cross-tenant-access-settings-b2b-collaboration.yml
### YamlMime:HowTo
---
metadata:
title: Configure B2B collaboration cross-tenant access
description: Use cross-tenant collaboration settings to manage how you collaborate with other Microsoft Entra organizations. Learn how to configure outbound access to external organizations and inbound access from external Microsoft Entra organizations for B2B collaboration.
author: msmimart
ms.author: mimart
manager: celestedg
ms.date: 06/07/2024
ms.service: entra-external-id
ms.topic: how-to
ms.collection: M365-identity-device-management
ms.custom:
- it-pro
- ge-structured-content-pilot
title: |
Configure cross-tenant access settings for B2B collaboration
introduction: |
[!INCLUDE [applies-to-workforce-only](./includes/applies-to-workforce-only.md)]
Use External Identities cross-tenant access settings to manage how you collaborate with other Microsoft Entra organizations through B2B collaboration. These settings determine both the level of *inbound* access users in external Microsoft Entra organizations have to your resources, and the level of *outbound* access your users have to external organizations. They also let you trust multifactor authentication (MFA) and device claims ([compliant claims and Microsoft Entra hybrid joined claims](~/identity/conditional-access/howto-conditional-access-policy-compliant-device.md)) from other Microsoft Entra organizations. For details and planning considerations, see [Cross-tenant access in Microsoft Entra External ID](cross-tenant-access-overview.md).
**Collaboration across clouds:** Partner organizations in different Microsoft clouds can set up B2B collaboration with each other. First, both organizations must enable collaboration with each other as described in [Configure Microsoft cloud settings](cross-cloud-settings.md). Then each organization can optionally modify their [inbound access settings](#modify-inbound-access-settings) and [outbound access settings](#modify-outbound-access-settings), as described below.
> [!IMPORTANT]
> Microsoft is beginning to move customers using cross-tenant access settings to a new storage model on August 30, 2023. You may notice an entry in your audit logs informing you that your cross-tenant access settings were updated as our automated task migrates your settings. For a brief window while the migration processes, you will be unable to make changes to your settings. If you are unable to make a change, wait a few moments and try the change again. Once the migration completes, [you will no longer be capped at 25 KB of storage space](./faq.yml#how-many-organizations-can-i-add-in-cross-tenant-access-settings-) and there will be no more limits on the number of partners you can add.
prerequisites:
summary: |
> [!CAUTION]
> Changing the default inbound or outbound settings to **Block access** could block existing business-critical access to apps in your organization or partner organizations. Be sure to use the tools described in [Cross-tenant access in Microsoft Entra External ID](cross-tenant-access-overview.md) and consult with your business stakeholders to identify the required access.
- Review the [Important considerations](cross-tenant-access-overview.md#important-considerations) section in the [cross-tenant access overview](cross-tenant-access-overview.md) before configuring your cross-tenant access settings.
- Use the tools and follow the recommendations in [Identify inbound and outbound sign-ins](cross-tenant-access-overview.md#identify-inbound-and-outbound-sign-ins) to understand which external Microsoft Entra organizations and resources users are currently accessing.
- Decide on the default level of access you want to apply to all external Microsoft Entra organizations.
- Identify any Microsoft Entra organizations that need customized settings so you can configure **Organizational settings** for them.
- If you want to apply access settings to specific users, groups, or applications in an external organization, you need to contact the organization for information before configuring your settings. Obtain their user object IDs, group object IDs, or application IDs (*client app IDs* or *resource app IDs*) so you can target your settings correctly.
- If you want to set up B2B collaboration with a partner organization in an external Microsoft Azure cloud, follow the steps in [Configure Microsoft cloud settings](cross-cloud-settings.md). An admin in the partner organization needs to do the same for your tenant.
- Both allow/block list and cross-tenant access settings are checked at the time of invitation. If a user's domain is on the allowlist, they can be invited, unless the domain is explicitly blocked in the cross-tenant access settings. If a user's domain is on the blocklist, they can't be invited regardless of the cross-tenant access settings. If a user isn't on either list, we check the cross-tenant access settings to determine whether they can be invited.
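The invitation precedence just described, as an added Python model that is not part of this article or of Microsoft Entra: the external collaboration domain list (allow or deny mode) is checked first, and the inbound B2B collaboration access status (the organization-specific setting if one exists, otherwise the default) decides the rest. The domain names, the `can_invite` function and the data classes are constructed for the example; the one behaviour the model assumes beyond the list above is that an allow list rejects domains it does not name.

```python
"""Invitation eligibility check modelled on the precedence described above (constructed example)."""
from dataclasses import dataclass, field
from typing import Optional

ALLOW = "allowed"
BLOCK = "blocked"


@dataclass
class CrossTenantAccess:
    """Inbound B2B collaboration access status: the default plus organization-specific overrides."""
    default_inbound: str = ALLOW
    organizations: dict = field(default_factory=dict)  # partner domain -> ALLOW or BLOCK

    def inbound(self, domain: str) -> str:
        # An organization with customized settings overrides the default.
        return self.organizations.get(domain, self.default_inbound)


@dataclass
class CollaborationRestrictions:
    """External collaboration domain list; at most one mode ('allow' or 'deny') is active."""
    mode: Optional[str] = None
    domains: frozenset = frozenset()


def can_invite(email: str, restrictions: CollaborationRestrictions,
               access: CrossTenantAccess) -> tuple:
    """Return (decision, reason) for inviting `email` as a B2B collaboration guest."""
    domain = email.rsplit("@", 1)[-1].lower()
    listed = domain in restrictions.domains

    # A deny-listed domain cannot be invited regardless of cross-tenant access settings.
    if restrictions.mode == "deny" and listed:
        return False, "domain is on the deny list"
    # Assumption for the model: an allow list rejects every domain it does not name.
    if restrictions.mode == "allow" and not listed:
        return False, "domain is not on the allow list"
    # Allow-listed, or on neither list: the cross-tenant access settings decide.
    if access.inbound(domain) == BLOCK:
        return False, "inbound B2B collaboration is blocked for this organization"
    return True, "inbound B2B collaboration is allowed"


if __name__ == "__main__":
    # Constructed sample configuration: default Allow, contoso.com customized to Block.
    access = CrossTenantAccess(default_inbound=ALLOW, organizations={"contoso.com": BLOCK})
    deny = CollaborationRestrictions(mode="deny", domains=frozenset({"fabrikam.com"}))
    for address in ("alice@fabrikam.com", "bob@contoso.com", "carol@northwind.example"):
        print(address, can_invite(address, deny, access))
```

The reason string is what you would want surfaced to a help desk: a deny-list hit and a cross-tenant block look identical to the inviting user, but only the second one is fixed on the **Organizational settings** tab.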
procedureSection:
- title: |
Configure default settings
summary: |
[!INCLUDE [portal updates](~/includes/portal-update.md)]
Default cross-tenant access settings apply to all external organizations for which you haven't created organization-specific customized settings. If you want to modify the Microsoft Entra ID-provided default settings, follow these steps.
steps:
- |
Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Security Administrator](~/identity/role-based-access-control/permissions-reference.md#security-administrator).
- |
Browse to **Identity** > **External Identities** > **Cross-tenant access settings**, then select **Cross-tenant access settings**.
- |
Select the **Default settings** tab and review the summary page.
:::image type="content" source="media/cross-tenant-access-settings-b2b-collaboration/cross-tenant-defaults.png" alt-text="Screenshot showing the Cross-tenant access settings Default settings tab.":::
- |
To change the settings, select the **Edit inbound defaults** link or the **Edit outbound defaults** link.
:::image type="content" source="media/cross-tenant-access-settings-b2b-collaboration/cross-tenant-defaults-edit.png" alt-text="Screenshot showing edit buttons for Default settings.":::
- |
Modify the default settings by following the detailed steps in these sections:
- [Modify inbound access settings](#modify-inbound-access-settings)
- [Modify outbound access settings](#modify-outbound-access-settings)
- title: |
Add an organization
summary: |
Follow these steps to configure customized settings for specific organizations.
steps:
- |
Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Security Administrator](~/identity/role-based-access-control/permissions-reference.md#security-administrator).
- |
Browse to **Identity** > **External Identities** > **Cross-tenant access settings**, then select **Organizational settings**.
- |
Select **Add organization**.
- |
On the **Add organization** pane, type the full domain name (or tenant ID) for the organization.
:::image type="content" source="media/cross-tenant-access-settings-b2b-collaboration/cross-tenant-add-organization.png" alt-text="Screenshot showing adding an organization.":::
- |
Select the organization in the search results, and then select **Add**.
- |
The organization appears in the **Organizational settings** list. At this point, all access settings for this organization are inherited from your default settings. To change the settings for this organization, select the **Inherited from default** link under the **Inbound access** or **Outbound access** column.
:::image type="content" source="media/cross-tenant-access-settings-b2b-collaboration/org-specific-settings-inherited.png" alt-text="Screenshot showing an organization added with default settings.":::
- |
Modify the organization's settings by following the detailed steps in these sections:
- [Modify inbound access settings](#modify-inbound-access-settings)
- [Modify outbound access settings](#modify-outbound-access-settings)
- title: |
Modify inbound access settings
summary: |
With inbound settings, you select which external users and groups are able to access the internal applications you choose. Whether you're configuring default settings or organization-specific settings, the steps for changing inbound cross-tenant access settings are the same. As described in this section, you navigate to either the **Default** tab or an organization on the **Organizational settings** tab, and then make your changes.
1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Security Administrator](~/identity/role-based-access-control/permissions-reference.md#security-administrator).
2. Browse to **Identity** > **External Identities** > **Cross-tenant access settings**.
3. Navigate to the settings you want to modify:
- **Default settings**: To modify default inbound settings, select the **Default settings** tab, and then under **Inbound access settings**, select **Edit inbound defaults**.
- **Organizational settings**: To modify settings for a specific organization, select the **Organizational settings** tab, find the organization in the list (or [add one](#add-an-organization)), and then select the link in the **Inbound access** column.
4. Follow the detailed steps for the inbound settings you want to change:
- [To change inbound B2B collaboration settings](#to-change-inbound-b2b-collaboration-settings)
- [To change inbound trust settings for accepting MFA and device claims](#to-change-inbound-trust-settings-for-mfa-and-device-claims)
### To change inbound B2B collaboration settings
1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Security Administrator](~/identity/role-based-access-control/permissions-reference.md#security-administrator).
2. Browse to **Identity** > **External Identities** > **Cross-tenant access settings**, then select **Organizational settings**.
3. Select the link in the **Inbound access** column and the **B2B collaboration** tab.
4. If you're configuring inbound access settings for a specific organization, select an option:
- **Default settings**: Select this option if you want the organization to use the default inbound settings (as configured on the **Default** settings tab). If customized settings were already configured for this organization, you need to select **Yes** to confirm that you want all settings to be replaced by the default settings. Then select **Save**, and skip the rest of the steps in this procedure.
- **Customize settings**: Select this option if you want to customize the settings to enforce for this organization instead of the default settings. Continue with the rest of the steps in this procedure.
5. Select **External users and groups**.
6. Under **Access status**, select one of the following:
- **Allow access**: Allows the users and groups specified under **Applies to** to be invited for B2B collaboration.
- **Block access**: Blocks the users and groups specified under **Applies to** from being invited to B2B collaboration.
:::image type="content" source="media/cross-tenant-access-settings-b2b-collaboration/generic-inbound-external-users-groups-access.png" alt-text="Screenshot showing selecting the user access status for B2B collaboration.":::
7. Under **Applies to**, select one of the following:
- **All external users and groups**: Applies the action you chose under **Access status** to all users and groups from external Microsoft Entra organizations.
- **Select external users and groups** (requires a Microsoft Entra ID P1 or P2 subscription): Lets you apply the action you chose under **Access status** to specific users and groups within the external organization.
> [!NOTE]
> If you block access for all external users and groups, you also need to block access to all your internal applications (on the **Applications** tab).
:::image type="content" source="media/cross-tenant-access-settings-b2b-collaboration/generic-inbound-external-users-groups-target.png" alt-text="Screenshot showing selecting the target users and groups.":::
8. If you chose **Select external users and groups**, do the following for each user or group you want to add:
- Select **Add external users and groups**.
- In the **Add other users and groups** pane, in the search box, type the user object ID or group object ID you obtained from your partner organization.
- In the menu next to the search box, choose either **user** or **group**.
- Select **Add**.
> [!NOTE]
> You cannot target users or groups in inbound default settings.
:::image type="content" source="media/cross-tenant-access-settings-b2b-collaboration/generic-inbound-external-users-groups-add-new.png" alt-text="Screenshot showing adding users and groups.":::
9. When you're done adding users and groups, select **Submit**.
:::image type="content" source="media/cross-tenant-access-settings-b2b-collaboration/generic-inbound-external-users-groups-submit.png" alt-text="Screenshot showing submitting users and groups.":::
10. Select the **Applications** tab.
11. Under **Access status**, select one of the following:
- **Allow access**: Allows the applications specified under **Applies to** to be accessed by B2B collaboration users.
- **Block access**: Blocks the applications specified under **Applies to** from being accessed by B2B collaboration users.
:::image type="content" source="media/cross-tenant-access-settings-b2b-collaboration/generic-inbound-applications-access.png" alt-text="Screenshot showing applications access status.":::
12. Under **Applies to**, select one of the following:
- **All applications**: Applies the action you chose under **Access status** to all of your applications.
- **Select applications** (requires a Microsoft Entra ID P1 or P2 subscription): Lets you apply the action you chose under **Access status** to specific applications in your organization.
> [!NOTE]
> If you block access to all applications, you also need to block access for all external users and groups (on the **External users and groups** tab).
:::image type="content" source="media/cross-tenant-access-settings-b2b-collaboration/generic-inbound-applications-target.png" alt-text="Screenshot showing target applications.":::
13. If you chose **Select applications**, do the following for each application you want to add:
- Select **Add Microsoft applications** or **Add other applications**.
- In the **Select** pane, type the application name or the application ID (either the *client app ID* or the *resource app ID*) in the search box. Then select the application in the search results. Repeat for each application you want to add.
- When you're done selecting applications, choose **Select**.
:::image type="content" source="media/cross-tenant-access-settings-b2b-collaboration/generic-inbound-applications-add.png" alt-text="Screenshot showing selecting applications.":::
14. Select **Save**.
### Add the Microsoft Admin Portals app to B2B collaboration
You can't directly add the [Microsoft Admin Portals app](/entra/identity/conditional-access/concept-conditional-access-cloud-apps#microsoft-admin-portals) to the inbound and outbound cross-tenant access settings in the Microsoft Entra admin center. However, you can add the apps listed below individually by using the [Microsoft Graph API](/graph/api/crosstenantaccesspolicy-post-partners).
The following apps are part of the Microsoft Admin Portals app group:
- Azure portal (c44b4083-3bb0-49c1-b47d-974e53cbdf3c)
- Microsoft Entra Admin Center (c44b4083-3bb0-49c1-b47d-974e53cbdf3c)
- Microsoft 365 Defender Portal (80ccca67-54bd-44ab-8625-4b79c4dc7775)
- Microsoft Intune Admin Center (80ccca67-54bd-44ab-8625-4b79c4dc7775)
- Microsoft Purview Compliance Portal (80ccca67-54bd-44ab-8625-4b79c4dc7775)
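An added example (not code from this article or from Microsoft) that builds the partner configuration body for adding those portal apps through the Graph API endpoint linked above. The five portal names map to only two application IDs, so the body must deduplicate them before they become targets. The request shape follows the crossTenantAccessPolicyConfigurationPartner resource as I understand it (`tenantId`, `b2bCollaborationInbound.applications.accessType` and `targets`, with `targetType` of `application`); confirm it against the linked reference. `PARTNER_TENANT_ID` is a placeholder, and `unique_app_ids`, `inbound_app_policy` and `as_graph_request` are names invented for the example.

```python
"""Partner configuration body for the admin-portal application IDs (constructed example)."""
import json
import re

GRAPH_PARTNERS_URL = "https://graph.microsoft.com/v1.0/policies/crossTenantAccessPolicy/partners"
GUID = re.compile(r"^[0-9a-f]{8}-([0-9a-f]{4}-){3}[0-9a-f]{12}$", re.IGNORECASE)

# Portal names and application IDs as listed above. Several portals share one ID,
# so the target list is built from the distinct IDs only.
ADMIN_PORTAL_APPS = {
    "Azure portal": "c44b4083-3bb0-49c1-b47d-974e53cbdf3c",
    "Microsoft Entra Admin Center": "c44b4083-3bb0-49c1-b47d-974e53cbdf3c",
    "Microsoft 365 Defender Portal": "80ccca67-54bd-44ab-8625-4b79c4dc7775",
    "Microsoft Intune Admin Center": "80ccca67-54bd-44ab-8625-4b79c4dc7775",
    "Microsoft Purview Compliance Portal": "80ccca67-54bd-44ab-8625-4b79c4dc7775",
}

PARTNER_TENANT_ID = "00000000-0000-0000-0000-000000000000"  # placeholder: the partner's tenant ID


def unique_app_ids(apps: dict) -> list:
    """Distinct application IDs, in first-seen order, with a format check on each."""
    ids = []
    for app_id in apps.values():
        if not GUID.match(app_id):
            raise ValueError(f"not an application ID: {app_id!r}")
        if app_id not in ids:
            ids.append(app_id)
    return ids


def inbound_app_policy(partner_tenant_id: str, app_ids: list, access_type: str = "allowed") -> dict:
    """Body for POST .../crossTenantAccessPolicy/partners that targets specific inbound apps."""
    if access_type not in ("allowed", "blocked"):
        raise ValueError("accessType must be 'allowed' or 'blocked'")
    if not GUID.match(partner_tenant_id):
        raise ValueError("partner tenant ID must be a GUID")
    return {
        "tenantId": partner_tenant_id,
        "b2bCollaborationInbound": {
            "applications": {
                "accessType": access_type,
                "targets": [{"target": a, "targetType": "application"} for a in app_ids],
            }
        },
    }


def as_graph_request(body: dict) -> str:
    """Render the request as it would be entered in Graph Explorer (no token handling here)."""
    return f"POST {GRAPH_PARTNERS_URL}\nContent-Type: application/json\n\n{json.dumps(body, indent=2)}"


if __name__ == "__main__":
    print(as_graph_request(inbound_app_policy(PARTNER_TENANT_ID, unique_app_ids(ADMIN_PORTAL_APPS))))
```

The body only sets the inbound applications target; users and groups stay inherited. If the organization already exists in your **Organizational settings**, a POST for the same tenant ID is rejected and the existing partner object has to be updated with PATCH instead.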
### Configure redemption order
To customize the order of identity providers that your guest users can use to sign in when they accept your invitation, follow these steps.
1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com/) as at least a [Security Administrator](/entra/identity/role-based-access-control/permissions-reference#security-administrator). Then open the **Identity** service on the left-hand side.
2. Select **External Identities** > **Cross-tenant access settings**.
3. On the **Default settings** tab, under **Inbound access settings**, select **Edit inbound defaults**.
4. On the **B2B collaboration** tab, select the **Redemption order** tab.
5. Move the identity providers up or down to change the order in which your guest users can sign in when they accept your invitation. You can also reset the redemption order to the default settings here.
:::image type="content" source="media/cross-tenant-access-overview/redemption-order-tab-entra.png" alt-text="Screenshot showing the redemption order tab." lightbox="media/cross-tenant-access-overview/redemption-order-tab-entra.png":::
6. Select **Save**.
You can also customize the redemption order via the Microsoft Graph API.
1. Open the [Microsoft Graph Explorer](https://developer.microsoft.com/graph/graph-explorer).
2. Sign in as at least a [Security Administrator](/entra/identity/role-based-access-control/permissions-reference#security-administrator) to your resource tenant.
3. Run the following query to get the current redemption order:
```http
GET https://graph.microsoft.com/beta/policies/crossTenantAccessPolicy/default
```
4. In this example, we move the SAML/WS-Fed IdP federation to the top of the redemption order, above the Microsoft Entra identity provider. Send a PATCH request to the same URI with this request body:
```http
PATCH https://graph.microsoft.com/beta/policies/crossTenantAccessPolicy/default
Content-Type: application/json

{
  "invitationRedemptionIdentityProviderConfiguration": {
    "primaryIdentityProviderPrecedenceOrder": ["externalFederation", "azureActiveDirectory"],
    "fallbackIdentityProvider": "defaultConfiguredIdp"
  }
}
```
5. To verify the changes, run the GET query again.
6. To reset the redemption order to the default settings, send a PATCH request to the same URI with this request body:
```http
PATCH https://graph.microsoft.com/beta/policies/crossTenantAccessPolicy/default
Content-Type: application/json

{
  "invitationRedemptionIdentityProviderConfiguration": {
    "primaryIdentityProviderPrecedenceOrder": [
      "azureActiveDirectory",
      "externalFederation",
      "socialIdentityProviders"
    ],
    "fallbackIdentityProvider": "defaultConfiguredIdp"
  }
}
```
<a name='samlws-fed-federation-direct-federation-for-azure-ad-verified-domains-preview'></a>
### SAML/WS-Fed federation (Direct federation) for Microsoft Entra ID verified domains
You can set up a direct federation relationship for a domain that is verified in Microsoft Entra ID. First, set up the direct federation configuration in the [admin center](direct-federation.md) or via the [API](/graph/api/resources/samlorwsfedexternaldomainfederation). Make sure that the domain isn't verified in the same tenant.
Once the configuration is set up, you can customize the redemption order. The SAML/WS-Fed IdP is added to the redemption order as the last entry; you can move it up to place it above the Microsoft Entra identity provider.
### Prevent your B2B users from redeeming an invite using Microsoft accounts
To prevent your B2B guest users from redeeming their invite using their existing Microsoft accounts or creating a new one to accept the invitation, follow the steps below.
1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com/) as at least a [Security Administrator](/entra/identity/role-based-access-control/permissions-reference#security-administrator). Then open the **Identity** service on the left-hand side.
2. Select **External Identities** > **Cross-tenant access settings**.
3. Under **Organizational settings** select the link in the **Inbound access** column and the **B2B collaboration** tab.
4. Select the **Redemption order** tab.
5. Under **Fallback identity providers** disable Microsoft service account (MSA).
:::image type="content" source="media/cross-tenant-access-overview/fallback-idp.png" alt-text="Screenshot of the fallback identity providers option." lightbox="media/cross-tenant-access-overview/fallback-idp.png":::
6. Select **Save**.
You need to have at least one fallback identity provider enabled at any given time. If you want to disable Microsoft accounts, you have to enable email one-time passcode; you can't disable both fallback identity providers. Any existing guest users who signed in with Microsoft accounts continue using them during subsequent sign-ins. You need to [reset their redemption status](reset-redemption-status.md) for this setting to apply to them.
### To change inbound trust settings for MFA and device claims
1. Select the **Trust settings** tab.
2. (This step applies to **Organizational settings** only.) If you're configuring settings for an organization, select one of the following:
- **Default settings**: The organization uses the settings configured on the **Default** settings tab. If customized settings were already configured for this organization, select **Yes** to confirm that you want all settings to be replaced by the default settings. Then select **Save**, and skip the rest of the steps in this procedure.
- **Customize settings**: You can customize the settings to enforce for this organization instead of the default settings. Continue with the rest of the steps in this procedure.
3. Select one or more of the following options:
- **Trust multifactor authentication from Microsoft Entra tenants**: Select this checkbox to allow your Conditional Access policies to trust MFA claims from external organizations. During authentication, Microsoft Entra ID checks a user's credentials for a claim that the user completed MFA. If not, an MFA challenge is initiated in the user's home tenant.
- **Trust compliant devices**: Allows your Conditional Access policies to trust [compliant device claims](~/identity/conditional-access/howto-conditional-access-policy-compliant-device.md) from an external organization when their users access your resources.
- **Trust Microsoft Entra hybrid joined devices**: Allows your Conditional Access policies to trust Microsoft Entra hybrid joined device claims from an external organization when their users access your resources.
:::image type="content" source="media/cross-tenant-access-settings-b2b-collaboration/inbound-trust-settings.png" alt-text="Screenshot showing trust settings.":::
4. (This step applies to **Organizational settings** only.) Review the **Automatic redemption** option:
- **Automatically redeem invitations with the tenant** <tenant>: Check this setting if you want to automatically redeem invitations. If so, users from the specified tenant won't have to accept the consent prompt the first time they access this tenant using cross-tenant synchronization, B2B collaboration, or B2B direct connect. This setting only suppresses the consent prompt if the specified tenant also checks this setting for outbound access.
:::image type="content" source="~/media/external-identities/inbound-consent-prompt-setting.png" alt-text="Screenshot that shows the inbound Automatic redemption check box.":::
5. Select **Save**.
### Allow users to sync into this tenant
If you select **Inbound access** of the added organization, you see the **Cross-tenant sync** tab and the **Allow users sync into this tenant** check box. Cross-tenant synchronization is a one-way synchronization service in Microsoft Entra ID that automates creating, updating, and deleting B2B collaboration users across tenants in an organization. For more information, see [Configure cross-tenant synchronization](~/identity/multi-tenant-organizations/cross-tenant-synchronization-configure.md) and the [Multitenant organizations documentation](~/identity/multi-tenant-organizations/index.yml).
:::image type="content" source="media/cross-tenant-access-settings-b2b-collaboration/cross-tenant-sync-tab.png" alt-text="Screenshot that shows the Cross-tenant sync tab with the Allow users sync into this tenant check box." lightbox="media/cross-tenant-access-settings-b2b-collaboration/cross-tenant-sync-tab.png":::
## Modify outbound access settings
With outbound settings, you select which of your users and groups are able to access the external applications you choose. Whether you're configuring default settings or organization-specific settings, the steps for changing outbound cross-tenant access settings are the same. As described in this section, you navigate to either the **Default** tab or an organization on the **Organizational settings** tab, and then make your changes.
1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Security Administrator](~/identity/role-based-access-control/permissions-reference.md#security-administrator).
2. Browse to **Identity** > **External Identities** > **Cross-tenant access settings**.
3. Navigate to the settings you want to modify:
- To modify default outbound settings, select the **Default settings** tab, and then under **Outbound access settings**, select **Edit outbound defaults**.
- To modify settings for a specific organization, select the **Organizational settings** tab, find the organization in the list (or [add one](#add-an-organization)) and then select the link in the **Outbound access** column.
4. Select the **B2B collaboration** tab.
5. (This step applies to **Organizational settings** only.) If you're configuring settings for an organization, select an option:
- **Default settings**: The organization uses the settings configured on the **Default** settings tab. If customized settings were already configured for this organization, you need to select **Yes** to confirm that you want all settings to be replaced by the default settings. Then select **Save**, and skip the rest of the steps in this procedure.
- **Customize settings**: You can customize the settings to enforce for this organization instead of the default settings. Continue with the rest of the steps in this procedure.
6. Select **Users and groups**.
7. Under **Access status**, select one of the following:
- **Allow access**: Allows your users and groups specified under **Applies to** to be invited to external organizations for B2B collaboration.
- **Block access**: Blocks your users and groups specified under **Applies to** from being invited to B2B collaboration. If you block access for all users and groups, this also blocks all external applications from being accessed via B2B collaboration.
:::image type="content" source="media/cross-tenant-access-settings-b2b-collaboration/generic-outbound-external-users-groups-access.png" alt-text="Screenshot showing users and groups access status for b2b collaboration.":::
8. Under **Applies to**, select one of the following:
- **All \<your organization\> users**: Applies the action you chose under **Access status** to all your users and groups.
- **Select \<your organization\> users and groups** (requires a Microsoft Entra ID P1 or P2 subscription): Lets you apply the action you chose under **Access status** to specific users and groups.
> [!NOTE]
> If you block access for all of your users and groups, you also need to block access to all external applications (on the **External applications** tab).
:::image type="content" source="media/cross-tenant-access-settings-b2b-collaboration/generic-outbound-external-users-groups-target.png" alt-text="Screenshot showing selecting the target users for b2b collaboration.":::
9. If you chose **Select \<your organization\> users and groups**, do the following for each user or group you want to add:
- Select **Add \<your organization\> users and groups**.
- In the **Select** pane, type the user name or group name in the search box.
- Select the user or group in the search results.
- When you're done selecting the users and groups you want to add, choose **Select**.
> [!NOTE]
> When targeting your users and groups, you won't be able to select users who have configured [SMS-based authentication](~/identity/authentication/howto-authentication-sms-signin.md). This is because users who have a "federated credential" on their user object are blocked to prevent external users from being added to outbound access settings. As a workaround, you can use the [Microsoft Graph API](/graph/api/resources/crosstenantaccesspolicy-overview) to add the user's object ID directly or target a group the user belongs to.
10. Select the **External applications** tab.
11. Under **Access status**, select one of the following:
- **Allow access**: Allows the external applications specified under **Applies to** to be accessed by your users via B2B collaboration.
- **Block access**: Blocks the external applications specified under **Applies to** from being accessed by your users via B2B collaboration.
:::image type="content" source="media/cross-tenant-access-settings-b2b-collaboration/generic-outbound-applications-access.png" alt-text="Screenshot showing applications access status for b2b collaboration.":::
12. Under **Applies to**, select one of the following:
- **All external applications**: Applies the action you chose under **Access status** to all external applications.
- **Select external applications**: Lets you apply the action you chose under **Access status** to specific external applications.
> [!NOTE]
> If you block access to all external applications, you also need to block access for all of your users and groups (on the **Users and groups** tab).
:::image type="content" source="media/cross-tenant-access-settings-b2b-collaboration/generic-outbound-applications-target.png" alt-text="Screenshot showing application targets for b2b collaboration.":::
13. If you chose **Select external applications**, do the following for each application you want to add:
- Select **Add Microsoft applications** or **Add other applications**.
- In the search box, type the application name or the application ID (either the *client app ID* or the *resource app ID*). Then select the application in the search results. Repeat for each application you want to add.
- When you're done selecting applications, choose **Select**.
:::image type="content" source="media/cross-tenant-access-settings-b2b-collaboration/outbound-b2b-collaboration-add-apps.png" alt-text="Screenshot showing selecting applications for b2b collaboration.":::
14. Select **Save**.
### To change outbound trust settings
(This section applies to **Organizational settings** only.)
steps:
- |
Select the **Trust settings** tab.
- |
Review the **Automatic redemption** option:
- **Automatically redeem invitations with the tenant** <tenant>: Check this setting if you want to automatically redeem invitations. If so, users from this tenant don't have to accept the consent prompt the first time they access the specified tenant using cross-tenant synchronization, B2B collaboration, or B2B direct connect. This setting only suppresses the consent prompt if the specified tenant also checks this setting for inbound access.
:::image type="content" source="~/media/external-identities/outbound-consent-prompt-setting.png" alt-text="Screenshot that shows the outbound Automatic redemption check box.":::
- |
Select **Save**.
- title: |
Remove an organization
summary: |
When you remove an organization from your Organizational settings, the default cross-tenant access settings go into effect for that organization.
> [!NOTE]
> If the organization is a cloud service provider for your organization (the isServiceProvider property in the Microsoft Graph [partner-specific configuration](/graph/api/resources/crosstenantaccesspolicyconfigurationpartner) is true), you won't be able to remove the organization.
steps:
- |
Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Security Administrator](~/identity/role-based-access-control/permissions-reference.md#security-administrator).
- |
Browse to **Identity** > **External Identities** > **Cross-tenant access settings**.
- |
Select the **Organizational settings** tab.
- |
Find the organization in the list, and then select the trash can icon on that row.
relatedContent:
- text: Configure external collaboration settings
url: external-collaboration-settings-configure.md
- text: Configure cross-tenant access settings for B2B direct connect
url: cross-tenant-access-settings-b2b-direct-connect.md