Cross-Tenant Access & Synchronisation

Why cross-tenant access matters

Simple explanation

Cross-tenant access is like a diplomatic agreement between two countries.

Each country (tenant) decides: who from the other country can visit (inbound), and which of our citizens can travel there (outbound). They might also agree to trust each other’s passport stamps (trust settings) so visitors don’t need extra checks.

Without these agreements, every visitor gets the default treatment — full security screening every time. With agreements, trusted partners get a smoother experience.

Cross-tenant access settings

Don’t confuse these two — the exam tests the boundary:

Feature	External Collaboration Settings	Cross-Tenant Access Settings
Purpose	Control guest invitation policies	Control trust and B2B flow with specific tenants
Scope	Tenant-wide defaults for all guests	Per-organisation policies (by tenant ID)
Controls	Who can invite, guest permissions, domain allow/deny	Inbound/outbound B2B collab, B2B direct connect, trust settings (MFA, device)
Where configured	External Identities → External collaboration settings	External Identities → Cross-tenant access settings
Key question it answers	Can our users invite guests at all?	How much do we trust Contoso's tenant specifically?

Found at: Entra admin center → External Identities → Cross-tenant access settings

Default settings vs organisational settings

Level	Applies To	Example
Default settings	ALL external tenants (unless overridden)	“By default, block B2B collaboration from all tenants”
Organisational settings	A SPECIFIC external tenant (overrides defaults)	“Allow B2B collaboration with Contoso’s tenant”

Inbound vs outbound

Direction	Who It Controls	Example
Inbound	External users accessing YOUR resources	”Contoso users can access our SharePoint”
Outbound	YOUR users accessing external resources	”Our users can access Contoso’s Teams channels”

For each direction, you can control:

B2B collaboration — guest user access (traditional invitations)
B2B direct connect — seamless access without creating guest accounts (used for Teams shared channels)

Trust settings

Trust settings let you honour security claims from external tenants:

Trust Setting	What It Means	Impact
Trust MFA	Accept MFA completion from the external tenant	Guest doesn’t re-do MFA in your tenant
Trust compliant devices	Accept Intune compliance from external tenant	Guest’s compliant device satisfies your CA policy
Trust Hybrid Entra Joined	Accept hybrid join status from external tenant	Guest’s domain-joined device is trusted

Scenario: Anika configures cross-tenant trust for a merger

Sentinel Partners is helping two companies (Alpha Corp and Beta Ltd) through a merger. Both have Entra tenants and need tight collaboration.

Anika configures cross-tenant access:

Alpha → Beta (inbound): Allow all Alpha users, trust their MFA and compliant devices
Beta → Alpha (inbound): Allow all Beta users, trust their MFA and compliant devices
B2B direct connect: Enabled for Teams shared channels between both tenants
Default settings: Remain restrictive (block collaboration with all other tenants)

Result: Alpha and Beta employees collaborate seamlessly in Teams shared channels without re-doing MFA, while all other external organisations are blocked.

Exam tip: B2B collaboration vs B2B direct connect

B2B collaboration: Creates a guest user object in your tenant. The external user appears in your directory. Traditional invitation-based.

B2B direct connect: No guest user object created. The external user accesses resources directly through their home tenant identity. Currently used primarily for Teams shared channels.

The exam tests this distinction. B2B direct connect is newer and lighter — no directory footprint in your tenant.

Cross-tenant synchronisation

Cross-tenant synchronisation automatically creates and manages B2B guest accounts in a target tenant based on users in a source tenant. It’s different from inviting guests manually — it’s automated, ongoing, and keeps accounts in sync.

When to use it:

Multi-tenant organisations (parent company + subsidiaries)
Mergers and acquisitions (before tenant consolidation)
Organisations with separate tenants for different regions or business units

How it works:

Source tenant has the users you want to sync
Target tenant receives guest accounts automatically
Scoping filters define WHICH users sync (by group, department, etc.)
Attribute mapping controls WHAT properties sync (name, department, job title)
Sync runs on a schedule — creates, updates, and optionally deprovisions users

Feature	Cross-Tenant Sync	Manual Guest Invitations
Automation	Automatic, ongoing	Manual, one-time
Scale	Thousands of users	Individual or bulk CSV
Lifecycle	Creates, updates, and deprovisions	Creates only — manual cleanup
Attribute sync	Keeps properties in sync automatically	Static at invitation time
Setup complexity	Higher (requires configuration in both tenants)	Lower (just send invitations)
Best for	Multi-tenant organisations	Ad-hoc partner collaboration

Scenario: Priya syncs users across Meridian's tenants

After acquiring a smaller clinic chain, Meridian Health has two tenants: MeridianHealth.com and CityClinic.com. Staff need to access resources in both.

Priya configures cross-tenant synchronisation:

Source: CityClinic.com (500 users)
Target: MeridianHealth.com
Scope: All CityClinic users in the “Clinical Staff” group
Attributes synced: Display name, department, job title, manager
Deprovisioning: When a user leaves CityClinic, their guest account in MeridianHealth is automatically disabled

This replaces the manual process of inviting each CityClinic employee — and keeps accounts clean when people leave.

Configuration steps (high-level)

Both tenants: Configure cross-tenant access settings to allow sync
Source tenant: Create a cross-tenant sync configuration (which users to sync, attribute mappings)
Target tenant: The inbound access policy must allow the sync
Test: Run an on-demand sync, verify guest accounts are created correctly
Enable schedule: Turn on the automatic sync schedule

🎬 Video walkthrough

Flashcards

Question

What is the difference between B2B collaboration and B2B direct connect?

Click or press Enter to reveal answer

Answer

B2B collaboration creates a guest user object in your directory (traditional invitations). B2B direct connect provides access without creating a guest object — the user accesses resources through their home identity. Direct connect is currently used mainly for Teams shared channels.

Click to flip back

Question

What are the three trust settings in cross-tenant access?

Click or press Enter to reveal answer

Answer

1) Trust MFA — accept MFA completion from the external tenant. 2) Trust compliant devices — accept Intune compliance claims. 3) Trust Hybrid Entra Joined devices — accept hybrid join status. These reduce friction for trusted partner organisations.

Click to flip back

Question

What does cross-tenant synchronisation do?

Click or press Enter to reveal answer

Answer

Automatically creates, updates, and deprovisions B2B guest accounts in a target tenant based on users in a source tenant. Used for multi-tenant organisations (subsidiaries, mergers) where thousands of users need ongoing access across tenants.

Click to flip back

Knowledge Check

Two companies are merging and need their 3,000 employees to access resources in both Entra tenants. Guest accounts should be created and maintained automatically, including deprovisioning when employees leave. Which solution fits?

Knowledge Check

Anika configures cross-tenant trust settings so her client's tenant trusts MFA from a partner tenant. What is the practical effect?

Next up: Hybrid Identity: Connect Sync vs Cloud Sync — bridge your on-premises Active Directory with Entra ID using the right synchronisation tool.