Azure cross tenant access.

Attack Path 1: Lateral Movement Using Cross-Tenant Synchronization Adversaries can achieve initial foothold by compromising Azure tenants in multiple ways, including but not limited to vulnerabilities in public-facing applications or APIs, leaked credentials, stolen identities and zero-day exploits. To configure trust settings or apply access settings to specific users, groups, or applications, you need a Microsoft Entra ID P1 license. This means that you can access ACR without going over the public internet, which provides a more secure and reliable connection. Feb 11, 2022 · Microsoft says that Azure Monitor service subscribers can use the cross-tenant access activity workbook to gain insights about all inbound and outbound collaboration. Moreover, this storage account does not have public network access… Apr 21, 2025 · In this page, I explore Azure Lighthouse and provide some of the scenarios, tips and design decisions needed to enable cross-tenant operations in Azure. These settings determine both the level of inbound access users in external Microsoft Entra organizations have to your resources, and the level of outbound access your users have to external organizations. If you don’t have permission to access the customer tenant, the resource ID of the storage account will still work. This blog will walk you through the steps to set up cross-tenant connectivity between Azure Databricks and Azure Storage account May 29, 2025 · Important Cross-tenant access for Fabric data-warehouses is a generally available feature for guest tenants, however it's currently only available to a limited set of providers. Dec 31, 2024 · For example, a workload in Tenant A can securely access resources in Tenant B using only its managed identity, simplifying cross-tenant integrations. Now you’ll have granular inbound and outbound access control settings that work on a per org, user, group, and application basis.
This blog will explore how to achieve cross-tenant secure integration of Azure resources using Logic App Standard and Azure Virtual WAN. Jul 26, 2023 · Hi all, i try to implement Cross-Tenant-Synchronization and if i test the connection i get following error: Testing connection to Contoso(xxx) to Contoso(xxx) You appear to have entered invalid credentials. If so what would… May 26, 2023 · Learn how to implement cross-tenant sync in Azure and how to create customized address lists to separate internal users from external in the GAL. Jul 28, 2025 · How to Allow users from one domain (external tenant) to access an application hosted in another Domain (your Azure AD tenant) without adding them as guests. Mar 15, 2024 · Azure cross-tenant synchronization introduced a new attack surface on Microsoft Entra ID where attackers can move to a partner tenant or existing tenant. Feb 5, 2023 · Cross tenant sync is a feature I've been waiting to see for a while and with the announcement of cross tenant access settings, I knew it wouldn't be long. What is cross tenant sync?Cross tenant sync bridges the gap when two separate organisations need to come together as one, yet they have their own tenants. Oct 16, 2025 · When you need to create a data connection for an Azure Event Hubs or Azure Event Grid service in a different tenant, use the Create Data Connections API to build the connection. Enhance security by replacing app secrets with managed identities, simplify setup, and enable seamless cross-tenant access to Entra-protected resources like Azure and Microsoft Graph. Jan 6, 2023 · Hello guys, a short and simple question. While many articles outline the advantages, there are concerns that need to be addressed: How are users with devices not enrolled… Dec 17, 2023 · Want to check on access provisioning for Azure blobs (Gen1) and SQL using MI and SPN for cross tenant use-cases. 
Oct 27, 2025 · Cross-tenant support in Azure Virtual Network Manager lets organizations centrally manage virtual networks across multiple tenants and their subscriptions. Aug 21, 2025 · Common considerations for multitenant user management provides guidance for these considerations: cross-tenant synchronization, directory object, Microsoft Entra Conditional Access, additional access control, and Office 365. Select the checkboxes next to the external Microsoft Azure clouds you want to enable. Oct 5, 2023 · To share private ACR access to cross-tenant AKS clusters, you can use Azure Private Link. Check with your provider to confirm support. Aug 30, 2023 · Learn more about using cross-tenant access settings to restrict B2B invitations. The following diagram shows the cross-tenant access inbound and Apr 18, 2022 · The introduction of cross-tenant access controls for both Azure AD B2B Collaboration and Azure AD Direct Connect gives administrators more flexibility over how they allow inbound and outbound sharing to happen. As always, let us know if you have any feedback by reaching out to us through the Azure forum or tagging @AzureAd on Jan 17, 2025 · Up until now there has been no good way to have a managed service identity on tenant A granted access to resources or graph scopes in tenant B. . Select the checkboxes next to the external Azure clouds you want to enable. Aug 22, 2023 · How to implement Cross-tenant Synchronization using Azure AD / Entra ID, how to monitor and verify its deployment thereafter, and some example use cases for the feature. Nov 4, 2024 · Learn how to use the cross-tenant access activity workbook in Microsoft Entra ID to monitor the resources your external users are accessing. In this article, you'll learn how to give cluster access to principals from another tenant. To participate as a May 30, 2025 · To enforce tenant restrictions for Teams, you need to configure tenant restrictions v2 in your Microsoft Entra cross-tenant access settings. 
