This chapter covers cross-tenant access settings in Microsoft Entra ID (formerly Azure AD), a critical feature for managing collaboration between organizations. Cross-tenant access settings allow you to control how users from other Azure AD tenants access your resources and how your users access external tenants. On the SC-900 exam, this topic appears in approximately 5-10% of questions, typically in the context of identity governance and secure collaboration. You must understand the difference between inbound and outbound settings, how they relate to B2B collaboration and B2B direct connect, and the default behavior when no explicit policy is configured.
Jump to a section
Imagine a large gated community with multiple separate neighborhoods (tenants). Each neighborhood has its own entrance gate and security team. Normally, residents can only enter their own neighborhood. However, some residents need to visit a gym or pool in another neighborhood. Instead of giving everyone a master key to all gates, the community management sets up cross-tenant access settings. Each neighborhood can publish a list of amenities it shares and specify which other neighborhoods can use them. When a resident from Neighborhood A arrives at Neighborhood B's gate, the guard checks a digital directory: Is Neighborhood A authorized? Is this resident a valid member? The guard does not need to know every resident from A; it just verifies the pass against a shared trust policy. The guard also logs the visit for auditing. If Neighborhood A later revokes access, the guard immediately denies entry. This mirrors how Azure AD cross-tenant access settings allow organizations to define inbound and outbound trust policies, control which external tenants can access resources, and enforce conditional access policies for external users without duplicating identities.
What Are Cross-Tenant Access Settings?
Cross-tenant access settings are policies in Microsoft Entra ID that govern authentication and resource access between two Azure AD tenants. They replace the older, less granular approach of allowing or blocking all B2B collaboration with a tenant. With cross-tenant access settings, you can define separate controls for inbound and outbound access, apply conditional access policies to external users, and enable B2B direct connect for Teams Connect shared channels.
These settings are part of the External Identities feature set and are configured under Azure Active Directory > External Identities > Cross-tenant access settings. The settings apply at the organizational level (whole tenant) or for specific external tenants (partner tenants).
Why Cross-Tenant Access Settings Exist
Before cross-tenant access settings, organizations had only a binary choice: allow or block B2B collaboration invitations from all external tenants. This was coarse and insecure. For example, if you allowed all B2B invitations, users from a compromised tenant could potentially access your resources. Cross-tenant access settings provide granular control:
Inbound settings: Control what external users from a specific tenant can access your resources.
Outbound settings: Control what your users can access in a specific external tenant.
Trust settings: Enable automatic redemption of invitations (no need for users to accept consent prompts) and apply your conditional access policies to external users.
How Cross-Tenant Access Settings Work Internally
When a user from Tenant B tries to access a resource in Tenant A, the following flow occurs:
Discovery: The user attempts to access a resource (e.g., a SharePoint site or app) in Tenant A. Tenant A's Azure AD checks if the user is from an external tenant.
Policy evaluation: Tenant A's Azure AD evaluates the inbound cross-tenant access settings for Tenant B. If no explicit policy exists, the default settings apply (allow all B2B collaboration, block B2B direct connect).
Authentication: If inbound access is allowed, Azure AD issues a token for the user based on the trust settings. If automatic redemption is enabled, the user does not see a consent prompt; otherwise, the user must accept a permission request.
Conditional Access: If Tenant A has configured conditional access policies that apply to external users, those policies are evaluated. For example, require MFA for all external users.
Access granted/denied: Based on the policy evaluation, the user either gains access or is blocked.
Key Components, Values, and Defaults
- Default settings: Initially, all B2B collaboration is allowed (both inbound and outbound). B2B direct connect is blocked by default. You can change the default to block all or allow specific tenants. - Inbound settings: - B2B collaboration: Allow or block invitations to users from specific tenants. - B2B direct connect: Allow or block Teams Connect shared channels with specific tenants. - Trust settings: Checkboxes to trust MFA, compliant devices, and hybrid Azure AD joined devices from the external tenant. - Outbound settings: - B2B collaboration: Allow or block your users from being invited to specific tenants. - B2B direct connect: Allow or block your users from accessing shared channels in specific tenants. - Automatic redemption: When enabled, users from the external tenant do not need to accept a consent prompt. This is useful for seamless collaboration but reduces user awareness. - Conditional Access for external users: You can target conditional access policies to external users by using the "External users" or "Guest or external users" user type in the policy assignment.
