Microsoft Entra Blog

Cross-tenant access settings - Notes from the field

HeikoBischoff (Microsoft)
Mar 18, 2024

The introduction of cross-tenant access settings for Microsoft Entra External ID changed how organizations manage security and collaboration across tenants. This blog post looks at what these settings do and why they matter for secure B2B collaboration.

Three key areas of focus:

  • Trusting multifactor authentication (MFA) from business collaborators: the balance between maintaining high security standards and giving B2B guest users a seamless experience, and a way to simplify authentication and reduce administrative burden.
  • A closer look at the cross-tenant access settings and how they enable granular control over cross-tenant collaboration. Real-world use cases show how these policies manage and restrict access without hindering productivity.
  • Guidance on using Microsoft Entra cross-tenant access policies to improve security and collaboration while keeping the user experience smooth.

 

Trust MFA from business collaborators (B2B collaboration) by default 

 

In today's interconnected digital landscape, organizations are increasingly embracing B2B collaboration to streamline workflows and facilitate cooperation with external partners. As part of this collaborative approach, many businesses routinely create guest user accounts within their Microsoft Entra tenants and grant trusted partners access to their resources. 

 

To enhance security, many organizations have already extended their MFA requirement to B2B guest users. This, however, requires external users in cross-tenant access scenarios to register an additional authentication method in the foreign tenant.

Requiring B2B guest users to register an additional MFA method in the resource tenant does increase account security, but at the same time it adds layers of complexity.

 

User experience disruption in a B2B collaboration scenario 

 

B2B guest users who have already set up MFA in their home tenant, and have become accustomed to the convenience of advanced methods like Windows Hello for Business, encounter disruptions when they access the resource tenant. Even if they have already authenticated strongly in their home tenant, they are prompted to authenticate again in the resource tenant.

Figure 1: MFA prompt for a B2B guest user accessing a protected resource in a foreign tenant

 

 

Administrative overhead for IT and users 

 

Both the guest user and the resource tenant's IT team face additional administrative tasks. For the guest user, navigating a new MFA setup and maintaining an additional MFA registration can be annoying. For the tenant administrator and the support team, managing these additional MFA registrations can increase overhead significantly.  

 

In cases where a guest user loses access to their device or has no backup for a new device, regaining access to the account involves additional administrative tasks for both the guest user and the resource tenant's IT team. The guest user may need to perform a new MFA setup, while the tenant support team needs to manage the additional MFA registrations.

 

Are you wondering why guest users must register an additional authentication method per resource tenant when they already have one in their home tenant? Well, let's talk about the trust settings in cross-tenant access settings. 

 

Simplifying the authentication process 

 

A more efficient approach to managing MFA in cross-tenant B2B collaboration is to trust the MFA from the guest's home tenant. Doing so eliminates the need for additional MFA registration and maintenance in the resource tenant: the user keeps using the strong authentication method already registered in their home tenant and does not have to register another method in the resource tenant. This is a considerable relief for the user, and the resource tenant's support team no longer has to deal with guests' MFA registrations.

 

The MFA default trust settings are configured in the Microsoft Entra admin center (https://entra.microsoft.com). In the default configuration, a Microsoft Entra ID tenant does not trust any incoming MFA from other tenants. To change the behavior, the inbound defaults must be edited. The following screenshots provide a walkthrough and show the desired configuration. The "Trust multifactor authentication from Microsoft Entra tenants" setting is disabled by default and must be enabled. 

 

 

Figure 2: Cross-tenant access settings in Microsoft Entra admin center

 

 

Figure 3: Cross-tenant access settings - Default Trust settings

 

This simple configuration enables B2B guest users to satisfy MFA requirements in the resource tenant with the MFA they already use in their home tenant.

Once configured, B2B guest users can also satisfy those requirements with methods of a higher authentication strength than the MFA methods a foreign resource tenant could offer them. This is an important advantage, because it enables the use of phishing-resistant authentication methods for B2B collaboration.
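The same change made with the Microsoft Graph PowerShell SDK instead of the portal, as an added example that is not part of the original post. It assumes the Microsoft.Graph.Identity.SignIns module is installed and that the signed-in administrator can grant the Policy.ReadWrite.CrossTenantAccess permission. The two device-trust flags are read back and re-submitted unchanged, so the update touches only MFA trust.

```powershell
# Added example (not from the original post): enable "Trust multifactor
# authentication from Microsoft Entra tenants" in the default inbound trust
# settings via Microsoft Graph PowerShell.
# Assumes: Microsoft.Graph.Identity.SignIns module installed; admin can consent
# to Policy.ReadWrite.CrossTenantAccess.
Connect-MgGraph -Scopes "Policy.Read.All", "Policy.ReadWrite.CrossTenantAccess"

# Read the current defaults first. A fresh tenant reports IsMfaAccepted = False,
# which is the "does not trust any incoming MFA" behaviour described above.
$defaults = Get-MgPolicyCrossTenantAccessPolicyDefault
$trust    = $defaults.InboundTrust
$trust | Format-List IsMfaAccepted, IsCompliantDeviceAccepted, IsHybridAzureADJoinedDeviceAccepted

# Enable MFA trust only. The device-trust flags are re-submitted with their
# current values so that this change does not silently alter them.
Update-MgPolicyCrossTenantAccessPolicyDefault -InboundTrust @{
    isMfaAccepted                       = $true
    isCompliantDeviceAccepted           = [bool]$trust.IsCompliantDeviceAccepted
    isHybridAzureADJoinedDeviceAccepted = [bool]$trust.IsHybridAzureADJoinedDeviceAccepted
}

# Re-read and confirm the setting took effect.
(Get-MgPolicyCrossTenantAccessPolicyDefault).InboundTrust.IsMfaAccepted
```

Keeping the read-before-write step matters in a tenant where device trust has already been enabled for some reason; it also gives you a record of the previous state for change management.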

 

Figure 4: Comparison of the authentication methods available in the home tenant and a resource tenant

 

For more information about available authentication methods, refer to the Microsoft Entra documentation about authentication strengths for external users. 

 

While this configuration is designed to improve the user experience and reduce administrative effort, it can inadvertently create security risks. For instance, guest users might use simpler, less secure authentication methods in their home tenant than the methods typically required in the resource tenant.

To mitigate these risks, combine the cross-tenant access trust settings with Conditional Access and authentication strengths, which are designed to work together with them. With MFA trust, guest users can use the same phishing-resistant authentication methods they use in their home tenant, such as Windows Hello for Business, FIDO2 keys, and certificate-based authentication, to access the resource tenant.

This key advantage can be used to increase the sign-in security of guest users. When the default trust settings are adjusted, the Conditional Access policies and authentication strengths should be reviewed at the same time.
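One way to close the gap described above, as an added example that is not part of the original post: a Conditional Access policy that requires the built-in "Phishing-resistant MFA" authentication strength for B2B collaboration guests from all external tenants. It is created in report-only mode so its effect can be reviewed in the sign-in logs before enforcement. The policy name and the "all cloud apps" scope are example choices; the module and permission assumptions are the same as for the trust-settings example.

```powershell
# Added example (not from the original post): require phishing-resistant MFA for
# B2B collaboration guests once MFA trust is enabled, starting in report-only mode.
# Assumes: Microsoft.Graph.Identity.SignIns module installed; admin can consent to
# Policy.ReadWrite.ConditionalAccess. Policy name and app scope are example values.
Connect-MgGraph -Scopes "Policy.Read.All", "Policy.ReadWrite.ConditionalAccess"

# Resolve the built-in strength by display name instead of hard-coding its ID.
$strength = Get-MgPolicyAuthenticationStrengthPolicy |
    Where-Object { $_.DisplayName -eq 'Phishing-resistant MFA' }
if (-not $strength) { throw "Built-in 'Phishing-resistant MFA' strength not found" }

$params = @{
    displayName = "CA-Guests-PhishingResistant (report-only)"   # example name
    state       = "enabledForReportingButNotEnforced"          # report-only first
    conditions  = @{
        clientAppTypes = @("all")
        applications   = @{ includeApplications = @("All") }
        users          = @{
            # Scope: B2B collaboration guests from every external tenant.
            includeGuestsOrExternalUsers = @{
                guestOrExternalUserTypes = "b2bCollaborationGuest"
                externalTenants          = @{
                    "@odata.type"  = "#microsoft.graph.conditionalAccessAllExternalTenants"
                    membershipKind = "all"
                }
            }
        }
    }
    grantControls = @{
        operator               = "OR"
        authenticationStrength = @{ id = $strength.Id }
    }
}

$policy = New-MgIdentityConditionalAccessPolicy -BodyParameter $params
$policy | Select-Object Id, DisplayName, State
```

Without MFA trust, a guest could never satisfy this policy with a credential from their home tenant; with it, the authentication strength evaluates the method the guest actually used at home, which is the point of reviewing Conditional Access and trust settings together.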

 

We explored the benefits of using MFA trust to leverage the same strong authentication methods used by guest users in their home tenant to improve security, usability and efficiency. In the next chapter, we will look at how tenant administrators can control outbound collaboration settings. 

 

Outbound access restrictions  

 

With Microsoft Entra cross-tenant access settings, organizations can manage their collaboration with other Microsoft Entra organizations. These settings provide more granular control over access, allowing you to manage how you collaborate with external organizations. In this section, we will take a closer look at the outbound settings feature and its capabilities. 

 

Tenant restrictions vs. inbound and outbound settings 

 

Tenant restrictions and cross-tenant access settings are two powerful tools that can help you control access to your organization’s resources. While they are often configured together, it’s important to understand that they operate separately from one another. 

 

As per this Microsoft Learn article:  

 

“Although tenant restrictions are configured along with your cross-tenant access settings, they operate separately from inbound and outbound access settings. 

 

Cross-tenant access settings give you control when users sign in with an account from your organization.  

 

By contrast, tenant restrictions give you control when users are using an external account.” 

 

Think of cross-tenant access settings this way: 

 

  • Inbound settings control external account access to your internal apps. 
  • Outbound settings control internal account access to external apps. 
  • Tenant restrictions control external account access to external apps. 

 

To summarize, tenant restrictions let you create a policy that controls access to external apps when users sign in with an external account from your networks or devices, while the inbound and outbound access settings focus on guest accounts in your tenant or guest accounts in resource tenants (what your users are accessing, and where).

With that cleared up, let's focus on an outbound access setting and a real-world application.

 

Real-world use case  

 

Let’s have a look at a real-world use case to leverage the outbound settings control. The Contoso organization is used in the following use case:  

 

Contoso would like to implement more detailed controls with B2B business collaborators. 

 

  • Contoso would like to only collaborate with specific organizations. This includes the ability to securely add or remove partner organizations as the need arises.   
  • Additionally, Contoso would need the ability to restrict applications that can be accessed in any partner resource tenant along with the ability to restrict and control user access to partner resource tenants. 

 

Setup and configuration 

 

To set up the outbound restriction for this use case, we configure the outbound defaults. This blocks all outbound collaboration. Note that the block can be scoped to all users or selected users, and to all or selected external applications.

From within the Microsoft Entra admin center, navigate to the External Identities menu and select Cross-tenant access settings. From there, open the Default settings tab and select Edit outbound defaults. Select Block access, then the Applies to option. We can either select a subset of users or apply the block to all users. In this example, all users and all external applications are blocked.

 

 

Figure 5: Outbound defaults

 

 

Figure 6: Outbound block access

 

Attempting any access in a resource tenant now results in the notification below. This is expected, since the tenant-wide outbound access default explicitly blocks any access at the resource tenant level.

 

Figure 7: Resource tenant blocked

 

By looking at the user sign-in logs, we can confirm the same conclusion from the failure reason and the resource tenant accessed.

 

Figure 8: Sign-in logs

 

To enable collaboration while the outbound access default is in place, the tenant ID or domain name of the resource tenant must be added as an organization in the cross-tenant access settings of Microsoft Entra. In the example below, the tenant of Contoso's partner organization "Wingtip Toys" is added, and its outbound access configuration is set up to allow collaboration for selected Contoso users. In this case, members of the group External-TR-ContosoAccess are allowed access to the selected applications, as shown in figure 9.

In addition, a Privileged Access Group (PAG) can be used so that there is no permanent standing access. Access must then be requested via Privileged Identity Management (PIM). The PIM activation process can be set up to require an approver, MFA, or an additional authentication context via Conditional Access, for example step-up authentication or location-based policy restrictions.

 

Figure 9: Outbound access settings users and groups

 
 

 

Figure 10: Outbound access settings external applications

 

Once the outbound access settings are configured, any user who is part of the selected users or groups will be allowed access to the selected external applications. In the example below, the demo user accessed a selected external application as configured above.

Figure 11: Sign-in log, successful access
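Contoso's outbound configuration from the use case above, done with the Microsoft Graph PowerShell SDK as an added example that is not part of the original post. Step 1 blocks outbound B2B collaboration for all users and all external applications by default; step 2 adds Wingtip Toys as a partner organization and allows only members of External-TR-ContosoAccess to reach one selected application there; step 3 reads recent sign-ins to that tenant so the block and the allow can be verified the way figures 8 and 11 do in the portal. The partner tenant ID and application ID are placeholders, not values from the post; the group name is the one the post uses.

```powershell
# Added example (not from the original post): outbound default block plus a
# partner-specific allow, via Microsoft Graph PowerShell.
# Assumes: Microsoft.Graph.Identity.SignIns, Microsoft.Graph.Groups and
# Microsoft.Graph.Reports modules installed; admin can consent to the scopes below.
# The tenant ID and application ID are placeholders (not from the post).
Connect-MgGraph -Scopes "Policy.ReadWrite.CrossTenantAccess", "Group.Read.All", "AuditLog.Read.All"

# --- Step 1: outbound default = block all users to all external applications ----
Update-MgPolicyCrossTenantAccessPolicyDefault -B2bCollaborationOutbound @{
    usersAndGroups = @{
        accessType = "blocked"
        targets    = @(@{ target = "AllUsers"; targetType = "user" })
    }
    applications   = @{
        accessType = "blocked"
        targets    = @(@{ target = "AllApplications"; targetType = "application" })
    }
}

# --- Step 2: partner entry for Wingtip Toys with a scoped allow -----------------
$wingtipTenantId = "00000000-0000-0000-0000-000000000000"   # placeholder partner tenant ID
$allowedAppId    = "11111111-1111-1111-1111-111111111111"   # placeholder application (client) ID
$group = Get-MgGroup -Filter "displayName eq 'External-TR-ContosoAccess'"
if (-not $group) { throw "Group External-TR-ContosoAccess not found" }

# Only the named group, and only the one application; everything else for this
# partner still falls back to the blocking default from step 1.
New-MgPolicyCrossTenantAccessPolicyPartner -TenantId $wingtipTenantId -B2bCollaborationOutbound @{
    usersAndGroups = @{
        accessType = "allowed"
        targets    = @(@{ target = $group.Id;    targetType = "group" })
    }
    applications   = @{
        accessType = "allowed"
        targets    = @(@{ target = $allowedAppId; targetType = "application" })
    }
}

# --- Step 3: verify -----------------------------------------------------------
# Partner entries and their outbound access types.
Get-MgPolicyCrossTenantAccessPolicyPartner | Select-Object TenantId,
    @{ n = "OutboundUsers"; e = { $_.B2bCollaborationOutbound.UsersAndGroups.AccessType } },
    @{ n = "OutboundApps";  e = { $_.B2bCollaborationOutbound.Applications.AccessType } }

# Recent sign-ins from this tenant's users into the partner tenant: a non-zero
# error code with its failure reason corresponds to the blocked attempt in figure 8,
# error code 0 to the successful access in figure 11.
Get-MgAuditLogSignIn -Top 200 |
    Where-Object { $_.ResourceTenantId -eq $wingtipTenantId } |
    Select-Object CreatedDateTime, UserPrincipalName, AppDisplayName,
        @{ n = "ErrorCode"; e = { $_.Status.ErrorCode } },
        @{ n = "Reason";    e = { $_.Status.FailureReason } }
```

If External-TR-ContosoAccess is managed with PIM for Groups, the same outbound policy applies unchanged: a user only matches the group target while their membership is active, which is how the "no permanent standing access" variant above is achieved.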

 
 

With cross-tenant access and outbound access settings, customers can granularly restrict and control collaboration with external resource tenants. This enables more control over what your internal accounts can access externally and where.  

 

A word of caution: Before enabling this, understand that it is a tenant-wide configuration. Evaluate your organization's collaboration needs and scope the outbound access setting and the allowed organizations accordingly.

 

More info can be found here 

 

Summary 

 

In this blog post, we explored how to use cross-tenant access and outbound access settings in Microsoft Entra to manage and secure external collaboration. Cross-tenant access allows you to share your resources with users from other tenants, while outbound access settings and tenant restrictions let you control which external tenants your users can access. You can configure both features at the tenant level and specify the allowed or blocked organizations according to your business needs. Additionally, we have discussed how to use Default MFA Trust to use existing, strong authentication methods from foreign tenants in cross-tenant access scenarios and improve your security posture.  

 

In the next blog, we will look more closely at tenant restrictions and authentication strengths and contexts. Keep following this blog series, post your feedback, and we hope you join us again. 

   

Morne Naude, Senior Consultant 
Heiko Bischoff, Senior Consultant 

  

 


Updated Mar 15, 2024
Version 1.0
  • C_the_S (Bronze Contributor)

    It would have been useful to know what level of licenses are needed for this functionality as it isn't available for base tenants.

    According to my info a tenant needs to have Entra ID P1 or P2 licenses for this to work.

  • BorisBerkelaar (Copper Contributor)

    Brian Reid C_the_S You only require licenses for users of your own organization, with a minimum of one license. All other users (that you could mark as guest user or external member in Entra ID) are not required to have a license! There is one other limitation: a guest to member ratio of 5:1. However, you may switch to monthly active users (MAU) using a subscription, where the first few users are actually free. I believe it's 50.000. Other benefit of attaching a subscription is that you become eligible for support. 

     

    What I find to be the downside is that it's impossible to block access to all apps and only allow specific ones. For example the admin portals: if you only allow admin portals, access will be blocked because of some service principal AADIBIZAUX not being included in allowing access to the admin portals.

     

    Unfortunately this service principal cannot be added to the allow list. Feedback from Microsoft is that it's a known issue with no known date of a fix. 

  • toddnelson-work (Copper Contributor)

    Being able to enforce MFA for guests was great before cross-tenant access came along. Now that we can trust MFA for specific Azure tenants (or globally for all Azure tenants), it is a step in the right direction. We still have hundreds of guests that are not part of an Azure tenant and it is painful to manage MFA for mobile devices that those guests replace or lose. Can't wait to see when there will be an option for non-Azure tenants.

  • As C_the_S noted, this requires Entra P1 or higher licenses and so real notes from the field completely miss the fact that this does not work for any, probably smaller, company without this license. With Security Defaults enabled in the home tenant guests need to create an additional MFA prompt/account for any home tenant they are invited into.

     

    If you really want a better end user experience then the MFA Trust setting would not be license restricted. 

     

    This one feature needs revisiting and considering again from a licence perspective. 

  • It's not possible to know what method of MFA the guest user's home tenant is enforcing or allowing the guest user to use. I would say trust the guest user's tenant if you trust the guest user's tenant.

  • NicolasHon (Brass Contributor)

    Thank you for this great article.

    So if I understand correctly, if I don't trust SMS as an MFA method in my tenant and I activate the cross-tenant trust settings, the user from the other tenant will be able to use his SMS method even if it is disabled in my tenant, until I configure Conditional Access to require the strongest method, right?

     

    By the way, how can we trust a second factor method in another tenant in a zero-trust world?

  • Mike_Walley (Copper Contributor)

    Very informative and helpful article. Thank you.

     

    Does anyone have insight into what happens in the scenario that the B2B user tenant has no MFA requirement?