This chapter covers cross-tenant access policies in Microsoft Entra ID, a critical security feature for organizations using Microsoft 365 that collaborate with external tenants. For the MS-900 exam, this topic appears in approximately 5-8% of questions under Domain 3 (Security and Compliance), specifically objective 3.3. Understanding how to control inbound and outbound access between tenants, configure trust settings, and manage B2B collaboration is essential for securing hybrid work environments and preventing data leakage.
Jump to a section
Imagine two companies, Contoso and Fabrikam, in the same office building. Each has its own security guards and badge systems. Normally, a Contoso employee cannot enter Fabrikam's floor without a specific visitor badge. To allow collaboration, the two companies agree to a cross-tenant access policy. They set up a shared visitor kiosk in the lobby. When a Contoso employee wants to enter Fabrikam's floor, they present their Contoso badge at the kiosk. The kiosk scans the badge, checks a pre-approved list (the outbound trust settings from Contoso), and then communicates with Fabrikam's security system to issue a temporary Fabrikam visitor badge (inbound trust settings). The employee then uses that temporary badge to access specific areas (like shared meeting rooms) and not the entire Fabrikam floor. The kiosk logs every entry and exit. If the employee tries to enter a restricted lab, Fabrikam's guard checks the badge and denies access because the policy only allows meeting rooms. Similarly, if a Fabrikam employee visits Contoso, the same process happens in reverse, but only if Contoso has configured inbound trust for Fabrikam. Without the cross-company policy, each visit would require a manual, separate visitor registration, which is slow and insecure. The kiosk acts like Entra ID's cross-tenant access policy—it automates trust, enforces granular access, and logs all cross-tenant activity.
What Are Cross-Tenant Access Policies?
Cross-tenant access policies in Microsoft Entra ID (formerly Azure Active Directory) allow organizations to manage how users from external Microsoft Entra tenants access their resources and how their own users access resources in external tenants. These policies are essential for B2B collaboration, enabling seamless yet controlled access across organizational boundaries.
Why They Exist
Before cross-tenant access policies, organizations had limited control over B2B collaboration. External users were either invited as guests with default settings or blocked entirely. There was no granular way to restrict which external tenants could access what, or to enforce trust for multi-factor authentication (MFA) and device compliance. Cross-tenant access policies solve this by providing a centralized, policy-driven approach to manage inbound and outbound access.
How It Works Internally
Cross-tenant access policies operate at the tenant level and are enforced during authentication and authorization flows. When a user from Tenant B attempts to access a resource in Tenant A, the following steps occur:
User initiates access: The user tries to access a resource (e.g., a SharePoint site) in Tenant A.
Tenant A checks policies: Tenant A's Entra ID evaluates its inbound cross-tenant access policy for Tenant B. If no explicit policy exists, the default behavior applies (block or allow, depending on the default setting).
Trust evaluation: If an inbound policy exists, Tenant A checks whether it trusts claims from Tenant B for MFA, device compliance, or Hybrid Azure AD Join. These trust settings are part of the policy.
Tenant B issues tokens: Tenant B authenticates the user and issues a token containing claims about MFA status, device compliance, etc.
Tenant A validates and authorizes: Tenant A validates the token and checks trust settings. If trust is enabled, Tenant A accepts the claims without re-prompting. Then Tenant A applies its own access policies (e.g., conditional access) to grant or deny access.
For outbound access (users in Tenant A accessing resources in Tenant B), Tenant A can configure outbound policies to control which external tenants their users can access and what trust they will accept from those tenants.
Key Components, Values, Defaults, and Timers
Default policy: By default, all cross-tenant access is blocked for both inbound and outbound unless explicitly allowed. However, B2B collaboration invitations still work unless blocked separately.
Policy types: Inbound (external users accessing your tenant) and Outbound (your users accessing external tenants).
Trust settings: MFA (trust that external user's MFA claim is valid), Compliant Device (trust device compliance claim), Hybrid Azure AD Joined (trust that device is hybrid joined). These are optional and per-tenant.