Configuration Examples
To configure cross-tenant access settings, you can use the Azure portal or Microsoft Graph API. Below is a PowerShell example using the Microsoft Graph Beta module:
Connect-MgGraph -Scopes "Policy.ReadWrite.CrossTenantAccess"
# Create a cross-tenant access policy for a specific tenant
$params = @{
displayName = "Contoso Access Policy"
tenantId = "contoso.com"
inboundTrust = @{
isMfaAccepted = $true
isCompliantDeviceAccepted = $true
isHybridAzureADJoinedDeviceAccepted = $false
}
b2bCollaborationInbound = @{
usersAndGroups = @{
accessType = "allowed"
targetType = "user"
targetId = "All"
}
}
}
New-MgPolicyCrossTenantAccessPolicyPartnerDefault -BodyParameter $paramsInteraction with Related Technologies
B2B Collaboration: Cross-tenant access settings control whether B2B collaboration invitations are allowed. They do not replace the invitation process but govern the trust level.
B2B Direct Connect: Used for Teams Connect shared channels. Cross-tenant access settings must explicitly enable B2B direct connect for a tenant.
Conditional Access: Policies can be applied to external users via the "External users" identity type. However, trust settings (MFA, compliant device) are required for certain policy conditions.
Identity Governance: Cross-tenant access settings work alongside entitlement management and access reviews to manage external identities.
Common Defaults and Timers
Default B2B collaboration: Allowed for all tenants.
Default B2B direct connect: Blocked for all tenants.
Automatic redemption: Disabled by default.
Trust settings: All trust checkboxes are unchecked by default (no trust).
Policy changes: Take effect within 1-2 minutes for most scenarios, but full propagation can take up to 30 minutes in large environments.
Verification
To verify cross-tenant access settings, use the Azure portal: navigate to Azure AD > External Identities > Cross-tenant access settings. You can see the default settings and any organizational-level policies. For a specific tenant, view the partner configuration. You can also use Microsoft Graph to list policies:
Get-MgPolicyCrossTenantAccessPolicyPartnerDefaultOr via Graph API:
GET https://graph.microsoft.com/beta/policies/crossTenantAccessPolicy/partnersIdentify Collaboration Requirements
Before configuring cross-tenant access settings, determine which external tenants need access to your resources (inbound) and which tenants your users need to access (outbound). Also decide whether B2B collaboration (invitations) or B2B direct connect (Teams shared channels) is needed. Document the trust requirements: does the external tenant enforce MFA? Do they use compliant devices? This analysis determines the policies you will create. For each partner tenant, you will define separate inbound and outbound settings.
Configure Default Settings
Navigate to Azure AD > External Identities > Cross-tenant access settings > Default settings. Here you can change the default behavior for all tenants not explicitly configured. For example, you may want to block all B2B collaboration by default and then allow only specific partners. The default settings apply to any tenant without a specific policy. Changing the default affects all existing and future collaborations. Be cautious: if you block inbound B2B collaboration by default, all existing guest users from tenants without explicit policies may lose access until you create specific allow policies.
Add Partner Tenant and Set Inbound Policy
Under Cross-tenant access settings, click "Add organization" and enter the domain name or tenant ID of the partner. Configure inbound settings: for B2B collaboration, choose to allow or block invitations to users from that tenant. For B2B direct connect, allow or block Teams shared channels. Under Trust settings, check the boxes for MFA, compliant devices, and hybrid Azure AD joined devices if you trust the partner's claims. If you trust their MFA, your conditional access policies can rely on that instead of requiring separate MFA.
Configure Outbound Policy for Partner
In the same partner configuration, switch to the Outbound access tab. Here you control whether your users can be invited to the partner tenant (B2B collaboration) and whether they can access the partner's Teams shared channels (B2B direct connect). For example, you might allow outbound B2B collaboration to a trusted partner but block it to others. You can also enable automatic redemption for outbound access, so your users do not see consent prompts when accessing partner resources.
Test and Verify Access
After configuring policies, test the access from both directions. For inbound, try inviting a user from the partner tenant and verify they can access the resource without unnecessary prompts. For outbound, have a user from your tenant accept an invitation from the partner. Use the Azure AD sign-in logs to review authentication details. Check the Cross-tenant access settings page to confirm the policies are applied. If issues arise, verify that the partner has also configured their cross-tenant access settings appropriately, as both sides need to allow the traffic.
