Azure Active Directory - "Configure cross-tenant access settings for B2B collaboration" is not working as expected

demo test 1 Reputation point
2022-09-15T05:21:04.077+00:00

Hi team ,

I am testing Azure AD "Configure cross-tenant access settings for B2B collaboration" on a test tenant, following the document (https://learn.microsoft.com/en-us/azure/active-directory/external-identities/cross-tenant-access-settings-b2b-collaboration).

When I started testing between tenants using the settings mentioned in the above document, it is not working as expected and I am getting errors. The errors I received are the same as in this link (https://practical365.com/azure-ad-b2b-collaboration-cross/).

Message: AADSTS500213. The resource tenant's cross-tenant access policy does not allow this user to access this account.

As per the Practical 365 link, they mentioned that it is still in development and no timeline is mentioned yet. Is the issue still persisting? Any guidance or assistance on this issue will be helpful.


Thanks in Advance.


2 answers

  1. Harpreet Singh Matharoo 7,861 Reputation points Microsoft Employee
    2022-09-16T04:55:55.547+00:00

    Hello @demo test

    Thank you for being patient while I was testing this in my lab tenant. I have managed to reproduce the issue and can confirm that the error you are facing might be due to the resource tenant having a restrictive inbound setting for users and applications. I would request you to please check the cross-tenant access settings or B2B collaboration settings on the resource tenant to validate whether there are any blocks. Below is the screenshot of the error which I was able to reproduce by blocking user and application access on the resource tenant.


    You can refer to the following article for more information: Manage external access with inbound and outbound settings

    Additionally, in my test repro I found the below details, which can be helpful to you in future:

    • An inbound block on the resource tenant would result in error AADSTS500213: The resource tenant's cross-tenant access policy does not allow this user to access this tenant. This block occurred due to the resource tenant's cross-tenant access policy. Contact that tenant's administrator to ensure that these users are allowed access.
    • An outbound block on the home tenant would result in error AADSTS500212: The user's administrator has set an outbound access policy that does not allow access to the resource tenant. The user's administrator must update their cross-tenant access policy to allow access to the resource tenant.

    I hope this helps you identify and fix the issue.

    ----------

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

    1 person found this answer helpful.

  2. Harpreet Singh Matharoo 7,861 Reputation points Microsoft Employee
    2022-09-21T10:58:25.393+00:00

    Hello @demo test

    Thank you for being patient while I was testing this scenario. Please find my response below:

    Step 1: Created a similar inbound policy for users and applications.


    Step 2: Invited the user.

    Step 3: Tried to accept the invite and faced the following error:


    What leads to this error and why it is expected to happen:

    • We noticed that when the user clicks on accept invite, the invitation status does change to accepted; however, they would still receive the above error.
    • This happens since the user is redirected to the Microsoft App Access Panel (App ID: 0000000c-0000-0000-c000-000000000000) once the invite redemption completes.
    • Also, there is no way that admins would be able to select the app "Microsoft App Access Panel" in the selected apps section of the policy, since it is not exposed there.
    • Hence, to test whether access to other selected apps works as expected, I shared SharePoint site content from resource tenant A with a user from tenant B.
    • The user from tenant B was able to access the SharePoint site without any issues.

    I hope this helps us identify the issue and confirm that it is expected to occur if selected apps are configured.

    ----------

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

    1 person found this answer helpful.
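The two answers above describe how to read a cross-tenant failure: AADSTS500212 points at the home tenant's outbound policy, AADSTS500213 at the resource tenant's inbound policy, and a "selected apps" inbound allow-list breaks invite redemption because the redirect to the Microsoft App Access Panel (app ID from the thread) can never be on that list. The following added example, not code from the thread or from Microsoft, evaluates a partner policy offline to reproduce that reasoning; it assumes the JSON shape of the Graph `crossTenantAccessPolicyConfigurationPartner` object (`b2bCollaborationInbound` with `usersAndGroups`/`applications`, each carrying `accessType` and `targets`, plus the special targets `AllUsers`/`AllApplications`), and the policy and user id are constructed sample values.

```python
"""Offline check of an Entra cross-tenant B2B inbound policy (added example)."""
from typing import Tuple

# App ID quoted in the answer above: where invite redemption redirects the guest.
ACCESS_PANEL_APP_ID = "0000000c-0000-0000-c000-000000000000"
SHAREPOINT_ONLINE_APP_ID = "00000003-0000-0ff1-ce00-000000000000"  # well-known Office 365 SharePoint Online app id

# Constructed sample; shape assumed to follow the Graph partner-policy schema.
PARTNER_POLICY = {
    "tenantId": "00000000-0000-0000-0000-0000000000bb",  # placeholder: home tenant B
    "b2bCollaborationInbound": {
        "usersAndGroups": {"accessType": "allowed",
                           "targets": [{"target": "AllUsers", "targetType": "user"}]},
        # "selected apps" allow-list: only SharePoint Online is permitted inbound
        "applications": {"accessType": "allowed",
                         "targets": [{"target": SHAREPOINT_ONLINE_APP_ID,
                                      "targetType": "application"}]},
    },
}

def _target_allowed(cfg: dict, ident: str, all_token: str) -> bool:
    """'allowed' lists what is permitted; 'blocked' lists what is denied."""
    listed = any(t["target"] in (ident, all_token) for t in cfg["targets"])
    return listed if cfg["accessType"] == "allowed" else not listed

def evaluate_inbound(policy: dict, user_id: str, app_id: str) -> Tuple[bool, str]:
    """Both the user and the application must pass the resource tenant's inbound rules."""
    inbound = policy["b2bCollaborationInbound"]
    if not _target_allowed(inbound["usersAndGroups"], user_id, "AllUsers"):
        return False, "user blocked by resource tenant inbound settings (AADSTS500213)"
    if not _target_allowed(inbound["applications"], app_id, "AllApplications"):
        return False, "app blocked by resource tenant inbound settings (AADSTS500213)"
    return True, "allowed"

def redemption_will_fail(policy: dict, user_id: str) -> bool:
    """Redemption lands on the App Access Panel; if the app allow-list excludes it,
    the guest sees AADSTS500213 even though the invitation flips to 'accepted'."""
    allowed, _ = evaluate_inbound(policy, user_id, ACCESS_PANEL_APP_ID)
    return not allowed

ERROR_SIDE = {
    "AADSTS500212": "home tenant outbound policy: the user's own admin must change it",
    "AADSTS500213": "resource tenant inbound policy: the resource tenant admin must change it",
}

def classify(error_text: str) -> str:
    """Map a sign-in error string to the tenant whose policy caused the block."""
    for code, side in ERROR_SIDE.items():
        if code in error_text:
            return side
    return "not a cross-tenant access policy error"
```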
