Microsoft Commercially Releases Azure Active Directory Cross Tenant Access Setting
Microsoft on Thursday announced the "general availability" commercial release of its cross-tenant access settings for external collaborations feature, which is part of its Azure Active Directory External Identities service offering.
The idea behind the cross-tenant access settings for external collaborations feature is to make it easier for organizations to share access with trusted organizations. For instance, it lets organizations enforce settings like multifactor authentication without encumbering guest users with multiple sign-in prompts when their own organization also enforces multifactor authentication.
The feature gives IT pros control over "outbound access" settings, allowing organizations to specify which external organizations their users can collaborate with. There also are inbound access settings for specifying which external users can access an organization's resources. Organizations also can specify inbound trust settings, such as indicating that an external organization's multifactor authentication is trusted when its guest users access the organization's resources.
Microsoft had described how the cross-tenant access settings for external collaborations feature works when it announced the feature's public preview back in February. At that time, Robin Goldstein, product team leader of authentication experiences at Microsoft, had explained in a comment how it could "minimize friction" for Azure AD B2B (Business-to-Business) service users:
"One of the most frequent pieces of feedback we got from existing customers who enable B2B collaboration is that they wanted to minimize friction while still enabling secure collaboration. So if an organization I trust, say my main customer or supplier, has MFA policies for users who authenticate in their tenant, then I'm OK not asking that user to register for MFA in my tenant. It's a better user experience and less error prone. However, not all customers will have that level of trust with other organizations and tenants, that's why the policy is configurable."
The feature lets organizations enforce security requirements for collaborations while "not having to manage MFA registrations for your external users, thereby reducing your support costs," Goldstein further explained, in the Thursday announcement. The feature also will enforce any Azure AD Conditional Access policies for devices that were set by an organization.
The same sort of collaboration policies also apply when using Microsoft's Teams Shared Channels feature, which is yet another collaboration enhancement that reached the general availability release stage this week. Here's Goldstein's explanation to that effect:
"If you mainly collaborate with external users on Teams and SharePoint, Teams shared channels enables seamless collaboration where you can chat, share files and collaborate with users from multiple organizations simultaneously. The inbound and outbound cross-tenant access policies that we discussed above apply to B2B direct connect users of Teams shared channels as well."
Before using the cross-tenant access settings for external collaborations feature, Microsoft wants IT pros to go through a workbook, as described in this document. It's designed to help them understand various aspects associated with inbound and outbound organizational collaborations.
Kurt Mackie is senior news producer for 1105 Media's Converge360 group.