Entra's Cross-tenant Access Settings, Part 1: Introduction


Entra External ID, Microsoft's business-to-business (B2B) collaboration feature, has recently gained significant functionality to customize the end-user experience when people in your organization use Entra-integrated functionality that is hosted in the Entra tenant of another organization.

In this series of blogposts, I share how Entra's Cross-tenant Access Settings can be used to optimize the end-user experience. This information is useful both for Entra administrators who have people collaborating in another tenant and for Entra admins who have guest accounts in their tenant to facilitate access to their functionality.

Note:
In this series, I merely talk about the Entra External ID functionality that is based on Entra to Entra collaboration.

In this first blogpost of this series, I'll explain how Entra's cross-tenant access settings differ from other settings and what they bring to the table.


Cross-tenant access settings vs. other settings

First, I need to make clear that the Cross-tenant access settings are different to the settings on the External collaboration settings pane in Entra, the All Identity Providers pane in Entra and within the Sharing Policies in SharePoint Online.

External collaboration settings (Entra)

The External collaboration settings pane in Entra offers to configure:

  • Guest user access restrictions
    This setting determines whether guests have full access to enumerate all users and group memberships (most inclusive), limited access to other users and memberships, or no access to other users and group memberships including groups they are a member of (most restrictive).
  • Guest invite restrictions
    This setting controls who can invite guests to your directory to collaborate on resources secured by your company, such as SharePoint sites or Azure resources. This setting can be configured as:

    • Anyone in the organization can invite guest users including guests and non-admins (most inclusive)
    • Member users and users assigned to specific admin roles can invite guest users including guests with member permissions
    • Only users assigned to specific admin roles can invite guest users
    • No one in the organization can invite guest users including admins (most restrictive)
  • Guest self-service sign up via user flows
    This setting can be configured as Yes or No.

    • Yes means that you can enable self-service sign up for guests via user flows associated with applications in your directory.
    • No means that applications cannot be enabled for self-service sign-up by guests and require them to be invited to your directory.
  • External user leave settings
    With this setting you can allow external users to remove themselves from your organization (recommended). This setting can be configured as Yes or No.

    • Yes means that the end user can leave the organization without approval from the admin.
    • No means that the end user will be guided to review the privacy statement and/or contact the privacy contact for approval to leave.
  • Collaboration restrictions
    Cross-tenant access settings are also evaluated when an invitation is sent, to determine whether the invite should be allowed or blocked based on the DNS domain name. The collaboration restrictions can be configured as:

    • Allow invitations to be sent to any domain (most inclusive)
    • Deny invitations to the specified domains
    • Allow invitations only to the specified domains (most restrictive)


All Identity providers (Entra)

Recently, Microsoft has moved the Email one-time passcode settings to the All identity providers pane, where admins can configure the default identity providers (Entra ID, Microsoft Account and Email one-time passcode) and add SAML/WS-Fed-based identity providers, Google and Facebook as additional identity providers.

On the All identity providers pane, Email one-time passcode as identity provider can be enabled or disabled for guests. By default Email one-time passcode is enabled as identity provider for guests.


Sharing Policies (SharePoint Online)

The Policies for Sharing in the SharePoint admin center control sharing at the organization level in SharePoint and OneDrive. Here, admins can configure:

  • External sharing
    This setting configures the scope in which content can be shared, individually for SharePoint and OneDrive:
    (Sharing for each individual site and OneDrive can be further restricted beyond these settings)

    • Anyone
      User can share files and folders using links that don't require sign-in. (most permissive)
    • New and existing guests
      Guests must sign in or provide a verification code.
    • Existing guests
      Only guests already in your organization's directory.
    • Only people in your organization
      No external sharing allowed. (least permissive)
  • More external sharing settings
    These settings allow admins to enable or disable the following sharing functionality:

    • Limit external sharing by domain (followed by adding DNS domain names to allow)
    • Allow only users in specific security groups to share externally (followed by managing security groups to allow)
    • Guests must sign up using the same account to which sharing invitations are sent
    • Allow guests to share items they don't own
    • Guest access to a site or OneDrive will expire automatically (followed by specifying a number of days as the expiration period)
    • People who use a verification code must reauthenticate after this many days (followed by specifying a number of days after which guests using Email one-time passcodes need to reauthenticate)
  • File and folder sharing settings
    • File and folder links scope
      This setting specifies the type of link that's selected by default when users share files and folders in SharePoint and OneDrive:

      • Specific people (only the people the user specifies)
      • Only people in your organization
      • Anyone with the link
    • Default file and folder links permission
      This setting specifies the permission that's selected by default for sharing links:

      • View
      • Edit
    • File and folder links to anyone with the link expiration
      Specifically, for file and folder links to anyone with the link (when specified as the file and folder scope), expiration can be specified as the number of days as the expiration period.
    • File and folder links to anyone with the link granular permissions
      Specifically, for file and folder links to anyone with the link (when specified as the file and folder scope), permissions can be specified more restrictively, for files and folders separately.
  • Other settings
    Under Other settings, admins can configure these settings:

    • Show owners the names of people who viewed their files in OneDrive
    • Let site owners choose to display the names of people who viewed files or pages in SharePoint
    • Use short links for sharing files and folders


As you can see, some settings overlap with the cross-tenant access settings. Specifically, the domain restrictions in the Collaboration restrictions setting on the External collaboration settings pane in Entra, the Limit external sharing by domain setting in the SharePoint admin center (for SharePoint specifically) and the cross-tenant access settings may interact. This can lead to longer troubleshooting sessions, potentially spread over multiple teams managing different aspects of the Microsoft Cloud, especially when troubleshooting access to SharePoint Online and OneDrive.


Cross-tenant access settings

As you might imagine, I think the settings on the External collaboration settings pane in Entra, the All Identity Providers pane in Entra and within the Sharing Policies in SharePoint Online fall short. Cross-tenant access settings offer vast opportunities to manage B2B collaboration and optimize the end-user experience.

Cross-tenant access settings offer Organizational settings, Default settings and Microsoft cloud settings:


Default settings

The default settings on the Cross-tenant access settings pane underneath External Identities in the Entra portal allow admins to configure default Inbound access settings, Outbound access settings and Tenant restrictions.

For Inbound access settings, the types of settings for which an admin can configure default settings include:

  • B2B collaboration
    B2B collaboration inbound access settings let you collaborate with people outside of your organization by allowing them to sign in using their own identities. These users become guests in your Microsoft Entra tenant. You can invite external users directly or you can set up self-service sign-up so they can request access to your resources. By default, B2B collaboration is enabled for external users and groups for all applications. For B2B collaboration, admins can:

    • Allow or block inbound access to external users and groups
    • Allow or block all applications or merely specific applications (where a block in the previous setting also blocks all external applications)
    • Configure the redemption order for identity providers. Admins can enable and specify the order of identity providers that your guest users can sign in with when they redeem their invitation. Additionally, identity providers and fallback identity providers (currently Microsoft Account and Email one-time passcode) can be disabled granularly.
  • B2B direct connect
    B2B direct connect inbound access settings determine whether users from external Microsoft Entra tenants can access your resources without being added to your tenant as guests. By selecting Allow access, you're permitting users and groups from other organizations to connect with you. To establish a connection, an admin from the other organization must also enable B2B direct connect. By default, B2B direct connect is disabled. For B2B direct connect, admins can:

    • Allow or block access to external users and groups
    • Allow or block all applications or merely specific applications (where, again, block all users also blocks all external applications)
  • Trust settings
    In the Trust settings, Admins can configure whether their Conditional Access policies accept claims from other Microsoft Entra tenants when external users access their resources. The default settings apply to all external Microsoft Entra tenants except those with organization-specific settings. This is where admins can start tailoring the end-user experience for end-users beyond simply blocking. By default, all the options under Trust Settings are disabled. Admins can choose to:

    • Trust multifactor authentication from Microsoft Entra tenants
    • Trust compliant devices
    • Trust Microsoft Entra hybrid joined devices

For Outbound access settings, the types of settings for which an admin can configure default settings include:

  • B2B collaboration
    Outbound access settings determine how your users and groups can interact with apps and resources in external organizations. The default settings apply to all your cross-tenant scenarios unless you configure organizational settings to override them for a specific organization. Default settings can be modified but not deleted. By default, B2B Collaboration is enabled for users and groups in your tenant for all applications. For B2B collaboration, admins can:

    • Allow or block outbound access to specific users and groups in the tenant
    • Allow or block all external applications or merely specific applications (where a block in the previous setting also blocks all external applications)
  • B2B direct connect
    B2B direct connect lets your users and groups access apps and resources that are hosted by an external organization. To establish a connection, an admin from the external organization must also enable B2B direct connect. When you enable outbound access to an external organization, limited data about your users is shared with the external organization, so that they can perform actions such as searching for your users. More data about your users may be shared with an organization if they consent to that organization's privacy policies. By default, B2B direct connect is disabled. For B2B direct connect, admins can:

    • Allow or block access to all users and groups in the tenant or specific users and groups in the tenant.
    • Allow or block all external applications or merely specific applications (where, again, block all users also blocks all external applications)
  • Trust settings
    The Trust settings is where admins can start tailoring the end-user experience for end-users beyond simply blocking. By default, all the options under Trust Settings are disabled. Admins can:

    • Trust multifactor authentication from Microsoft Entra tenants
    • Trust compliant devices
    • Trust Microsoft Entra hybrid joined devices

Tenant restrictions lets admins control whether their users can access external applications from their network or devices using external accounts, including accounts issued to them by external organizations and accounts they've created in unknown tenants. Within Tenant restrictions, admins can select which external applications to allow or block. These default settings apply to all external Microsoft Entra tenants except those with organization-specific settings.


Organizational settings

The organizational settings on the Cross-tenant access settings pane underneath External Identities in the Entra portal allow admins to add an organization by tenant ID or DNS domain name. That way, admins can specify Inbound access, Outbound access and Tenant restrictions for that Entra tenant only. Any Microsoft Entra tenant not in the list of organizations under Organizational settings uses the default settings.

Admins can use cross-tenant access settings to manage collaboration with external Microsoft Entra tenants.

Note:
For non-Microsoft Entra tenants, the External collaboration settings in the Entra portal apply.

Admins can use Organizational settings in two fundamental ways:

  1. Block inbound and/or outbound access in the Default settings and then allow inbound and/or outbound access through Organizational settings for specifically trusted organizations (most restrictive)
  2. Allow inbound and/or outbound access in the Default settings and then block inbound and/or outbound access through Organizational settings for specifically untrusted organizations (most inclusive)

By default, after adding an organization, the Inbound access, Outbound access and Tenant restrictions for that organization are configured as Inherited from default. This allows admins to specifically block or allow either inbound access or outbound access for that organization, if they choose to do so.

The allow-by-default, block-when-untrusted method might feel like the path of least resistance, but in the long run it might raise privacy concerns: guest users linger in remote Entra tenants, possibly with private data stored in attributes that contain multi-factor authentication information (personal phone numbers). Additionally, the inability to report on standing outbound access rights for your users in remote Entra tenants might become cumbersome in the long run. The block-by-default, allow-when-trusted method is the way to get and remain in control in the long run.
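The block-by-default, allow-when-trusted model above, together with the inbound Trust settings described under Default settings, can be applied through the Microsoft Graph cross-tenant access policy. The following is an added example written for this post, not code from the original or from Microsoft; it uses the Microsoft Graph PowerShell Invoke-MgGraphRequest cmdlet and assumes the Policy.ReadWrite.CrossTenantAccess permission, and the partner tenant ID is a placeholder you replace with the trusted organization's real tenant ID.

```powershell
# Added example: block inbound B2B collaboration by default, then allow a
# single trusted organization and accept its MFA and compliant-device claims.
# Requires the Microsoft.Graph.Authentication module.
Connect-MgGraph -Scopes "Policy.ReadWrite.CrossTenantAccess" -NoWelcome

$base = "https://graph.microsoft.com/v1.0/policies/crossTenantAccessPolicy"

# The usersAndGroups/applications shape shared by every B2B setting.
function New-B2bSetting([string]$AccessType) {
    @{
        usersAndGroups = @{
            accessType = $AccessType
            targets    = @(@{ target = "AllUsers"; targetType = "user" })
        }
        applications = @{
            accessType = $AccessType
            targets    = @(@{ target = "AllApplications"; targetType = "application" })
        }
    }
}

# 1. Default settings: block inbound B2B collaboration from every tenant
#    that has no organizational settings of its own (most restrictive).
$defaults = @{ b2bCollaborationInbound = (New-B2bSetting "blocked") }
Invoke-MgGraphRequest -Method PATCH -Uri "$base/default" -Body $defaults

# 2. Organizational settings: allow the trusted partner and configure the
#    inbound trust settings for it. Placeholder tenant ID; replace it.
$partnerTenantId = "00000000-0000-0000-0000-000000000000"
$partner = @{
    tenantId                = $partnerTenantId
    b2bCollaborationInbound = (New-B2bSetting "allowed")
    inboundTrust            = @{
        isMfaAccepted                       = $true
        isCompliantDeviceAccepted           = $true
        isHybridAzureADJoinedDeviceAccepted = $false
    }
}
# POST creates the organization; if it already exists, Graph returns a
# conflict and a PATCH to "$base/partners/$partnerTenantId" is needed instead.
Invoke-MgGraphRequest -Method POST -Uri "$base/partners" -Body $partner

# 3. Read back every organization: a missing value means "Inherited from
#    default", which after step 1 means blocked for inbound collaboration.
$partners = (Invoke-MgGraphRequest -Method GET -Uri "$base/partners").value
foreach ($p in $partners) {
    $inbound = $p.b2bCollaborationInbound.usersAndGroups.accessType
    if (-not $inbound) { $inbound = "inherited from default" }
    "{0}  inbound B2B collaboration: {1}" -f $p.tenantId, $inbound
}
```

Run step 3 on its own before changing anything to record the current state, so the effect of the default block on existing organizations is visible in the read-back.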


Microsoft cloud settings

By default, organizations using Entra with commercial Azure subscriptions are unable to collaborate with organizations with Entra with Government subscriptions or Azure China subscriptions. Microsoft cloud settings allow admins to collaborate with organizations from these different Microsoft clouds.

The Microsoft cloud settings pane offers two collaboration options:

  • Microsoft Azure Government
    This option allows collaboration with organizations using Azure Government (US Gov Arizona, US Gov Texas, US Gov Virginia), Office GCC-High and DoD subscriptions.
  • Microsoft Azure China (operated by 21Vianet)
    This option allows collaboration with organizations using Azure China subscriptions (operated by 21Vianet).

To set up B2B collaboration, admins from both organizations need to configure their Microsoft cloud settings to enable the partner's cloud. Then admins at each organization use the partner's tenant ID to find and add the partner to their organizational settings. From there, admins at each organization can let their default cross-tenant access settings apply to the partner, or they can configure partner-specific inbound and outbound settings.


Concluding

Entra's Cross-tenant Access Settings are generally available (GA). In the next blogposts in this series, we'll use them to limit B2B collaboration and optimize the end-user experience. This offers opportunities to extend your security measures across your supply chain and limit the privacy impact of collaborating.

Author: Sander Berkouwer

Sander Berkouwer is the author of the Active Directory Administration Cookbook, speaker and blogger at DirTeam.com and ServerCore.net. He has been awarded Microsoft MVP, Veeam Vanguard and VMware vExpert. Since 2009, Microsoft has awarded Sander with the Most Valuable Professional (MVP) award. Since 2016, Veeam has awarded Sander with the Veeam Vanguard award.