Cross-Tenant Access - Security hole? or am I missing a setting?


Hi,


I am just having a play with cross-tenant access as we'd like to use Shared Channels in Teams. I've set up a test connection between two tenants. Tenant A is configured for inbound access from Tenant B, and Tenant B is configured for outbound access to Tenant A. This appears to be working. The part that makes me very nervous is that if I sign into Azure using Tenant A's URL, i.e. https://portal.azure.com/TenantA, and then log in with my Tenant B credentials, I can see all the Azure Entra settings including user names, email, enterprise apps, devices etc. Is this by design? Can I do anything to prevent this kind of access?


Cheers

Rob

2 Replies

@Rob Clarke How are your Guest Access Permissions configured? I don't know if B2B Direct Connect also respects these settings, but what you are describing goes against the documentation.

Did you perhaps previously create a guest account in Tenant A for the account from Tenant B? If you are only using shared channels you should not have a guest user object in Tenant A!

@juliansperling thanks for the reply. I don't remember having a guest account on the tenant, and checking now there is nothing showing for the user (checked deleted items as well), but you are right, this seems to be the issue: if I use a different account from Tenant B it blocks access properly. So I can only guess there is something in the bowels of Entra where the user I was testing with used to have access, and that is allowing them to see all of Entra - not good.

For info, the guest access permission is set to "limited access", but as you suggest I don't know if these are respected by the B2B connections.
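The thread points at three things worth checking from Tenant A's side before concluding anything: what the cross-tenant access policy actually allows inbound from Tenant B (B2B direct connect and B2B collaboration are separate switches), what the guest user access restriction is set to, and whether any guest object for the Tenant B account exists, live or soft-deleted. The script below is an added example, not code from the original thread or from Microsoft; it assumes the Microsoft Graph PowerShell SDK, an account in Tenant A allowed to read policies, users, deleted items and sign-in logs, and uses placeholder values for the Tenant B tenant ID and the test user's UPN.

```powershell
# Added example (not from the thread). Placeholders: replace with Tenant B's
# tenant ID and the Tenant B account you tested with.
$PartnerTenantId = "00000000-0000-0000-0000-000000000000"
$TestUpn         = "rob@tenantb.example"

# Read-only scopes are enough for every query below.
Connect-MgGraph -Scopes "Policy.Read.All","User.Read.All","Directory.Read.All","AuditLog.Read.All" -NoWelcome

# 1. Partner-specific inbound settings for Tenant B. A $null access type means
#    no partner override exists and the default policy applies instead.
$partner = Get-MgPolicyCrossTenantAccessPolicyPartner `
    -CrossTenantAccessPolicyConfigurationPartnerTenantId $PartnerTenantId
$default = Get-MgPolicyCrossTenantAccessPolicyDefault
[pscustomobject]@{
    DirectConnectInboundUsers   = $partner.B2bDirectConnectInbound.UsersAndGroups.AccessType
    DirectConnectInboundApps    = $partner.B2bDirectConnectInbound.Applications.AccessType
    CollaborationInboundUsers   = $partner.B2bCollaborationInbound.UsersAndGroups.AccessType
    CollaborationInboundApps    = $partner.B2bCollaborationInbound.Applications.AccessType
    DefaultCollabInboundUsers   = $default.B2bCollaborationInbound.UsersAndGroups.AccessType
    DefaultDirectConnectInbound = $default.B2bDirectConnectInbound.UsersAndGroups.AccessType
} | Format-List

# 2. The "Guest user access restrictions" setting (guestUserRoleId on the
#    authorization policy). The GUIDs are the documented role template IDs.
$guestRoleNames = @{
    "a0b1b346-4d3e-4e8b-98f8-753987be4970" = "Same as member users (can enumerate the directory)"
    "10dae51f-b6af-4016-8d66-8c2a99b929b3" = "Limited access"
    "2af84b1e-32c8-42b7-82bc-daa82404023b" = "Restricted (own objects only)"
}
$authz = Get-MgPolicyAuthorizationPolicy
"Guest user access restriction: {0}" -f $guestRoleNames[$authz.GuestUserRoleId]

# 3. Any guest object for the Tenant B account in Tenant A. Guest UPNs are
#    built as <local>_<domain>#EXT#@<tenantA>, so match on that prefix or on mail.
$extPrefix = $TestUpn.Replace("@", "_") + "#EXT#"
$live = Get-MgUser -Filter "userType eq 'Guest'" -All `
            -Property Id,UserPrincipalName,Mail,ExternalUserState,CreatedDateTime |
        Where-Object { $_.UserPrincipalName -like "$extPrefix*" -or $_.Mail -eq $TestUpn }
$deleted = Get-MgDirectoryDeletedItemAsUser -All |
        Where-Object { $_.UserPrincipalName -like "$extPrefix*" }

"Live guest objects for ${TestUpn}: {0}" -f @($live).Count
$live    | Format-Table Id, UserPrincipalName, ExternalUserState, CreatedDateTime -AutoSize
"Soft-deleted guest objects for ${TestUpn}: {0}" -f @($deleted).Count
$deleted | Format-Table Id, UserPrincipalName, DeletedDateTime -AutoSize

# 4. If a live object exists, show its recent sign-ins into Tenant A so the
#    portal session can be tied to that object rather than to direct connect.
if ($live) {
    $since = (Get-Date).AddDays(-30).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ")
    foreach ($u in $live) {
        Get-MgAuditLogSignIn -Filter "userId eq '$($u.Id)' and createdDateTime ge $since" -Top 50 |
            Select-Object CreatedDateTime, AppDisplayName, ResourceDisplayName,
                          @{n = "ErrorCode"; e = { $_.Status.ErrorCode }} |
            Format-Table -AutoSize
    }
}
```

The reason step 3 matters more than step 1: a B2B direct connect user has no user object in the resource tenant, so there is nothing for a portal sign-in to Tenant A to land on; a portal session that shows Tenant A's directory implies a guest (B2B collaboration) or member object for that identity. The guest user access restriction in step 2 applies to those guest objects, which is also why it has nothing to act on for direct connect users. If step 3 finds nothing and the sign-in still succeeds, the next place to look is the Tenant A sign-in log filtered on the Tenant B home tenant rather than on a user object.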