Entra External ID, Microsoft's Business-to-Business (B2B) collaboration feature, has recently gained significant functionality to customize the end-user experience when people in your organization collaborate in Entra-integrated functionality that lives in another organization's Entra tenant.
In this series of blogposts, I share how Entra's Cross-tenant Access Settings can be used to optimize the end-user experience. This information is useful both for Entra administrators who have people collaborating in another tenant and for Entra admins who have guest accounts in their tenant to facilitate access to their functionality.
Note:
In this series, I merely talk about the Entra External ID functionality that is based on Entra to Entra collaboration.
In the first blogpost, I discussed the settings. Now, let's look at managing common B2B collaboration scenarios.
Cross-tenant access settings can modify the way end-users in your organization collaborate.
The External collaboration settings pane in Entra and the Sharing Policies in SharePoint Online both offer options to limit the organizations to which people in your organization can send invitations. Cross-tenant access settings is the only pane where admins can configure from which organizations invitations can be redeemed and resources accessed.
Blocking a specific organization
To block a specific organization for collaboration, for instance because they are a competitor, you can perform these steps while using the default settings for cross-tenant access:
- Sign in to the Entra portal. Perform multi-factor authentication when prompted.
- In the left navigation pane, expand the External Identities menu node and click the Cross-tenant access settings node in the Entra portal. This takes you to the External Identities | Cross-tenant access settings pane.
- Click on the Organization settings tab.
- Under Organizational settings, follow the + Add organization link to onboard the organizations you want to block your people from working with, by specifying their DNS domain names or tenant IDs.
- After onboarding, under Outbound access, per organization, click the Inherited from default link. This takes you to the Outbound access settings pane for the organization.
- Change the radio option from Default settings to Customize settings.
- Under Users and groups, change the Access status setting to Block access.
- Click Save at the bottom of the Outbound access settings pane for the organization.
Blocking a specific organization for specific people in your organization
To block a specific organization for collaboration for specific users, based on group membership, you can perform these steps while using the default settings for cross-tenant access:
- Sign in to the Entra portal. Perform multi-factor authentication when prompted.
- Create a group in Entra, or synchronize a group from Active Directory with a name that indicates the usage of the group, adhering to your organization's naming standard.
- In the left navigation pane, expand the External Identities menu node and click the Cross-tenant access settings node in the Entra portal. This takes you to the External Identities | Cross-tenant access settings pane.
- Click on the Organization settings tab.
- Under Organizational settings, follow the + Add organization link to onboard the organizations you want to block these people from working with, by specifying their DNS domain names or tenant IDs.
- After onboarding, under Outbound access, per organization, click the Inherited from default link. This takes you to the Outbound access settings pane for the organization.
- Change the radio option from Default settings to Customize settings.
- Under Users and groups, change the Access status setting to Block access.
- Under Users and groups, change the Applies to setting to Select users and groups.
- Follow the Add users and groups link. The Select Item blade appears.
- Select the group you created or synchronized earlier. Click the Select button at the bottom of the blade to save the selection and close the blade.
- The selected group is added to the list on the Outbound access settings pane for the organization.
- Click Save at the bottom of the Outbound access settings pane for the organization.
Blocking a specific application for external users
To block a specific application for external users, so that guests from any organization without a more specific partner configuration cannot reach it, you can perform these steps:
- Sign in to the Entra portal. Perform multi-factor authentication when prompted.
- In the left navigation pane, expand the External Identities menu node and click the Cross-tenant access settings node in the Entra portal. This takes you to the External Identities | Cross-tenant access settings pane.
- Click on the Default settings tab.
- Under Inbound access settings, click the Edit inbound defaults link. This takes you to the Inbound access settings – Default settings pane.
- Click the B2B collaboration tab, then click the Applications tab.
- Change the Access status setting from Allow access to Block access.
- Under Applies to, select Select applications.
- Follow the Add Microsoft applications and/or Add other applications links.
- Select the application(s) to block access for external users to. Then, click the Select button at the bottom of the blade.
- Click Save at the bottom of the Inbound access settings – Default settings pane.
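The same inbound default can be set with Microsoft Graph instead of the portal. The following is an added example, not code from the original post; it assumes the Microsoft Graph PowerShell SDK is installed, that the signed-in account holds a role that may edit cross-tenant access settings, and that the application display name is a placeholder you replace with the app you actually want to block.

```powershell
# Added example (not from the original post): block specific applications for all
# external users in the inbound *default* cross-tenant access settings via Graph.
# Assumptions: Microsoft.Graph PowerShell SDK installed; account may edit the policy.
Connect-MgGraph -Scopes 'Policy.ReadWrite.CrossTenantAccess', 'Application.Read.All'

$graph = 'https://graph.microsoft.com/v1.0'

# Resolve an application (client) ID from its service principal display name.
# Refuse ambiguity: blocking the wrong app because two share a name is a real risk.
function Get-AppIdByDisplayName {
    param([Parameter(Mandatory)][string]$DisplayName)
    $escaped = $DisplayName.Replace("'", "''")
    $uri = "$graph/servicePrincipals?`$filter=displayName eq '$escaped'&`$select=appId,displayName"
    $result = Invoke-MgGraphRequest -Method GET -Uri $uri -ErrorAction Stop
    if ($result.value.Count -ne 1) {
        throw "Expected exactly one service principal named '$DisplayName', found $($result.value.Count)."
    }
    return $result.value[0].appId
}

# Set the inbound default 'Applications' section to Block access for the given apps.
function Set-InboundDefaultBlockedApps {
    param([Parameter(Mandatory)][string[]]$AppIds)
    # Guard rail: never send 'blocked' without explicit targets. 'blocked' combined with
    # the special target 'AllApplications' would lock every guest out of everything.
    if ($AppIds.Count -eq 0) { throw 'Provide at least one application ID to block.' }

    $body = @{
        b2bCollaborationInbound = @{
            applications = @{
                accessType = 'blocked'
                targets    = @($AppIds | ForEach-Object { @{ target = $_; targetType = 'application' } })
            }
        }
    }
    # Only the 'applications' section is sent; 'usersAndGroups' is not touched.
    Invoke-MgGraphRequest -Method PATCH -Uri "$graph/policies/crossTenantAccessPolicy/default" -Body $body -ErrorAction Stop
}

# Read back the inbound default so the change can be verified, not assumed.
function Get-InboundDefaultApps {
    $default = Invoke-MgGraphRequest -Method GET -Uri "$graph/policies/crossTenantAccessPolicy/default" -ErrorAction Stop
    return $default.b2bCollaborationInbound.applications
}

# 'Contoso HR Portal' is a placeholder display name.
$appIds = @(Get-AppIdByDisplayName -DisplayName 'Contoso HR Portal')
Set-InboundDefaultBlockedApps -AppIds $appIds

# Verify: accessType should read 'blocked' and the targets should list exactly your app IDs.
Get-InboundDefaultApps | ConvertTo-Json -Depth 5
```

Always run the final read-back: the default applies to every external organization that has no partner-specific inbound setting, so a typo in the target list affects all guests at once.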
Limiting the partner organizations to collaborate with externally
To limit the partner organizations to collaborate with externally, perform these steps:
- Sign in to the Entra portal. Perform multi-factor authentication when prompted.
- In the left navigation pane, expand the External Identities menu node and click the Cross-tenant access settings node in the Entra portal. This takes you to the External Identities | Cross-tenant access settings pane.
- Click on the Default settings tab. This takes you to the Default settings pane.
- Scroll down to Outbound access settings and click on the Edit outbound defaults link. This takes you to the Outbound access settings – Default settings pane.
- Under Users and groups, change the Access status setting from Allow access to Block access.
- Click Save at the bottom of the Outbound access settings – Default settings pane.
- In the left navigation pane, expand the External Identities menu node and click the Cross-tenant access settings node in the Entra portal again or click on Cross-tenant access settings in the breadcrumbs. This takes you back to the External Identities | Cross-tenant access settings pane.
- Click on the Organization settings tab.
- Under Organizational settings, follow the + Add organization link to onboard the organizations you want to allow your people to work with, by specifying their DNS domain names or tenant IDs.
- After onboarding, under Outbound access, per organization, click the Inherited from default link. This takes you to the Outbound access settings pane for the organization.
- Change the radio option from Default settings to Customize settings.
- Under Users and groups, change the Access status setting to Allow access.
- Click Save at the bottom of the Outbound access settings pane for the organization.
Tip!
Microsoft Defender for Cloud Apps can be used to create an inventory of the partner organizations people in your organization collaborate with, based on sign-ins. This information can be used to define the existing partner organizations before blocking the outbound default.
Limiting working with a specific partner organization based on a group membership
Assuming you have already limited the partner organizations to collaborate with externally (previous action), to limit working with a specific partner organization based on group membership, perform these steps:
- Sign in to the Entra portal. Perform multi-factor authentication when prompted.
- Create a group in Entra, or synchronize a group from Active Directory with a name that indicates the usage of the group, adhering to your organization's naming standard.
- In the left navigation pane, expand the External Identities menu node and click the Cross-tenant access settings node in the Entra portal. This takes you to the External Identities | Cross-tenant access settings pane.
- Click on the Organization settings tab.
- Under Organizational settings, follow the + Add organization link to onboard the organizations you want to allow these people to work with, by specifying their DNS domain names or tenant IDs.
- After onboarding, under Outbound access, per organization, click the Inherited from default link. This takes you to the Outbound access settings pane for the organization.
- Change the radio option from Default settings to Customize settings.
- Under Users and groups, change the Access status setting to Allow access.
- Under Users and groups, change the Applies to setting to Select users and groups.
- Follow the Add users and groups link. The Select Item blade appears.
- Select the group you created or synchronized earlier. Click the Select button at the bottom of the blade to save the selection and close the blade.
- The selected group is added to the list on the Outbound access settings pane for the organization.
- Click Save at the bottom of the Outbound access settings pane for the organization.
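The four outbound scenarios above (block an organization for everyone, block it for one group, allow-list partners by blocking the outbound default, and allow a partner for one group only) all come down to the same Graph objects. The following is an added example, not code from the original post; it assumes the Microsoft Graph PowerShell SDK is installed, that the signed-in account may edit cross-tenant access settings, and that the domain names and group names are placeholders you replace with your own.

```powershell
# Added example (not from the original post): the outbound cross-tenant access
# scenarios from this post, applied with Microsoft Graph instead of the portal.
# Assumptions: Microsoft.Graph PowerShell SDK; placeholder domains and group names.
Connect-MgGraph -Scopes 'Policy.ReadWrite.CrossTenantAccess', 'CrossTenantInformation.ReadBasic.All', 'Group.Read.All'

$graph = 'https://graph.microsoft.com/v1.0'

# Resolve a partner's tenant ID from one of its verified DNS domain names.
function Get-TenantIdByDomain {
    param([Parameter(Mandatory)][string]$DomainName)
    $uri = "$graph/tenantRelationships/findTenantInformationByDomainName(domainName='$DomainName')"
    return (Invoke-MgGraphRequest -Method GET -Uri $uri -ErrorAction Stop).tenantId
}

# Resolve a group's object ID from its display name; refuse ambiguity.
function Get-GroupIdByDisplayName {
    param([Parameter(Mandatory)][string]$DisplayName)
    $escaped = $DisplayName.Replace("'", "''")
    $result = Invoke-MgGraphRequest -Method GET -Uri "$graph/groups?`$filter=displayName eq '$escaped'&`$select=id" -ErrorAction Stop
    if ($result.value.Count -ne 1) { throw "Expected exactly one group named '$DisplayName', found $($result.value.Count)." }
    return $result.value[0].id
}

# Set the outbound 'Users and groups' access status for one partner organization.
# -GroupId omitted -> 'All users'; -GroupId given -> 'Select users and groups'.
# Sections not sent stay null in Graph, which means 'Inherited from default'.
function Set-PartnerOutboundUserAccess {
    param(
        [Parameter(Mandatory)][string]$TenantId,
        [Parameter(Mandatory)][ValidateSet('allowed', 'blocked')][string]$AccessType,
        [string]$GroupId
    )
    $target = if ($GroupId) { @{ target = $GroupId; targetType = 'group' } }
              else          { @{ target = 'AllUsers'; targetType = 'user' } }
    $body = @{
        tenantId = $TenantId
        b2bCollaborationOutbound = @{ usersAndGroups = @{ accessType = $AccessType; targets = @($target) } }
    }
    $partnerUri = "$graph/policies/crossTenantAccessPolicy/partners/$TenantId"
    try {
        # Partner already onboarded: update its settings in place.
        $null = Invoke-MgGraphRequest -Method GET -Uri $partnerUri -ErrorAction Stop
        Invoke-MgGraphRequest -Method PATCH -Uri $partnerUri -Body $body -ErrorAction Stop
    } catch {
        # Not found: onboard the organization together with these settings.
        Invoke-MgGraphRequest -Method POST -Uri "$graph/policies/crossTenantAccessPolicy/partners" -Body $body -ErrorAction Stop
    }
}

# Set the outbound *default* 'Users and groups' access status for all users.
function Set-OutboundDefaultUserAccess {
    param([Parameter(Mandatory)][ValidateSet('allowed', 'blocked')][string]$AccessType)
    $body = @{
        b2bCollaborationOutbound = @{
            usersAndGroups = @{ accessType = $AccessType; targets = @(@{ target = 'AllUsers'; targetType = 'user' }) }
        }
    }
    Invoke-MgGraphRequest -Method PATCH -Uri "$graph/policies/crossTenantAccessPolicy/default" -Body $body -ErrorAction Stop
}

# The scenarios below are alternatives; a later call for the same partner overwrites an earlier one.
# Scenario: block a specific organization for everyone (domain is a placeholder).
$competitor = Get-TenantIdByDomain -DomainName 'competitor.example'
Set-PartnerOutboundUserAccess -TenantId $competitor -AccessType blocked

# Scenario: block that organization only for members of one group (placeholder group name).
$noCollab = Get-GroupIdByDisplayName -DisplayName 'SEC-NoCollab-Competitor'
Set-PartnerOutboundUserAccess -TenantId $competitor -AccessType blocked -GroupId $noCollab

# Scenario: allow-list partners. Allow each partner first, then block the outbound default,
# so ongoing collaboration with already onboarded partners is never interrupted.
$partner = Get-TenantIdByDomain -DomainName 'partner.example'
Set-PartnerOutboundUserAccess -TenantId $partner -AccessType allowed
Set-OutboundDefaultUserAccess -AccessType blocked

# Scenario: with the default blocked, allow a partner only for one group (placeholder group name).
$partnerGroup = Get-GroupIdByDisplayName -DisplayName 'SEC-Collab-Partner'
Set-PartnerOutboundUserAccess -TenantId $partner -AccessType allowed -GroupId $partnerGroup

# Verify the effective per-partner outbound settings before announcing the change.
(Invoke-MgGraphRequest -Method GET -Uri "$graph/policies/crossTenantAccessPolicy/partners" -ErrorAction Stop).value |
    ForEach-Object { "$($_.tenantId): $($_.b2bCollaborationOutbound | ConvertTo-Json -Compress -Depth 5)" }
```

Two design choices worth noting: the helper checks whether the partner already exists and patches rather than re-creating it, so rerunning the script is safe; and the allow-list scenario onboards the partner with Allow access before the outbound default is switched to Block access, the reverse of the click order in the post, so users keep working with that partner throughout the change.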
In short: under Organizational settings, onboard the DNS domain names or tenant IDs of the organization in which you want to allow specific people to collaborate, or navigate to that partner organization in the list of organizations, and then change its organizational settings to only allow the group to collaborate with that organization.
Concluding
Entra's cross-tenant access settings allow for managing common B2B collaboration scenarios that were previously unmanageable on a per-organization basis through Entra's external collaboration settings, Entra's Identity Providers, SharePoint's sharing policies and even through Conditional Access.
In the next blogpost in this series, let's look at optimizing the end-user experience and privacy settings through the same cross-tenant access settings.