EXT-05: Cross-Tenant Access Policy Review

Overview

This guide walks you through reviewing and tightening your cross-tenant access settings, the controls that govern B2B collaboration between your Microsoft Entra tenant and other organizations. You will review the default inbound and outbound settings, decide how permissive the default should be, and add partner-specific configurations for the organizations you actually work with. The goal is that external collaboration is explicitly controlled rather than open to any tenant on the internet.

Control ID: EXT-05
Category: Guest & External Access
Baseline Level: Level 2 (Enhanced Security)
Severity: High
License Required: None (cross-tenant access settings are available on all Microsoft Entra tiers)

Why This Matters

Permissive cross-tenant defaults allow any external organization to collaborate with your tenant. Restricting defaults and configuring partner-specific policies ensures only approved organizations can access your resources.

Cross-tenant access settings decide, at the organization level, who can be invited in, who your users can reach out to, and whether you trust another tenant's MFA and device compliance claims. Left at wide-open defaults, this is a large, quiet external attack surface. A deliberate default plus named partner policies turns "anyone, anywhere" into "these organizations, on these terms."

Expected State

  • Default cross-tenant access policy is not overly permissive
  • Partner-specific configurations exist for known collaborators
  • Inbound and outbound B2B access is explicitly controlled

Prerequisites

Requirement      | Details
Role Required    | Security Administrator or Global Administrator
License Required | None
Access           | Microsoft Entra admin center (entra.microsoft.com)

Before You Start

  1. Inventory your real collaborators. List the partner tenants (by tenant ID or domain) your organization legitimately works with. These become your named partner configurations.
  2. Understand the two directions:
    • Inbound = external users and other tenants accessing your resources.
    • Outbound = your users accessing other tenants' resources.
  3. Know your MFA/device trust stance. Inbound trust settings let you accept a partner's MFA or compliant-device claims so your guests are not double-prompted. Decide which partners you trust that far.

Time Estimate

Task                                                      | Duration
Inventory partner tenants                                 | 20-30 minutes
Review and set default inbound/outbound settings          | 20 minutes
Add partner-specific (organizational) configurations      | 10 minutes per partner
Validate collaboration still works                        | 20 minutes
Total                                                     | ~1 to 1.5 hours

TrueConfig Remediation

This control supports one-click enablement / auto-remediation. TrueConfig can restrict overly permissive cross-tenant access defaults for you, tightening the baseline so that unknown tenants are not implicitly allowed. Partner-specific (organizational) configurations for the collaborators you name are then added as explicit allowances. You can also perform the full review manually with the steps below. Change defaults deliberately: tightening them affects all external collaboration that is not covered by a named partner policy.


Step-by-Step Instructions

Step 1: Open Cross-Tenant Access Settings

  1. Sign in to the Microsoft Entra admin center.
  2. Go to External Identities > Cross-tenant access settings.
  3. You will see two areas:
    • Default settings (apply to every organization you have not configured explicitly)
    • Organizational settings (per-partner overrides)

Step 2: Review and Set the Default Settings

  1. Open the Default settings tab and review Inbound access:
    • B2B collaboration: decide whether, by default, external users and groups can be invited/allowed. Restricting this is the core of "not overly permissive".
    • Trust settings: by default, do not blanket-trust MFA / compliant device / hybrid-joined claims from unknown tenants. Enable trust only for named partners (Step 4).
  2. Review Outbound access:
    • Decide whether your users may, by default, access external tenants, and if so which tenants.
  3. Set the default to your intended baseline. A common posture is a restrictive default, then explicit partner allowances.
  4. Save.

Step 3: Identify Known Partner Tenants

  1. From your inventory, gather each partner's tenant ID or a domain in that tenant.
  2. These are the organizations that will get explicit, possibly more permissive, configurations.

Step 4: Add Partner-Specific Configurations

For each real collaborator:

  1. On the Organizational settings tab, click + Add organization.
  2. Enter the partner's domain or tenant ID and select it.
  3. Configure inbound and outbound access for that partner specifically. For trusted partners you may:
    • Allow B2B collaboration scoped to specific users/groups and apps.
    • Under Trust settings, choose to trust MFA and/or trust compliant / hybrid-joined device claims from that partner, so shared users are not re-challenged unnecessarily.
  4. Save the organization configuration.

Repeat for each partner. Anything not listed here falls back to your (now restricted) defaults.

Step 5: Validate Collaboration

  1. Confirm existing legitimate guests and cross-tenant sync (if used) still work.
  2. Have a user at a named partner test access to a shared resource.
  3. Confirm that collaboration attempts from unlisted, untrusted tenants are handled per your restricted default.

Verification Checklist

  • Default inbound settings are not blanket-permissive
  • Default settings do not trust MFA/device claims from unknown tenants
  • Default outbound settings reflect your intended posture
  • Each known collaborator has an explicit organizational configuration
  • Trust settings (MFA/device) are enabled only for named, trusted partners
  • Existing legitimate collaboration still works after the change
  • Access from unlisted tenants falls back to the restricted default
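The checklist above can be run as a script against the settings the admin center shows in Steps 2 to 5. The example below is added here and is not part of this guide or of TrueConfig; it assumes you have saved the JSON that Microsoft Graph returns for GET /v1.0/policies/crossTenantAccessPolicy/default and GET /v1.0/policies/crossTenantAccessPolicy/partners (property names follow the published Graph schema), plus the partner inventory from "Before You Start". The finding codes, tenant IDs, group ID and sample policy data are constructed for the example. It evaluates the effective inbound setting for each partner, since a partner setting left null inherits the default, which is how an organizational configuration can exist yet restrict nothing.

```python
"""Audit Microsoft Entra cross-tenant access settings against the EXT-05 checklist.

Input is the JSON Microsoft Graph returns for
    GET https://graph.microsoft.com/v1.0/policies/crossTenantAccessPolicy/default
    GET https://graph.microsoft.com/v1.0/policies/crossTenantAccessPolicy/partners
plus the partner inventory from "Before You Start". Everything below is a
constructed sample, not data from a real tenant.
"""

ALL_TARGETS = {"AllUsers", "AllApplications"}


def b2b_setting(access_type, user_target, user_type="user"):
    """Build a b2bCollaboration* block in the Graph shape (used for sample data)."""
    return {"usersAndGroups": {"accessType": access_type,
                               "targets": [{"target": user_target, "targetType": user_type}]},
            "applications": {"accessType": access_type,
                             "targets": [{"target": "AllApplications", "targetType": "application"}]}}


def open_to_all(setting):
    """True when a b2bCollaboration* setting allows every user to every application."""
    if not setting:
        return False

    def allows_all(cfg):
        return cfg.get("accessType") == "allowed" and any(
            t.get("target") in ALL_TARGETS for t in cfg.get("targets", []))

    return allows_all(setting.get("usersAndGroups") or {}) and allows_all(setting.get("applications") or {})


def trusted_claims(inbound_trust):
    """Labels of the external claims an inboundTrust block accepts (empty if none)."""
    labels = {"isMfaAccepted": "MFA", "isCompliantDeviceAccepted": "compliant device",
              "isHybridAzureADJoinedDeviceAccepted": "hybrid-joined device"}
    return [label for key, label in labels.items() if (inbound_trust or {}).get(key)]


def audit(default, partners, inventory):
    """Return (code, message) findings; an empty list means the checklist passes."""
    findings = []
    if default.get("isServiceDefault"):
        findings.append(("DEFAULT_UNREVIEWED", "default settings are still the service default"))
    if open_to_all(default.get("b2bCollaborationInbound")):
        findings.append(("DEFAULT_INBOUND_OPEN", "default admits all users from any tenant to all apps"))
    if open_to_all(default.get("b2bCollaborationOutbound")):
        findings.append(("DEFAULT_OUTBOUND_OPEN", "default lets all users reach any external tenant"))
    claims = trusted_claims(default.get("inboundTrust"))
    if claims:
        findings.append(("DEFAULT_TRUST", "default trusts " + ", ".join(claims) + " claims from unknown tenants"))
    configured = {p["tenantId"]: p for p in partners.get("value", [])}
    for tid, name in inventory.items():
        if tid not in configured:
            findings.append(("PARTNER_MISSING", f"{name} ({tid}) has no organizational configuration and gets the default"))
    for tid, p in configured.items():
        known = tid in inventory
        if not known:
            findings.append(("PARTNER_UNKNOWN", f"{tid} has an organizational configuration but is not in the inventory"))
        # A null partner setting inherits the default, so judge the effective value.
        if open_to_all(p.get("b2bCollaborationInbound") or default.get("b2bCollaborationInbound")):
            findings.append(("PARTNER_INBOUND_OPEN", f"{tid}: inbound access is not scoped to specific users/groups and apps"))
        if not known and trusted_claims(p.get("inboundTrust")):
            findings.append(("PARTNER_TRUST_UNKNOWN", f"{tid}: trusts external claims but is not an inventoried partner"))
    return findings


# Constructed sample: still at the service default, with MFA trust switched on
# at the default level (the thing Step 2 says not to do).
SAMPLE_DEFAULT = {
    "isServiceDefault": True,
    "inboundTrust": {"isMfaAccepted": True, "isCompliantDeviceAccepted": False,
                     "isHybridAzureADJoinedDeviceAccepted": False},
    "b2bCollaborationInbound": b2b_setting("allowed", "AllUsers"),
    "b2bCollaborationOutbound": b2b_setting("allowed", "AllUsers"),
}
# Constructed organizational settings; tenant and group IDs are placeholders.
PARTNER_A = "aaaaaaaa-0000-0000-0000-000000000001"  # inventoried partner, scoped to one group
PARTNER_X = "cccccccc-0000-0000-0000-000000000002"  # present in the portal, absent from the inventory
SAMPLE_PARTNERS = {"value": [
    {"tenantId": PARTNER_A,
     "inboundTrust": {"isMfaAccepted": True, "isCompliantDeviceAccepted": False,
                      "isHybridAzureADJoinedDeviceAccepted": False},
     "b2bCollaborationInbound": b2b_setting("allowed", "bbbbbbbb-0000-0000-0000-000000000010", "group"),
     "b2bCollaborationOutbound": None},
    {"tenantId": PARTNER_X, "inboundTrust": None,
     "b2bCollaborationInbound": None, "b2bCollaborationOutbound": None},
]}
# Inventory from "Before You Start" step 1 (constructed).
SAMPLE_INVENTORY = {PARTNER_A: "Partner A",
                    "dddddddd-0000-0000-0000-000000000003": "Partner D (not configured yet)"}

if __name__ == "__main__":
    for code, msg in audit(SAMPLE_DEFAULT, SAMPLE_PARTNERS, SAMPLE_INVENTORY):
        print(f"[{code}] {msg}")
```

Run it once before tightening to get the list of gaps, and again after Step 5: an empty result means the defaults are no longer the service default, nothing is open to all tenants, trust is only granted to inventoried partners, and every inventoried partner has its own configuration. Outbound openness is reported as its own code because the guide treats the outbound posture as a choice rather than a hard requirement.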

Troubleshooting

"After tightening defaults, a partner can no longer collaborate"

That partner is relying on the default and is not in your organizational settings. Add an explicit configuration for their tenant (Step 4) with the access they need.

"Guests from a trusted partner are prompted for MFA twice"

You have not enabled inbound MFA trust for that partner. In their organizational configuration, under trust settings, choose to trust their MFA claims so your tenant accepts the MFA they already performed.

"Our users cannot reach an external tenant they need"

Outbound access to that tenant is blocked either by your default outbound settings or by the organizational configuration you created for that tenant. Adjust the outbound settings for that specific organization.

"How does this relate to guest invitation and allowlisting?"

Cross-tenant access settings are the organization-to-organization layer. Who may send invitations is EXT-01, and restricting guests to allowlisted domains is EXT-03. Use them together: cross-tenant settings define trusted tenants, EXT-01/EXT-03 govern the invitation and domain rules.

"We use cross-tenant synchronization"

Cross-tenant sync depends on inbound settings in the target tenant and outbound in the source. If sync breaks after tightening, confirm the paired organizations have the required inbound/outbound and automatic redemption settings enabled.


Cost Considerations

Component      | Cost Impact
License        | None. Cross-tenant access settings are available on all Entra tiers, including Free.
Operational    | One-time review plus ongoing maintenance as partners are added or removed.
Risk reduction | Removes implicit trust of unknown tenants, closing a broad external collaboration attack surface.

Note: Some inbound trust conveniences (accepting a partner's compliant-device claim) depend on that partner running device compliance, which is a P1/Intune capability on their side, not a license cost to you.


Related Controls

Additional Resources