Forum Discussion

TonyOPS
Former Employee
Mar 18, 2024

New Blog Post | Cross-tenant access settings - Notes from the field

The introduction of cross-tenant access settings for Microsoft Entra External ID marked a pivotal shift in how organizations manage security and collaboration across different tenants. This blog post dives into the essence of these settings, focusing on their significance for secure B2B collaboration.

Three key areas of focus include:

  • The critical aspect of trusting multifactor authentication (MFA) from business collaborators, including an exploration of the balance between maintaining high security standards and ensuring a seamless user experience for B2B guest users, plus a perspective on simplifying authentication processes and reducing administrative burdens.
  • A closer look at the cross-tenant access settings and how they enable more granular control over cross-tenant collaboration. Real-world use cases illustrate how these policies are applied to manage and restrict access, ensuring security without hindering productivity and cooperation.
  • Insights into leveraging Microsoft Entra cross-tenant access policies for improved security and collaboration and to ensure a smooth user experience.

Trust MFA from business collaborators (B2B collaboration) by default

In today's interconnected digital landscape, organizations are increasingly embracing B2B collaboration to streamline workflows and facilitate cooperation with external partners. As part of this collaborative approach, many businesses routinely create guest user accounts within their Microsoft Entra tenants and grant trusted partners access to their resources.

To enhance security, many have already extended the MFA requirement to B2B guest users. This, however, requires external users in cross-tenant access scenarios to register an additional authentication method in the foreign tenant.

The need for B2B guest users to register an additional MFA method in the resource tenant increases account security, but at the same time it adds layers of complexity.

User experience disruption in a B2B collaboration scenario

B2B guest users who have already implemented MFA in their home tenant, and have become accustomed to the convenience of advanced MFA methods like Windows Hello for Business, encounter disruptions when attempting to access the resource tenant. Even if users have already provided strong authentication in their home tenant, they will still be prompted for authentication again in the resource tenant.

Figure 1: MFA prompt for a B2B guest user who accesses a protected resource in a foreign tenant

Administrative overhead for IT and users

Both the guest user and the resource tenant's IT team face additional administrative tasks. For the guest user, navigating a new MFA setup and maintaining an additional MFA registration can be annoying. For the tenant administrator and the support team, managing these additional MFA registrations can increase overhead significantly.

In cases where a guest user loses access to their device or does not have a backup for a new device, regaining access to their account involves additional administrative tasks for both the guest user and the resource tenant's IT team. The guest user may need to perform a new MFA setup, while the tenant support team needs to manage the additional MFA registrations.

Are you wondering why guest users must register an additional authentication method per resource tenant when they already have one in their home tenant? Well, let's talk about the trust settings in cross-tenant access settings.

Read the full post here: Cross-tenant access settings - Notes from the field - Tech Community 
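The trust settings the post refers to are the `inboundTrust` block of the cross-tenant access policy in Microsoft Graph. The following script is an added example, not code from the post or from Microsoft; it reads the tenant-wide default, then enables MFA trust for a single named partner tenant rather than for every tenant, and reads the result back. It assumes the Microsoft Graph PowerShell SDK is installed, that the signed-in account can consent to `Policy.ReadWrite.CrossTenantAccess`, and that `$partnerTenantId` is a placeholder you replace with the partner's real tenant ID.

```powershell
# Added example (not part of the original post): inspect and scope inbound MFA trust
# for B2B collaboration via the Microsoft Graph REST API, called from the Graph PowerShell SDK.
# Assumption: $partnerTenantId below is a placeholder, not a real tenant.

Connect-MgGraph -Scopes "Policy.ReadWrite.CrossTenantAccess"

$base = "https://graph.microsoft.com/v1.0/policies/crossTenantAccessPolicy"

# 1. Tenant-wide defaults: these apply to any partner that has no entry of its own.
$defaults = Invoke-MgGraphRequest -Method GET -Uri "$base/default" -OutputType PSObject
"Default inbound trust:"
$defaults.inboundTrust | Format-Table isMfaAccepted, isCompliantDeviceAccepted, isHybridAzureADJoinedDeviceAccepted

# 2. Trust MFA from one known partner only, instead of switching it on for every tenant.
#    Device trust is a separate decision and is deliberately left off here.
$partnerTenantId = "00000000-0000-0000-0000-000000000000"   # placeholder, replace with the partner's tenant ID
$trust = @{
    inboundTrust = @{
        isMfaAccepted                       = $true    # accept the MFA claim issued by the partner's home tenant
        isCompliantDeviceAccepted           = $false
        isHybridAzureADJoinedDeviceAccepted = $false
    }
}

$partners = Invoke-MgGraphRequest -Method GET -Uri "$base/partners" -OutputType PSObject
if ($partners.value | Where-Object tenantId -eq $partnerTenantId) {
    # A partner entry already exists: PATCH only the inbound trust block.
    Invoke-MgGraphRequest -Method PATCH -Uri "$base/partners/$partnerTenantId" -Body $trust
} else {
    # No entry yet: create one; tenantId is required on creation.
    $trust.tenantId = $partnerTenantId
    Invoke-MgGraphRequest -Method POST -Uri "$base/partners" -Body $trust
}

# 3. Read the setting back, which is also what a periodic audit of partner trust would do.
$after = Invoke-MgGraphRequest -Method GET -Uri "$base/partners/$partnerTenantId" -OutputType PSObject
"Partner $partnerTenantId now trusts home-tenant MFA: $($after.inboundTrust.isMfaAccepted)"
```

Once `isMfaAccepted` is true for a partner, a Conditional Access policy in the resource tenant that requires MFA is satisfied by the MFA claim from the guest's home tenant, so the guest is no longer asked to register a second method. Scoping the trust per partner keeps the default at "no trust" for tenants you have not vetted, and the final GET is the check worth repeating in an audit script.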
