Is there a way for our tenant administrators to see when users in our tenant have been added as B2B guests in other tenants?
Here's the scenario we stumbled across.
An ISV was commissioned by a business user to create a POC implementation of their software.
Somewhere along the line they were told they'd need to support our Single Sign-On (SiteMinder) for authentication.
The vendor may have been told, or just realized, that we have an AzureAD tenant that is federated to our SiteMinder STS.
The vendor stood up their software and established an OpenID Connect trust with THEIR AzureAD tenant.
They then invited some of our users as B2B EXT guests to their tenant, granted them access to the application and it worked!
I'm not convinced this is a 'bad' model, but it happened without requiring any action by our administrators. I'm not sure we're looking to prevent this, but some level of visibility/awareness would go a long way to ensuring a good user experience down the road should anything go sideways :o