- How are users with devices not enrolled in Intune from one tenant (child) affected when accessing a tenant with active Conditional Access Policies (CAPs) (primary)? Does the synchronization take precedence over the CAPs? There are two things: 'Cross-Tenant Synchronization' and 'Cross-tenant access settings'. Cross-tenant synchronization enables you to automate provisioning/de-provisioning of identities (B2B users) across tenants in your organization and simplify collaboration within your organization. Cross-tenant access settings are intended to manage collaboration with external Microsoft Entra tenants. In the latter, you control whether you trust device compliance from the other tenancies (Entra ID > External Identities > Cross-tenant access settings > Inbound access settings - <organization name> > Trust Settings). If you are using CA policies that evaluate device compliance, you may need to make sure the device is marked as compliant in its home tenant (you can use Intune, but also any other MDM supported by Entra ID).
- Are there any impacts on guest user (B2B) access? 'Cross-Tenant Synchronization' just automates the provisioning of identities (B2B users), and it does so via B2B collaboration. So it literally creates these guest accounts for you based on parameters you decide (like being a member of a group). It also provides some attribute mapping capabilities (Mappings) that allow you to define how data should flow between your tenant and the target tenant.
- How does this synchronization affect existing SharePoint and OneDrive sharing access? Are the sharing settings still applicable? Existing sharing policies and settings apply in all the Microsoft 365 services (SPO, Teams, OD, 365 Groups), so you need to make sure these services support sharing with existing guest accounts, at least after you activate the T2T synchronization.
- When synchronizing identities, is there granular control over what gets synced and to which resources? You can control who gets replicated (via group membership), but access to resources is controlled at the resource level. This means you will need to provide access specifically to each resource, or restrict sharing with guests if needed.
- The known issues section mentions problems with special characters. Have there been any issues in child tenants located in the EU, Africa, and China that use these characters? I have no specific insights on this.
Check the following references:
- https://learn.microsoft.com/en-us/entra/external-id/cross-tenant-access-overview
- https://learn.microsoft.com/en-us/entra/identity/multi-tenant-organizations/cross-tenant-synchronization-configure
- https://learn.microsoft.com/en-us/entra/external-id/cross-tenant-access-settings-b2b-collaboration
I hope it helps.
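As an added check for the first point above (whether the resource tenant trusts device compliance claims from partner tenants), the following script is an example I am adding here; it is not part of the original answer or of Microsoft's own tooling. It assumes the Microsoft Graph response shape of the cross-tenant access policy (the `default` object and the `partners` collection, each carrying an `inboundTrust` object with the flags `isMfaAccepted`, `isCompliantDeviceAccepted` and `isHybridAzureADJoinedDeviceAccepted`, where a null partner setting inherits the default). The payloads are constructed samples rather than a live Graph call, so it runs offline; point it at real `GET /policies/crossTenantAccessPolicy/default` and `/partners` responses to audit your own tenant.

```python
"""Audit which partner tenants' device-compliance claims are trusted.

Added example: resolves the effective inbound trust per partner the way
Entra applies cross-tenant access settings (partner override, else the
tenant-wide default). All payloads below are constructed samples.
"""
from typing import Any, Dict, List

# Flags carried by the inboundTrust object in Microsoft Graph
TRUST_FLAGS = (
    "isMfaAccepted",
    "isCompliantDeviceAccepted",
    "isHybridAzureADJoinedDeviceAccepted",
)

# Constructed sample: shape of GET /policies/crossTenantAccessPolicy/default
DEFAULT_POLICY: Dict[str, Any] = {
    "inboundTrust": {
        "isMfaAccepted": False,
        "isCompliantDeviceAccepted": False,
        "isHybridAzureADJoinedDeviceAccepted": False,
    }
}

# Constructed sample: entries from GET /policies/crossTenantAccessPolicy/partners
PARTNERS: List[Dict[str, Any]] = [
    {   # child tenant whose Intune/MDM compliance claims are trusted
        "tenantId": "11111111-1111-1111-1111-111111111111",
        "inboundTrust": {
            "isMfaAccepted": True,
            "isCompliantDeviceAccepted": True,
            "isHybridAzureADJoinedDeviceAccepted": False,
        },
    },
    {   # partner with no override: inherits DEFAULT_POLICY
        "tenantId": "22222222-2222-2222-2222-222222222222",
        "inboundTrust": None,
    },
    {   # partner trusting MFA and hybrid join, but not compliance
        "tenantId": "33333333-3333-3333-3333-333333333333",
        "inboundTrust": {
            "isMfaAccepted": True,
            "isCompliantDeviceAccepted": False,
            "isHybridAzureADJoinedDeviceAccepted": True,
        },
    },
]


def effective_inbound_trust(partner: Dict[str, Any],
                            default_policy: Dict[str, Any]) -> Dict[str, bool]:
    """Resolve the trust flags that apply to one partner tenant.

    A null inboundTrust object (or a null individual flag) falls back to
    the tenant-wide default.
    """
    override = partner.get("inboundTrust") or {}
    default = default_policy.get("inboundTrust") or {}
    resolved: Dict[str, bool] = {}
    for flag in TRUST_FLAGS:
        value = override.get(flag)
        if value is None:
            value = default.get(flag, False)
        resolved[flag] = bool(value)
    return resolved


def partners_trusting_compliance(partners: List[Dict[str, Any]],
                                 default_policy: Dict[str, Any]) -> List[str]:
    """Tenant IDs whose device-compliance claims your CA policies will honour."""
    return [
        p["tenantId"]
        for p in partners
        if effective_inbound_trust(p, default_policy)["isCompliantDeviceAccepted"]
    ]


def blocked_by_compliance_grant(partners: List[Dict[str, Any]],
                                default_policy: Dict[str, Any]) -> List[str]:
    """Partner tenants whose B2B users cannot satisfy a 'require compliant
    device' grant with their home-tenant compliance state, because that
    state is not trusted here (enrolling in Intune at home does not help)."""
    trusted = set(partners_trusting_compliance(partners, default_policy))
    return [p["tenantId"] for p in partners if p["tenantId"] not in trusted]


if __name__ == "__main__":
    for p in PARTNERS:
        print(p["tenantId"], effective_inbound_trust(p, DEFAULT_POLICY))
    print("trusted for compliance:",
          partners_trusting_compliance(PARTNERS, DEFAULT_POLICY))
    print("blocked by require-compliant-device:",
          blocked_by_compliance_grant(PARTNERS, DEFAULT_POLICY))
```

The useful output is the last list: any child tenant that appears there will see its users fail a compliant-device grant in the primary tenant even if every device is enrolled and compliant at home, which is exactly the case the first question asks about. Fixing it is a trust-setting change on the primary side, not a synchronization setting.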