Introduction
In our growing digital world, organizations increasingly need to collaborate with partner organizations on various applications and services.
In this blog, I aim to show the capabilities of the Azure AD Cross-Tenant collaboration feature that allows organizations to securely share applications and services with other Azure AD organizations whilst keeping control of their data.
What is Cross-Tenant Collaboration?
Cross-Tenant Collaboration allows Azure AD organizations to securely collaborate with each other. There are two parts to B2B:
- B2B Collaboration: Uses invitations, self-service sign-up and adds external user objects in the hosting Azure AD tenant.
- B2B Direct Connect: Uses a mutual trust relationship for seamless collaboration.
B2B Collaboration
B2B Collaboration allows the resource organization to invite users of the external organization to your Azure AD. This is initiated by a user or admin of the resource organization sending a sharing invite to the external user. When the user redeems the invite, the external user is added to your organization's Azure AD.

B2B Direct Connect
B2B Direct Connect allows Azure AD organisations to set up a mutual trust and does not require sharing invitations to be sent or external users to be added to your Azure AD tenant. B2B Direct Connect also supports Teams Shared Channels.

Managing Cross-Tenant Access Settings
Both B2B Collaboration and B2B Direct Connect support the management of inbound and outbound access settings, tenant restrictions and trust settings, which allow for a granular approach when sharing applications and services with other Azure AD external organisations.
Configuring the Cross-tenant Access Settings allows your organisation to control the level of access available to the external organisation. There are two main areas of focus:
- Default Settings: Baseline settings which apply to the Azure AD tenant.
- Organization Settings: Settings which can be configured on a per-organisation basis.
These settings can be found in the External Identities section of Azure AD, which is available in the new Microsoft Entra Admin Center.

For each, you can change the inbound access settings to allow all users, or selected users and groups, of the external organisation to access all or selected applications. You can also block access outright.

The outbound access settings provide a similar function, whereby you can allow all users, or selected users and groups, of your Azure AD tenant to access all or selected applications of the external organisation.

You can also choose to trust MFA, device compliance and hybrid-joined devices from the external organisation. The trust settings are only available for inbound settings and integrate with your Conditional Access policies to provide extra security measures.
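
The following Python is an added example, not part of the original post: it resolves each organisation's effective inbound settings against the default settings and flags allow-all inbound access and enabled trust settings. It assumes the policy has been exported in the shape of the Microsoft Graph crossTenantAccessPolicy default and partner resources, where an unset organisation setting inherits the default; the tenant IDs, targets and values are constructed placeholders.

```python
# Constructed sample in the shape of Microsoft Graph's crossTenantAccessPolicy
# default/partner resources. Tenant, group and app IDs are placeholders.
def access(kind, user=("AllUsers", "user"), app=("AllApplications", "application")):
    def mk(t):
        return {"accessType": kind, "targets": [{"target": t[0], "targetType": t[1]}]}
    return {"usersAndGroups": mk(user), "applications": mk(app)}

def trust(mfa=False, compliant=False, hybrid=False):
    return {"isMfaAccepted": mfa, "isCompliantDeviceAccepted": compliant,
            "isHybridAzureADJoinedDeviceAccepted": hybrid}

DEFAULT = {"b2bCollaborationInbound": access("blocked"), "inboundTrust": trust()}
PARTNERS = [
    {"tenantId": "00000000-0000-0000-0000-00000000000a",
     "b2bCollaborationInbound": access("allowed"), "inboundTrust": trust(mfa=True)},
    {"tenantId": "00000000-0000-0000-0000-00000000000b",
     "b2bCollaborationInbound": access("allowed", ("<group-object-id>", "group"),
                                       ("<app-id>", "application")),
     "inboundTrust": None},
    {"tenantId": "00000000-0000-0000-0000-00000000000c",
     "b2bCollaborationInbound": None, "inboundTrust": None},
]

def effective(partner, default, key):
    """Organization setting wins; a null or missing value inherits the default."""
    value = partner.get(key)
    return default[key] if value is None else value

def audit(default, partners):
    """Return {tenantId: [findings]} for allow-all inbound access and enabled trust."""
    findings = {}
    for p in partners:
        notes = []
        inbound = effective(p, default, "b2bCollaborationInbound")
        for scope, wildcard in (("usersAndGroups", "AllUsers"),
                                ("applications", "AllApplications")):
            s = inbound[scope]
            if s["accessType"] == "allowed" and any(
                    t["target"] == wildcard for t in s["targets"]):
                notes.append(f"inbound allows {wildcard}")
        flags = effective(p, default, "inboundTrust")
        notes += [f"inbound trust: {name}" for name, on in flags.items() if on]
        findings[p["tenantId"]] = notes
    return findings

if __name__ == "__main__":
    for tenant, notes in audit(DEFAULT, PARTNERS).items():
        print(tenant, notes or ["inherits defaults or scoped access only"])
```

An organisation with no findings either inherits the blocked default or limits inbound access to named groups and applications, so the flagged entries are the ones to review against your Conditional Access policies.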

External Collaboration Settings
Your organisation can also manage the External Collaboration Settings to control the level of access a guest user has, who can invite guest users, the ability to configure guest self-service user flows, the leave settings and any collaboration restrictions. These can be found in the External Collaboration Settings.

Summary
Azure AD Cross Tenant Access provides your organisation with secure, granular controls for collaborating on other Azure AD organisations' applications and services whilst maintaining control over your data. Although this article focuses only on the Azure AD tenant-to-tenant collaboration features, there are many other possibilities with External Identities, such as allowing collaboration with social providers, like Microsoft Accounts, Facebook users and Google users, Hybrid B2B for on-premises collaboration and enterprise collaboration using SAML or WS-FED organisations.
Next Steps
If you are looking to set up Cross-Tenant Collaboration or External Identities, get in touch with our sales department, who can assist you in aligning consultancy resources to your project. risual Ltd has Microsoft Certified professionals who are Security Cleared and can assist you with designing, planning, implementing and supporting your environment.