This chapter covers two critical identity and access features for multi-tenant Microsoft 365 environments: B2B Direct Connect and Cross-Tenant Sync. These technologies enable organizations to collaborate securely across Azure AD tenants without creating external user objects or sharing credentials. On the MS-102 exam, questions on this topic appear in approximately 5-8% of questions under Objective 2.3 (Manage identity and access for external users). You will be expected to understand the differences between B2B Collaboration, B2B Direct Connect, and Cross-Tenant Sync, and know when to use each. This chapter provides the deep technical detail you need to answer scenario-based questions confidently.
Jump to a section
Imagine two corporate office buildings owned by different companies. Each building has its own badge system, directory of employees, and internal phone network. B2B Collaboration (traditional guest access) is like building a shared visitor lobby between the two buildings. Visitors from Company A can enter Company B's lobby, but they can't go into the offices unless they are individually escorted. They also can't see the internal directory or use internal resources. B2B Direct Connect is like building a private, dedicated bridge between the two buildings at the executive floor level. Only designated employees from each company can use the bridge, and when they cross, they can access shared conference rooms, printers, and the other company's internal directory (with permissions). Cross-tenant sync is like automatically updating each building's badge system with a list of authorized visitors from the other company, including their role and department, so they can be recognized and granted appropriate access without manual intervention. Direct Connect provides the real-time bridge; sync provides the identity data. Without sync, you'd have to manually register each visitor. Without Direct Connect, you'd be limited to the shared lobby. Together, they enable seamless, secure cross-company collaboration with fine-grained access control.
What Are B2B Direct Connect and Cross-Tenant Sync?
B2B Direct Connect is a feature in Microsoft Entra External ID that allows users from one tenant to access resources in another tenant without being invited as guests. Instead, a mutual trust relationship is established through organizational settings. Cross-Tenant Sync is a separate feature that synchronizes user identities from one tenant to another as B2B collaboration users, enabling seamless access while maintaining user lifecycle management.
These features are designed for organizations that need to collaborate with partners or subsidiaries that have their own Azure AD tenants. They differ from B2B Collaboration (inviting guests via email) in that they require pre-configuration and mutual agreement.
How B2B Direct Connect Works
B2B Direct Connect relies on cross-tenant access settings and organizational relationships. Here's the mechanism:
Configuration: Tenant A admin configures an organizational relationship with Tenant B in the Azure AD portal under External Identities > Cross-tenant access settings. They specify an inbound policy to allow users from Tenant B, and optionally an outbound policy to allow their users to access Tenant B's resources.
Resource Access: When a user from Tenant B tries to access a resource in Tenant A (e.g., a SharePoint site or Teams shared channel), Tenant A's Azure AD checks if there is a cross-tenant access policy allowing Tenant B. If yes, the user is allowed to authenticate using their home tenant credentials.
User Object: No guest user object is created in Tenant A. The user remains a cloud-only object in Tenant B. Tenant A only has a reference to the user's identity via a B2B Direct Connect user type (visible in Azure AD but with limited properties).
Permissions: Access is controlled by the resource application (e.g., SharePoint or Teams). The user's home tenant attributes (like group memberships) can be used for authorization if the resource trusts them.
How Cross-Tenant Sync Works
Cross-Tenant Sync is a more recent feature that addresses the need for user lifecycle management across tenants. It uses the Microsoft Identity Synchronization Service (MISS) to replicate user objects from a source tenant to a target tenant as B2B collaboration users.
Sync Mechanism: The target tenant creates a configuration that specifies the source tenant and the users/groups to sync. The source tenant must consent. The sync runs periodically (default every 5 minutes) to keep user attributes updated.
User Objects: In the target tenant, synced users appear as B2B collaboration users with a UserType of 'Guest'. They have a UPN of the form user_<sourceTenantId>#EXT#@<targetTenant>.onmicrosoft.com.
Attributes: Only a subset of attributes are synced: display name, email, user principal name, user type, and group memberships (if groups are synced). Password hashes are NOT synced; users authenticate against their home tenant.
Lifecycle: When a user is deleted in the source tenant, they are soft-deleted in the target tenant after a sync cycle. The target admin can restore or permanently delete.
Key Components and Defaults
Cross-tenant access settings: Default policy is to block all inbound and outbound B2B Direct Connect. You must explicitly allow specific tenants.
Trust settings: You can trust multi-factor authentication (MFA), compliant device claims, and hybrid Azure AD join claims from the other tenant. Default is not to trust.
Default sync interval: 5 minutes for Cross-Tenant Sync. Cannot be changed.
Maximum number of synced objects: 50,000 users per sync configuration (as of latest documentation).
