How to enable cross-tenant access in Microsoft 365

If you are an organization that works with multiple Microsoft 365 tenants, such as subsidiaries, partners, or customers, you might want to enable cross-tenant access for your users. Cross-tenant access is a feature that allows users to access resources and collaborate across different Microsoft 365 tenants, while still maintaining the security and compliance of each tenant. In this blog post, I will explain what cross-tenant access is, how it works, and how to configure it using the Microsoft Entra admin center.

What is cross-tenant access?

Cross-tenant access is a feature that builds upon the Microsoft Entra B2B functionality and enables seamless collaboration between users in different Microsoft 365 tenants. It consists of two components: cross-tenant access settings and cross-tenant synchronization.

  • Cross-tenant access settings are used to manage how you collaborate with other Microsoft 365 organizations through B2B collaboration and B2B direct connect. These settings determine both the level of inbound access users in external Microsoft 365 organizations have to your resources, and the level of outbound access your users have to external organizations. They also let you trust multi-factor authentication (MFA) and device claims (compliant device claims and Microsoft Entra hybrid joined device claims) from other Microsoft 365 organizations.
  • Cross-tenant synchronization is a feature that automates the creation, updating, and deletion of B2B collaboration users across tenants in your organization. It leverages the Microsoft Entra provisioning service and the Microsoft Entra Graph API to synchronize user attributes and group membership between the source and target tenants.

Cross-tenant access is similar to a hybrid environment – each access or synchronization has a specific source and a specific target. The source tenant is the tenant where the user account originates, and the target tenant is the tenant where the user account is accessed or synchronized to. The source and target tenants can be different or the same, depending on your scenario. For example, you can use cross-tenant access to share resources from a parent tenant to a child tenant, or from one child tenant to another child tenant, or even from one tenant to itself.

How does cross-tenant access work?

Cross-tenant access works by using the Microsoft Entra B2B functionality, which allows users from one Microsoft 365 organization to be invited as guest users to another Microsoft 365 organization. The guest users can then access resources and collaborate with the host organization, while still being managed by their home organization.

There are two ways to enable cross-tenant access between Microsoft 365 organizations: B2B collaboration and B2B direct connect.

  • B2B collaboration is the traditional way of inviting external users to your organization. It requires the host organization to send an invitation email to the external user, who then needs to accept the invitation and redeem it to access the resources. The host organization can also use the Microsoft Entra admin center or the Microsoft Entra Graph API to create and manage guest users programmatically.
  • B2B direct connect is a new way of enabling cross-tenant access without requiring an invitation or redemption process. It allows the external user to request access to a resource in the host organization, and the host organization can automatically grant or deny the access based on the cross-tenant access settings. The host organization can also use the Microsoft Entra admin center or the Microsoft Entra Graph API to approve or reject access requests programmatically.

Both B2B collaboration and B2B direct connect rely on the cross-tenant access settings to control the level of access and trust between the source and target tenants. The cross-tenant access settings can be configured in the Microsoft Entra admin center by going to Identity > External Identities > Cross-tenant access settings. You can customize the settings according to your preferences, such as:

  • Choosing the default inbound and outbound access settings for all external Microsoft 365 organizations.
  • Adding specific Microsoft 365 organizations and configuring the inbound and outbound access settings for them.
  • Enabling or disabling the trust of MFA and device claims from external Microsoft 365 organizations.
  • Enabling or disabling the B2B direct connect feature for external Microsoft 365 organizations.

In addition to cross-tenant access settings, you can also use cross-tenant synchronization to automate the lifecycle management of B2B collaboration users across tenants in your organization. Cross-tenant synchronization can be configured in the Microsoft Entra admin center by going to Identity > External Identities > Cross-tenant synchronization. You can customize the synchronization according to your preferences, such as:

  • Selecting the source and target tenants for the synchronization.
  • Selecting the source and target groups for the synchronization.
  • Mapping the user attributes and group membership between the source and target tenants.
  • Assigning users to the synchronization and enabling the synchronization.

The cross-tenant synchronization runs every 40 minutes by default, but you can change the frequency in the Microsoft Entra admin center. You can also monitor the synchronization status and logs in the Microsoft Entra admin center.

How to configure cross-tenant access?

To configure cross-tenant access, you need to have the following prerequisites:

  • Source tenant: Microsoft Entra ID P1 or P2 license, Security Administrator role, Hybrid Identity Administrator role, Cloud Application Administrator or Application Administrator role.
  • Target tenant: Microsoft Entra ID P1 or P2 license, Security Administrator role.

The configuration steps are as follows:

  1. Plan your cross-tenant access deployment: Define how you would like to structure the tenants in your organization, determine who will be in scope for cross-tenant access, and determine what level of access and trust you want to apply between tenants.
  2. Enable cross-tenant access settings in the target tenant: In the target tenant, go to the Microsoft Entra admin center, browse to Identity > External Identities > Cross-tenant access settings, and configure the default and organizational settings for inbound and outbound access. You also need to add the source tenant as a trusted organization and enable the trust of MFA and device claims from the source tenant.
  3. Automatically redeem invitations in the source tenant: In the source tenant, go to the Microsoft Entra admin center, browse to Identity > External Identities > Cross-tenant access settings, and enable automatic redemption of invitations for the target tenant. This step is required for B2B collaboration, but not for B2B direct connect.
  4. Configure cross-tenant synchronization in the source tenant: In the source tenant, go to the Microsoft Entra admin center, browse to Identity > External Identities > Cross-tenant synchronization, and create a new configuration. You need to select the target tenant, the source groups, the target groups, and the attribute mappings for the configuration. You also need to assign users to the configuration and enable the configuration.
  5. Test and verify the cross-tenant access: After enabling the cross-tenant access settings and synchronization, you can test and verify the cross-tenant access by checking the cross-tenant access status and logs in the Microsoft Entra admin center, and by signing in to the target tenant as a guest user.
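The settings from steps 2 and 3, and the default-versus-organization resolution described under cross-tenant access settings above, as an added example that is not code from the original post. It assumes the Microsoft Graph crossTenantAccessPolicy resource shape (GET /policies/crossTenantAccessPolicy/default and POST /policies/crossTenantAccessPolicy/partners) and that API's property names (inboundTrust, automaticUserConsentSettings, b2bCollaborationInbound, usersAndGroups, applications, accessType, targets); the tenant, group, user and application IDs are constructed placeholders. The first two functions build the partner bodies for the target and source tenants; the resolver then shows what the target tenant would actually enforce for a given user and application once a partner entry overrides the hardened default, which is the check you want before and after step 5.

```python
"""Build and audit Microsoft Entra cross-tenant access policy objects.

Added example, not code from the original post. Assumes the Microsoft Graph
crossTenantAccessPolicy resource shape:
  GET  /policies/crossTenantAccessPolicy/default
  POST /policies/crossTenantAccessPolicy/partners
All IDs below are constructed placeholders.
"""
import json
from typing import Optional

SOURCE_TENANT = "11111111-1111-1111-1111-111111111111"  # constructed placeholder
TARGET_TENANT = "22222222-2222-2222-2222-222222222222"  # constructed placeholder
SALES_GROUP = "33333333-3333-3333-3333-333333333333"    # constructed placeholder


def target_tenant_partner(source_tenant_id: str, allowed_group_id: str) -> dict:
    """Step 2, applied in the TARGET tenant: add the source tenant as a partner,
    trust its MFA and device claims, accept automatic redemption inbound, and
    scope inbound B2B collaboration to one group rather than all users."""
    return {
        "tenantId": source_tenant_id,
        "inboundTrust": {
            "isMfaAccepted": True,
            "isCompliantDeviceAccepted": True,
            "isHybridAzureADJoinedDeviceAccepted": True,
        },
        "automaticUserConsentSettings": {"inboundAllowed": True},
        "b2bCollaborationInbound": {
            "usersAndGroups": {
                "accessType": "allowed",
                "targets": [{"target": allowed_group_id, "targetType": "group"}],
            },
            "applications": {
                "accessType": "allowed",
                "targets": [{"target": "AllApplications", "targetType": "application"}],
            },
        },
    }


def source_tenant_partner(target_tenant_id: str) -> dict:
    """Step 3, applied in the SOURCE tenant: invitations from the target tenant
    are redeemed automatically for this tenant's users (outbound consent)."""
    return {
        "tenantId": target_tenant_id,
        "automaticUserConsentSettings": {"outboundAllowed": True},
    }


def _block_allows(setting: dict, subject_ids: set, wildcard: str) -> bool:
    """Evaluate one usersAndGroups or applications block: with accessType
    'allowed' the subject must match a target; with 'blocked' it must not."""
    hit = any(t["target"] == wildcard or t["target"] in subject_ids
              for t in setting["targets"])
    return hit if setting["accessType"] == "allowed" else not hit


def effective_inbound_access(default_policy: dict, partner: Optional[dict],
                             user_id: str, group_ids: set, app_id: str,
                             channel: str = "b2bCollaborationInbound") -> bool:
    """Resolve what the tenant enforces: a partner-specific setting overrides
    the default, and a missing (null) partner setting inherits the default.
    Access requires both the user/group block and the application block to pass."""
    setting = (partner or {}).get(channel) or default_policy[channel]
    users_ok = _block_allows(setting["usersAndGroups"], {user_id, *group_ids}, "AllUsers")
    apps_ok = _block_allows(setting["applications"], {app_id}, "AllApplications")
    return users_ok and apps_ok


# Constructed stand-in for GET /policies/crossTenantAccessPolicy/default:
# a hardened baseline that blocks all inbound collaboration and direct connect.
DEFAULT_POLICY = {
    "b2bCollaborationInbound": {
        "usersAndGroups": {"accessType": "blocked",
                           "targets": [{"target": "AllUsers", "targetType": "user"}]},
        "applications": {"accessType": "blocked",
                         "targets": [{"target": "AllApplications", "targetType": "application"}]},
    },
    "b2bDirectConnectInbound": {
        "usersAndGroups": {"accessType": "blocked",
                           "targets": [{"target": "AllUsers", "targetType": "user"}]},
        "applications": {"accessType": "blocked",
                         "targets": [{"target": "AllApplications", "targetType": "application"}]},
    },
}


if __name__ == "__main__":
    partner = target_tenant_partner(SOURCE_TENANT, SALES_GROUP)
    print(json.dumps(partner, indent=2))  # body for POST .../partners in the target tenant
    print(json.dumps(source_tenant_partner(TARGET_TENANT), indent=2))  # body for the source tenant
    # Member of the scoped group: allowed through the partner override.
    print(effective_inbound_access(DEFAULT_POLICY, partner, "user-a", {SALES_GROUP}, "app-1"))  # True
    # Same partner, user outside the group: denied.
    print(effective_inbound_access(DEFAULT_POLICY, partner, "user-b", set(), "app-1"))  # False
    # Direct connect was never set on the partner, so the blocked default applies.
    print(effective_inbound_access(DEFAULT_POLICY, partner, "user-a", {SALES_GROUP}, "app-1",
                                   "b2bDirectConnectInbound"))  # False
```

The resolver is the audit half: after you have added an organization under Organizational settings, feed the partner object returned by the API and your default object through it for the users and applications you care about, and confirm that only the scoped group reaches the target tenant and that channels you did not explicitly open (here B2B direct connect) still fall back to the blocked default.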

Conclusion

Cross-tenant access is a powerful and convenient feature that can help you simplify collaboration and lifecycle management of users across tenants in your organization. It leverages the Microsoft Entra B2B functionality and the Microsoft Entra provisioning service to enable seamless and secure cross-tenant access. To configure cross-tenant access, you need to have the appropriate licenses and roles in both the source and target tenants, and follow the steps in the Microsoft Entra admin center.
