Recently we ran into a fun experience when adjusting the Cross-cloud meetings settings within the Teams Admin Center, which caused the Entra ID Cross-Tenant Access Settings to be changed as well. This behavior didn't seem to be documented anywhere and did cause some head-scratching before we figured out why B2B invitations weren't being accepted automatically any longer.
What are Cross-Tenant access settings?
Cross-tenant access settings can be defined between any two Microsoft Entra ID tenants to specify what level of inbound and/or outbound access is allowed between the users of these tenants. This allows for things such as B2B Collaboration or Direct Connect to take place, or we can specify that our tenant trusts compliant devices enrolled in another tenant. This affects access by B2B guests to/from your tenant and the specified organizations in services such as Teams, OneDrive, SharePoint, and applications.
A common use case is allowing trust between two partner tenants, for example. By default, Microsoft leaves these settings fairly open to all Microsoft tenants, but for security reasons we generally recommend tuning the defaults down and explicitly adding known organizations (depending on your organization's threat model, of course). You can even go so far as to specify the users and groups that are allowed to use B2B Collaboration/Direct Connect between two tenants, giving you even more granular control.
All these settings are neatly configured and saved within Entra ID, but affect services such as Teams, where we’ve now figured out that the Cross-cloud meetings settings reflect the same organizations (in essence, it’s synchronized with Entra ID):
Notice here however, that we don’t see the resolved user-friendly display name of the tenant (in this case, Mindcore), but instead the raw Tenant ID.
Also note that editing the settings here is Teams-specific:
The Problem
So far, this is fine (aside from the slightly less user-friendly Tenant ID being shown in the Teams Admin Center). The problem arises when an administrator (with sufficient permissions, see further below) is troubleshooting within the Teams Admin Center and decides to remove the Tenant ID and re-add it again.
When you decide to do this, it will also delete the tenant under the cross-tenant access settings within Entra ID including any custom inbound/outbound access you may have defined:
If you now add the tenant back in (either from Teams Admin center or Entra ID portal):
It now shows the default settings are inherited within Entra ID:
This has effectively wiped any custom settings that were previously defined! Ouch…
In the Audit log, this can be seen as follows:
Note that it shows that it was initiated from the Microsoft Teams Admin Portal.
Permissions and Roles Help
From some brief testing with roles and permissions, it appears as though the Cross-cloud meetings settings won’t show up if the user doesn’t have the appropriate permissions to change the Cross-Tenant Access Settings in Entra ID.
In the screenshot below, the test admin user on the left only has Teams Admin permissions while the MOD Administrator on the right is a Global Administrator.
From what I can gather from the documentation, the user requires at least 'Security Administrator' permissions to see this setting. That's a good thing, but it still means that administrators who do have enough permissions should be careful when adding/removing tenants within the Teams Admin Center if custom configurations have been made under the cross-tenant access settings.
Conclusion
At the end of the day, I wouldn’t expect this to cause issues for many people, but it’s still something to be aware of. It also shows that change-tracking is a huge help in troubleshooting scenarios to track down who changed what and when. Tracking changes in Entra ID can be done natively through audit logs (using the category of CrossTenantAccessSettings to filter) or by using something like EntraExporter alongside a Git repository to get a super powerful change tracking system that would also show exactly which settings were previously configured for any given tenant (something the Audit Logs don’t show).
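As an added example that is not part of the original post or of the EntraExporter project: a small Python script that diffs two exported snapshots of the partner configurations (in the shape Microsoft Graph returns from /policies/crossTenantAccessPolicy/partners, which is what a git-tracked export would contain) and reports partners that disappeared as well as overrides that silently reverted to the inherited default. The snapshots and the tenant ID are constructed placeholders.

```python
"""Diff two exported snapshots of Entra cross-tenant access partner settings.

In the Graph partner object a property set to null means "inherit the tenant
default"; that is exactly what a remove/re-add in the Teams Admin Center
leaves behind, so the diff flags explicit -> null transitions separately.
"""
import json

# Per-partner overrides we track; None means the default is inherited.
WATCHED = ("b2bCollaborationInbound", "b2bCollaborationOutbound",
           "b2bDirectConnectInbound", "b2bDirectConnectOutbound",
           "inboundTrust")

def index_partners(snapshot):
    """Map tenantId -> partner configuration object."""
    return {p["tenantId"]: p for p in snapshot["value"]}

def diff_partners(before, after):
    """Return (tenantId, finding) tuples describing what changed."""
    old, new = index_partners(before), index_partners(after)
    findings = [(tid, "partner removed") for tid in old.keys() - new.keys()]
    findings += [(tid, "partner added") for tid in new.keys() - old.keys()]
    for tid in old.keys() & new.keys():
        for prop in WATCHED:
            was, now = old[tid].get(prop), new[tid].get(prop)
            if was is not None and now is None:
                findings.append((tid, f"{prop} reverted to tenant default"))
            elif was != now:
                findings.append((tid, f"{prop} changed"))
    return findings

# Constructed snapshots with a placeholder tenant ID. Before: custom inbound
# trust plus an inbound collaboration rule. After a remove/re-add: the partner
# exists again, but every override is null (defaults inherited).
BEFORE = json.loads('''{"value": [{"tenantId": "00000000-0000-0000-0000-000000000001",
  "inboundTrust": {"isMfaAccepted": true, "isCompliantDeviceAccepted": true,
                   "isHybridAzureADJoinedDeviceAccepted": false},
  "b2bCollaborationInbound": {"usersAndGroups": {"accessType": "allowed",
      "targets": [{"target": "AllUsers", "targetType": "user"}]},
      "applications": {"accessType": "allowed",
      "targets": [{"target": "AllApplications", "targetType": "application"}]}},
  "b2bCollaborationOutbound": null, "b2bDirectConnectInbound": null,
  "b2bDirectConnectOutbound": null}]}''')
AFTER = json.loads('''{"value": [{"tenantId": "00000000-0000-0000-0000-000000000001",
  "inboundTrust": null, "b2bCollaborationInbound": null,
  "b2bCollaborationOutbound": null, "b2bDirectConnectInbound": null,
  "b2bDirectConnectOutbound": null}]}''')

if __name__ == "__main__":
    for tid, finding in diff_partners(BEFORE, AFTER):
        print(f"{tid}: {finding}")
```

Pointing the two arguments at consecutive git revisions of the exported partners file gives the "which settings were previously configured" view that the audit log alone lacks.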
Security consultant with a focus on infrastructure, cloud, and automation.