A separate tenant creates a new boundary, and therefore decoupled management of Microsoft Entra directory roles, directory objects, Conditional Access policies, Azure resource groups, Azure management groups, and other controls as described in previous sections. Apr 13, 2023 · Hello, we are trying to work out if its possible to host an Azure SQL Server with Databases on one Tenant and then allow our other customer tenants to access the SQL Server without needing Guest External Users or Creating 2nd accounts. Apr 7, 2022 · Azure AD cross-tenant access settings or policies define how your tenant collaborates with other Microsoft 365 tenants. Mar 28, 2025 · To configure cross-tenant access settings in the Azure portal, you need an account with at least Security Administrator, or a custom role. Aug 26, 2025 · The cross-tenant access settings provide granular control over inbound and outbound access, allowing you to trust multifactor authentication (MFA) and device claims from other organizations. Mar 18, 2024 · The introduction of cross-tenant access settings for Microsoft Entra External ID marked a pivotal shift in how organizations manage security and collaboration across different tenants. Jan 13, 2025 · Monitor Access: Use Azure Monitor and Entra ID logs to track cross-tenant access and detect anomalies. This architecture ensures that traffic remains on the Microsoft backbone network, completely bypassing the public internet. Here are the primary goals of cross-tenant synchronization: Seamless collaboration for a multitenant organization Automate Mar 28, 2025 · The external identities cross-tenant access settings manage how you collaborate with other Microsoft Entra organizations. In this article, you learn how to use PowerShell to create a cross-tenant Event Hubs data connection and auxiliary tokens to authenticate. The Cross-cloud synchronization settings check box applies to synchronization across clouds. 
A look at the fantastic cross-tenant access settings capability. Simplify management of multi-tenant environments without secret sharing Jul 21, 2022 · With inbound cross-tenant access settings, more of you are trusting security claims from external Azure AD organizations for MFA to ensure external users perform MFA in their home tenant when required by Conditional Access polices. To avoid this issue, we recommend configuring your outbound settings to allow your users to access this app ID: 00000012-0000-0000-c000-000000000000. Jan 1, 2024 · This article shows how to use cross-tenant access settings to manage B2B collaboration and B2B direct connect with external Azure AD organizations — even across clouds. Jul 28, 2025 · Learn how your organization can define custom roles to manage cross-tenant access settings, allowing for precise control without relying on built-in management roles. Jul 28, 2025 · Organizations can enforce Conditional Access policies for external B2B collaboration users in the same way that they’re enabled for full-time employees and members of the organization. Mar 20, 2024 · By leveraging Shared Access Signatures (SAS) and potentially Role-Based Access Control (RBAC), you can establish a secure and efficient mechanism for accessing Azure Storage resources across different tenants without relying on Managed Service Identity (MSI). Jun 8, 2023 · Behind the scenes and transparent to the user, the sync process leverages the Azure AD B2B functionality and is fully integrated with Azure AD’s security and governance capabilities such as conditional access, cross-tenant access settings, and entitlement management. Jul 16, 2025 · Learn how to use the cross-tenant access activity workbook in Microsoft Entra ID to monitor the resources your external users are accessing. Apr 14, 2025 · Browse to Entra ID > External Identities > Cross-tenant access settings, then select Microsoft cloud settings. 
Once attackers acquire the necessary access and privileges defined in the earlier section, then Jan 22, 2025 · When creating a multitenant application, you might need to handle authentication requests for resources in different tenants. It provisions, synchronizes, and deprovisions users in the scope of synchronization from source tenants. May 15, 2025 · The problem statement is, I have an application that resides in consumer tenant and a storage account that resides in provider tenant. May 8, 2025 · Announcing the GA of Managed Identities as Federated Identity Credentials for Microsoft Entra. May be a long shot, but I wonder if somebody knows how to give access to an Azure apps service principal from one tenant on a different tenant. Mar 19, 2024 · With cross-tenant access and outbound access settings, customers can granularly restrict and control collaboration with external resource tenants. Read the blog for a walkthrough of managing external access with inbound and outbound settings, default settings, organizational settings and others. This article describes scenarios, benefits, and how to establish cross-tenant connections. Scenario is: We have an azure app on one tenant that needs to access the Azure Analysis Services on another tenant. This enables more control over what your internal accounts can access externally and where. Then each tenant must configure inbound and outbound cross-tenant access with the tenant in the other cloud. May 19, 2025 · Describes how to publish and deliver events across tenants using an Azure Event Grid topic with a user-assigned identity. Feb 20, 2024 · The best approach to enable cross-tenant AVD access while ensuring users can log in with their existing credentials? Strategies for implementing auto-scaling of VMs in the host pool to accommodate fluctuating user numbers? Jul 25, 2022 · Microsoft has announced the general availability of new Azure AD cross-tenant collaboration settings. 
