Unit 13: Implement Cross-Tenant Access Controls

1. Purpose

Cross-tenant access controls allow you to govern collaboration between two Microsoft Entra organizations. They define how users from one tenant (the external organization) access resources in another tenant, and vice versa.

This is the foundation for secure and trusted B2B relationships between organizations — ensuring you can share apps, Teams channels, and documents without giving excessive access.

2. Key Concepts

Term	Description
Inbound Access	Controls what external users (from other tenants) can access in your tenant.
Outbound Access	Controls what your users can access in external tenants.
Trust Settings	Determine whether you trust the external tenant’s authentication (e.g., MFA or device compliance).
Cross-Tenant Synchronization	Optional capability to synchronize specific users or groups between tenants.
B2B Direct Connect	Enables direct collaboration (for example, Teams shared channels) between two organizations with mutual trust.

3. Default Behavior

By default:

B2B collaboration is enabled.

→ External users can be invited and access resources using their home credentials.

B2B Direct Connect is disabled.

→ Shared Teams channels or direct organizational access require explicit configuration.

These defaults maintain collaboration flexibility while preventing unauthorized tenant-to-tenant connections.

4. Access Settings

You can manage cross-tenant access settings at two levels:

Default (Global) Settings — apply to all external tenants.
Organization-Specific Settings — override global defaults for particular trusted partners.

To access: Microsoft Entra admin center → Identity → External Identities → Cross-tenant access settings.

5. Managing Inbound and Outbound Access

Each direction (inbound/outbound) can define who and what is allowed to connect.

Outbound Access Settings

Control what your users can access in external tenants.

Choose to apply to everyone, or specific users, groups, or apps.
Typical outbound policy might restrict collaboration to approved partner tenants.

Inbound Access Settings

Control what external users can access your resources.

Define if B2B collaboration or Direct Connect is allowed.
Specify which groups or apps they can interact with.

Example: Contoso allows inbound access from Fabrikam only for Teams and SharePoint apps, while blocking all others.

6. Trust Settings (Inbound)

Trust settings determine how much you trust the external tenant’s security posture. You can configure whether to accept their MFA or device compliance checks — reducing redundant challenges for users.

Trust Setting	Description
Trust MFA	Accepts MFA completed in the user’s home tenant.
Trust compliant devices	Accepts device compliance evaluation from the external tenant.
Trust Entra hybrid joined devices	Recognizes hybrid-joined device status from the external tenant.

Example: If Fabrikam already enforces MFA, Contoso can trust that authentication rather than prompting for MFA again when Fabrikam users access Contoso’s resources.

7. Organization-Specific Configuration

You can create customized rules for each partner organization:

Go to Cross-tenant access settings → Organizational settings.
Add the partner tenant (using tenant ID or domain).
Configure unique inbound/outbound rules and trust settings.

This flexibility lets you define stronger security for unknown tenants and relaxed rules for trusted partners.

8. Microsoft Cloud-Specific Configuration

If your organization operates across different Microsoft clouds (e.g., Microsoft 365 Commercial, Government (GCC), or China Cloud), you can configure cloud-to-cloud collaboration.

Use Microsoft Cloud Settings to:

Connect to specialized cloud environments.
Define trust relationships across regulatory boundaries.

9. B2B Direct Connect

B2B Direct Connect is a mutual trust relationship between two tenants that allows seamless, direct collaboration — most notably in Microsoft Teams shared channels.

Users can participate in shared Teams channels without switching tenants.
Authentication is handled by each user’s home tenant.
Access is based on mutual trust — both sides must explicitly allow Direct Connect.

Key points:

Both organizations must enable B2B Direct Connect.
Works currently only with Microsoft Teams shared channels.
Provides single sign-on (SSO) access using users’ home credentials.

Example: Contoso and Fabrikam establish Direct Connect. Fabrikam users can access a shared Teams channel hosted by Contoso from within their own Teams client, without tenant switching or reauthentication.

10. Real-World Example

Scenario: Contoso collaborates with a key supplier, Northwind Traders. They want Northwind’s employees to access Contoso’s Teams shared channels securely.

Both tenants enable B2B Direct Connect.
Contoso configures inbound trust for Northwind’s MFA and compliant devices.
Teams shared channels are created and shared.
Northwind’s users access these directly within their Teams interface.

Result → Seamless, secure collaboration with minimal friction.

11. Exam Tip

Cross-tenant access = fine-grained control of collaboration between Entra tenants.
Default = B2B collaboration enabled, B2B Direct Connect disabled.
Both parties must enable Direct Connect.
MFA and device trust settings are configurable per partner.
Supports both organization-specific and Microsoft Cloud-specific configurations.

12. Summary

Cross-tenant access controls are the policy backbone of secure B2B collaboration. They define how and when trust is established between tenants, providing a robust framework for both compliance and productivity.

SC‑300 Study Portal Dark

Unit 13: Implement Cross-Tenant Access Controls