Cross-Tenant Access Settings and Synchronization
Cross-Tenant Access Settings and Synchronization are critical features in Microsoft Entra ID (formerly Azure AD) that govern how users and organizations collaborate across different tenants.
**Cross-Tenant Access Settings** allow administrators to control inbound and outbound collaboration between Azure AD tenants. These settings define how external organizations interact with your tenant and vice versa. There are two primary components:
1. **Inbound Access Settings**: Control how external users from other tenants access resources in your organization. Administrators can allow or block specific organizations, users, groups, and applications. You can also configure trust settings to accept MFA claims, compliant device claims, and hybrid Azure AD joined device claims from external tenants.
2. **Outbound Access Settings**: Control how your internal users access resources in external organizations. You can restrict which users can collaborate externally and which external applications they can access.
Administrators can configure **default settings** that apply to all external organizations or create **organization-specific settings** for individual tenants, overriding the defaults.
**Cross-Tenant Synchronization** is a feature that enables automatic provisioning and deprovisioning of user accounts across tenants within a multi-tenant organization. This is particularly useful for large enterprises operating multiple Azure AD tenants.
Key aspects include:
- Automatically creating B2B collaboration users in target tenants
- Synchronizing user profile attributes across tenants
- Keeping user accounts updated or removing them when no longer needed
- Supporting scoping filters to determine which users are synchronized
Cross-tenant synchronization uses the SCIM (System for Cross-domain Identity Management) protocol and leverages the existing cross-tenant access policy framework. Administrators must configure both the source tenant (outbound sync) and the target tenant (inbound sync) to establish the synchronization relationship.
Together, these features enable seamless, secure multi-tenant collaboration while maintaining granular administrative control over identity access and lifecycle management across organizational boundaries.
Cross-Tenant Access Settings and Synchronization – Complete Guide for SC-300
Why Is This Important?
In modern organizations, mergers, acquisitions, partnerships, and multi-subsidiary structures often result in multiple Microsoft Entra ID (formerly Azure AD) tenants that need to collaborate. Without proper cross-tenant configuration, users in one tenant cannot seamlessly access resources in another. Cross-tenant access settings and synchronization solve this by enabling controlled, secure collaboration between tenants while maintaining governance and compliance. For the SC-300 exam, this topic is critical because it sits at the intersection of identity governance, external identities, and B2B collaboration — all key pillars of the Identity Administrator role.
What Is Cross-Tenant Access?
Cross-tenant access settings in Microsoft Entra ID allow you to manage how users in your organization collaborate with users in external Microsoft Entra organizations. These settings provide granular control over both inbound and outbound collaboration:
• Inbound access settings: Control whether users from external tenants can access resources in YOUR tenant. You define which external users, groups, and applications are allowed or blocked.
• Outbound access settings: Control whether YOUR users can access resources in an external tenant. You define which of your users, groups, and applications can participate in external collaboration.
• Trust settings: Determine whether your Conditional Access policies will trust claims from external tenants, such as multifactor authentication (MFA), compliant devices, and hybrid Azure AD joined devices.
• Tenant restrictions: Control which external tenants your users can access when using your network or devices.
What Is Cross-Tenant Synchronization?
Cross-tenant synchronization is a feature that allows you to automatically create, update, and delete B2B collaboration users across tenants within your multi-tenant organization. Instead of manually inviting guest users, this feature provisions them automatically based on scoping rules.
Key characteristics of cross-tenant synchronization:
• It creates B2B collaboration users (member or guest type) in the target tenant.
• It is one-way per configuration — from a source tenant to a target tenant. To synchronize in both directions, you need to set up two configurations.
• Users provisioned via cross-tenant sync maintain a link to their home tenant identity.
• It uses the SCIM-based provisioning engine already available in Microsoft Entra ID.
• It supports attribute mapping, scoping filters, and user type conversion (e.g., setting synchronized users as Members instead of Guests).
How Does It Work? Step-by-Step
Step 1: Configure Cross-Tenant Access Settings
In the target tenant:
1. Navigate to Microsoft Entra admin center → External Identities → Cross-tenant access settings.
2. Add the source tenant's organization (by tenant ID).
3. Under Inbound access, enable B2B collaboration and allow automatic redemption (this suppresses the consent prompt for users).
4. Under Trust settings, optionally trust MFA claims and/or compliant device claims from the source tenant.
5. Under the Cross-tenant sync tab for that organization, enable Allow users sync into this tenant. This is a critical step — without it, synchronization will be blocked.
In the source tenant:
1. Similarly, add the target tenant under cross-tenant access settings.
2. Under Outbound access, configure which users and applications are allowed for B2B collaboration.
3. Enable Automatic redemption so that users do not need to manually accept invitations.
Step 2: Configure Cross-Tenant Synchronization
In the source tenant:
1. Navigate to Microsoft Entra admin center → External Identities → Cross-tenant synchronization.
2. Create a new configuration that targets the desired tenant.
3. Provide admin consent for the required permissions in the target tenant.
4. Configure provisioning:
- Set the provisioning mode to Automatic.
- Define scope — select which users and groups should be synchronized (via scoping filters or group assignment).
- Configure attribute mappings — map source attributes to target user attributes. You can customize these mappings as needed.
- Optionally change the target user type from Guest to Member to give synchronized users more native-like access in the target tenant.
5. Start provisioning. The initial cycle processes all in-scope users. Subsequent incremental cycles handle changes.
Step 3: Verify and Monitor
• Check the provisioning logs in the source tenant to verify that users are being created, updated, or skipped as expected.
• In the target tenant, verify that the synchronized users appear with the correct user type and attributes.
• Review the audit logs in both tenants for governance and troubleshooting.
Key Concepts to Understand for the Exam
1. Default vs. Organizational Settings
Cross-tenant access has default settings that apply to all external tenants, and organizational settings that override the defaults for specific tenants. Organizational settings always take precedence when configured.
2. Automatic Redemption
When automatic redemption is enabled on both sides (outbound in source, inbound in target), users do not see a consent prompt when accessing the target tenant. This must be enabled on both the source and target tenant for it to work.
3. Trust Settings
Trust settings in inbound access determine if the target tenant accepts MFA, compliant device, or hybrid Azure AD joined device claims from the source tenant. This avoids requiring users to re-authenticate or re-register devices in the target tenant.
4. User Type: Guest vs. Member
By default, B2B users are created as Guest type with limited permissions. Cross-tenant sync allows you to configure provisioned users as Member type, giving them broader access similar to internal users. This is especially useful in multi-tenant organizations.
5. One-Way Sync
Cross-tenant synchronization is unidirectional per configuration. If bidirectional sync is needed, two separate configurations must be created (one in each tenant pointing to the other).
6. Multi-Tenant Organization (MTO)
Microsoft introduced the multi-tenant organization feature, which works alongside cross-tenant access settings and synchronization. MTO allows tenants to formally define themselves as part of the same organization, enabling richer collaboration scenarios such as people search across tenants in Microsoft Teams and shared channels. Cross-tenant sync is a key enabler for MTO.
7. Deprovisioning
When a user goes out of scope (removed from the group or no longer matching the scoping filter), cross-tenant sync soft-deletes the B2B user in the target tenant. By default this is a soft delete, not a hard delete, so the account can still be restored within the usual retention window.
Common Scenarios
• Scenario 1: A company acquires another company with its own Entra ID tenant. They configure cross-tenant sync to automatically provision users from the acquired tenant into the parent tenant so employees can access shared applications without manual invitation.
• Scenario 2: Two partner organizations want to collaborate on a project. They configure cross-tenant access settings to allow only specific groups of users to collaborate, and they trust each other's MFA claims to avoid double authentication.
• Scenario 3: A large enterprise with multiple subsidiaries creates a multi-tenant organization. They enable cross-tenant sync between all tenants and set synchronized users as Member type to provide seamless access to shared Microsoft 365 resources.
Exam Tips: Answering Questions on Cross-Tenant Access Settings and Synchronization
Tip 1: Know Where Each Setting Is Configured
Exam questions often test whether you know which tenant (source or target) a setting must be configured in. Remember:
- Inbound access and Allow users sync into this tenant are configured in the target tenant.
- Outbound access and the cross-tenant synchronization configuration (including provisioning, scoping, and attribute mapping) are configured in the source tenant.
Tip 2: Automatic Redemption Requires Both Sides
If a question mentions that users are still seeing consent prompts, check whether automatic redemption is enabled on both the source (outbound) and target (inbound) tenants. Both must have it enabled.
Tip 3: Enabling Sync in the Target Tenant Is a Prerequisite
A very common exam trap: even if you configure everything in the source tenant, synchronization will fail unless you enable Allow users sync into this tenant in the target tenant's cross-tenant access settings for that organization. Look for this option in answer choices.
Tip 4: Trust Settings Reduce Friction
If a question describes a scenario where users are being prompted for MFA twice (once in each tenant), the solution is to configure trust settings in the target tenant's inbound access to trust the source tenant's MFA claims.
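The prerequisites from Steps 1 and 2 and from Tips 1 to 4 are easy to leave half-configured, so here is an added offline readiness check (my own example, not Microsoft code or tooling). It reads the two partner objects an administrator would export from each tenant's cross-tenant access policy, in the shape of the Microsoft Graph crossTenantAccessPolicyConfigurationPartner resource, and reports what would block synchronization or cause a second MFA prompt. The sample objects and tenant IDs are constructed.

```python
from typing import Any
# CONSTRUCTED sample: the partner object stored in the TARGET tenant that describes the
# source organization, shaped like Graph's crossTenantAccessPolicyConfigurationPartner.
# None mirrors a JSON null, i.e. "inherit the default settings"; tenant IDs are placeholders.
TARGET_SIDE: dict[str, Any] = {
    "tenantId": "00000000-0000-0000-0000-00000000aaaa",
    "b2bCollaborationInbound": {"usersAndGroups": {"accessType": "allowed",
                                "targets": [{"target": "AllUsers", "targetType": "user"}]}},
    "inboundTrust": {"isMfaAccepted": False, "isCompliantDeviceAccepted": False,
                     "isHybridAzureADJoinedDeviceAccepted": False},
    "automaticUserConsentSettings": {"inboundAllowed": True, "outboundAllowed": None},
    "identitySynchronization": {"userSyncInbound": {"isSyncAllowed": False}},
}
# CONSTRUCTED sample: the partner object stored in the SOURCE tenant that describes the target.
SOURCE_SIDE: dict[str, Any] = {
    "tenantId": "00000000-0000-0000-0000-00000000bbbb",
    "b2bCollaborationOutbound": {"usersAndGroups": {"accessType": "allowed",
                                 "targets": [{"target": "AllUsers", "targetType": "user"}]}},
    "automaticUserConsentSettings": {"inboundAllowed": None, "outboundAllowed": False},
}

def _get(obj: Any, *path: str) -> Any:
    """Walk nested dicts; a missing key and a null both come back as None."""
    for key in path:
        if not isinstance(obj, dict):
            return None
        obj = obj.get(key)
    return obj

def sync_readiness(target_side: dict, source_side: dict) -> list[str]:
    """Blocking findings for one source->target sync pair; empty list means ready. Only an
    explicit True / "allowed" passes: None inherits defaults this offline check cannot see."""
    checks = [
        (_get(target_side, "identitySynchronization", "userSyncInbound", "isSyncAllowed") is True,
         "target: 'Allow users sync into this tenant' is not enabled; provisioning is blocked"),
        (_get(target_side, "b2bCollaborationInbound", "usersAndGroups", "accessType") == "allowed",
         "target: inbound B2B collaboration for users/groups is not explicitly allowed"),
        (_get(source_side, "b2bCollaborationOutbound", "usersAndGroups", "accessType") == "allowed",
         "source: outbound B2B collaboration for users/groups is not explicitly allowed"),
        (_get(target_side, "automaticUserConsentSettings", "inboundAllowed") is True,
         "target: inbound automatic redemption is off; users will see a consent prompt"),
        (_get(source_side, "automaticUserConsentSettings", "outboundAllowed") is True,
         "source: outbound automatic redemption is off; users will see a consent prompt"),
    ]
    return [msg for ok, msg in checks if not ok]

def trust_gaps(target_side: dict) -> list[str]:
    """Non-blocking: trust claims the target rejects, each forcing a second prompt in the target."""
    trust = _get(target_side, "inboundTrust") or {}
    claims = ("isMfaAccepted", "isCompliantDeviceAccepted", "isHybridAzureADJoinedDeviceAccepted")
    return [c for c in claims if trust.get(c) is not True]
```

Run it against the constructed pair and it reports exactly the two exam-trap misconfigurations (sync not allowed in the target, outbound redemption off in the source) plus all three untrusted claims.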
Tip 5: Understand the Difference Between B2B Collaboration and B2B Direct Connect
Cross-tenant synchronization uses B2B collaboration (creates a user object in the target tenant). B2B direct connect does not create a user object — users access resources directly from their home tenant (used primarily for Teams shared channels). Know which scenario requires which type.
Tip 6: Scoping Filters and Group Assignments
Questions may ask how to limit which users are synchronized. The answer is to use scoping filters or assign specific groups to the cross-tenant synchronization configuration. If a question says sync all users, the provisioning scope should be set to Sync all users and groups.
Tip 7: Member vs. Guest Type
If a question states that synchronized users need the same level of access as internal users (e.g., accessing certain apps that require Member type), the solution is to configure the attribute mapping in cross-tenant sync to set the userType to Member.
Tip 8: Cross-Tenant Sync Is Not Bidirectional by Default
If a scenario requires users from Tenant A to appear in Tenant B AND users from Tenant B to appear in Tenant A, you need two separate configurations — one in each tenant. A single configuration does not handle bidirectional sync.
Tip 9: Licensing
Cross-tenant synchronization requires Microsoft Entra ID P1 licenses (at minimum) in both the source and target tenants. Some advanced governance features may require P2. If a question mentions licensing, remember this requirement.
Tip 10: Watch for Order of Operations
In drag-and-drop or ordering questions, the typical sequence is:
1. Add the external organization in cross-tenant access settings (both tenants).
2. Configure inbound/outbound access and trust settings.
3. Enable Allow users sync into this tenant in the target tenant.
4. Create the cross-tenant synchronization configuration in the source tenant.
5. Configure provisioning scope and attribute mappings.
6. Start the provisioning job.
Tip 11: Conditional Access and Cross-Tenant Access
Conditional Access policies in the target tenant apply to inbound B2B users. If the target tenant has a policy requiring MFA but trusts the source tenant's MFA, users won't be prompted again. If trust is NOT configured, users must satisfy the target tenant's MFA requirement independently.
Tip 12: Know the Admin Roles
Configuring cross-tenant access settings requires the Security Administrator or Global Administrator role. Configuring cross-tenant synchronization provisioning typically requires the Hybrid Identity Administrator or Application Administrator role in the source tenant, plus acceptance of permissions in the target tenant.
By mastering these concepts and tips, you will be well-prepared to handle any SC-300 exam question related to cross-tenant access settings and synchronization.