Let users from other Azure AD tenant sign-in to apps in my tenant without inviting them as guests?

Question

Hi,

I work with 2 Azure AD tenants which I will call contoso.com (I don't manage) and mytenant.com (I am Global Admin).

I would like to let users from contoso.com sign-in to apps in mytenant.com.

Earlier I had to invite all users from contoso.com to mytenant.com as guests (thousands of them) and they can sign-in to apps on mytenant.com without issues. However, the problem is I (or other admins) have to keep inviting new users from contoso.com when there are new employees.

Now I just noticed that there is a preview feature in Azure AD called "Cross-tenant access settings" which looks promising and I would like to ask if it can let users from contoso.com tenant sign-in to apps in mytenant.com without having to inviting them as guests first?

If inviting guests is still needed, what is the benefit of using "Cross-tenant access settings" feature anyways?

Thanks.

Ref: https://learn.microsoft.com/en-us/azure/active-directory/external-identities/cross-tenant-access-overview

Answer 1

Hi @Pitawat • Thank you for reaching out.

Based on the details that you have provided in your question, I understand that you want to provide access to the users of contoso.com to the apps in mytenant.com without inviting Contoso users to your tenant. However, the "Cross-tenant access settings" won't help you to achieve this.

Cross-tenant access settings are just to control:

1. whether your users can access resources in an external organization.
2. whether users from external Azure AD organizations can access your resources.
3. whether your Conditional Access policies will trust the multi-factor authentication (MFA), compliant device, and hybrid Azure AD joined device claims from an external organization

How to allow external users to access your application without inviting them to your tenant?

As of today, to allow external users with access to your in-house developed applications, without inviting them to your tenant, you have the option to configure your application(s) as Multi-tenant applications. In this case, when users from contoso.com will access the application and accept the consent prompt, a service principal corresponding to your App will be created in the contoso.com tenant and the Contoso tenant can then issue a token for your multi-tenant application(s). You will have to update your application code to Validate the Issuer to accept and perform authorization using the token issued by the Contoso tenant.

Ref: Sign in any Azure Active Directory user using the multi-tenant application pattern

-----------------------------------------------------------------------------------------------------------

Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

Answer 2

You can use cross tenant access to allow or restrict external user access. .

You can control whether you need to allow specific users or all users by clicking the link for inboud or outbound access. You have the options to select all users or specific groups to grant access, once you are done, you are not required to give individual access.

Refer: https://learn.microsoft.com/en-us/azure/active-directory/external-identities/cross-tenant-access-settings-b2b-collaboration#modify-inbound-access-settings

Hope this helps

Answer 3

Cross-tenant access settings currently only cover the good old B2B model, which requires Guest users. Going forward, it will include the new "direct connect" model, as leveraged by Teams shared channels. Direct connect does not require Guest users, though it will likely require code changes (few additional claims are added). That's still in private preview though. For the time being, you'll need to stick to inviting Guests.