settings tab, the default settings we visited earlier will apply.
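The override-or-inherit behaviour described above, together with the trust settings from step 10, can be checked offline against an export of the policy. This is an added example, not code from the original post or from Microsoft. It assumes the export follows the field names of the Microsoft Graph crossTenantAccessPolicy default and partner resources and that a setting missing or null on a partner entry means "inherit from default"; the sample data and tenant IDs are constructed and simplified.

```python
import json

# Constructed sample data, shaped like the Microsoft Graph
# crossTenantAccessPolicy "default" and "partners" resources (assumption).
DEFAULT = {
    "b2bCollaborationInbound": {"usersAndGroups": {"accessType": "allowed"}},
    "b2bCollaborationOutbound": {"usersAndGroups": {"accessType": "allowed"}},
    "b2bDirectConnectInbound": {"usersAndGroups": {"accessType": "blocked"}},
    "b2bDirectConnectOutbound": {"usersAndGroups": {"accessType": "blocked"}},
    "inboundTrust": {"isMfaAccepted": False, "isCompliantDeviceAccepted": False,
                     "isHybridAzureADJoinedDeviceAccepted": False},
}
PARTNERS = [  # tenant IDs are placeholders
    {"tenantId": "11111111-1111-1111-1111-111111111111",
     "b2bCollaborationOutbound": {"usersAndGroups": {"accessType": "blocked"}},
     "inboundTrust": {"isMfaAccepted": True, "isCompliantDeviceAccepted": False,
                      "isHybridAzureADJoinedDeviceAccepted": False}},
    {"tenantId": "22222222-2222-2222-2222-222222222222"},  # inherits everything
]
SETTINGS = list(DEFAULT)

def effective_policy(tenant_id, default=DEFAULT, partners=PARTNERS):
    """Per-organisation values win; missing/null values fall back to defaults."""
    partner = next((p for p in partners if p["tenantId"] == tenant_id), {})
    result = {}
    for name in SETTINGS:
        overridden = partner.get(name) is not None
        result[name] = {"value": partner[name] if overridden else default[name],
                        "source": "organisation" if overridden else "default"}
    return result

def review_findings(tenant_id):
    """Return the points an admin would want to double-check for this tenant."""
    eff, findings = effective_policy(tenant_id), []
    trusted = [k for k, v in eff["inboundTrust"]["value"].items() if v]
    if trusted:
        findings.append("trusts home-tenant claims: " + ", ".join(sorted(trusted)))
    for name in ("b2bDirectConnectInbound", "b2bDirectConnectOutbound"):
        if eff[name]["value"]["usersAndGroups"]["accessType"] == "allowed":
            findings.append(name + " is enabled")
    return findings

if __name__ == "__main__":
    unlisted = "33333333-3333-3333-3333-333333333333"  # not in organisational settings
    for tid in [p["tenantId"] for p in PARTNERS] + [unlisted]:
        sources = {k: v["source"] for k, v in effective_policy(tid).items()}
        print(tid, json.dumps(sources), review_findings(tid))
```

A tenant that is not listed in the organisational settings resolves every setting with source "default", matching the fallback described above.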


Microsoft cloud settings

13. Click the Microsoft cloud settings tab

This option allows you to collaborate with sovereign Azure customers if there was a requirement to do so. Although all regions are Azure regions, these sovereign regions (Azure Government and Azure China) are isolated from the rest of Azure.


Tenant restrictions V2 (In preview since 25th May 2023)

At the time of writing this post, the latest cross-tenant access feature is Tenant restrictions V2, which is in preview.

Tenant restrictions enable tenant admins to control whether employees can use an account issued by an external third party to access external apps from an organisation-owned device on your network.

For example, Andrew Doe is an employee of Contoso Ltd and is doing some consulting work for another company named Fabrikam Ltd. Fabrikam Ltd create and issue a user account for Andrew Doe to access Fabrikam resources. Andrew Doe needs to access Fabrikam resources while using the Contoso-issued device on Contoso’s network. The admin of Contoso wants to contain data exfiltration risk by blocking access for all other external identities from organisation devices, except for enabling access to Andrew Doe’s Fabrikam account. Tenant restrictions allow the Contoso admin to configure granular access controls on a per-organisation basis using the organisational settings tab we went through above.

Tenant restrictions v2 can be scoped to specific users, groups, organisations, or external apps. Apps built on the Windows operating system networking stack are protected, including:

  • All Office apps (all versions/release channels).
  • Universal Windows Platform (UWP) .NET applications.
  • Auth plane protection for all applications that authenticate with Microsoft Entra ID, including all Microsoft first-party applications and any third-party applications that use Microsoft Entra ID for authentication.
  • Data plane protection for SharePoint Online and Exchange Online.
  • Anonymous access protection for SharePoint Online, OneDrive for business, and Teams (with Federation Controls configured).
  • Authentication and Data plane protection for Microsoft tenant or Consumer accounts.
  • When using Universal tenant restrictions in Global Secure Access (in preview at the time of writing), all browsers and platforms.
  • When using Windows Group Policy, Microsoft Edge and all websites in Microsoft Edge.

Note: Tenant restrictions are independent of other cross-tenant access settings, so any inbound, outbound, or trust settings you’ve configured won’t impact tenant restrictions.

At the time of writing Tenant restrictions V2 is currently in preview and should not be used in production. Visit the following link for further details and setup instructions, Configure tenant restrictions – Microsoft Entra ID – Microsoft Entra | Microsoft Learn


For more information on Cross-tenant access, visit the following Microsoft Learn link, Cross-tenant access overview | Microsoft Learn

And that’s it for now. I hope you found this post useful. As always, if you have any questions or feedback, please drop a comment below.

See you at the next one