Microsoft Admin Portals app cannot be add in Cross-Tenant Access Policies (inbound and outbound)

Question

Microsoft Admin Portals app cannot be add in Cross-Tenant Access Policies (inbound and outbound)

Guillaume Bossiroy 25

Hi,

I have noticed that the Microsoft Admin portals application cannot be added in the inbound access trust settings for an organization in Microsoft Entra ID. While adding other applications, like the Windows Azure Service Management API, works perfectly, adding the Microsoft Admin portals apps return the following error when trying to save the B2B collaboration inbound access policy: "Cross-tenant access settings, Found invalid target for Applications"

The Audit Log returns the following:

Is this the expected behavior? Why is it failing for that application in particular? This app suits perfectly our use case and would therefore like to have this working. I didn't see any limitations or remarks about this app in particular in the documentation.

Step to reproduce

In Entra ID > External Identities > Cross-tenant access settings
Add an organization and modify its inbound access settings or adapt the inbound access setting of an existing organization
Under B2B collaboration, select Customize settings:

Under external users and groups, select Allow access and All Organization users and groups
Under Applications, select Allow access and select Select applications. Then, click on Add Microsoft applications, search for Microsoft Admin Portals, select it and add it.

Click on Save
The error as show above is returned

Thank you in advance,

Guillaume

Givary-MSFT 35,626 Reputation points Microsoft Employee Moderator

2023-12-22T09:54:43.8633333+00:00

@Guillaume Bossiroy Thank you for reaching out to us, let me research on your ask and revert back.
Givary-MSFT 35,626 Reputation points Microsoft Employee Moderator

2024-01-03T16:27:00.4933333+00:00

@Guillaume Bossiroy Apologies for the delayed response, awaiting for update from my team.
Guillaume Bossiroy 25 Reputation points

2024-01-04T10:13:15.02+00:00

@Givary-MSFT No worries, thank you for your follow up

1 answer

Your answer

Givary-MSFT 35,626 Reputation points Microsoft Employee Moderator

2023-12-22T09:54:43.8633333+00:00

@Guillaume Bossiroy Thank you for reaching out to us, let me research on your ask and revert back.
Givary-MSFT 35,626 Reputation points Microsoft Employee Moderator

2024-01-03T16:27:00.4933333+00:00

@Guillaume Bossiroy Apologies for the delayed response, awaiting for update from my team.
Guillaume Bossiroy 25 Reputation points

2024-01-04T10:13:15.02+00:00

@Givary-MSFT No worries, thank you for your follow up

Answer 1

Givary-MSFT 35,626 Microsoft Employee Moderator

@Guillaume Bossiroy Thank you for reaching out to us, apologies for the delayed response on this, the only valid app for selecting via GUI today is "Office 365" however if you want to add another app, you can leverage Graph API and add via AppId.

Follow the below steps to achieve your ask.

Open Graph Explorer https://aka.ms/ge and sign in with tenant Global Administrator and also make sure necessary permissions are provided while making the below changes - https://learn.microsoft.com/en-us/graph/api/crosstenantaccesspolicy-update?view=graph-rest-1.0&tabs=http
Run a request to GET https://graph.microsoft.com/beta/policies/crossTenantAccessPolicy/partners/abc12345-5XXX-XXXX-XXXX-04XXX03XXX7f0?$select=b2bCollaborationInbound , replacing partner tenant ID with the partner you wish to modify inbound XTAP policy for.
Review the response section to verify the current b2bCollaborationInbound policy is returned.
Copy the entire response section result, and paste it in the top half of Graph Explorer labelled the Request Body
In the Request Body section you have populated, locate the applications section, and the list of target apps.
Add a new target app to the list by adding a comma after the existing target app and adding a new app to the list. for reference below screenshot

User's image

change the Graph Explorer request type from GET to PATCH as we will be saving our updates to the policy. And then click Run query to update the policy.

8.If all is successful, the Graph Explorer response should show a 204-response code

Browsing back to the Azure Portal's XTAP inbound policy applications list, should have the desired application which we added.

Let me know if you have any further questions, feel free to post back.

Please remember to "Accept Answer" if answer helped, so that others in the community facing similar issues can easily find the solution.

Guillaume Bossiroy 25 Reputation points

2024-01-10T09:16:48.63+00:00

Hi @Givary-MSFT ,

Thank you for your answer.

(In the XTAP inbound policy, it is already possible to select other applications than "Office 365". I was able to select and save the policy for the "Windows Azure Service Management API" application, for instance.)

I have tried the proposed solution, however, it still does not work for the "MicrosoftAdminPortals" application (see attached image):

Moreover, I was not able to find an Application ID / Object ID for the "MicrosoftAdminPortals". Would you know which value should be used in the request body for it?

Thank you in advance,

Guillaume
Givary-MSFT 35,626 Reputation points Microsoft Employee Moderator

2024-01-11T05:39:13.55+00:00

@Guillaume Bossiroy As you are aware Microsoft Admin Portals (current list of Applications that are included in the Microsoft Admin Portals App Group)

Review the above link, you need to need application id manually via above steps. Application IDs of commonly used Microsoft applications only thing you need to watch for whenever new application ids are added to Microsoft Admin Portal, you need to update this list. I have shared the feedback to my team regarding this, however would request to share the same on https://feedback.azure.com/d365community which is closely monitored by our team.

Let me know if you have any further questions, feel free to post back.
Givary-MSFT 35,626 Reputation points Microsoft Employee Moderator

2024-01-16T12:56:19.5933333+00:00

@Guillaume Bossiroy Just wanted to check does the above steps, help to resolve your issue, feel free to post back if you have any further questions.

Please remember to "Accept Answer" if answer helped, so that others in the community facing similar issues can easily find the solution.
Guillaume Bossiroy 25 Reputation points

2024-01-17T08:27:06.79+00:00

@Givary-MSFT Thank you for the follow up on this. The admin portals included in the Microsoft Admin Portals cloud application, such as Microsoft 365 Defender portal, SharePoint Admin portal, M365 Admin Center, etc., cannot be targeted specifically as there are no dedicated Application IDs for them as far as I know and could see in the portal and in the documentation (based on the resources that you shared above). Therefore, I assume that my use case cannot be solved currently. I will however share this via the link you provided.
SEAN KALINICH 0 Reputation points

2025-06-08T22:55:21.2+00:00

I am seeing a lot of people having similar issues with this as well as Tenant Restrictions. Even when using "All External Applications" Items are missing in Entra, Intune and other admin portals. Looking at Devices, Compliance, etc shows Unkown or Unauthorized.
The only thing that seems to fix this is to either disable the GSA client or disable Universal Tenant Restrictions.
This seems to be a pretty big gap here.
I have tried adding apps in manually via MSGprah, but nothing corrects this behavior.

Share via

Microsoft Admin Portals app cannot be add in Cross-Tenant Access Policies (inbound and outbound)

1 answer

Your answer