Microsoft Entra Cross-tenant access

Introduction

Microsoft announced at the beginning of May 2024 that Microsoft Entra External ID will officially receive General Availability (GA) status as of 15 May 2024. In the same breath, I thought to myself, let’s take a closer look at the topic of Entra Cross-tenant access in an article.

The aim is for you to understand more about Entra Cross-tenant access and its advantages and, if necessary, to configure it for certain use cases in your company in the future.

What is Entra Cross-tenant access?

Entra Cross-tenant access refers to capabilities within Microsoft’s Entra portfolio that allow organizations to seamlessly and securely manage access across different Entra ID tenants. This is particularly useful for scenarios involving collaborations between different organizations, subsidiary management, or any situation where users from one Entra ID tenant need to access resources in another tenant without cumbersome setup processes.

The concept behind Cross-tenant access is to streamline the governance, compliance, and security aspects surrounding inter-organizational collaborations and resource sharing in the cloud. Businesses frequently need to share access to apps, services, or data with partners, vendors, or other stakeholders operating in separate Entra ID tenants. Doing this while maintaining a high level of control and security was historically challenging due to the need to manage external identities or set up complex trust relationships.

With Entra Cross-tenant access, Microsoft aims to:

  • Simplify the access management process
  • Enhance security
  • Improve compliance and auditing
  • Improve the user experience

Implementing Cross-tenant access involves configuring trust relationships between the Entra ID tenants, determining what types of access will be allowed, and applying the relevant security and compliance policies to govern this access appropriately. Microsoft provides tools and guidance for IT administrators to set up and manage these cross-tenant access configurations through the Microsoft Entra Admin Center and Azure Portal.

Configuration

In a short how-to, I will show you how to configure Entra Cross-tenant access in the Microsoft Azure Portal.

  1. Navigate to Microsoft Entra ID -> External Identities -> Cross-tenant access settings
  2. Add organization -> Search with Tenant ID or domain name
  3. The external Entra ID tenant is added successfully
  4. The inbound access, outbound access and tenant restrictions can now be configured explicitly for this organisation.

Inbound access

B2B collaboration
B2B collaboration inbound access settings determine whether users from external Entra ID tenants can be invited to your organization and added to your tenant as guests. Below, specify whether external Entra ID users and groups can be invited to your organization and select the applications you want to make available for B2B collaboration.

B2B direct connect
B2B direct connect inbound access settings determine whether users from external Microsoft Entra tenants can access your resources without being added to your tenant as guests. By selecting “Allow access” below, you’re permitting users and groups from other organizations to connect with you. To establish a connection, an admin from the other organization must also enable B2B direct connect.

Trust settings
Configure whether your Conditional Access policies will accept claims from other Microsoft Entra tenants when external users access your resources.

Cross-tenant sync
Enabling this will allow the admin of the specified (source) tenant to sync objects into this (target) tenant.

Outbound access

B2B collaboration
B2B collaboration outbound access settings determine whether your users can be invited to external Entra ID tenants for B2B collaboration and added to their directory as guests. Below, specify whether your users and groups can be invited to external Entra ID tenants and the external applications they can access.

B2B direct connect
B2B direct connect lets your users and groups access apps and resources that are hosted by an external organization.

Trust settings
Automatic redemption

Tenant restrictions

Tenant restrictions let you control how accounts from outside your organization can be used to access external Entra ID tenants, and select the applications that can be accessed.

Summary

I find Microsoft Entra Cross-tenant access to be very useful for protecting one’s tenant. The default settings provided by Microsoft are a solid foundation to build upon. Depending on the type of company and the regulations it is subject to, one might want to make the collaboration settings a bit more restrictive to protect against potential data leaks, for example.

A common setting that I often see in company tenants concerns the inbound access trust setting, which directly influences the Conditional Access Policies. Increasingly, I see that Conditional Access Policies, for example, require MFA (Multi-Factor Authentication) or a compliant device before one can access certain resources. With these configuration options, one has the choice to accept or reject information from the external Entra ID.
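The partner-specific settings walked through in the configuration section, and the inbound trust setting discussed above, can also be expressed as a Microsoft Graph cross-tenant access partner configuration. The following is an added example (not code from the article or from Microsoft) that builds such a configuration for one partner tenant and audits it against a restrictive baseline; the property names follow the Graph `crossTenantAccessPolicyConfigurationPartner` schema as I understand it, and the tenant and application IDs are constructed placeholders.

```python
# Added example: build a partner cross-tenant access configuration body
# (the object POSTed to /policies/crossTenantAccessPolicy/partners, as this
# example assumes) and audit it for settings looser than a baseline.
# Property names are assumed from the Graph schema; verify on Microsoft Learn.

# Constructed placeholder identifiers, not real tenants or applications.
PARTNER_TENANT = "00000000-0000-0000-0000-00000000aaaa"
ALLOWED_APP = "11111111-1111-1111-1111-111111111111"


def target_config(access_type: str, targets: list[tuple[str, str]]) -> dict:
    """accessType ('allowed'/'blocked') plus a list of (target, targetType)."""
    return {"accessType": access_type,
            "targets": [{"target": t, "targetType": kind} for t, kind in targets]}


def partner_config(tenant_id: str, allowed_apps: list[str]) -> dict:
    """Inbound B2B collaboration limited to listed apps, inbound direct
    connect blocked, and only the partner's MFA claim trusted."""
    return {
        "tenantId": tenant_id,
        "b2bCollaborationInbound": {
            "usersAndGroups": target_config("allowed", [("AllUsers", "user")]),
            "applications": target_config(
                "allowed", [(a, "application") for a in allowed_apps]),
        },
        "b2bDirectConnectInbound": {
            "usersAndGroups": target_config("blocked", [("AllUsers", "user")]),
            "applications": target_config(
                "blocked", [("AllApplications", "application")]),
        },
        # Trust settings: what Conditional Access accepts from the partner.
        "inboundTrust": {"isMfaAccepted": True,
                         "isCompliantDeviceAccepted": False,
                         "isHybridAzureADJoinedDeviceAccepted": False},
    }


def audit(config: dict) -> list[str]:
    """Return findings where a partner config is looser than the baseline."""
    findings = []
    apps = config.get("b2bCollaborationInbound", {}).get("applications", {})
    if apps.get("accessType") == "allowed" and any(
            t["target"] == "AllApplications" for t in apps.get("targets", [])):
        findings.append("inbound B2B collaboration allows all applications")
    if config.get("inboundTrust", {}).get("isCompliantDeviceAccepted"):
        findings.append("compliant-device claim trusted; CA device check delegated to partner")
    direct = config.get("b2bDirectConnectInbound", {}).get("usersAndGroups", {})
    if direct.get("accessType") == "allowed":
        findings.append("inbound B2B direct connect allowed")
    return findings
```

Running `audit` over the configurations returned by Graph for every partner gives a quick review of which tenants have been granted broader collaboration or trust than your baseline intends.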

Source: Microsoft Learn – Cross-tenant access
