Hi @Siqing Zheng ,
You can apply inbound or outbound access settings to grant or block access to specific resources or users.
As mentioned in the article, the same multitenant application can be used to access keys in any number of tenants. Each tenant has its own instance of the application with a separate object ID, and each instance would be authorized independently. If the tenant is not authorized to access the resources in the other tenants, it will not be able to access them. https://learn.microsoft.com/en-us/entra/external-id/cross-tenant-access-overview
You can also apply conditional access policies to further protect the resources . https://techcommunity.microsoft.com/t5/microsoft-entra-blog/cross-tenant-access-settings-for-secure-collaboration-now/ba-p/3575844