Forum Discussion

Rob-CTL
Iron Contributor
May 24, 2024

Cross-Tenant Access - Security hole? or am I missing a setting?

Hi,

I am just having a play with cross-tenant access as we'd like to use Shared Channels in Teams. I've set up a test connection between two tenants. Tenant A is configured for inbound access from Tenant B and Tenant B is configured for outbound access to Tenant A. This appears to be working. The part that makes me very nervous is that if I sign into Azure using Tenant A's URL, i.e. https://portal.azure.com/TenantA, and then log in with my Tenant B credentials, I can see all the Azure Entra settings including user names, email, enterprise apps, devices etc. Is this by design? Can I do anything to prevent this kind of access?

Cheers

Rob

    • Rob-CTL
      Iron Contributor
      juliansperling thanks for the reply. I don't remember having a guest account on the tenant, and checking now there is nothing showing for the user (checked deleted items as well), but you are right, this seems to be the issue: if I use a different account from Tenant B it blocks access properly. So I can only guess there is something in the bowels of Entra where the user I was testing with used to have access and that is allowing them to see all of Entra. Not good.

      For info, the guest access permission is set to "limited access", but as you suggest I don't know if these are respected by the B2B connections.
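As an added example (not code from the original thread, Microsoft, or any of the posters), here is a PowerShell script an admin of Tenant A could run to check the three things this thread turns on: what the cross-tenant access policy actually allows for Tenant B (shared channels use B2B direct connect, which is a separate setting from B2B collaboration guests), whether any guest object from Tenant B still exists or sits in the soft-deleted items, and what the tenant-wide guest access restriction is set to, since that setting, not the cross-tenant policy, decides how much of the directory an existing guest can read. It also lists any directory role held by such a guest, because a role assignment would let the account read the directory regardless of the restriction. The tenant ID and domain are placeholders, and the script assumes the Microsoft.Graph PowerShell SDK is installed and the signed-in admin holds Policy.Read.All and User.Read.All.

```powershell
# Added example, not from the original post. Assumes the Microsoft.Graph PowerShell SDK
# is installed and the signed-in Tenant A admin holds Policy.Read.All and User.Read.All.
# The tenant ID and domain are hypothetical placeholders; substitute Tenant B's values.
$PartnerTenantId = '11111111-2222-3333-4444-555555555555'   # placeholder: Tenant B ID
$PartnerDomain   = 'tenantb.example'                        # placeholder: Tenant B domain

Connect-MgGraph -Scopes 'Policy.Read.All', 'User.Read.All' -NoWelcome

# 1. What Tenant A allows for Tenant B. Shared channels ride on B2B direct connect;
#    guest accounts are B2B collaboration. If no partner-specific entry exists, the
#    tenant defaults apply, so fall back to those instead of failing.
try {
    $policy = Get-MgPolicyCrossTenantAccessPolicyPartner `
        -CrossTenantAccessPolicyConfigurationPartnerTenantId $PartnerTenantId
    Write-Host "Partner-specific settings for $PartnerTenantId"
} catch {
    $policy = Get-MgPolicyCrossTenantAccessPolicyDefault
    Write-Host "No partner-specific entry; tenant default settings apply"
}
Write-Host 'B2B collaboration inbound:'
$policy.B2bCollaborationInbound | ConvertTo-Json -Depth 6
Write-Host 'B2B direct connect inbound:'
$policy.B2bDirectConnectInbound | ConvertTo-Json -Depth 6

# 2. Guest objects in Tenant A that originate from Tenant B. A guest UPN is mangled to
#    <user>_<domain>#EXT#@<tenantA>.onmicrosoft.com while Mail keeps the original
#    address, so match on both.
$guests = Get-MgUser -Filter "userType eq 'Guest'" -All `
    -Property Id,DisplayName,Mail,UserPrincipalName,CreatedDateTime,ExternalUserState
$fromPartner = $guests | Where-Object {
    ($_.Mail -and $_.Mail.EndsWith("@${PartnerDomain}", 'OrdinalIgnoreCase')) -or
    $_.UserPrincipalName -like "*_${PartnerDomain}#EXT#@*"
}
Write-Host "Active guests from ${PartnerDomain}: $($fromPartner.Count)"
$fromPartner | Format-Table DisplayName, Mail, ExternalUserState, CreatedDateTime

# Soft-deleted guests remain restorable for 30 days, so list those as well.
$deleted = Get-MgDirectoryDeletedItemAsUser -All |
    Where-Object { $_.UserPrincipalName -like "*_${PartnerDomain}#EXT#@*" }
Write-Host "Soft-deleted guests from ${PartnerDomain}: $($deleted.Count)"
$deleted | Format-Table DisplayName, Mail, DeletedDateTime

# 3. How much of the directory an existing guest may read. This is the tenant-wide
#    guest user access restriction on the authorization policy; the three documented
#    role IDs are mapped to their meaning.
$authz = Get-MgPolicyAuthorizationPolicy
$guestRoleNames = @{
    'a0b1b346-4d3e-4e8b-98f8-753987be4970' = 'Same access as members (can enumerate users, groups, devices, apps)'
    '10dae51f-b6af-4016-8d66-8c2a99b929b3' = 'Limited access (default; cannot enumerate users or groups)'
    '2af84b1e-32c8-42b7-82bc-daa82404023b' = 'Restricted access (own profile only)'
}
$roleId = "$($authz.GuestUserRoleId)"
$label  = if ($guestRoleNames.ContainsKey($roleId)) { $guestRoleNames[$roleId] } else { 'unknown value' }
Write-Host "Guest user access restriction: $roleId -> $label"

# 4. A directory role assigned to a guest overrides the restriction above, so report any.
foreach ($g in $fromPartner) {
    $roles = Get-MgUserMemberOf -UserId $g.Id -All |
        Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.directoryRole' }
    foreach ($r in $roles) {
        Write-Host "$($g.UserPrincipalName) holds directory role: $($r.AdditionalProperties['displayName'])"
    }
}
```

Reading the output: a non-empty list in step 2 explains why one particular Tenant B account can browse Tenant A while a fresh Tenant B account is blocked, a GuestUserRoleId of a0b1b346-… in step 3 means guests read the directory as members would, and any line from step 4 means that guest has been granted a role and would see the directory whatever the restriction says.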
