Azure Cross-Tenant (B2B Direct) and Sharepoint access - how does it work?

YoinkZ 21 Reputation points
2022-10-05T09:23:41.997+00:00

Hi,

I'm currently looking into Cross-Tenant access with another company. Currently we both own our own tenants and it needs to stay like this for quite some time.
We have therefore started to look into the Cross-Tenant possibilities with the B2B Direct.

So far, I have managed to use a test domain, where the Cross-Tenant has been configured and I have under the B2B direct set the Inbound and Outbound settings.
As of now, it seems that I can create Shared Channels on Teams and invite from the other tenant without adding the users first, but I was wondering if it is possible to also share my SharePoint within each company, without having to invite each user from each other's tenant?

At the moment, we have a very strict External sharing policy, where only whitelisted domains with only invited guests can access SharePoint.

How can I share my SharePoint on tenant a with tenant b, without having to invite the users as guests in each tenant - is it even possible?


Accepted answer
  1. Olga Os - MSFT 5,836 Reputation points Microsoft Employee
    2022-10-05T19:17:19.023+00:00

    Hey @YoinkZ ,

    Welcome to the MS Q&A Forum.

    I understand your end goal is to provide access to SharePoint over the Azure Cross-Tenant collaboration.

    From what I know, besides the settings which you already mentioned, there are additional settings on the SharePoint side.

    The Manage sharing settings article describes how Global Administrators and SharePoint Administrators in Microsoft 365 can change their organization-level sharing settings for Microsoft SharePoint and Microsoft OneDrive. (If you want to share a file or folder, read Share SharePoint files or folders or Share OneDrive files and folders.)

    Below, I am just sharing the high level of settings which you could configure. More details you will find in the article itself.

    247873-image.png

    Hope the above answers your questions and concerns.

    --------------------------------------------------------

    Let us know if you need additional assistance. If the answer was helpful, please accept it and complete the quality survey so that others can find a solution.

    Sincerely,
    Olga Os


2 additional answers

  1. YoinkZ 21 Reputation points
    2022-10-05T19:31:24.273+00:00

    Hi @Olga Os - MSFT ,

    The settings under SharePoint have already been set to "New and Existing Guest."

    Below that we have also chosen to only allow sharing with Whitelisted domains, but that domain (tenant b) has already been added.

    So when I open a SharePoint page and click Share, then I get the error "Your orginizations policies doesnt allow sharing with these users".

    But why not? New and Existing Guest are allowed to be shared with, their domain is also Whitelisted, and the B2B Direct Inbound and Outbound on each has been set accordingly. Do we really have to invite each user as a "guest"? If that's the case, then I don't get the point of B2B Direct and the purpose of allowing access to "all applications".


  2. YoinkZ 21 Reputation points
    2022-10-06T13:16:09.837+00:00

    Hi @Olga Os - MSFT ,

    We do indeed have the target domains set up and for some reason I might have been stuck between two things here.

    The first one:

    • Even though you set the global policy in SharePoint Admin Center to allow "New and Existing Guest" and have added domains in the "Limit external sharing by domain", then it does not apply when creating a new site. I have to open that site and add the same rules. Next I also think I might have applied the settings and then I the domain under the global policy, which then doesn't update accordingly under the site settings :(. So looks like that was one of the issues.
    • Next thing: Some of the mentioned errors were probably related to the fact the target domain in my Azure AD Collaboration settings. Seems that when I invite a user, even though Cross-Tenant and B2B has been setup, then if "Allow invitations only to the specified domains (most restrictive)" is enabled, then the domain has to be present, so Azure AD can create the user.

    I might be mistaken, but overall, the goal is of course to keep the strict sharing policy, but ease it up when starting to collaborate with the other tenant we will be merged with in the long run. But as for now, it seems that the other tenant can use their account to connect with and respect the MFA settings set under the Trust.

    Thank you for your help :).

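Added example, not part of the thread: a PowerShell check for the first issue described in the last answer, where a site's own sharing settings diverge from the organization-level policy, reporting which layer would refuse a share with the partner domain. `Get-SharingBlocker` and `Get-SharingAudit` are hypothetical helper names, the domains and URLs are constructed, and the property names are those returned by `Get-SPOTenant` and `Get-SPOSite` in the SharePoint Online Management Shell; the Azure AD collaboration allow list from the second bullet is a separate layer not covered here.

```powershell
# Added example. Sample objects below are constructed; property names mirror
# the output of Get-SPOTenant / Get-SPOSite.
function Get-SharingBlocker {
    param($Policy, [string]$Domain, [string]$Scope)
    # 'Disabled' turns external sharing off at this scope.
    if ($Policy.SharingCapability -eq 'Disabled') {
        return "${Scope}: external sharing disabled"
    }
    # Only guests that already exist in the directory can be shared with.
    if ($Policy.SharingCapability -eq 'ExistingExternalUserSharingOnly') {
        return "${Scope}: existing guests only"
    }
    # The allowed-domain list is stored as one space-separated string.
    $allowed = @("$($Policy.SharingAllowedDomainList)" -split '\s+' | Where-Object { $_ })
    if ($Policy.SharingDomainRestrictionMode -eq 'AllowList' -and $allowed -notcontains $Domain) {
        return "${Scope}: $Domain missing from allow list"
    }
    return
}

function Get-SharingAudit {
    param($Tenant, $Sites, [string]$Domain)
    foreach ($site in $Sites) {
        # A share has to pass both the organization-level and the site-level policy.
        $blockers = @(
            Get-SharingBlocker $Tenant $Domain 'tenant'
            Get-SharingBlocker $site   $Domain 'site'
        ) | Where-Object { $_ }
        [pscustomobject]@{ Url = $site.Url; Blockers = ($blockers -join '; ') }
    }
}

# Constructed sample: tenant allows the partner, one site still has an older list.
$tenant = [pscustomobject]@{
    SharingCapability            = 'ExternalUserSharingOnly'   # "New and existing guests"
    SharingDomainRestrictionMode = 'AllowList'
    SharingAllowedDomainList     = 'partner.example'
}
$sites = @(
    [pscustomobject]@{ Url = 'https://contoso.sharepoint.com/sites/shared'; SharingCapability = 'ExternalUserSharingOnly'
                       SharingDomainRestrictionMode = 'AllowList'; SharingAllowedDomainList = 'partner.example' }
    [pscustomobject]@{ Url = 'https://contoso.sharepoint.com/sites/newsite'; SharingCapability = 'ExternalUserSharingOnly'
                       SharingDomainRestrictionMode = 'AllowList'; SharingAllowedDomainList = 'other.example' }
)
Get-SharingAudit $tenant $sites 'partner.example' | Format-Table -AutoSize

# Against a live tenant (after Connect-SPOService), feed the same functions with:
#   $tenant = Get-SPOTenant
#   $sites  = Get-SPOSite -Limit All | ForEach-Object { Get-SPOSite -Identity $_.Url }
```

An empty `Blockers` column means neither SharePoint layer refuses the domain; a `site:` entry identifies a site whose allow list was not brought in line with the organization-level list.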