Cross-Tenant Access Settings Come to Azure Active Directory
Microsoft this week announced that cross-tenant access settings for external collaboration are now available in public preview for Azure Active Directory users.
The new feature gives IT control over how users in an organization can securely collaborate with users in outside Azure Active Directory organizations. It also brings the ability to trust outside security claims, such as multifactor authentication.
Microsoft's Robin Goldstein, product team leader for authentication experiences at Microsoft, said the feature was driven by community feedback and a strong need for more control over aspects such as external users' access to internal apps, and insight into what those users are accessing and how.
Delving into the new inbound settings, Goldstein said the new feature does just that. "You can allow all external users to collaborate with you, or you can limit access to only allow specific users and groups from specific organizations," said Goldstein. "You can also specify the apps in your organization you want these users to be able to access."
This is done by giving IT control over three new options:
- Outbound access settings: Direct control of whether members in an organization can access external resources from another Azure Active Directory organization. Specific settings can be broadly applied across the whole organization or limited to specific groups or individuals.
- Inbound access settings: Gives IT control over who can access internal resources and apps. It can also be applied broadly or more narrowly.
- Trust settings: Related to inbound access settings, this will allow an organization's Conditional Access policies to allow "multi-factor authentication (MFA), compliant device, and hybrid Azure AD joined device-claims" from an outside source.
Microsoft notes that cross-tenant access settings will be applied to all external Azure Active Directory organizations by default, allowing internal users to invite outside users to collaborate. If you want to apply cross-tenant access settings to external users, you'll have to contact the external organization first to obtain the user object IDs, group object IDs or application IDs.
One consideration is that if app access is blocked by IT, users cannot read e-mails that have been encrypted with Microsoft Rights Management Service. Microsoft said that making an exception with app ID 00000012-0000-0000-c000-000000000000 will allow access to encrypted e-mails, but keep all other apps and resources blocked.
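As an added example (not from the article or from Microsoft), the inbound and trust settings described above for a single partner tenant, written as the partner-configuration object that Microsoft Graph's cross-tenant access policy accepts, plus a small audit helper a defender can run over any such object. The object shape and the placeholder partner tenant ID are assumptions; the app ID is the Rights Management Service ID quoted in the article.

```python
import json

# App ID quoted in the article: Microsoft Rights Management Service
RMS_APP_ID = "00000012-0000-0000-c000-000000000000"
# Constructed placeholder for the partner's tenant ID
PARTNER_TENANT_ID = "00000000-0000-0000-0000-000000000000"


def partner_config(partner_tenant_id: str) -> dict:
    """Build inbound settings for one partner tenant.

    Assumption: field names follow the Graph crossTenantAccessPolicy
    partner resource. The result trusts the partner's MFA claim and
    allows only the RMS app inbound, so encrypted e-mail stays
    readable while every other app remains blocked.
    """
    return {
        "tenantId": partner_tenant_id,
        "inboundTrust": {
            "isMfaAccepted": True,
            "isCompliantDeviceAccepted": False,
            "isHybridAzureADJoinedDeviceAccepted": False,
        },
        "b2bCollaborationInbound": {
            "usersAndGroups": {
                "accessType": "allowed",
                "targets": [{"target": "AllUsers", "targetType": "user"}],
            },
            "applications": {
                "accessType": "allowed",
                "targets": [{"target": RMS_APP_ID, "targetType": "application"}],
            },
        },
    }


def audit_inbound(config: dict) -> dict:
    """Summarise what a partner configuration lets in (defender's view)."""
    apps = config["b2bCollaborationInbound"]["applications"]
    targets = {t["target"] for t in apps["targets"]}
    if apps["accessType"] == "allowed":
        allows_all = "AllApplications" in targets
        explicit = sorted(targets - {"AllApplications"})
    else:
        # "blocked" lists what is denied; anything not listed gets through
        allows_all = "AllApplications" not in targets
        explicit = []
    return {
        "trusts_mfa": config["inboundTrust"]["isMfaAccepted"],
        "allows_all_apps": allows_all,
        "allowed_apps": explicit,
    }


if __name__ == "__main__":
    cfg = partner_config(PARTNER_TENANT_ID)
    print(json.dumps(cfg, indent=2))
    print(audit_inbound(cfg))
```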
Microsoft also said that Azure Monitor subscribers can view inbound and outbound sign-ins with the cross-tenant access activity workbook.
To get started with cross-tenant access settings, follow these instructions.