Azure Private Link enables you to access Azure services (in this case, ACR) over a private endpoint in your virtual network. Nov 22, 2024 · Learn Azure Cross Tenant Sync best practices and setup for seamless identity and data sharing across multiple tenants. Jan 4, 2024 · Cross-tenant delivery in Azure Event Grid - Azure Event Grid Describes how to publish and deliver events across tenants using an Azure Event Grid topic with a user-assigned identity. Control inbound and outbound access, trust MFA, and device claims from other organizations. Jun 20, 2024 · Cross-tenant access settings let you manage both B2B collaboration and B2B direct connect for your organization. I’m sure there are plenty of use cases Mar 7, 2025 · Hi All, I am looking at option(s) in relation to Multitenant Collaboration vs Cross-tenant access in 365/Entra/Azure portals, I am finding my search for documentation challenging- I have found a non Microsoft page which describes the… May 19, 2025 · Set up cross-tenant access settings in Microsoft Entra ID with the organization that you want to collaborate with. Apr 3, 2023 · I will not deep-dive into all the toolings around it, such as Conditional access or other features you get available by using Azure AD Premium. The feature was first announced back in February, and it Jul 7, 2025 · To set up B2B collaboration between tenants in different clouds, both tenants need to configure their Microsoft cloud settings to enable collaboration with the other cloud. Nov 14, 2024 · In the current Azure environment, a user from another tenant can be represented by various identity objects. Jul 15, 2025 · Azure Storage also provides identity-based access control through Microsoft Entra ID. Is it possible to grant access to an Azure subscriptions to users from an external Azure AD via B2B collaboration? Thanks for help! 
Greetz, Chris Azure Cross-Tenant Storage Account Access via Private Endpoint using Private Link This document outlines two scenarios for securely accessing an Azure Storage Account in a customer tenant (Tenant B) from a provider tenant (Tenant A) using Private Endpoints, without exposing secrets. Finally there is a way to achieve this! There is a li… Dec 31, 2024 · When I saw post Effortlessly access cloud resources across Azure tenants without using secrets I immediately wanted to take it for a spin. This allows admins of the remote resource tenant to add and provision your app into their tenant. Most users have a cloud guest account, while a On both tenants, when I go to Azure > External Identities >Cross-tenant access settings > Default Settings> Inbound and Outbound defaults for B2B direct connect and collaboration are all se to "All allowed". Currently, when trying to… Nov 8, 2022 · Introduction Azure AD Home and resource tenants eSTS Multi-factor authentication (MFA) and Conditional Access (CA) Room for abuse Bypassing MFA and CA Exploiting Detecting Preventing Cross-tenant access settings Communication with Microsoft Correspondence Final response from Microsoft Security Response Center (MSRC): Summary Summary of the home tenant control options Recommendations Credits This attack vector enables an attacker operating in a compromised tenant to abuse a misconfigured Cross-Tenant Synchronization (CTS) configuration and gain access to other connected tenants or deploy a rogue CTS configuration to maintain persistence within the tenant. Nov 21, 2024 · Tenant A and Tenant B are B2B connected with device trust enabled, and there are devices registered in Intune for both tenants. 
The interval is fixed and Sep 28, 2023 · B2B direct connect access settings determine whether users from external Microsoft Entra tenants (Not Azure) can access your resources without being added to your tenant as guests and vice versa Cross-tenant synchronization is to sync identities between two azure tenants. Oct 1, 2025 · Learn how to manage cross-tenant access settings for B2B collaboration and direct connect in Microsoft Entra External ID. To set the trustedExternalTenants on the cluster, use ARM Templates, AZ CLI, PowerShell, Azure Resource Explorer, or send an API request. Azure Resource Manager provides a header value for storing auxiliary tokens to authenticate the requests to different tenants. The primary login on the devices is from their respective tenants, but users have accounts in both. Apr 7, 2022 · Azure cross-tenant access policies control collaboration with external tenants using features like Teams Shared Channels. Please confirm you are using the correct… Feb 19, 2025 · As you configure cross-tenant access settings, if you block access to all apps by default, users will be unable to read emails encrypted with Microsoft Rights Management Service (also known as OME). Using the feature may provide access to features and functionality not specifically targeted for collaboration. Oct 15, 2024 · Learn how to configure cross-tenant synchronization in Microsoft Entra ID using Microsoft Graph PowerShell or Microsoft Graph API. Aug 12, 2024 · Principals from multiple tenants can run queries and commands in a single Azure Data Explorer cluster. Jan 20, 2023 · I want to access (Read/Write blob) containers in a storage account existing in a different tenant using user assigned manage identity. In the video, we walk through the steps to set this up and explore key considerations for using this feature and its current limitations. 
