Share via

I am still having Cross-Tenant Access setup issues.

alicia stover 0 Reputation points
2026-04-17T16:42:27.74+00:00

Greetings Helpdesk support, I had requested assistance previously for cross tenant access help and I am getting the same errors and issues despite following helpdesk setup directions. This can be observed in the following screenshots. My tenant is GCC-High trying to communicate with a GCC company. My Entra ID status is P2 and the GCC company's Entra ID is P1. However, P2 has everything P1 has, so, this should not be an issue. Is there a way to fix this perhaps by giving another account tied to my name access? I had errors before tied to my outlook account name. Can you give access by using another email account belonging to me and giving it Microsoft Authentication access via invite?

Screenshot 2026-04-17 111517.png

Screenshot 2026-04-17 111539.png Screenshot 2026-04-17 111615.png

Screenshot 2026-04-17 111702.png Screenshot 2026-04-17 111915.png

Microsoft Security | Microsoft Entra | Microsoft Entra External ID

1 answer

Sort by: Most helpful
Most helpful Newest Oldest
  1. Q&A Assist
    2026-04-17T16:42:52.68+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist. Learn more

    The errors shown in the screenshots are consistent with cross-tenant access and cross-tenant synchronization policy configuration issues between tenants, not with the specific user account or P1 vs P2 licensing.

    For GCC ↔ GCC High cross-tenant scenarios, the relevant points from the documentation are:

    1. When testing cross-tenant synchronization or cross-cloud synchronization, failures such as AzureActiveDirectoryCrossTenantSyncPolicyCheckFailure, ExternalTenantNotFound, or AzureActiveDirectoryTokenExpired are caused by missing or incorrect cross-tenant access settings between the source and target tenants, not by the user’s Outlook address.
    2. For cross-tenant synchronization, both tenants must explicitly allow the relationship in their cross-tenant access policies and, where required, enable automatic user consent/automatic redemption.
    3. The Automatic redemption setting requires Microsoft Entra ID P1 or P2. If the checkbox is disabled, the tenant does not have P1/P2. In the provided context, P1 vs P2 is not a compatibility issue; the problem is whether each tenant has at least P1 and has configured the trust settings correctly.
    4. For cross-cloud synchronization (for example, GCC High to GCC), the target tenant must enable cross-cloud synchronization for the source tenant under Microsoft cloud settings, and the configuration must be created with Setup cross-tenant synchronization across Microsoft clouds checked. If this is not done, test connection errors such as ExternalTenantNotFound or AzureActiveDirectoryTokenExpired occur.

    Based on the documented symptoms and resolutions, the concrete steps that need to be verified and corrected are:

    1. In the GCC tenant (target for GCC High):
      • Under Microsoft cloud settings, enable cross-cloud synchronization for the GCC High tenant as described in “Step 1: Enable cross-cloud settings in both tenants”.
      • Ensure the inbound cross-tenant access policy allows inbound synchronization from the GCC High tenant and, if using automatic redemption, that inbound automatic user consent is enabled for that tenant.
    2. In the GCC High tenant (source):
      • When creating the cross-tenant synchronization configuration, ensure the Setup cross-tenant synchronization across Microsoft clouds checkbox is selected. If a configuration was created without this option, delete it and recreate it with the checkbox selected, as described under the ExternalTenantNotFound symptom.
      • Ensure the outbound cross-tenant access policy is configured to allow automatic user consent to the GCC tenant if automatic redemption is required.
    3. If the test connection fails with AzureActiveDirectoryCrossTenantSyncPolicyCheckFailure:
      • Follow the documented “Step 3: Automatically redeem invitations in the target tenant” and “Step 4: Automatically redeem invitations in the source tenant” so that both inbound and outbound policies are correctly configured for automatic user consent.
    4. If the test connection fails with AzureActiveDirectoryTokenExpired:
      • In the target tenant, on Microsoft cloud settings, select the cross-cloud synchronization checkbox for the source tenant as described in “Step 1: Enable cross-cloud settings in both tenants”.

    Changing to another email account for the same person or inviting a different account with Microsoft Authenticator does not address these policy-level requirements. The documented resolutions focus on tenant-level cross-tenant access and cross-cloud settings, not on per-user account changes.

    If, after verifying all of the above, errors persist, the next step is to open a support ticket with Microsoft, providing the exact error codes and correlation details from the Entra admin center notifications so support can review the cross-tenant configuration.

    References:

    Was this answer helpful?

Your answer

Answers can be marked as 'Accepted' by the question author and 'Recommended' by moderators, which helps users know the answer solved the author's problem.