Scope: Policies can apply to all external tenants or specific tenants. Specific tenant policies override the default.
B2B direct connect: A separate feature for Teams Connect shared channels, managed via cross-tenant access policies with B2B direct connect settings.
Timers: Tokens issued by external tenants have a default lifetime of 90 days for guest users, configurable via authentication session management.
Maximum number of policies: You can create up to 400 inbound and 400 outbound policies per tenant (including default).
Configuration and Verification Commands
Cross-tenant access policies can be configured via the Microsoft Entra admin center or Microsoft Graph PowerShell. Key PowerShell commands:
# Get the default cross-tenant access policy
Get-MgPolicyCrossTenantAccessPolicyDefault
# Update default inbound trust settings
Update-MgPolicyCrossTenantAccessPolicyDefault -InboundTrust @{ IsMfaAccepted = $true; IsCompliantDeviceAccepted = $true; IsHybridAzureADJoinedDeviceAccepted = $false }
# Create a new partner-specific inbound policy
$params = @{
DisplayName = "Contoso Inbound Policy"
TenantId = "contoso.onmicrosoft.com"
InboundTrust = @{
IsMfaAccepted = $true
}
B2BCollaborationInbound = @{
Applications = @{
IncludeApplications = @("All")
},
UsersAndGroups = @{
IncludeUsers = @("All")
IncludeGroups = @()
}
}
}
New-MgPolicyCrossTenantAccessPolicyPartner -BodyParameter $params
# Verify policy
Get-MgPolicyCrossTenantAccessPolicyPartner -Filter "tenantId eq 'contoso.onmicrosoft.com'" | Format-ListInteraction with Related Technologies
Conditional Access: Cross-tenant access policies work alongside Conditional Access. Even if inbound trust is set, Conditional Access policies in the resource tenant still apply (e.g., require MFA for guest users).
B2B Collaboration: Cross-tenant access policies control the trust and access for B2B guest users. They do not replace B2B invitations but enhance them.
B2B Direct Connect: For Teams Connect shared channels, B2B direct connect settings within cross-tenant access policies allow users to access channels without being guests.
Entra ID Identity Protection: Identity Protection can detect risky behavior from external users, and Conditional Access can block access accordingly.
Microsoft 365 Groups: External group members are treated as B2B guests and are subject to cross-tenant access policies.
Common Misconfigurations
Overly permissive default: Setting default inbound policy to allow all external tenants can open your tenant to unwanted access. Best practice is to block by default and explicitly allow trusted partners.
Not configuring outbound policies: Outbound policies control where your users can go. Without them, users may inadvertently share sensitive data with untrusted tenants.
Missing trust settings: If you trust MFA claims but the external tenant does not enforce MFA, the trust setting is ineffective. Ensure the external tenant actually enforces MFA.
Ignoring B2B direct connect: For Teams shared channels, you must configure B2B direct connect separately from B2B collaboration settings.
Exam-Relevant Details
MS-900 tests the concept of cross-tenant access policies, not the PowerShell syntax. Focus on understanding what they do, the difference between inbound and outbound, and trust settings.
The exam may ask: "Which trust settings can be configured in a cross-tenant access policy?" Answer: MFA, Compliant Device, Hybrid Azure AD Joined.
Know that cross-tenant access policies are part of External Identities in Microsoft Entra ID.
Understand that B2B collaboration and B2B direct connect are both managed via cross-tenant access policies.
Be aware that cross-tenant access policies do not replace Conditional Access; they complement it.
Identify External Tenant
The first step is to identify the external Microsoft Entra tenant that you want to collaborate with. This is typically done by specifying the tenant ID or domain name (e.g., contoso.onmicrosoft.com). In the Microsoft Entra admin center, you navigate to External Identities > Cross-tenant access settings and click 'Add organization'. You then enter the tenant ID or domain. At the protocol level, Entra ID resolves the domain to a tenant ID using a DNS lookup of the tenant's verified domain. If the tenant does not exist or the domain is not verified, the policy creation fails. The system stores the tenant ID as a unique identifier for all subsequent policy evaluations.