May 17, 2024 · Microsoft provides tools and guidance for IT administrators to set up and manage these cross-tenant access configurations through the Microsoft Entra Admin Center and Azure Portal. Jul 2, 2025 · Browse to Identity > External Identities > Cross-tenant access settings, then select Microsoft cloud settings. Add Tenant B and allow inbound/outbound B2B collaboration for necessary permissions. Jul 7, 2025 · Learn how to configure B2B direct connect with other Microsoft Entra organizations, using cross-tenant access settings to manage outbound and inbound access. May 13, 2024 · The organizational settings on the Cross-tenant access settings plane underneath External Identites in the Entra portal, allow admins to add an organization by tenant ID or DNS domain name. By default, collaboration using Azure B2B Direct Connect is disabled, so some work is needed to prepare for Teams shared channels. Entra ID synchronizes tenant directories every 40+ min using the information defined in the cross-tenant synchronization configuration. Three key areas of focus, include: The critical aspect of trusting multifactor authentication Cross-tenant access settings enable you to control how users in your organization collaborate with members of external Azure AD organizations. New controls for guest accounts both inbound and outbound and you can finally get rid of dou Aug 26, 2025 · Monitor for changes to cross-tenant access policies using the audit logs UI, API, or Azure Monitor integration (for proactive alerts). Note that tenants in Microsoft Azure Government (Microsoft 365 GCC High and DoD) can't create a cross-tenant connection with tenants in Microsoft Azure China. Jun 23, 2025 · Cross-tenant synchronization automates creating, updating, and deleting Microsoft Entra B2B collaboration users across tenants in an organization. 
Sep 1, 2023 · Cross-tenant synchronization feature supplements and upgrades Azure B2B collaboration, allowing users to join their tenant without sending an invitation to other users across tenants to share access to services and resources. Jul 7, 2021 · The Azure AD application model provides a great way for someone to build an app running in their developer tenant while allowing their customers to use that app in the customer’s tenant. Restrict inbound traffic to a web app or function app. Jan 30, 2025 · Go to Microsoft Entra ID (Azure AD) > External Identities > Cross-Tenant Access Settings. Sep 19, 2024 · Azure Lighthouse enables and enhances cross-tenant experiences in many Azure services. The audit events use the categories "CrossTenantAccessSettings" and "CrossTenantIdentitySyncSettings. It enables users to access applications and collaborate across tenants, while still allowing the organization to evolve. This flow applies to both B2B collaboration and B2B direct connect, except as noted in step 6. Oct 22, 2025 · Working with Azure API Management across multiple tenants? Tired of managing service principal secrets and certificates? In this blog post, I’m going to show you how to set up passwordless cross-tenant authentication using User-Assigned Managed Identities and Federated Credentials. This article covers cross-tenant access settings for managing B2B collaboration with external Microsoft Entra organizations, including across Azure clouds. Nov 20, 2024 · Setting up cross-tenant SMB access for Azure Files between Tenant A and Tenant B need to consider several steps. You also need to set up federation controls in the Teams admin portal and restart Teams. This blog post dives into the essence of these settings, focusing on their significance for secure B2B collaboration. Jul 7, 2025 · This diagram shows how cross-tenant access settings work with Conditional Access policies, such as multifactor authentication, to determine if the user can access resources. 
