Cross-tenant access settings in now in preview. You can use cross-tenant access settings to manage collaboration with external Azure AD organizations but for non-Azure AD organizations, use collaboration settings.
https://portal.azure.com/#blade/Microsoft_AAD_IAM/AllowlistPolicyBlade
Table of Contents
What is Cross-tenant access?
External Identities cross-tenant access settings to manage how you collaborate with other Azure AD organizations through B2B collaboration. These settings determine both the level of inbound access users in external Azure AD organizations have to your resources, as well as the level of outbound access your users have to external organizations. They also let you trust multi-factor authentication (MFA) and device claims (compliant claims and hybrid Azure AD joined claims) from other Azure AD organizations.
Manage external access with inbound and outbound settings
B2B collaboration is enabled by default, but comprehensive admin settings let you control your B2B collaboration with external partners and organizations
- Outbound access settings control whether your users can access resources in an external organization. You can apply these settings to everyone, or you can specify individual users, groups, and applications.
- Inbound access settings control whether users from external Azure AD organizations can access resources in your organization. You can apply these settings to everyone, or you can specify individual users, groups, and applications.
- Trust settings (inbound) determine whether your Conditional Access policies will trust the multi-factor authentication (MFA), compliant device, and hybrid Azure AD joined device claims from an external organization if their users have already satisfied these requirements in their home tenants. For example, when you configure your trust settings to trust MFA, your MFA policies are still applied to external users, but users who have already completed MFA in their home tenants won’t have to complete MFA again in your tenant.
How does it affect Your tenant?
- The access settings you configure for users and groups must match the access settings for applications. Conflicting settings aren’t allowed, and you’ll see warning messages if you try to configure them.
- If you block access to all apps by default, users will be unable to read emails encrypted with Microsoft Rights Management Service (also known as Office 365 Message Encryption or OME). To avoid this issue, we recommend configuring your outbound settings to allow your users to access this app ID: 00000012-0000-0000-c000-000000000000. If this is the only application you allow, access to all other apps will be blocked by default.
- To configure cross-tenant access settings in the Azure portal, you’ll need an account with a Global administrator or Security administrator role.
- To configure trust settings or apply access settings to specific users, groups, or applications, you’ll need an Azure AD Premium P1 license.
PowerShell
Cross-tenant sign-in activity PowerShell script
You can get sign-in activity with the following. https://github.com/AzureAD/MSIdentityTools/wiki/Get-MSIDCrossTenantAccessActivity
1 |
Get-MSIDCrossTenantAccessActivity -SummaryStats -ResolveTenantId |
Sign-in logs PowerShell script
To determine your users’ access to external Azure AD organizations, you can use the Get-MgAuditLogSignIn cmdlet in the Microsoft Graph PowerShell SDK to view data from your sign-in logs for the last 30 days.
1 2 3 4 5 |
Get-MgAuditLogSignIn ` -Filter “ResourceTenantID ne ‘your tenant id’” ` -all:$True| ` group ResourceTenantId,AppDisplayName,UserPrincipalName| ` select count, @{n=’Ext TenantID/App User Pair’;e={$_.name}}] |
How to create or edit those settings?
Adding organization
First You will add the external tenant to Your settings.
You will see the tenant name and ID. You can also add the original onmicrosoft.com name.
Quick tip! You can use this webpage to check out any tenants ID
When You add the tenant it will use default settings.
Editing the Inbound settings – External users and groups
Opening settings opens the following page, from there You can example add specific users. Although at this time You have to add the object ID for the users or groups.
Applications
You can add Your own published applications or Microsoft applications.
Trust settings
- Trust multi-factor authentication from Azure AD tenants: Select this checkbox to allow your Conditional Access policies to trust MFA claims from external organizations. During authentication, Azure AD will check a user’s credentials for a claim that the user has completed MFA. If not, an MFA challenge will be initiated in the user’s home tenant.
- Trust compliant devices: Allows your Conditional Access policies to trust compliant device claims from an external organization when their users access your resources.
- Trust hybrid Azure AD joined devices: Allows your Conditional Access policies to trust hybrid Azure AD joined device claims from an external organization when their users access your resources.
Editing the Outbound settings
Users and groups
B2B collaboration outbound access settings determine whether your users can be invited to the external tenant for B2B collaboration and added to their directory as guests. Below, specify whether your users and groups can be invited to external tenant and the external applications they can access.
External applications
How to find the Application ID?
Every published application has an unique GUID as ID, You can find it from Enterprise application page
Or from App registrations page.
What are default settings?
External user experience
The experience is the same than with any Invited Azure AD guest user. Cross-tenant settings will only enforce chosen settings for the tenant specified or all tenants if You choose this setup.