Configure Inbound Trust
Next, you configure inbound trust settings for that external tenant. Inbound trust determines whether your tenant will accept claims from the external tenant regarding MFA, device compliance, or Hybrid Azure AD Join. For example, setting 'IsMfaAccepted = $true' means that if the external user has completed MFA in their home tenant, your tenant will trust that claim and not prompt for MFA again. This is stored as a boolean value in the policy. When the external user attempts to access a resource, your tenant's authentication pipeline checks the inbound trust settings. If trust is enabled, it skips the corresponding claim validation and proceeds to authorization.
Configure Inbound Access
Now you define which users and groups from the external tenant can access which applications in your tenant. You can allow all users or specific groups. Similarly, you can allow all applications or specific apps (e.g., SharePoint Online, Teams). This is done under the 'B2B collaboration' inbound settings. The policy creates an access control list (ACL) that is evaluated during token issuance. If a user from the external tenant is not in the allowed list, access is denied. The ACL is stored as part of the cross-tenant access policy object in Entra ID and is replicated across all authentication endpoints.
Configure Outbound Settings
Outbound settings control how your users access resources in the external tenant. You can configure outbound trust (whether your tenant will accept MFA, device compliance, and Hybrid Azure AD Join claims from the external tenant) and outbound access (which users in your tenant can access which applications in the external tenant). This is symmetrical to inbound but for the opposite direction. For example, you might allow only your IT department to access a partner's admin portal. The outbound policy is enforced when a user from your tenant tries to access a resource in the external tenant. The external tenant will evaluate its own inbound policy, but your outbound policy determines what claims you present.
Test and Monitor
After configuration, test access from both directions. Use a test account from the external tenant to access a resource in your tenant, and vice versa. Monitor sign-in logs in Microsoft Entra ID for any failures. The logs show whether access was denied due to cross-tenant policy, Conditional Access, or other reasons. You can also use the 'What If' tool in Conditional Access to simulate access. In production, it's critical to monitor for unexpected access attempts. Failed attempts due to policy mismatches are logged with error code 'CrossTenantAccessPolicyDenied'. Regularly review the logs to ensure policies are working as intended and adjust trust settings if necessary.
Scenario 1: Merger and Acquisition Integration
When two companies merge, they often need to provide cross-tenant access during the integration period. For example, Contoso acquires Fabrikam. Both have separate Microsoft 365 tenants. Cross-tenant access policies allow Contoso users to access Fabrikam's SharePoint sites and Teams channels without migrating data immediately. The IT team configures inbound trust for Fabrikam's tenant, trusting MFA and device compliance. They also create outbound policies to allow Fabrikam users to access Contoso's resources. During the transition, they use B2B collaboration to add Fabrikam employees as guests to specific teams. The policies are set to allow only the necessary applications (e.g., SharePoint, Teams) and block access to sensitive apps like Dynamics 365. Common issues: if trust settings are not configured correctly, users may be prompted for MFA repeatedly, causing frustration. Also, if the default policy is set to block, all access fails until partner-specific policies are created. Performance is generally not an issue because policies are evaluated at authentication time, which adds minimal latency.
Scenario 2: Partner Collaboration with Compliance Requirements
A healthcare organization, HealthCo, partners with a research lab, LabCorp. HealthCo must comply with HIPAA and requires that all external users complete MFA and use compliant devices. HealthCo configures a cross-tenant access policy for LabCorp with inbound trust for MFA and compliant device. They also set outbound policies to restrict HealthCo users from accessing LabCorp resources except for a specific research SharePoint site. LabCorp configures its own inbound policies to trust HealthCo's MFA claims. This setup ensures that only authorized, authenticated, and compliant users can access sensitive health data. A common pitfall is that if LabCorp does not enforce MFA for its own users, the trust setting is meaningless. HealthCo's Conditional Access policies should also require MFA for guest users as a backup. The policies are tested with a pilot group before rolling out to all users.