Supported resource types for Direct Connect: SharePoint Embedded, Teams shared channels, and Microsoft 365 groups (limited).
Configuration and Verification Commands
Using Microsoft Graph PowerShell:
To configure cross-tenant access settings:
# Install module
Install-Module Microsoft.Graph.Identity.SignIns -Scope CurrentUser
# Connect
Connect-MgGraph -Scopes "Policy.ReadWrite.CrossTenantAccess"
# Create a cross-tenant access policy for a partner tenant
$params = @{
@odata.type = "#microsoft.graph.crossTenantAccessPolicyConfigurationPartner"
tenantId = "partner-tenant-id"
inboundTrust = @{
isMfaAccepted = $true
isCompliantDeviceAccepted = $true
isHybridAzureADJoinedDeviceAccepted = $false
}
b2bDirectConnectOutbound = @{
usersAndGroups = @{
accessType = "allowed"
targets = @(
@{
@odata.type = "#microsoft.graph.crossTenantAccessPolicyTarget"
targetType = "user"
targetId = "allUsers"
}
)
}
}
}
New-MgPolicyCrossTenantAccessPolicyPartner -BodyParameter $paramsTo configure Cross-Tenant Sync:
# Install module
Install-Module Microsoft.Graph.Identity.DirectoryManagement -Scope CurrentUser
# Connect
Connect-MgGraph -Scopes "CrossTenantUserProfileSharing.ReadWrite.All"
# Create a cross-tenant sync configuration (target tenant perspective)
$params = @{
displayName = "Sync with Partner"
sourceTenantId = "source-tenant-id"
userSyncInbound = @{
isSyncAllowed = $true
}
}
New-MgPolicyCrossTenantAccessPolicyDefault -BodyParameter $paramsInteraction with Related Technologies
B2B Collaboration: Unlike Direct Connect, B2B Collaboration creates guest user objects in the target tenant. Cross-Tenant Sync actually creates B2B Collaboration users, so it's a way to automate guest creation.
Azure AD B2C: Not related; B2C is for consumer-facing identity.
Conditional Access: Policies can target B2B Direct Connect users, but since no user object exists, some conditions (like location) may not apply. For Cross-Tenant Sync users, they are regular guest objects and fully subject to CA.
Microsoft 365 Groups: Direct Connect users can be added to groups in the resource tenant if the group allows external members.
Common Misconfigurations
Missing trust settings: If MFA trust is not enabled, users from the partner tenant may be prompted for MFA again even if they already completed it at home.
Incorrect tenant ID: The partner tenant ID must be exact; otherwise, the policy doesn't apply.
Sync scope too broad: Syncing all users can exceed the 50,000 limit. Use scoping filters.
Permissions: To configure cross-tenant settings, you need at least the Security Administrator role. Cross-Tenant Sync requires Global Administrator or a custom role with CrossTenantUserProfileSharing.ReadWrite.All.
1. Identify collaboration requirements
Determine whether you need B2B Direct Connect (no user objects, real-time access) or Cross-Tenant Sync (user objects, lifecycle management). For Teams shared channels, Direct Connect is required. For SharePoint sites where you want users to appear in people picker, you need Sync. Evaluate security requirements: do you need to trust MFA or device claims? Document the partner tenant ID and domain names.
2. Configure cross-tenant access settings
In the Azure AD portal, go to External Identities > Cross-tenant access settings. Add an organizational relationship for the partner tenant. Set inbound and outbound policies for B2B Direct Connect and B2B Collaboration. Specify trust settings for MFA, compliant devices, and hybrid Azure AD join. Use Microsoft Graph or PowerShell for automation.
3. (Optional) Configure Cross-Tenant Sync
In the target tenant, go to External Identities > Cross-tenant sync. Create a new sync configuration. Select the source tenant (must have organizational relationship already). Choose users or groups to sync. Optionally apply scoping filters. The source tenant must consent to the sync. After consent, the sync starts and runs every 5 minutes.
4. Verify user objects and access
For Direct Connect, check that users can access shared resources (e.g., Teams shared channel). For Sync, verify that guest user objects appear in Azure AD with correct attributes. Test authentication: users should be redirected to their home tenant login. Check sign-in logs for cross-tenant authentication events (Event ID: 50097).
5. Monitor and troubleshoot
Use Azure AD audit logs to track cross-tenant access events. Common issues: users not appearing due to sync latency (up to 5 minutes). Access denied because of missing trust settings. For Sync, check the provisioning logs for errors. Use the 'Cross-tenant access settings' blade to review effective policies.