Scenario 1: Large Enterprise with Multiple Acquisition Tenants
A global company with 50,000 employees acquires a smaller company with its own Azure AD tenant. The acquisition company needs to collaborate on projects while maintaining separate tenants during the integration period. The IT team configures cross-tenant access settings to allow inbound B2B collaboration from the acquired tenant, but only for specific groups. They enable trust settings for MFA and compliant devices because the acquired company uses Intune. They also enable automatic redemption to avoid consent prompts. Performance is fine for up to a few thousand guest users, but sign-in logs become voluminous. The main issue is that if the acquired company's tenant is compromised, the trust settings could allow compromised devices to access resources. To mitigate, the parent company applies conditional access policies that require additional controls for external users.
Scenario 2: Healthcare Provider with Partner Network
A healthcare organization uses Teams Connect shared channels to collaborate with external labs and pharmacies. They need B2B direct connect enabled. They configure cross-tenant access settings to allow B2B direct connect only with specific partner tenants. For each partner, they trust the partner's MFA but not their device compliance (because they cannot enforce the partner's device policies). They also set up conditional access policies to require MFA for all external users, but since they trust the partner's MFA, the policy is satisfied. A common mistake is forgetting to enable B2B direct connect on both sides; if only one tenant enables it, the shared channel fails. Also, if a partner changes their tenant ID (e.g., due to domain change), the policy breaks and must be updated.
Scenario 3: SaaS Provider with Customer Tenants
A SaaS company provides a multi-tenant application that customers access via B2B collaboration. The SaaS company's tenant invites users from customer tenants. They configure cross-tenant access settings to allow inbound B2B collaboration from all tenants (default allow) but block specific tenants known for abuse. They do not enable trust settings because customers have varying security postures. Instead, they apply conditional access policies that require MFA from external users. The challenge is managing a growing list of blocked tenants. They use automation via Microsoft Graph to periodically update the block list. If the default is accidentally changed to block all, all customers lose access immediately, so they use Azure policy to audit changes to cross-tenant access settings.
SC-900 Exam Focus on Cross-Tenant Access Settings
The SC-900 exam tests your understanding of cross-tenant access settings under objective Describe the capabilities of Microsoft Entra ID (2.1). Specifically, you need to know:
The difference between inbound and outbound settings.
The default behavior for B2B collaboration (allowed) and B2B direct connect (blocked).
That trust settings (MFA, compliant device, hybrid Azure AD join) are optional and disabled by default.
That cross-tenant access settings are separate from B2B collaboration settings (though they control them).
Common Wrong Answers and Traps
"Cross-tenant access settings are the same as B2B collaboration settings." Reality: B2B collaboration is a feature; cross-tenant access settings *govern* B2B collaboration and B2B direct connect. They are not the same.
"By default, all cross-tenant access is blocked." Reality: B2B collaboration is allowed by default; only B2B direct connect is blocked. Candidates often confuse the two.
"You can trust an external tenant's MFA only if you also trust their compliant devices." Reality: Trust settings are independent checkboxes. You can trust MFA without trusting compliant devices.
"Cross-tenant access settings apply to all users, including internal users." Reality: They only apply to access between tenants; internal access within a tenant is unaffected.
Specific Numbers and Terms on the Exam
Default B2B collaboration: Allowed.
Default B2B direct connect: Blocked.
Automatic redemption: Disabled by default.
Trust settings: MFA, compliant device, hybrid Azure AD join — all unchecked by default.
Policy propagation: Up to 30 minutes for full effect.
Edge Cases the Exam Loves
What happens if you block inbound B2B collaboration for a tenant but existing guest users are still in your directory? Answer: Existing guest users retain access because the policy only affects new invitations. However, if you change the default to block all, existing guest users may lose access after token refresh.
Can you apply conditional access policies to external users without trusting their MFA? Yes, but the policy would require the external user to perform MFA again, even if they already did in their home tenant.
If you enable automatic redemption for a partner, does that bypass conditional access? No, conditional access policies are still evaluated. Automatic redemption only skips the consent prompt.
How to Eliminate Wrong Answers
When you see a question about cross-tenant access settings, first identify whether it's about inbound or outbound. Then check default vs. explicit settings. If the question mentions "B2B direct connect," remember it's blocked by default. If it mentions "trust settings," remember they are optional and independent. Eliminate answers that conflate cross-tenant access settings with B2B collaboration.
Cross-tenant access settings control inbound and outbound access for B2B collaboration and B2B direct connect between Azure AD tenants.
By default, B2B collaboration is allowed for all tenants; B2B direct connect is blocked.
Trust settings (MFA, compliant device, hybrid Azure AD join) are optional and independent of each other.
Automatic redemption is disabled by default; when enabled, external users do not see consent prompts.
