Configure Microsoft cloud settings for B2B collaboration (Preview)

Note

Microsoft cloud settings are preview features of Azure Active Directory. For more information about previews, see Supplemental Terms of Use for Microsoft Azure Previews.

When Azure AD organizations in separate Microsoft Azure clouds need to collaborate, they can use Microsoft cloud settings to enable Azure AD B2B collaboration. B2B collaboration is available between the following global and sovereign Microsoft Azure clouds:

  • Microsoft Azure commercial cloud and Microsoft Azure Government
  • Microsoft Azure commercial cloud and Microsoft Azure China 21Vianet

To set up B2B collaboration between partner organizations in different Microsoft Azure clouds, both partners must configure B2B collaboration with each other: the configuration is reciprocal, and collaboration isn't enabled until each side has completed it. In each organization, an admin completes the following steps:

  1. Configures their Microsoft cloud settings to enable collaboration with the partner's cloud.

  2. Uses the partner's tenant ID to find and add the partner to their organizational settings.

  3. Configures their inbound and outbound settings for the partner organization. The admin can either apply the default settings or configure specific settings for the partner.

After each organization has completed these steps, Azure AD B2B collaboration between the organizations is enabled.

Note

B2B direct connect is not supported for collaboration with Azure AD tenants in a different Microsoft cloud.

Before you begin

  • Obtain the partner's tenant ID. To enable B2B collaboration with a partner's Azure AD organization in another Microsoft Azure cloud, you'll need the partner's tenant ID. Using an organization's domain name for lookup isn't available in cross-cloud scenarios.
  • Decide on inbound and outbound access settings for the partner. Selecting a cloud in your Microsoft cloud settings doesn't automatically enable B2B collaboration. Once you enable another Microsoft Azure cloud, all B2B collaboration is blocked by default for organizations in that cloud. You'll need to add the tenant you want to collaborate with to your Organizational settings. At that point, your default settings go into effect for that tenant only. You can allow the default settings to remain in effect. Or, you can modify the inbound and outbound settings for the organization.
  • Obtain any required object IDs or app IDs. If you want to apply access settings to specific users, groups, or applications in the partner organization, you'll need to contact the organization for information before configuring your settings. Obtain their user object IDs, group object IDs, or application IDs (client app IDs or resource app IDs) so you can target your settings correctly.

Enable the cloud in your Microsoft cloud settings

In your Microsoft cloud settings, enable the Microsoft Azure cloud you want to collaborate with.

  1. Sign in to the Azure portal using a Global administrator or Security administrator account. Then open the Azure Active Directory service.

  2. Select External Identities, and then select Cross-tenant access settings.

  3. Select Microsoft cloud settings (Preview).

  4. Select the checkboxes next to the external Microsoft Azure clouds you want to enable.

    Screenshot showing Microsoft cloud settings.

Note

Selecting a cloud doesn't automatically enable B2B collaboration with organizations in that cloud. You'll need to add the organization you want to collaborate with, as described in the next section.

Add the tenant to your organizational settings

Follow these steps to add the tenant you want to collaborate with to your Organizational settings.

  1. Sign in to the Azure portal using a Global administrator or Security administrator account. Then open the Azure Active Directory service.

  2. Select External Identities, and then select Cross-tenant access settings.

  3. Select Organizational settings.

  4. Select Add organization.

  5. On the Add organization pane, type the tenant ID for the organization (cross-cloud lookup by domain name isn't currently available).

    Screenshot showing adding an organization.

  6. Select the organization in the search results, and then select Add.

  7. The organization appears in the Organizational settings list. At this point, all access settings for this organization are inherited from your default settings.

    Screenshot showing an organization added with default settings.

  8. If you want to change the cross-tenant access settings for this organization, select the Inherited from default link under the Inbound access or Outbound access column. Then follow the detailed steps in the sections on modifying inbound and outbound access settings.
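The same three steps (enable the partner's cloud, add the partner by tenant ID, set explicit inbound and outbound settings) can be scripted against Microsoft Graph instead of clicked through the portal. The following is an added example written for this page, not code from the original article or from Microsoft. It assumes the Microsoft.Graph PowerShell SDK is installed, the signed-in account holds the Global Administrator or Security Administrator role, and that the tenant ID and cloud endpoint values are placeholders you replace. Property names follow the Graph crossTenantAccessPolicy and crossTenantAccessPolicyConfigurationPartner resources; check them against the current Graph reference before relying on the script, since cloud settings are a preview feature.

```powershell
# Added example (not from the original page): configure cross-cloud B2B collaboration
# with one partner tenant through Microsoft Graph.
# Assumptions: Microsoft.Graph PowerShell SDK installed; caller is Global Administrator or
# Security Administrator; $PartnerTenantId and $PartnerCloud are placeholders to replace.

$PartnerTenantId = '00000000-0000-0000-0000-000000000000'  # placeholder: partner's tenant ID (domain lookup is not available cross-cloud)
$PartnerCloud    = 'microsoftonline.us'                     # Azure Government; use 'partner.microsoftonline.cn' for Azure China 21Vianet

Connect-MgGraph -Scopes 'Policy.ReadWrite.CrossTenantAccess' -NoWelcome

$policyUri   = 'https://graph.microsoft.com/v1.0/policies/crossTenantAccessPolicy'
$partnersUri = "$policyUri/partners"

# Step 1: enable the partner's cloud (Microsoft cloud settings = allowedCloudEndpoints).
# Read the current list first so a cloud that is already enabled is not dropped by the PATCH.
$policy    = Invoke-MgGraphRequest -Method GET -Uri $policyUri
$endpoints = @($policy.allowedCloudEndpoints | Where-Object { $_ })
if ($endpoints -notcontains $PartnerCloud) {
    $endpoints += $PartnerCloud
    Invoke-MgGraphRequest -Method PATCH -Uri $policyUri -Body @{ allowedCloudEndpoints = $endpoints }
}

# Steps 2 and 3: add the partner by tenant ID with explicit settings. Enabling the cloud alone
# blocks all B2B collaboration with that cloud; this partner entry is what actually allows it.
# 'AllUsers' / 'AllApplications' are the broad targets; narrow them to the partner's user, group
# or application object IDs once you have obtained those IDs from the partner.
$allUsers = @{ accessType = 'allowed'; targets = @(@{ target = 'AllUsers';        targetType = 'user' }) }
$allApps  = @{ accessType = 'allowed'; targets = @(@{ target = 'AllApplications'; targetType = 'application' }) }

$partner = @{
    tenantId                 = $PartnerTenantId
    b2bCollaborationInbound  = @{ usersAndGroups = $allUsers; applications = $allApps }
    b2bCollaborationOutbound = @{ usersAndGroups = $allUsers; applications = $allApps }
    # Trust MFA and device claims issued by the partner's home tenant so your Conditional Access
    # policies can be satisfied by the guest without re-registering in your tenant.
    inboundTrust = @{
        isMfaAccepted                       = $true
        isCompliantDeviceAccepted           = $true
        isHybridAzureADJoinedDeviceAccepted = $true
    }
}

# POST creates the partner entry; if the partner already exists, PATCH $partnersUri/$PartnerTenantId instead.
Invoke-MgGraphRequest -Method POST -Uri $partnersUri -Body $partner -ContentType 'application/json'

# Check: read both objects back and confirm what was stored before telling the partner you are done.
$policy = Invoke-MgGraphRequest -Method GET -Uri $policyUri
$stored = Invoke-MgGraphRequest -Method GET -Uri "$partnersUri/$PartnerTenantId"

if ($policy.allowedCloudEndpoints -notcontains $PartnerCloud) {
    throw "Cloud endpoint $PartnerCloud is not enabled in Microsoft cloud settings."
}
if ($stored.b2bCollaborationInbound.usersAndGroups.accessType -ne 'allowed') {
    throw "Inbound B2B collaboration for $PartnerTenantId is not set to allowed."
}
if (-not $stored.inboundTrust.isMfaAccepted) {
    throw "Inbound MFA trust for $PartnerTenantId is not enabled."
}
Write-Output "Cross-cloud B2B collaboration configured for tenant $PartnerTenantId in $PartnerCloud."
Write-Output "Reminder: the partner must complete the same steps in their tenant before collaboration works."
```

The script deliberately reads the policy before patching it, because `allowedCloudEndpoints` is a collection and a PATCH replaces the whole list; writing only the new cloud would silently disable any other cloud you had enabled earlier. The final checks are the scriptable version of looking at the Organizational settings list: they fail loudly if the entry fell back to "Inherited from default", which on a freshly enabled cloud means blocked.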

Sign-in endpoints

After enabling collaboration with an organization from a different Microsoft cloud, cross-cloud Azure AD guest users can now sign in to your multi-tenant or Microsoft first-party apps by using a common endpoint (in other words, a general app URL that doesn't include your tenant context). During the sign-in process, the guest user chooses Sign-in options, and then selects Sign in to an organization. The user then types the name of your organization and continues signing in using their Azure AD credentials.

Cross-cloud Azure AD guest users can also use application endpoints that include your tenant information, for example:

  • https://myapps.microsoft.com/?tenantid=<your tenant ID>
  • https://myapps.microsoft.com/<your verified domain>.onmicrosoft.com
  • https://contoso.sharepoint.com/sites/testsite

You can also give cross-cloud Azure AD guest users a direct link to an application or resource by including your tenant information, for example https://myapps.microsoft.com/signin/Twitter/<application ID>?tenantId=<your tenant ID>.

Supported scenarios with cross-cloud Azure AD guest users

The following scenarios are supported when collaborating with an organization from a different Microsoft cloud:

  • Use B2B collaboration to invite a user in the partner tenant to access resources in your organization, including web line-of-business apps, SaaS apps, and SharePoint Online sites, documents, and files.
  • Use B2B collaboration to share Power BI content to a user in the partner tenant.
  • Apply Conditional Access policies to the B2B collaboration user and opt to trust multi-factor authentication or device claims (compliant claims and hybrid Azure AD joined claims) from the user’s home tenant.

Next steps

See Configure external collaboration settings for B2B collaboration with non-Azure AD identities, social identities, and non-IT managed external accounts.