Enterprise Scenario 1: Merger and Acquisition Integration
A large financial services firm acquires a smaller fintech company. Both use Microsoft 365 with separate Azure AD tenants. The goal is to allow the fintech employees to access shared project sites in the parent tenant without creating duplicate accounts. The parent tenant configures B2B Direct Connect with trust for MFA and compliant devices. The fintech users can access Teams shared channels and SharePoint sites without being guests. Additionally, Cross-Tenant Sync is configured to replicate the fintech user directory into the parent tenant for visibility in people picker and for lifecycle management. The sync scope is limited to 500 users (the fintech workforce). This avoids the 50,000 limit and reduces noise. The main challenge is ensuring that the fintech users' home tenant MFA policies align with the parent's trust settings. Misconfiguration could lead to users being prompted for MFA twice, causing confusion.
Scenario 2: Multi-Subsidiary Collaboration
A global manufacturing company has three subsidiaries, each with its own Azure AD tenant. They need to collaborate on a joint product launch. The corporate IT team sets up a hub-and-spoke model: the corporate tenant is the hub, and each subsidiary tenant is a spoke. B2B Direct Connect is configured between the hub and each spoke. Cross-Tenant Sync is used to sync a subset of users (e.g., project managers) from each spoke into the hub. The hub hosts shared resources like SharePoint sites and Teams channels. Performance considerations: with three spokes, the hub's cross-tenant policies must be carefully scoped to avoid overlapping or conflicting rules. The sync interval of 5 minutes is acceptable for this scenario. A common pitfall is forgetting to enable outbound access from the hub to the spokes, which would prevent hub users from initiating collaboration.
Scenario 3: Healthcare Provider Partnership
Two healthcare organizations need to share patient data for a joint research project, subject to HIPAA regulations. They use B2B Direct Connect but do NOT trust MFA from the partner tenant because each organization has its own MFA policies. Instead, each user must authenticate with their home tenant MFA and then satisfy the resource tenant's MFA requirement. This results in double MFA prompts, which is acceptable for compliance. Cross-Tenant Sync is not used because the partner users should not appear as guests in the directory (audit concerns). The resource tenant uses Conditional Access to require device compliance from the partner tenant, which is possible if trust for compliant device claims is enabled. The main challenge is that B2B Direct Connect does not support granular authorization based on group membership from the home tenant unless the resource application supports it. Therefore, SharePoint site permissions must be assigned manually to each user or to a security group in the resource tenant that contains the external users.
What MS-102 Tests on This Topic (Objective 2.3)
The exam focuses on:
Differentiating between B2B Collaboration, B2B Direct Connect, and Cross-Tenant Sync.
Understanding when to use each: Direct Connect for Teams shared channels and SharePoint Embedded; Cross-Tenant Sync for user lifecycle and people picker; B2B Collaboration for ad-hoc guest access.
Knowing the trust settings: MFA, compliant device, hybrid Azure AD join.
Default policies: all cross-tenant access is blocked by default.
The fact that Cross-Tenant Sync creates B2B Collaboration guest users, not Direct Connect users.
The sync interval (5 minutes) and maximum synced objects (50,000).
Common Wrong Answers and Why Candidates Choose Them
'Cross-Tenant Sync uses Direct Connect': Wrong. Sync creates B2B Collaboration guest objects. Direct Connect does not create objects. Candidates confuse the two because both involve cross-tenant trust.
'B2B Direct Connect can be used for any SharePoint site': Wrong. Direct Connect only works with SharePoint Embedded and Teams shared channels. Regular SharePoint sites require B2B Collaboration or Sync.
'You can sync password hashes with Cross-Tenant Sync': Wrong. Passwords are never synced; users always authenticate against their home tenant. Candidates think of Azure AD Connect sync.
'The default cross-tenant access policy allows all tenants': Wrong. The default is to block all inbound and outbound B2B Direct Connect and B2B Collaboration. You must explicitly add allowed tenants.
'Cross-Tenant Sync works without an organizational relationship': Wrong. You must first configure cross-tenant access settings (organizational relationship) before sync can be set up.
Numbers and Terms That Appear on the Exam
Sync interval: 5 minutes.
Maximum synced users per configuration: 50,000.
Trust options: IsMfaAccepted, IsCompliantDeviceAccepted, IsHybridAzureADJoinedDeviceAccepted.
UserType for synced users: Guest.
UPN format: user_<sourceTenantId>#EXT#@<targetTenant>.onmicrosoft.com.
Edge Cases and Exceptions
If you enable both B2B Direct Connect and B2B Collaboration for the same tenant, a user may be able to access via both methods. The resource application decides which to use.
Cross-Tenant Sync can sync users from one source tenant to multiple target tenants, but each target tenant must have its own sync configuration.
B2B Direct Connect does not support group-based authorization from the home tenant unless the resource app explicitly reads group claims.
