Azure AD Cross Tenant Settings

testuser7 271 Reputation points


We can now have "Cross Tenant Access Policy" (aka XTAP) in our tenant.

So I have configured Inbound XTAP policy for one external tenant ( like to allow guest-user U1 of contoso but block my tenant's application A1

In this scenario, when the app A1 sends the request to my tenant, will this guest-user U1 be able pass this XTAP configuration so that my tenant can send the token back to A1 ??


Microsoft Entra External ID
Microsoft Entra External ID
A modern identity solution for securing access to customer, citizen and partner-facing apps and services. It is the converged platform of Azure AD External Identities B2B and B2C. Replaces Azure Active Directory External Identities.
2,761 questions
Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
20,669 questions
0 comments No comments
{count} votes

1 answer

Sort by: Most helpful
  1. JamesTran-MSFT 36,541 Reputation points Microsoft Employee

    Thank you for your post and I apologize for the delayed response!

    When it comes to Configuring cross-tenant access settings for B2B collaboration, I'll summarize your issue below so I can gain a better understanding of your issue.

    **Scenario: **

    • You've configuring the Inbound Access Settings for an external tenant (i.e.
    • The inbound access setting will allow Guest Users (i.e. guest-user U1) from to access your Azure AD tenant.
    • The inbound access setting will block your tenant's application (i.e. A1).

    Because your inbound access setting allows Guest Users from to access your Azure AD tenant. If guest-user U1 sends a request to your tenant via App1, will the Guest User be able to gain access to your tenant so that a token can be retrieved by the Application (A1)?


    From your issue description, because your inbound access setting will block your tenant's application (A1), if the Guest User is sending a request through Application A1, then the request should be blocked since your tenant's application is sending the request, and the inbound access setting is set to block A1.

    Note: If you want to apply access settings to specific users, groups, or applications in an external organization, please contact the organization for information before configuring your settings. Obtain their user object IDs, group object IDs, or application IDs (client app IDs or resource app IDs) so you can target your settings correctly.

    Additional Link:
    Important considerations - Changing the default inbound or outbound settings to block access could block existing business-critical access to apps in your organization.

    I hope this helps! If I misread your or incorrectly summarize your issue, please let me know.
    Thank you for your time and patience throughout this issue.


    Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.