Cross-tenant users can’t access shared resources after moving to a new tenant

Question

We recently moved one of our teams to a new Azure tenant, but they still need access to some resources in our old tenant. I added them as guest users through Entra ID, but they keep getting “Access Denied” when trying to open anything.

I’ve checked permissions a few times and everything seems fine. Not sure if I’m missing something with cross-tenant access settings or role assignments.

Answer 1

Hello Peter,

The “Access Denied” issue your team is experiencing is expected after moving users to a new tenant. Even though you’ve added them as guest users in the old tenant, there are several steps required to ensure proper cross-tenant access,

1. Guest Invitation Status:

Confirm that all users from the new tenant have accepted their guest invitations in the old tenant.

If an invitation is still pending, the user cannot access any resources.

Sometimes it helps to delete the existing guest account and re-invite the user to reset the invitation state.

2. Cross-Tenant Access Settings:

In the old tenant, navigate to:

Entra ID → External Identities → Cross-tenant access settings.

Ensure inbound access allows guest users from your new tenant.

Policies should not block external users or require device compliance that the guest cannot meet.

3. Resource Permissions:

Being a guest does not automatically grant access. Users must be explicitly assigned permissions to each resource:

SharePoint/OneDrive: Add the guest to the site or folder.

Teams: Add the guest as a member or owner.

Enterprise applications: Assign the guest to the app and its roles.

4. Conditional Access Policies:

Check Tenant A → Security → Conditional Access.

Ensure no policies block external users or enforce requirements that the guest cannot satisfy (MFA, compliant device, named locations).

If the issue persists, could you share what type of resources they are trying to access (Azure resources, SharePoint, Teams, etc.)? This will help us guide you with exact steps.

Answer 2

When cross-tenant users are experiencing "Access Denied" messages after moving to a new Azure tenant, there are a few potential issues to consider:

1. Cross-Tenant Access Settings: Ensure that the cross-tenant access settings are configured correctly in both the old and new tenants. If these settings are not properly configured, it can block access for guest users from the new tenant to resources in the old tenant.
2. Conditional Access Policies: Check if there are any Conditional Access policies in place that might be affecting guest access. For example, if the policies require multi-factor authentication (MFA) or device compliance, and the guest users do not meet those requirements, they may be denied access.
3. Role Assignments: Verify that the guest users have been assigned the necessary roles and permissions to access the shared resources. Even if they are added as guest users, they may still need specific permissions to access certain applications or resources.
4. User State: The state of the user in their home tenant does not convey to the resource tenant. This means that even if the user is compliant in their home tenant, they may not be compliant in the resource tenant without proper configuration.

To resolve this issue, you may need to review and adjust the cross-tenant access settings, ensure that Conditional Access policies are appropriately set up, and confirm that the guest users have the necessary role assignments in the old tenant.

---

References:

• Common considerations for multitenant user management
• Error "Selected user account does not exist" when new guests access a SharePoint resource