Deleting a sync configuration does not remove existing guest users; you must delete them manually.
How to Eliminate Wrong Answers
If the question mentions 'user objects are created in the target directory', the answer involves Cross-Tenant Sync or B2B Collaboration, not Direct Connect.
If the question mentions 'no guest user object', the answer is B2B Direct Connect.
If the question mentions 'automatically update user attributes', the answer is Cross-Tenant Sync.
If the question mentions 'ad-hoc invitation via email', the answer is B2B Collaboration.
B2B Direct Connect does not create guest user objects; Cross-Tenant Sync creates B2B collaboration guest objects.
Default cross-tenant access policy blocks all inbound and outbound traffic. You must explicitly allow partner tenants.
Cross-Tenant Sync interval is 5 minutes; maximum 50,000 users per sync configuration.
Trust settings: MFA, compliant device, hybrid Azure AD join can be trusted from partner tenant.
B2B Direct Connect only works with SharePoint Embedded and Teams shared channels.
Cross-Tenant Sync does not sync password hashes; users authenticate against home tenant.
To configure Cross-Tenant Sync, you must first establish an organizational relationship in cross-tenant access settings.
These come up on the exam all the time. Here's how to tell them apart.
B2B Direct Connect
No guest user object created in target tenant.
Used for Teams shared channels and SharePoint Embedded.
Real-time access; no synchronization.
Requires cross-tenant access policy with trust settings.
User attributes not visible in target directory.
Cross-Tenant Sync
Creates B2B collaboration guest user objects.
Used for any resource that supports guests (SharePoint, Teams, etc.).
Periodic sync every 5 minutes.
Requires cross-tenant access policy plus sync configuration.
User attributes (display name, email, etc.) visible in target directory.
Mistake
B2B Direct Connect and Cross-Tenant Sync are the same thing.
Correct
They are distinct. Direct Connect provides real-time access without user objects; Sync creates guest user objects for lifecycle management and directory visibility.
Mistake
Cross-Tenant Sync requires Azure AD Connect.
Correct
It does not. Cross-Tenant Sync uses the Microsoft Identity Synchronization Service (MISS) built into Azure AD, not Azure AD Connect. It syncs only between Azure AD tenants, not from on-premises.
Mistake
You can use B2B Direct Connect to share any SharePoint site.
Correct
Direct Connect only works with SharePoint Embedded and Teams shared channels. For regular SharePoint sites, you must use B2B Collaboration or Cross-Tenant Sync.
Mistake
Cross-Tenant Sync syncs password hashes for seamless authentication.
Correct
Passwords are never synced. Users always authenticate against their home tenant. The target tenant only stores a reference to the user's identity.
Mistake
The default cross-tenant access policy allows all tenants.
Correct
The default policy blocks all inbound and outbound access for both B2B Direct Connect and B2B Collaboration. You must explicitly add allowed tenants.
Reveal each answer, then mark whether you got it right. Score 60%+ to unlock the next chapter.
B2B Collaboration creates guest user objects in the target tenant and uses email invitations. B2B Direct Connect does not create guest objects; it relies on a mutual trust relationship and is limited to specific resources like Teams shared channels. For the exam, remember that Direct Connect is for 'no object, real-time access' while Collaboration is for 'guest objects, broad resource support'.
First, configure a cross-tenant access policy (organizational relationship) with the partner tenant. Then, in the target tenant, go to External Identities > Cross-tenant sync and create a sync configuration. Select the source tenant, choose users/groups, and set scoping filters. The source tenant must consent. The sync will start automatically and run every 5 minutes.
Only for SharePoint Embedded. For regular SharePoint sites, you must use B2B Collaboration or Cross-Tenant Sync. Direct Connect is not supported for standard SharePoint libraries or lists. This is a common exam trap.
No. Cross-Tenant Sync is a cloud-only feature that syncs between Azure AD tenants. It does not involve on-premises directories. Azure AD Connect is for syncing on-premises AD to Azure AD.
You can trust multi-factor authentication (MFA), compliant device claims, and hybrid Azure AD join claims from the partner tenant. These are configured in the cross-tenant access policy. Default is not to trust any of them.
If you delete the user from the source tenant, the sync will soft-delete them in the target tenant after the next sync cycle. To permanently remove, you can delete the guest user object in the target tenant. Alternatively, remove the user from the sync scope.
Up to 50,000 users per sync configuration. If you need more, you can create multiple sync configurations, but each has its own limit. This is a hard limit enforced by the service.
You've just covered B2B Direct Connect and Cross-Tenant Sync — now see how well it sticks with free MS-102 practice questions. Full explanations included, no account needed.
Done with this chapter?