Feb 2, 2024 · If you are doing this manually, via the portal, and you have permission to access the customer tenant, you can choose the storage account from the dropdowns. From authentication and DNS resolution to policy and connectivity, we’ll dive into a real-world scenario and show how Azure Lighthouse can be used to make cross-tenant access possible. Aug 21, 2025 · For more detailed information, see Multi-tenant user management. Most examples of this pattern showcase how an admin can consent the app in their tenant and get access to Microsoft Graph data in that tenant. Aug 25, 2024 · Cross-tenant synchronization is a flexible and ready-to-use solution to provision accounts and facilitate seamless collaboration across tenants in an organization. A deep dive into the new cross-tenant access settings that have recently been added to Microsoft's Azure Active Directory. Feb 9, 2025 · When you need to create a data connection for an Azure Event Hubs or Azure Event Grid service in a different tenant, use the Create Data Connections API to build the connection. With the introduction of cross-tenant access settings, you can also trust MFA and device claims from external Microsoft Entra organizations. This capability enables attribute-based access control, which provides fine-grained access to blob paths or to blobs tagged with a specific tenant ID. We hope you’re excited about these improvements in cross-tenant access settings and can leverage them to work towards a zero-trust posture. Oct 21, 2025 · Learn how to manage cross-tenant access settings for B2B collaboration in Microsoft Entra External ID. It's built on trust Microsoft aims the Cross-tenant Synchronization feature for collaboration between Azure AD tenants within the same organization. Feb 20, 2022 · Cross Tenant Access Overview (Source — Microsoft) In a nutshell it allows for fine grained control on the interaction between different Azure Tenants. 
Jan 31, 2023 · Behind the scenes and transparent to the user, the sync process leverages our robust Azure AD B2B functionality and is fully integrated with Azure AD’s security and governance capabilities such as conditional access, cross-tenant access settings, and entitlement management. Aug 28, 2023 · What is Entra ID Cross-Tenant Sync? Entra ID Cross-Tenant Sync is a cloud-based service to support B2B scenarios and when organizations have multiple tenants. Out of box, external collaboration settings: Jul 7, 2025 · Learn how your organization can define custom roles to manage cross-tenant access settings, allowing for precise control without relying on built-in management roles. Use private endpoints in Azure to give consumer tenants secure access to provider tenant apps. My application needs to access this storage account. Jan 4, 2024 · Understanding Cross-Tenant Access Settings: Inbound & Outbound Settings Vs. Azure AD settings & invitation process Tenant A is a new Tenant, out-of-box, with no customization done to External collaboration settings. Combine with Conditional Access: Strengthen security by enforcing conditional access policies for federated identity credentials. Here are the few steps that may solve your issue. A word of caution: Before enabling, it’s important to understand this is a tenant wide configuration and you will need to understand and evaluate your May 19, 2025 · Azure Private Link enables private and secure connectivity to Azure PaaS services across different tenants by leveraging private endpoints. Aug 11, 2024 · Learn how to implement cross-tenant access in Azure using Multi-Tenant Enterprise app. For ex, if my WebJob wants to access SQL in a different tenant, how is it possible to access the same via MI, it fails for me. Dec 18, 2024 · To access resources in other tenants, use the same FIC configuration and ensure your App Registration is Multitenant. 
A common scenario is when a virtual machine in one tenant must join a virtual network in another tenant. For background information, please check out the article first. Jun 2, 2023 · 4. It's perfect for mergers, acquisitions or if you are simply looking to restructure Apr 25, 2025 · Azure cross tenant access to Fabric Warehouse and Lakeshouse Can Azure Data Factory from Tenant B connect to a Fabric Data Warehouse in Tenant A? A customer recently needed to connect their Azure Data Factory pipelines—hosted in a separate tenant—to a Microsoft Fabric Data Warehouse using a service principal instead of guest access. Oct 1, 2025 · Learn how to use Azure Key Vault in multitenant solutions, including isolation models, tenant-specific vaults, shared vaults, and multitenancy features. Jumping directly to my demo architecture: Dec 2, 2024 · There is interest in the Azure Cross-Tenant Synchronization feature and its potential benefits for managing four tenants. This article describes how Microsoft Apr 4, 2022 · Well now, with cross-tenant access policies becoming available, we have the option of configuring policies that allow our Azure AD tenant to accept user sign-ins, and more importantly authentication tokens, from businesses we work with, or share data with on a regular basis, that also have an Azure AD tenant. The service is available with Azure AD Premium P1 or P2 licenses. To use cross-tenant access as a guest, work with a trusted provider that has already onboarded to this feature, and follow the steps in this document. In today's interconnected world, enterprise-level systems often need to integrate resources across different Azure tenants securely. Cross-tenant synchronization automatically manages user identity lifecycle across tenants. 
Tenant Restrictions Before we dive headfirst into the Cross-Tenant Access Settings including the new Tenant Restrictions, let us just quickly review one other area in the Microsoft Entra portal that deals with External collaboration. For details, see Microsoft cloud settings. Apr 21, 2022 · Azure AD cross-tenant access settings bring both power and confusion to Azure AD tenants, in this post we attempt to clarify their use.