Scenario 3: External Contractor Management
A large enterprise, MegaCorp, works with hundreds of external contractors, each from different tenants. MegaCorp uses cross-tenant access policies to manage access for these contractors. They set a default inbound policy that blocks all external tenants, then create specific policies for each contractor tenant with limited access to only the applications they need (e.g., a contractor portal). They do not trust MFA or device compliance from any contractor tenant because they cannot enforce those policies. Instead, MegaCorp requires contractors to use their own MFA and then uses Conditional Access to require MFA for all guest users. This layered approach ensures security. The challenge is managing hundreds of policies. MegaCorp uses PowerShell scripts to automate policy creation based on a spreadsheet of contractor tenants. They also monitor sign-in logs for anomalous access attempts. Misconfiguration often occurs when a new contractor tenant is added but the policy is not created, causing access denials.
MS-900 Objective 3.3: Describe capabilities of Microsoft Entra ID
Cross-tenant access policies fall under the 'External Identities' capability of Microsoft Entra ID. The exam expects you to understand:
The purpose of cross-tenant access policies (to manage B2B collaboration access and trust).
The difference between inbound and outbound policies.
The three trust settings: MFA, compliant device, Hybrid Azure AD join.
That cross-tenant access policies are configured in the Microsoft Entra admin center under External Identities.
That they complement Conditional Access, not replace it.
Common Wrong Answers on the Exam
'Cross-tenant access policies replace Conditional Access.' This is false. Conditional Access still applies to guest users. Cross-tenant access policies only control trust and basic access, not granular conditions like location or risk.
'Cross-tenant access policies apply to all external identities including personal Microsoft accounts (MSAs).' False. Cross-tenant access policies only apply to external Microsoft Entra tenants, not MSAs or Google accounts. Those are managed via B2B collaboration settings.
'You can configure cross-tenant access policies in the Microsoft 365 admin center.' False. They are configured in the Microsoft Entra admin center (or via Graph API/PowerShell), not the M365 admin center.
'Trust settings include password hash sync.' False. Password hash sync is an internal synchronization feature, not a cross-tenant trust. Trust settings are MFA, compliant device, and Hybrid Azure AD join.
Specific Numbers and Terms on the Exam
The term 'B2B collaboration' and 'B2B direct connect' appear verbatim.
The default behavior is 'block all external tenants' for inbound and outbound.
Maximum of 400 policies per direction.
Trust settings are optional and per-partner.
Edge Cases and Exceptions
If you configure an inbound policy for a tenant but also have a Conditional Access policy that requires MFA for guest users, the user will be prompted for MFA even if trust is enabled, because Conditional Access evaluates after trust.
Cross-tenant access policies do not affect B2B invitations already sent; they only affect future access.
For Teams Connect shared channels, you must enable B2B direct connect in the policy, which is separate from B2B collaboration settings.
How to Eliminate Wrong Answers
If a question asks about controlling access for external users from other Microsoft 365 tenants, the answer is cross-tenant access policies. If the question mentions trust for MFA or device compliance, look for options that include those terms. If the answer mentions 'Microsoft Entra admin center' vs 'M365 admin center', choose Entra admin center. Remember that cross-tenant access policies are about tenant-to-tenant trust, not about individual user invitations.
Cross-tenant access policies control inbound and outbound access between Microsoft Entra tenants.
They are configured in the Microsoft Entra admin center under External Identities > Cross-tenant access settings.
Default behavior is to block all external tenants for both inbound and outbound.
Trust settings include MFA, compliant device, and Hybrid Azure AD join, configured per partner.
Up to 400 inbound and 400 outbound partner policies can exist per tenant.
Cross-tenant access policies complement Conditional Access; they do not replace it.
B2B collaboration and B2B direct connect are separate features managed via cross-tenant access policies.