Cross-tenant access settings do not apply to Microsoft Account guests or other non-Azure AD identities.
Conditional access policies can be applied to external users regardless of trust settings.
Policy changes propagate within 1-2 minutes typically, but full replication can take up to 30 minutes.
Cross-tenant access settings are configured per partner tenant or via default settings for all tenants.
These come up on the exam all the time. Here's how to tell them apart.
B2B Collaboration
Users appear as guest users in the resource tenant's directory.
Supports inviting users to apps, SharePoint, Teams (non-channel).
Requires the user to accept an invitation (unless auto-redemption enabled).
Governed by inbound/outbound B2B collaboration settings in cross-tenant access.
Supported for any Azure AD tenant and some non-Azure AD identities (MSA, Google).
B2B Direct Connect
Users are not represented as guest objects in the resource tenant's directory.
Only supports Teams Connect shared channels (channels shared with external users).
No invitation acceptance required; access is based on cross-tenant access settings.
Governed by inbound/outbound B2B direct connect settings in cross-tenant access.
Supported only between Azure AD tenants.
Mistake
Cross-tenant access settings apply to all external users, including Microsoft Account (MSA) guests.
Correct
Cross-tenant access settings only apply to users from other Azure AD tenants. Guests with Microsoft accounts (MSA) or Google accounts are not governed by these settings; they are managed by B2B collaboration settings under External Identities.
Mistake
If you allow inbound B2B collaboration for a tenant, all users from that tenant can access all your resources without restriction.
Correct
Allowing inbound B2B collaboration only permits invitations to be sent and accepted. Access to specific resources is still controlled by application permissions, SharePoint sharing settings, and conditional access policies. The cross-tenant setting is just a gate at the identity level.
Mistake
You must explicitly configure cross-tenant access settings for every external tenant you collaborate with.
Correct
The default settings apply to all tenants not explicitly configured. If the default allows B2B collaboration, you do not need to add each partner tenant. Explicit policies are only needed when you want different settings (e.g., block a specific tenant or enable trust).
Mistake
Enabling automatic redemption for a tenant means you trust all their users unconditionally.
Correct
Automatic redemption only bypasses the consent prompt that the user sees when accepting an invitation. It does not change conditional access enforcement or trust settings. The user still must meet any conditional access policies you apply.
Mistake
Cross-tenant access settings can be configured only via the Azure portal.
Correct
They can also be configured via Microsoft Graph API and PowerShell (Microsoft Graph PowerShell module). The Azure portal is the most common interface for manual configuration, but automation is supported.
Reveal each answer, then mark whether you got it right. Score 60%+ to unlock the next chapter.
B2B collaboration is a feature that allows you to invite external users to your tenant as guests. Cross-tenant access settings are the policies that govern whether B2B collaboration (and B2B direct connect) is allowed with specific tenants, and what trust level is applied. In short, cross-tenant access settings control the behavior of B2B collaboration.
Yes. Change the default inbound B2B collaboration setting to 'Block' under Default settings. Then add each partner tenant as an organization and set their inbound B2B collaboration to 'Allow'. This ensures only explicitly allowed tenants can invite users to your tenant.
The trust setting is a claim that you accept from the external tenant. If the external tenant does not enforce MFA, their users will not have an MFA claim in their token. Your conditional access policies that rely on that trust may fail or require the user to perform MFA again in your tenant. It is recommended to only trust MFA from tenants that enforce MFA.
Existing guest users are not immediately affected by changes to cross-tenant access settings. The settings control new invitations and token issuance. However, when a guest user's token expires and they try to refresh, the new policy is evaluated. If you block a tenant after guests have been added, those guests will eventually lose access when their tokens expire.
No. Cross-tenant access settings only apply to users from other Azure AD tenants. For external users with Microsoft accounts, Google accounts, or other identity providers, you manage access via B2B collaboration settings under External Identities, not cross-tenant access settings.
Cross-tenant access settings operate at the tenant level, not the user level. You cannot allow specific users from a tenant while blocking others using these settings alone. To control individual users, you must rely on application-level permissions, dynamic groups, or conditional access policies that target specific users or groups.
There is no hard limit on the number of partner tenants you can add, but there is a limit on the number of policies per tenant. As of current limits, you can have up to 1000 partner configurations. For most organizations, this is sufficient.
You've just covered Cross-Tenant Access Settings — now see how well it sticks with free SC-900 practice questions. Full explanations included, no account needed.
Done with this chapter?