Entra ID Cross-Tenant Access Settings vs. Teams Cross-Cloud meetings – Who wins?

Recently we ran into a fun experience when adjusting the Cross-Cloud meetings within the Teams Admin Center which caused Entra ID Cross-Tenant Access Settings to be changed. This behavior didn’t seem to be documented anywhere and did cause some head-scratching before we figured out why B2B invitations weren’t automatically being accepted any longer.

What are Cross-Tenant access settings?

Cross-tenant access settings can be defined between any two Microsoft Entra ID tenants to specify what level of inbound and/or outbound access is allowed between the users of those tenants. This allows things such as B2B Collaboration or B2B Direct Connect to take place, or we can specify that our tenant trusts compliant devices enrolled in another tenant. These settings affect services such as Teams, OneDrive, SharePoint and application access by B2B guests to and from your tenant for the specified organizations.

A common use case is allowing trust between two partner tenants. By default, Microsoft leaves these settings fairly open to all Microsoft tenants, but for security reasons we generally recommend tightening the defaults and explicitly adding known organizations (depending on your organization's threat model, of course). You can even go so far as to specify the users and groups that are allowed to use B2B Collaboration/Direct Connect between two tenants, giving you even more fine-grained control.

All these settings are neatly configured and saved within Entra ID, but they affect services such as Teams, where we've now found that the Cross-cloud meetings settings reflect the same organizations (in essence, they are synchronized with Entra ID):

Notice here however, that we don’t see the resolved user-friendly display name of the tenant (in this case, Mindcore), but instead the raw Tenant ID.

Also note that the editing options are Teams-specific:

The Problem

So far, this is fine (aside from the slightly less user-friendly Tenant ID being shown in the Teams Admin Center). The problem arises when an administrator (with sufficient permissions, see further below) is troubleshooting within the Teams Admin Center and decides to remove the Tenant ID and re-add it again.

When you do this, it also deletes the tenant under the cross-tenant access settings within Entra ID, including any custom inbound/outbound access you may have defined:

If you now add the tenant back (either from the Teams Admin Center or the Entra ID portal):

Entra ID now shows that the default settings are inherited:

This has effectively wiped any custom settings that were previously defined! Ouch…

In the Audit log, this can be seen as follows:

Note that it shows that it was initiated from the Microsoft Teams Admin Portal.

Permissions and Roles Help

From some brief testing with roles and permissions, it appears that the Cross-cloud meetings settings won't show up at all if the user doesn't have the appropriate permissions to change the Cross-Tenant Access Settings in Entra ID.

In the screenshot below, the test admin user on the left only has Teams Admin permissions while the MOD Administrator on the right is a Global Administrator.

From what I can gather from the documentation, the user requires at least 'Security Administrator' permissions to see this setting. That's a good thing, but it still means that administrators who do have enough permissions should be careful when adding/removing tenants within the Teams Admin Center if custom configurations have been made under the cross-tenant access settings.

Conclusion

At the end of the day, I wouldn't expect this to cause issues for many people, but it's still something to be aware of. It also shows that change-tracking is a huge help in troubleshooting scenarios to track down who changed what and when. Tracking changes in Entra ID can be done natively through audit logs (using the category CrossTenantAccessSettings to filter) or by using something like EntraExporter alongside a Git repository to get a very powerful change-tracking system that would also show exactly which settings were previously configured for any given tenant (something the Audit Logs don't show).
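As an added example (not code from the original post or from EntraExporter), the script below does both things the post recommends: it snapshots the default and per-partner cross-tenant access settings into JSON files you can commit to a Git repository, and it lists recent audit events in the CrossTenantAccessSettings category with the actor and target. It assumes the Microsoft Graph PowerShell SDK is installed; the output folder and look-back window are illustrative values.

```powershell
# Added example, not from the original post: snapshot cross-tenant access settings
# for change tracking and list who recently changed them.
# Assumes the Microsoft.Graph PowerShell SDK; $OutDir and $Days are illustrative.
param(
    [string]$OutDir = ".\cross-tenant-snapshot",
    [int]$Days = 7
)

# Read-only scopes: policy export, audit log read, and basic tenant name lookup.
Connect-MgGraph -Scopes "Policy.Read.All", "AuditLog.Read.All", "CrossTenantInformation.ReadBasic.All" -NoWelcome
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# The default settings apply to every tenant that is not listed as a partner,
# which is exactly what a re-added tenant falls back to.
$default = Invoke-MgGraphRequest -Method GET -Uri "https://graph.microsoft.com/v1.0/policies/crossTenantAccessPolicy/default"
$default | ConvertTo-Json -Depth 20 | Set-Content -Path (Join-Path $OutDir "default.json")

# One file per partner, keyed by the raw tenant ID the Teams Admin Center shows,
# with the resolved display name added so a reviewer does not have to look it up.
$partners = Invoke-MgGraphRequest -Method GET -Uri "https://graph.microsoft.com/v1.0/policies/crossTenantAccessPolicy/partners"
foreach ($p in $partners.value) {
    $info = Invoke-MgGraphRequest -Method GET -Uri "https://graph.microsoft.com/v1.0/tenantRelationships/findTenantInformationByTenantId(tenantId='$($p.tenantId)')"
    $p["resolvedDisplayName"] = $info.displayName
    $p | ConvertTo-Json -Depth 20 | Set-Content -Path (Join-Path $OutDir "$($p.tenantId).json")
    # A null inbound section means the partner inherits the default settings,
    # i.e. any custom configuration has been lost.
    $inherits = ($null -eq $p.b2bCollaborationInbound) -and ($null -eq $p.b2bDirectConnectInbound)
    Write-Host ("Exported {0} ({1}); inherits default inbound settings: {2}" -f $p.tenantId, $info.displayName, $inherits)
}

# Audit trail: who changed cross-tenant settings, when, and what was targeted.
$since = (Get-Date).AddDays(-$Days).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ")
Get-MgAuditLogDirectoryAudit -Filter "category eq 'CrossTenantAccessSettings' and activityDateTime ge $since" -All |
    Select-Object ActivityDateTime, ActivityDisplayName, Result,
        @{ n = "Actor";  e = { if ($_.InitiatedBy.User) { $_.InitiatedBy.User.UserPrincipalName } else { $_.InitiatedBy.App.DisplayName } } },
        @{ n = "Target"; e = { ($_.TargetResources | ForEach-Object { $_.DisplayName }) -join ", " } } |
    Sort-Object ActivityDateTime -Descending | Format-Table -AutoSize
```

Run the snapshot on a schedule and commit the folder; a `git diff` then shows exactly which partner settings were replaced by inherited defaults after a remove/re-add in the Teams Admin Center.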

Security consultant with focus on infrastructure, cloud, and automation.