Cross-tenant access policies do not apply to personal Microsoft accounts (MSAs) or other identity providers.
These come up on the exam all the time. Here's how to tell them apart.
B2B Collaboration
Creates guest user objects in the resource tenant's directory.
Allows access to all integrated applications (SharePoint, Teams, etc.).
Supports trust settings for MFA, device compliance, Hybrid Azure AD join.
Guest users are visible in the directory and can be managed like internal users.
Used for traditional cross-tenant resource sharing.
B2B Direct Connect
Does not create guest user objects; uses an external identity instead.
Limited to Teams Connect shared channels.
Does not support trust settings; each tenant enforces its own policies.
Users are not visible in the directory; no guest management overhead.
Used for seamless Teams channel collaboration without directory clutter.
Mistake
Cross-tenant access policies allow you to block all external access to your tenant.
Correct
They block access from external Microsoft Entra tenants, but they do not block access from personal Microsoft accounts (MSAs), Google, or other identity providers. To block those, you need to configure B2B collaboration settings separately.
Mistake
Enabling inbound trust for MFA means you don't need to enforce MFA for guest users.
Correct
Trust only means you accept the external tenant's MFA claim. You can still enforce MFA via Conditional Access. In fact, it's recommended to have both for defense in depth.
Mistake
Cross-tenant access policies automatically apply to all external users once configured.
Correct
Policies apply only to the specific tenants you configure. The default policy (block or allow) applies to all other tenants. You must explicitly add trusted tenants.
Mistake
B2B direct connect and B2B collaboration are the same thing.
Correct
B2B direct connect is specifically for Teams Connect shared channels and does not create guest user objects. B2B collaboration creates guest accounts in your directory. Both are managed via cross-tenant access policies but have separate settings.
Mistake
Cross-tenant access policies can control access to on-premises applications.
Correct
They control access to cloud applications integrated with Microsoft Entra ID. On-premises applications require separate configuration (e.g., via Application Proxy).
Reveal each answer, then mark whether you got it right. Score 60%+ to unlock the next chapter.
The default behavior is to block all inbound and outbound access to and from external tenants. However, B2B collaboration invitations still work unless you explicitly block them. You can change the default to allow, but this is not recommended for security. Instead, create partner-specific policies to allow access only to trusted tenants.
Yes. In the inbound or outbound policy, you can specify which applications (e.g., SharePoint Online, Teams, Exchange Online) the external users can access. You can also restrict access to specific users or groups from the external tenant. This allows granular control over cross-tenant collaboration.
Cross-tenant access policies apply to new authentication requests. Existing guest users who have already been invited and have active sessions are not immediately affected. However, when their token expires or they sign in again, the policies will be enforced. You can revoke sessions to force re-evaluation.
You can configure trust for three claims: MFA (multi-factor authentication), Compliant Device (device compliance via Intune or MDM), and Hybrid Azure AD Joined (device is domain-joined and registered in Azure AD). These are optional and per-partner. Trusting a claim means your tenant will accept the external tenant's assertion without re-verifying.
B2B collaboration settings (e.g., guest invite settings, allow/block list) control who can be invited and how guests are managed. Cross-tenant access policies control the actual access and trust once the guest is invited. They work together: B2B settings manage invitations, cross-tenant policies manage runtime access.
No. Cross-tenant access policies only apply to external Microsoft Entra tenants. For social identity providers like Google or Facebook, you must manage access via B2B collaboration settings and Conditional Access policies.
By default, all external tenants are blocked for inbound and outbound access. However, B2B collaboration invitations sent to users from other tenants will still work, and those users will be able to sign in with default settings (no trust for MFA, device compliance, etc.). To enhance security, you should configure policies to explicitly allow trusted tenants and set appropriate trust.
You've just covered Cross-Tenant Access Policies in Entra ID — now see how well it sticks with free MS-900 practice questions. Full explanations included, no account needed.
Done with this chapter?