Breaking Down Communication Barriers with Cross Tenant Access in Entra

Lately I’ve had the pleasure of working more closely with the Microsoft security experts at my company. To say I’ve learned a lot is an understatement! My biggest feat has been going down (or falling rather) the rabbit hole that is Cross Tenant Access within the Entra admin center.

In an environment where organizations often work together across boundaries, isolated tenant environments can limit productivity. The organizations of today are frequently interacting with partners, vendors, and clients who are in different tenants. This separation results in communication barriers, duplicated efforts, and challenges in data sharing. Cross-tenant access can solve these issues by allowing secure and efficient interactions between different tenant environments.

This certainly isn’t the answer for every organization, nor should it be. However, for partner organizations looking to increase collaboration capabilities within their subsidiaries, these capabilities could be the key. When considering the different layers of access functionalities within Teams, my understanding of each is below.

Teams access functionalities:

  • External Access gives external users (users with a different domain than yours) additional chat capabilities. Simply put, external users can chat inside and outside of meetings with your users from their own tenants.
  • B2B Direct Connect equates to the Front Porch if you’ve ever heard my “Microsoft Teams teams as a house” analogy. Configuring B2B Direct Connect enables the Shared Channel functionality in Teams.
  • Cross Tenant Access is the configuration of B2B Direct Connect AND B2B Collaboration, which can be personalized as needed.
  • Cross Tenant Synchronization brings the external user entities into your environment so you can see the names/objects within your environment. The best way I’ve understood this is similar to guest access, where the guests now have their own set of individual permissions.
  • Multi-tenant Organizations (MTO) is the full guest experience: free/busy and all the above are included, EXCEPT B2B Direct Connect features. Shared channels, for example, would require the additional step of configuring B2B Direct Connect or full Cross Tenant Access (which includes B2B Direct Connect).

For more information on the differences between these, check out this awesome article: Cross-tenant access overview – Microsoft Entra External ID | Microsoft Learn

Now here’s the big question with Teams and Cross Tenant Access functionality: how does this work with Copilot? How we can control the permissions of AI between organizations has been on our minds, and to date we have seen Copilot capabilities in Teams meetings limited to only the hosting organization.

In recent policy reviews, I’ve identified a new setting: “Allow Copilot for B2B members”. This setting is ON by DEFAULT! This policy allows users with an assigned Copilot license (from their EXTERNAL tenant) the ability to utilize these capabilities within YOUR tenant – that means summarizing and detailing your Teams meetings! For privacy reasons, many organizations I work with may want this one turned off. Otherwise, a thorough review and update to your privacy policy practices may be required.

For end users out there without admin center rights to make these changes, that might mean adjusting your Copilot settings on the individual meeting level in the “meeting options”. From your Teams meeting invitation, you’ll see the option to select “meeting options” (only available for the organizer) and Copilot capabilities can be adjusted at the bottom of this list.

The capabilities of cross-tenant access within the Microsoft Entra Admin Center are revolutionizing the way organizations collaborate and communicate. By breaking down barriers between tenants, this powerful feature empowers end users to work more efficiently, securely, and cohesively with external partners. As the digital landscape continues to evolve, cross-tenant access stands as a testament to Microsoft’s commitment to enabling seamless and productive collaboration across organizational boundaries. Despite there being greater control in determining which users and which applications to allow access to on either side, I hope to see even more granular controls around which users have access to which applications (and an updated applications menu too!).
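
As an added example (not from the original post or from Microsoft), here is one way to review which users and which applications each partner setting allows: it reads partner configurations in the shape Microsoft Graph returns for the cross-tenant access policy and lists every B2B Collaboration or B2B Direct Connect setting that is open to all users and all applications. The sample data and every ID in it are constructed placeholders, and the function names are hypothetical.

```python
import json

# Constructed sample shaped like the Microsoft Graph response for
# GET /policies/crossTenantAccessPolicy/partners. All IDs are placeholders.
SAMPLE = json.loads("""
{"value": [
 {"tenantId": "11111111-1111-1111-1111-111111111111",
  "b2bCollaborationInbound": {
   "usersAndGroups": {"accessType": "allowed",
    "targets": [{"target": "AllUsers", "targetType": "user"}]},
   "applications": {"accessType": "allowed",
    "targets": [{"target": "AllApplications", "targetType": "application"}]}},
  "b2bDirectConnectInbound": {
   "usersAndGroups": {"accessType": "allowed",
    "targets": [{"target": "aaaaaaaa-0000-0000-0000-000000000001", "targetType": "group"}]},
   "applications": {"accessType": "allowed",
    "targets": [{"target": "bbbbbbbb-0000-0000-0000-000000000002", "targetType": "application"}]}}},
 {"tenantId": "22222222-2222-2222-2222-222222222222",
  "b2bDirectConnectInbound": {
   "usersAndGroups": {"accessType": "blocked",
    "targets": [{"target": "AllUsers", "targetType": "user"}]},
   "applications": {"accessType": "blocked",
    "targets": [{"target": "AllApplications", "targetType": "application"}]}}}
]}
""")
SETTINGS = ("b2bCollaborationInbound", "b2bCollaborationOutbound",
            "b2bDirectConnectInbound", "b2bDirectConnectOutbound")
WILDCARDS = {"AllUsers", "AllApplications"}

def scope(cfg):
    """Classify one usersAndGroups or applications block."""
    if not cfg:
        return "not-set"
    everyone = any(t.get("target") in WILDCARDS for t in cfg.get("targets", []))
    allowed = cfg.get("accessType") == "allowed"
    return ("allowed" if allowed else "blocked") + ("-all" if everyone else "-listed")

def audit(partners):
    """Return (tenantId, setting, users scope, apps scope) per configured setting."""
    rows = []
    for p in partners:
        for name in SETTINGS:
            s = p.get(name)
            if s:  # missing or null: nothing partner-specific to report
                rows.append((p["tenantId"], name,
                             scope(s.get("usersAndGroups")), scope(s.get("applications"))))
    return rows

def unrestricted(rows):
    """Settings open to all users AND all applications: candidates for scoping down."""
    return [r for r in rows if r[2] == "allowed-all" and r[3] == "allowed-all"]
```

Calling `unrestricted(audit(SAMPLE["value"]))` on the constructed data returns only the first partner's `b2bCollaborationInbound` setting; its Direct Connect setting is scoped to one group and one application, and the second partner is blocked entirely.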
