Cross-Tenant Access Risks
- Microsoft 365 cross-tenant access enables collaboration across Teams, SharePoint, and Exchange while letting tenants set explicit policies.
- Princeton's guide highlights configuring inbound/outbound tenant relationships, guest sign-in controls, and external-user policy enforcement.
- Treat cross-tenant collaboration as a formal trust exception and log partner-tenant activity, first-seen external admins, and app access (princetonits.com).
Cross-tenant access is Microsoft’s way to let one company’s Microsoft 365 users work inside another company’s apps without making them full internal accounts. Microsoft says the controls sit in Microsoft Entra External ID and govern both inbound access to your resources and outbound access to partner tenants. (learn.microsoft.com) The setup covers business-to-business collaboration and business-to-business direct connect, the feature Microsoft uses for shared Teams channels. Microsoft says admins can set a default policy for all outside tenants, then add organization-specific rules that override the default for named partners. (learn.microsoft.com 1) (learn.microsoft.com 2)

Those rules are split into two directions: inbound, which controls what an external organization’s users can do in your tenant, and outbound, which controls where your users can go in theirs. Microsoft also lets tenants decide whether to trust a partner’s multifactor authentication and device claims instead of challenging users again. (learn.microsoft.com)

The risk is that a collaboration shortcut can become a standing trust path if nobody treats it like an exception. Microsoft warns that changing broad defaults can break or expose business-critical access, and says admins should identify required access before they open or block tenant-wide settings. (learn.microsoft.com)

Princeton IT Services, in a guide published April 22, 2026, frames Microsoft 365 cross-tenant access as a way to collaborate across identities, data, and security policies while still keeping explicit controls. The guide tells admins to configure partner relationships deliberately, review guest sign-in behavior, and enforce policies on external users instead of relying on ad hoc invites. (princetonits.com)

Microsoft’s own documentation points to the same pressure points. External collaboration settings let organizations allow or block domains, limit who can invite guests, and review cross-tenant settings so inbound and outbound collaboration is scoped to specific users, groups, and applications. (learn.microsoft.com 1) (learn.microsoft.com 2)

Defaults matter here. Microsoft says business-to-business collaboration is enabled by default in both inbound and outbound directions, while business-to-business direct connect starts blocked inbound and outbound until both organizations explicitly enable it. (learn.microsoft.com 1) (learn.microsoft.com 2) That split means the biggest operational mistake is often not a hack but a mismatch: one tenant assumes a partner is tightly scoped, while the other leaves broader guest or app access in place. Microsoft says organization-specific settings can be narrowed to named users, groups, and applications, and those settings take precedence over the tenant-wide baseline. (learn.microsoft.com) (learn.microsoft.com)

Princeton’s recommendation is to treat every partner tenant like a formal trust exception and monitor it that way. The guide calls for logging partner-tenant activity, flagging first-seen external administrators, and tracking application access so security teams can tell routine collaboration from a new trust path. (princetonits.com)

The practical test is simple: if a partner tenant lost control of one admin account tonight, your logs should show what that tenant could reach, which apps were in scope, and which trust settings made the access possible. Cross-tenant access works best when those answers are configured before the first shared channel or guest invite goes live. (learn.microsoft.com) (princetonits.com)
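The precedence rule described above (organization-specific settings override the tenant-wide baseline, and an unconfigured partner section inherits the default) and the "practical test" of knowing what a partner tenant could reach can both be worked through on a policy export. The Python below is an added example, not code from Microsoft or Princeton IT Services. The two policy documents it embeds are constructed to follow the shape of the Microsoft Graph crossTenantAccessPolicy objects (the single default object and the per-partner objects exposed under /policies/crossTenantAccessPolicy), with made-up tenant and group IDs; the audit rules are this editor's reading of the text, not a Microsoft-supplied check, and only the inbound sections are modelled.

```python
"""Resolve and audit the effective inbound cross-tenant access for a partner tenant.

Constructed example: the policy dicts below mirror the Graph crossTenantAccessPolicy
default and partner objects, but every tenant ID, group ID and value is made up.
Outbound sections share the same structure and are omitted for brevity.
"""
from __future__ import annotations

import copy
import json


def _rule(access: str, *targets: tuple[str, str]) -> dict:
    """Build a usersAndGroups/applications block. accessType applies to the listed targets."""
    return {"accessType": access, "targets": [{"target": t, "targetType": k} for t, k in targets]}


ALL_USERS, ALL_APPS = ("AllUsers", "user"), ("AllApplications", "application")

# Constructed baseline in the out-of-the-box state the text describes:
# B2B collaboration open inbound, B2B direct connect blocked inbound, no trust.
DEFAULT_POLICY = {
    "isServiceDefault": True,
    "inboundTrust": {"isMfaAccepted": False, "isCompliantDeviceAccepted": False,
                     "isHybridAzureADJoinedDeviceAccepted": False},
    "b2bCollaborationInbound": {"usersAndGroups": _rule("allowed", ALL_USERS),
                                "applications": _rule("allowed", ALL_APPS)},
    "b2bDirectConnectInbound": {"usersAndGroups": _rule("blocked", ALL_USERS),
                                "applications": _rule("blocked", ALL_APPS)},
}

# Constructed partner overrides. A section left as None is "not configured" on the
# partner object and therefore inherits the tenant-wide default.
PARTNER_POLICIES = [
    {   # Tightly scoped partner: one named group, Office 365 only, partner MFA trusted.
        "tenantId": "11111111-1111-1111-1111-111111111111",
        "inboundTrust": {"isMfaAccepted": True, "isCompliantDeviceAccepted": False,
                         "isHybridAzureADJoinedDeviceAccepted": False},
        "b2bCollaborationInbound": {
            "usersAndGroups": _rule("allowed", ("aaaaaaaa-0000-0000-0000-000000000001", "group")),
            "applications": _rule("allowed", ("Office365", "application"))},
        "b2bDirectConnectInbound": None,
    },
    {   # Shared channels opened for everyone; collaboration left unconfigured (inherits default).
        "tenantId": "22222222-2222-2222-2222-222222222222",
        "inboundTrust": None,
        "b2bCollaborationInbound": None,
        "b2bDirectConnectInbound": {"usersAndGroups": _rule("allowed", ALL_USERS),
                                    "applications": _rule("allowed", ALL_APPS)},
    },
]

INBOUND_SECTIONS = ("inboundTrust", "b2bCollaborationInbound", "b2bDirectConnectInbound")


def effective_inbound(default: dict, partners: list[dict], tenant_id: str) -> dict:
    """Apply precedence: a partner's configured section wins; anything unset falls back to default."""
    partner = next((p for p in partners if p["tenantId"] == tenant_id), {})
    return {s: copy.deepcopy(partner[s] if partner.get(s) is not None else default[s])
            for s in INBOUND_SECTIONS}


def _has_target(block: dict, wildcard: str) -> bool:
    return any(t["target"] == wildcard for t in block.get("targets", []))


def _summarize(block: dict, wildcard: str) -> str:
    """Collapse an accessType/targets pair into: all, none, named:<n> or all_except_named.
    'blocked' with named targets blocks only those targets, so everything else stays allowed."""
    if block["accessType"] == "blocked":
        return "none" if _has_target(block, wildcard) else "all_except_named"
    return "all" if _has_target(block, wildcard) else f"named:{len(block['targets'])}"


def audit_partner(default: dict, partners: list[dict], tenant_id: str) -> dict:
    """Answer the text's three questions for one partner: who can reach what, which
    applications are in scope, and which trust settings make that access possible."""
    eff = effective_inbound(default, partners, tenant_id)
    report = {
        "tenantId": tenant_id,
        "hasOverride": any(p["tenantId"] == tenant_id for p in partners),
        "b2bCollaboration": {
            "users": _summarize(eff["b2bCollaborationInbound"]["usersAndGroups"], "AllUsers"),
            "applications": _summarize(eff["b2bCollaborationInbound"]["applications"], "AllApplications")},
        "b2bDirectConnect": {
            "users": _summarize(eff["b2bDirectConnectInbound"]["usersAndGroups"], "AllUsers"),
            "applications": _summarize(eff["b2bDirectConnectInbound"]["applications"], "AllApplications")},
        "trust": [name for name, accepted in eff["inboundTrust"].items() if accepted],
        "findings": [],
    }
    for feature in ("b2bCollaboration", "b2bDirectConnect"):
        scope = report[feature]
        if scope["users"] == "all" and scope["applications"] == "all":
            report["findings"].append(f"{feature}: every user in the partner tenant can reach every application")
        elif scope["users"] == "all":
            report["findings"].append(f"{feature}: every user in the partner tenant is in scope")
    if report["trust"]:
        report["findings"].append("inbound trust: " + ", ".join(report["trust"])
                                  + " accepted from the partner, so those claims satisfy your policies without a fresh challenge")
    if not report["hasOverride"]:
        report["findings"].append("no organization-specific settings: the tenant-wide default is the only control")
    return report


if __name__ == "__main__":
    # The third tenant has no partner object at all and inherits the baseline outright.
    for tid in ("11111111-1111-1111-1111-111111111111", "22222222-2222-2222-2222-222222222222",
                "33333333-3333-3333-3333-333333333333"):
        print(json.dumps(audit_partner(DEFAULT_POLICY, PARTNER_POLICIES, tid), indent=2))
```

Run as-is it prints three reports: the scoped partner surfaces only its trusted-MFA setting, the shared-channels partner shows every user reaching every application over both collaboration and direct connect, and the unknown tenant shows that the open default is its only control. Against a real tenant, replace the two constructed dicts with the JSON returned for the default and partner objects; the resolver and findings logic do not change.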