A customer asked me for guidance on federating identities between two Microsoft 365 organizations for the purpose of document collaboration. My approach was to start off with the Claude 4 AI LLM, then I incorporated input from OpenAI o3, Grok 3, and Gemini 2.5 Pro. At each step, I had Claude accept or reject input from the other models to create a superset of the documentation. The result is a comprehensive step-by-step approach that will be useful for any organization. This end-to-end checklist establishes a cross-tenant trust limited exclusively to your partner organization, enabling secure document co-authoring and sharing in SharePoint Online and OneDrive while keeping external sharing blocked for all other organizations.
planning phase: define collaboration scope
before beginning technical configuration, clearly define:
- users/groups: which specific users or security groups in each organization need collaboration access
- resources: specific sharepoint sites, document libraries, or onedrive content to be shared
- trust level: agreement on mfa trust, device compliance requirements, and automatic invitation redemption
- permissions: minimum required access levels (view, edit, contribute) for each resource
- timeline: expected duration of collaboration and review cycles
prerequisites (verify in both tenants)
| requirement | why it matters |
|---|---|
| global administrator or security administrator role | required to edit external identity settings and cross-tenant access policies |
| microsoft entra id p1/p2 & sharepoint online licenses | essential for b2b collaboration features and spo external sharing capabilities |
| partner organization’s primary domain or Tenant ID | you’ll need this exact identifier when adding the organization |
| sharepoint online management shell access | required to enable b2b integration via powershell if not already configured |
| organizational approval for trust relationship | ensure legal and compliance teams have approved the collaboration |
| cross-cloud compatibility verification | confirm both organizations are in compatible microsoft clouds (commercial, gcc, etc.) |
| coordination between administrators | critical: both organizations’ administrators must perform synchronized configuration steps |
| object ids for granular user control | if restricting to specific users, you’ll need their Microsoft Entra Object IDs from the partner organization |
administrator coordination checklist
| phase | organization a tasks | organization b tasks | coordination point |
|---|---|---|---|
| planning | define collaboration scope and required users | define collaboration scope and required users | share tenant ids, domain names, and object ids of users |
| configuration | configure inbound access for org b | configure outbound access for org a | verify trust settings match on both sides |
| application setup | configure applications org b users can access | configure which applications org b users can use | share specific application ids if using granular control |
| testing | test guest invitation process | test guest acceptance and access | coordinate test scenarios and validate end-to-end flow |
| go-live | monitor guest activity and access patterns | train users on new collaboration process | establish ongoing communication channels |
phase 0: prepare sharepoint for b2b collaboration (critical foundation)
step 1: verify external sharing is disabled
objective: confirm external sharing is completely disabled to ensure all collaboration uses secure b2b trust mechanisms.
- access sharepoint admin center
- microsoft 365 admin center → admin centers → sharepoint
- verify current settings
- navigate to policies → sharing
- under external sharing, confirm both sharepoint and onedrive are set to only people in your organization
- if not already set, change to this most restrictive setting and click save
step 2: enable microsoft entra b2b integration for sharepoint
objective: ensure sharepoint uses microsoft entra b2b for all external authentication.
- verify b2b integration status
- in sharepoint admin center, check if b2b integration is already enabled
- look for b2b-related settings under policies → sharing
- check and enable b2b integration
- connect to sharepoint online using powershell:
```powershell
# connect to the SharePoint Online admin endpoint for your tenant
Connect-SPOService -Url https://[yourtenant]-admin.sharepoint.com
# first, check if B2B integration is already enabled
Get-SPOTenant | Select-Object EnableAzureADB2BIntegration
# if the result shows False, enable B2B integration
Set-SPOTenant -EnableAzureADB2BIntegration $true
# verify the setting was applied
Get-SPOTenant | Select-Object EnableAzureADB2BIntegration
```
change management: understanding user experience changes
- before: users could create “Anyone” links that worked without authentication
- after: all external sharing requires the recipient to have a guest account and authenticate
- impact: external recipients will need to sign in with their work/personal microsoft account or create one
- benefit: all external access is now tracked, auditable, and governed by your security policies
- user action required: users should inform external recipients that they’ll need to authenticate when accessing shared content
plan for increased helpdesk tickets initially as users and external recipients adapt to the new authentication requirements.
step 3: review and update conditional access policies
objective: ensure existing conditional access policies don’t inadvertently block guest users or partner organization access.
- audit current policies
- navigate to identity → protection → conditional access
- review all enabled policies for potential guest user conflicts
- look for policies that might block:
- users from specific locations (if partner organization is in different geography)
- unmanaged devices (if you haven’t enabled device trust)
- users without organization-issued mfa
- create guest-specific policies (recommended)
- create dedicated conditional access policy for directory roles = guest
- grant access with conditions such as:
- require multi-factor authentication (if not trusting partner mfa)
- require approved client apps for accessing sharepoint/onedrive
- exclude from policies that require organization-owned devices
- configure partner tenant-specific mfa requirements
- if you want to enforce additional mfa for a specific partner tenant:
```
policy name: "Partner Org - Require MFA"
users and groups: external users from [partner tenant id]
cloud apps: office 365 sharepoint online, office 365 exchange online
grant: require multi-factor authentication
```
- this enforces your mfa requirements even if trusting their mfa for sso
- test policy impact
- use what if tool in conditional access to simulate guest user scenarios
- verify policies don’t create unintended access blocks
- document any policy exclusions created for guest users
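The partner-scoped MFA policy sketched above, written out as Microsoft Graph PowerShell so it can be created in report-only mode and reviewed in the What If tool before enforcement. This is an added example, not code from the original post; it assumes the Microsoft.Graph PowerShell module is installed, that `$partnerTenantId` is a placeholder for the partner's real tenant ID, and that the `includeGuestsOrExternalUsers` condition is available on the Graph v1.0 Conditional Access API (it was at the time of writing). The application IDs are the SharePoint Online and Exchange Online IDs from the post's technical reference table.

```powershell
# Added example: create the "Partner Org - Require MFA" Conditional Access policy
# scoped to B2B collaboration guests from one specific partner tenant.
# Report-only first: the policy is evaluated and logged but does not block anyone.
$partnerTenantId  = "00000000-0000-0000-0000-000000000000"   # placeholder: partner tenant ID
$sharePointOnline = "00000003-0000-0ff1-ce00-000000000000"   # Office 365 SharePoint Online
$exchangeOnline   = "00000002-0000-0ff1-ce00-000000000000"   # Office 365 Exchange Online

Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

$policy = @{
    displayName = "Partner Org - Require MFA"
    # switch to "enabled" only after reviewing the report-only sign-in results
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        clientAppTypes = @("all")
        applications   = @{ includeApplications = @($sharePointOnline, $exchangeOnline) }
        users          = @{
            # only guests whose home tenant is the partner; other external users are untouched
            includeGuestsOrExternalUsers = @{
                guestOrExternalUserTypes = "b2bCollaborationGuest"
                externalTenants = @{
                    "@odata.type"  = "#microsoft.graph.conditionalAccessEnumeratedExternalTenants"
                    membershipKind = "enumerated"
                    members        = @($partnerTenantId)
                }
            }
        }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
}

$created = Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies" `
    -Body ($policy | ConvertTo-Json -Depth 10) -ContentType "application/json" `
    -OutputType PSObject

"Created policy $($created.id) in state $($created.state)"
```

Leave the policy in report-only for a full test cycle: with MFA trust enabled in Phase 1, partner users who already satisfied MFA at home should show as compliant in the report, which is the evidence that the trust, and not the extra prompt, is doing the work.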
phase 1: configure cross-tenant trust (repeat in both tenants)
step 1: add partner organization and configure trust
- navigate to cross-tenant settings
- entra admin center → external identities → cross-tenant access settings → organizational settings
- add partner organization
- click + add organization
- enter partner’s verified domain or tenant ID
- click add
- configure inbound access (detailed)
- click inbound access for the newly added organization
- on the b2b collaboration tab:
- choose customize settings
- external users and groups:
- access status: select allow access
- applies to: choose your security model:
- all external users and groups from partner organization (broad trust)
- select external users and groups (granular control – requires object ids)
if selecting specific users, obtain their object ids from the partner organization:
```powershell
# partner organization runs this to get object ids:
Connect-AzureAD
Get-AzureADUser -SearchString "[email protected]" | Select-Object ObjectId, DisplayName, UserPrincipalName
```
- external applications:
- access status: select allow access
- applies to: choose your application scope:
- all applications (broad access)
- select applications (granular control):
- add microsoft applications: select from common apps
- key application ids for document collaboration:
- office 365 sharepoint online: 00000003-0000-0ff1-ce00-000000000000
- microsoft teams: 1fec8e78-bce4-4aaf-ab1b-5451cc387264
- office 365 exchange online: 00000002-0000-0ff1-ce00-000000000000
- add other applications: for custom or third-party apps
- configure outbound access (detailed)
- click outbound access for the partner organization
- on the b2b collaboration tab:
- choose customize settings
- users and groups:
- access status: select allow access
- applies to:
- all users (allows all your users to be invited to partner organization)
- select users and groups (restrict which of your users can be invited externally)
- external applications:
- access status: select allow access
- applies to:
- all external applications (your users can access any app they’re invited to)
- select external applications (restrict which partner applications your users can access)
- enable trust settings
- click the trust settings tab
- enable trust multifactor authentication from microsoft entra tenants (reduces sign-in friction)
- if using device-based conditional access, also enable:
- trust compliant devices
- trust hybrid azure ad joined devices
- optional: enable automatically redeem invitations to skip consent prompts (requires partner to enable matching setting)
- click save
important: understanding default vs. organizational settings
- default settings apply to all external organizations
- organizational settings override defaults for specific partner organizations
- this design allows you to maintain strict security (default deny) while enabling targeted collaboration (organizational allow)
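The inbound-side configuration of Phase 1 can be applied and, more importantly, read back as a script, so both administrators can compare exact values instead of screenshots. This is an added example, not part of the original post; it uses the Microsoft Graph REST endpoints for cross-tenant access policy through `Invoke-MgGraphRequest`, assumes the Microsoft.Graph PowerShell module, and treats `$partnerTenantId` as a placeholder. The application IDs are those listed in the post.

```powershell
# Added example: configure the partner organization's inbound B2B collaboration
# and trust settings via Microsoft Graph, then print what is effective.
$partnerTenantId = "00000000-0000-0000-0000-000000000000"   # placeholder: partner tenant ID

Connect-MgGraph -Scopes "Policy.ReadWrite.CrossTenantAccess"
$base = "https://graph.microsoft.com/v1.0/policies/crossTenantAccessPolicy"

# 1. The post's model is "default deny, organizational allow": check the default
#    inbound setting that applies to every organization without a partner entry.
$default = Invoke-MgGraphRequest -Method GET -Uri "$base/default" -OutputType PSObject
$defaultUsers = $default.b2bCollaborationInbound.usersAndGroups.accessType
if ($defaultUsers -ne "blocked") {
    Write-Warning "Default inbound B2B collaboration is '$defaultUsers'; set it to blocked if all other organizations should be denied."
}

# 2. Desired partner entry: all partner users, only the collaboration apps, trust their MFA.
$desired = @{
    tenantId = $partnerTenantId
    inboundTrust = @{
        isMfaAccepted                       = $true
        isCompliantDeviceAccepted           = $false   # enable if device-based CA is in use
        isHybridAzureADJoinedDeviceAccepted = $false
    }
    b2bCollaborationInbound = @{
        usersAndGroups = @{
            accessType = "allowed"
            targets    = @(@{ target = "AllUsers"; targetType = "user" })
        }
        applications = @{
            accessType = "allowed"
            targets    = @(
                @{ target = "00000003-0000-0ff1-ce00-000000000000"; targetType = "application" }  # SharePoint Online
                @{ target = "00000002-0000-0ff1-ce00-000000000000"; targetType = "application" }  # Exchange Online
            )
        }
    }
}

# 3. Create the partner entry, or update it if it already exists.
$exists = $true
try   { Invoke-MgGraphRequest -Method GET -Uri "$base/partners/$partnerTenantId" | Out-Null }
catch { $exists = $false }

if ($exists) {
    $patch = $desired.Clone(); $patch.Remove("tenantId")   # tenantId is the key, not a writable field
    Invoke-MgGraphRequest -Method PATCH -Uri "$base/partners/$partnerTenantId" -Body $patch -ContentType "application/json"
} else {
    Invoke-MgGraphRequest -Method POST -Uri "$base/partners" -Body $desired -ContentType "application/json"
}

# 4. Read back the effective settings; send this output to the partner administrator
#    so their outbound side and trust settings can be matched exactly.
$applied = Invoke-MgGraphRequest -Method GET -Uri "$base/partners/$partnerTenantId" -OutputType PSObject
[pscustomobject]@{
    PartnerTenant   = $applied.tenantId
    InboundUsers    = $applied.b2bCollaborationInbound.usersAndGroups.accessType
    InboundApps     = ($applied.b2bCollaborationInbound.applications.targets | ForEach-Object target) -join ", "
    MfaTrusted      = $applied.inboundTrust.isMfaAccepted
    CompliantDevice = $applied.inboundTrust.isCompliantDeviceAccepted
    HybridJoined    = $applied.inboundTrust.isHybridAzureADJoinedDeviceAccepted
}
```

Step 4 is the part worth keeping: most "access denied" and MFA re-prompt issues in the troubleshooting table come from the two tenants believing they configured the same thing while differing in one field.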
phase 2: configure directory-level guest invitation settings
step 2: enable guest invitations at directory level
- access external collaboration settings
- external identities → external collaboration settings
- configure guest user access (critical settings)
- under guest invite settings, select based on your governance model:
- recommended: member users and users assigned to specific admin roles can invite guest users including guests with member permissions
- alternative: anyone in the organization can invite guest users including guests and non-admins (less restrictive)
- restrictive: only users assigned to specific admin roles can invite guest users (admin-only invitations)
- ensure the guest invite restrictions setting is not set to “No one can invite guest users”
- set collaboration restrictions (domain-level control)
- under collaboration restrictions:
- recommended for targeted trust: allow invitations only to the specified domains → add partner organization domain (e.g., contoso.com)
- alternative for flexibility: allow invitations to any domain (cross-tenant access settings still control organizational access)
- important: even if you select “any domain” here, the cross-tenant access organizational settings provide more granular control over users and applications for trusted organizations
- settings hierarchy and precedence
- most restrictive: external collaboration settings (tenant-wide)
- more granular: cross-tenant access default settings
- most specific: cross-tenant access organizational settings (takes precedence)
- result: your organizational cross-tenant settings will override restrictions here for your trusted partner
phase 3: restrict sharepoint and onedrive sharing
step 3: configure sharepoint/onedrive domain restrictions and site settings
organizational-level sharepoint configuration
- access sharepoint admin center
- sharepoint admin center → policies → sharing
- set organizational sharing level (critical for b2b guest access)
- current requirement: if currently set to “Only people in your organization,” you must change this to enable b2b guests
- recommended options:
- existing guests (forces accounts to be pre-created via b2b invitation – more secure)
- new and existing guests (allows ad-hoc sharing – more convenient)
- important: the entra cross-tenant settings control which organizations can collaborate; sharepoint settings enable the capability for guest access
- configure domain restrictions (additional layer)
- under domain restrictions for sharing, you can optionally:
- select only allow sharing with specific domains → add partner domain
- however: cross-tenant access settings provide more granular control over users and applications, making this secondary
- recommendation: rely primarily on entra cross-tenant settings for domain control
site-level sharepoint configuration (per collaboration site)
for each sharepoint site that will host shared documents:
- access site sharing settings
- navigate to the sharepoint site
- settings (gear icon) → site permissions → site sharing
- alternative path: site settings → site collection administration → site collection features → sharing
- configure site-level permissions
- ensure site sharing settings are not more restrictive than organizational settings
- recommended: set to new and existing guests or existing guests
- verify: site-level restrictions cannot be more permissive than organizational settings
- site permission groups for external users
- create dedicated permission groups for external collaborators
- example groups:
- “Partner Org – Editors” (edit permissions)
- “Partner Org – Viewers” (read permissions)
- benefit: easier management of external user permissions
onedrive configuration
- onedrive sharing settings
- in sharepoint admin center, configure onedrive sharing separately or inherit from sharepoint
- recommendation: set to match sharepoint organizational settings
- important: individual onedrive sharing must respect organizational limits
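The tenant- and site-level sharing settings from this phase, applied with the SharePoint Online Management Shell and read back for verification. This is an added example and not code from the original post; `[yourtenant]`, the partner domain and the site URL are placeholders, and the module is assumed installed (`Install-Module Microsoft.Online.SharePoint.PowerShell`).

```powershell
# Added example: apply the Phase 3 SharePoint/OneDrive sharing settings and verify them.
$adminUrl      = "https://[yourtenant]-admin.sharepoint.com"                    # placeholder
$partnerDomain = "partner.example"                                              # placeholder
$siteUrl       = "https://[yourtenant].sharepoint.com/sites/PartnerCollab"      # placeholder

Connect-SPOService -Url $adminUrl

# Tenant level. "Existing guests" (ExistingExternalUserSharingOnly) means a document
# can only be shared with an account that already exists as a B2B guest, so every
# external identity has passed through the invitation and cross-tenant policy first.
# The domain allow list is the secondary layer the post describes; Direct links
# ("specific people") keep "Anyone" links from reappearing as the default.
Set-SPOTenant -SharingCapability ExistingExternalUserSharingOnly `
              -OneDriveSharingCapability ExistingExternalUserSharingOnly `
              -SharingDomainRestrictionMode AllowList `
              -SharingAllowedDomainList $partnerDomain `
              -DefaultSharingLinkType Direct

# Site level: a site may be more restrictive than the tenant, never more permissive.
Set-SPOSite -Identity $siteUrl -SharingCapability ExistingExternalUserSharingOnly

# Read back what is effective. "Disabled" here means guests are still blocked, and
# EnableAzureADB2BIntegration must be True for the Phase 0 foundation to hold.
Get-SPOTenant | Select-Object SharingCapability, OneDriveSharingCapability,
    SharingDomainRestrictionMode, SharingAllowedDomainList, DefaultSharingLinkType,
    EnableAzureADB2BIntegration
Get-SPOSite -Identity $siteUrl | Select-Object Url, SharingCapability
```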
phase 4: invite guest users and share resources
step 4: invite partner organization users as b2b guests
objective: add specific users from partner organization as b2b guests to enable document access.
individual user invitations (recommended for testing)
- add guest users via entra admin center
- microsoft entra admin center → users → new user → invite external user
- enter partner user’s email address (e.g., [email protected])
- optional: assign to specific groups or applications during invitation
- add personal message explaining the collaboration purpose
- click invite
- guest acceptance process
- partner user receives invitation email with redemption link
- user clicks accept invitation and signs in with home organization credentials
- due to trust settings, mfa from home organization is honored (no re-authentication required)
bulk user invitations (for larger collaborations)
for inviting multiple users simultaneously:
- powershell bulk invitation
```powershell
# install the required module (one-time) and sign in
Install-Module AzureAD
Connect-AzureAD
# import csv with partner user emails (columns: email, displayname)
$users = Import-Csv "C:\path\to\partner-users.csv"
foreach ($user in $users) {
    New-AzureADMSInvitation -InvitedUserEmailAddress $user.email `
                            -InvitedUserDisplayName $user.displayname `
                            -InviteRedirectUrl "https://portal.azure.com" `
                            -SendInvitationMessage $true
}
```
- csv format example
```csv
email,displayname
[email protected],john smith
[email protected],jane doe
```
- azure ad b2b invitation manager tool
- use microsoft’s bulk invitation templates
- upload csv file through azure portal under external identities → guest users → bulk invite
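The same bulk invitation with the Microsoft Graph PowerShell SDK (`New-MgInvitation`), which is the supported successor to the AzureAD module used in the snippet above. This is an added example, not code from the original post. It adds two things a bulk run should have: it refuses any CSV row whose e-mail domain is not the agreed partner domain, so a typo in the file cannot invite an outsider, and it writes a result file for the audit trail. `$partnerDomain`, the CSV path and the redirect URL are placeholders; the CSV columns are `email,displayname` as in the post.

```powershell
# Added example: bulk-invite partner users via Microsoft Graph with a domain guard.
$partnerDomain = "partner.example"                 # placeholder: the partner's verified domain
$csvPath       = "C:\path\to\partner-users.csv"    # placeholder
$redirectUrl   = "https://myapps.microsoft.com"    # where the guest lands after redemption

Connect-MgGraph -Scopes "User.Invite.All"

$results = foreach ($row in Import-Csv $csvPath) {
    $email  = $row.email.Trim()
    $domain = ($email -split "@")[-1].ToLowerInvariant()

    if ($domain -ne $partnerDomain.ToLowerInvariant()) {
        # outside the agreed domain: record it, do not send anything
        [pscustomobject]@{ Email = $email; Status = "Skipped"; Detail = "domain '$domain' is not $partnerDomain" }
        continue
    }
    try {
        $inv = New-MgInvitation -InvitedUserEmailAddress $email `
                                -InvitedUserDisplayName $row.displayname `
                                -InviteRedirectUrl $redirectUrl `
                                -SendInvitationMessage
        # Status is PendingAcceptance until the user redeems the invitation
        [pscustomobject]@{ Email = $email; Status = $inv.Status; Detail = "guest object id $($inv.InvitedUser.Id)" }
    } catch {
        [pscustomobject]@{ Email = $email; Status = "Failed"; Detail = $_.Exception.Message }
    }
}

$results | Export-Csv -Path "invitation-results.csv" -NoTypeInformation
$results | Format-Table -AutoSize
```

A "Failed" row with an error mentioning the domain or tenant usually means the directory-level collaboration restrictions (Phase 2) or the cross-tenant access settings (Phase 1) are blocking the invitation, which is the expected behaviour for anything outside the trusted partner.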
cross-tenant synchronization (m&a scenarios)
for mergers, acquisitions, or deep partnerships requiring ongoing user synchronization:
- cross-tenant synchronization setup
- identity → external identities → cross-tenant synchronization
- configure automatic user provisioning between tenants
- map user attributes and group memberships
- set up deprovisioning rules for when users leave
- benefits of cross-tenant sync
- automatic user lifecycle management
- real-time updates when users are added/removed
- maintains group memberships across tenants
- suitable for long-term organizational relationships
- license requirements
- microsoft entra id p1 licenses required for both tenants
- additional licensing may be required based on synchronized user count
self-service access via entitlement management
- configure access packages
- identity governance → entitlement management → access packages
- create package containing required sharepoint sites, groups, or applications
- set up approval workflows if required
- configure access review schedules
- external user self-service
- allow partner users to request access directly via myaccess portal
- automatic approval based on partner organization domain
- time-limited access with automatic expiration
- benefits
- reduces administrative overhead
- provides audit trail of access requests
- automatic access reviews and cleanup
step 5: share documents and sites
objective: grant specific access to sharepoint resources for guest users.
- share sharepoint sites
- navigate to target sharepoint site
- click share → site access → invite people
- add guest user (appears as user_partnerorg.com#ext#@yourtenant.com)
- assign appropriate permissions:
- edit: for active collaboration and co-authoring
- view: for read-only access to documents
- contribute: for adding content but not changing site structure
- click add
- share individual documents/folders
- in sharepoint or onedrive, select document/folder
- click share → people you specify
- add guest user email or select from directory
- set permission level and expiration date if needed
- add message and click send
- verify guest access
- guest users can access shared resources directly via sharepoint urls
- no additional “Anyone” links needed since external sharing is disabled
- all access is tracked and auditable through b2b guest accounts
phase 5: create dedicated collaboration workspace (optional but recommended)
step 4: set up dedicated collaboration space
- create team or sharepoint site
- in the tenant that will host primary content, create:
- microsoft teams team for ongoing collaboration, or
- sharepoint site collection for document-focused work
- add partner tenant users
- for teams: teams → manage team → add member → enter guest upn (e.g., [email protected])
- for sharepoint: site → share → enter guest email → set appropriate permissions
- guest acceptance process
- partner users receive invitation email
- they sign in using their home organization credentials
- mfa is honored through the established trust (no additional prompts)
phase 6: validation and testing
step 5: comprehensive end-to-end testing
technical validation tests
| test scenario | performer | expected result | validation points |
|---|---|---|---|
| cross-tenant authentication | partner user | seamless sign-in with trusted mfa | no additional mfa prompts, smooth sso |
| document co-authoring | both organizations | real-time editing in word/excel/powerpoint | simultaneous editing, version tracking |
| untrusted domain blocking | any user | “Your organization doesn’t allow sharing with this domain” error | confirms domain restrictions working |
| guest directory lookup | host organization | partner users appear in search when sharing | directory integration functioning |
| application access scope | partner user | access only to configured applications | proper application-level restrictions |
detailed user experience walkthrough
phase 1: invitation process (host organization)
- initiating invitation
- user navigates to sharepoint document/site
- clicks share → people you specify
- enters partner user email (e.g., [email protected])
- sets permission level and adds message
- clicks send
- system processing
- microsoft entra validates partner organization against cross-tenant access settings
- b2b invitation email is generated and sent
- guest account is created in host tenant directory
phase 2: invitation acceptance (partner organization)
- email reception
- partner user receives email titled “You’re invited to access applications at [Host Organization]”
- email contains accept invitation button and access instructions
- invitation redemption
- user clicks accept invitation
- redirected to microsoft sign-in page
- critical: user signs in with their home organization credentials (not a new account)
- trust settings ensure home organization mfa is honored
- first access experience
- user may see brief “Setting up your account” message
- redirected to originally shared resource
- future access uses seamless sso
phase 3: ongoing collaboration
- document access
- partner user can bookmark sharepoint sites for easy access
- appears in user’s “Recent” and “Shared with me” views
- real-time co-authoring works immediately
- permissions and limitations
- user can only access resources explicitly shared with them
- cannot browse tenant directory or access other sites
- governed by assigned permission levels (view, edit, contribute)
step 6: monitor initial usage
- review sign-in logs
- entra admin center → monitoring & health → sign-in logs
- filter by cross-tenant access type to monitor external user activities
- look for authentication failures or unusual patterns
- verify trust settings working
- confirm partner users aren’t prompted for additional MFA
- validate device trust is functioning (if enabled)
- check that sessions are seamless between applications
- monitor guest activity
- audit logs to track guest user invitations and redemptions
- sharepoint audit logs for document access and sharing activities
- set up alerts for suspicious cross-tenant activities
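The sign-in log review above, as a script that pulls recent B2B collaboration sign-ins and separates the two signals worth acting on: failures from the partner (MFA trust not applied on both sides) and external sign-ins from any tenant other than the partner (the default deny is not holding, or an older guest predates the lockdown). This is an added example, not part of the original post. It reads the `beta` signIn resource, where `crossTenantAccessType` and `homeTenantId` are exposed, filters server-side only on `createdDateTime` (the cross-tenant fields are filtered client-side), and treats `$partnerTenantId` as a placeholder. Sign-in logs require Entra ID P1/P2.

```powershell
# Added example: review cross-tenant sign-ins for failures and untrusted home tenants.
$partnerTenantId = "00000000-0000-0000-0000-000000000000"   # placeholder: partner tenant ID
$lookbackDays    = 1                                          # widen once daily volume is known

Connect-MgGraph -Scopes "AuditLog.Read.All", "Directory.Read.All"

$since  = (Get-Date).ToUniversalTime().AddDays(-$lookbackDays).ToString("yyyy-MM-ddTHH:mm:ssZ")
$filter = [uri]::EscapeDataString("createdDateTime ge $since")
$uri    = "https://graph.microsoft.com/beta/auditLogs/signIns?`$filter=$filter"

# follow @odata.nextLink so every page in the window is collected
$signIns = @()
do {
    $page     = Invoke-MgGraphRequest -Method GET -Uri $uri -OutputType PSObject
    $signIns += $page.value
    $uri      = $page.'@odata.nextLink'
} while ($uri)

# keep only external identities coming in through B2B collaboration
$b2b = $signIns | Where-Object { $_.crossTenantAccessType -eq 'b2bCollaboration' }

# one line per home tenant: volume, failures, and whether it is the trusted partner
$b2b | Group-Object homeTenantId | ForEach-Object {
    [pscustomobject]@{
        HomeTenant     = $_.Name
        SignIns        = $_.Count
        Failures       = @($_.Group | Where-Object { $_.status.errorCode -ne 0 }).Count
        TrustedPartner = ($_.Name -eq $partnerTenantId)
    }
} | Format-Table -AutoSize

# sign-ins from any other tenant deserve investigation: which guest, which app, and when
$b2b | Where-Object { $_.homeTenantId -ne $partnerTenantId } |
    Select-Object createdDateTime, userPrincipalName, homeTenantId, appDisplayName,
                  @{ n = "ErrorCode"; e = { $_.status.errorCode } } |
    Format-Table -AutoSize

# repeated failures from the partner, grouped by error code, point at a trust mismatch
$b2b | Where-Object { $_.homeTenantId -eq $partnerTenantId -and $_.status.errorCode -ne 0 } |
    Group-Object { $_.status.errorCode } | Select-Object Name, Count
```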
phase 7: security hardening and ongoing management
step 7: implement additional security controls
- conditional access for guests
- create conditional access policy scoped to directory roles = guest
- enforce additional controls if trust settings aren’t sufficient
- consider location-based restrictions if needed
- regular access reviews
- identity governance → access reviews
- set up quarterly reviews of guest user access
- automate removal of inactive guest accounts (recommend 90-day threshold)
- monitoring and alerting
- set up alerts for unusual external user activity
- monitor for failed cross-tenant authentication attempts
- track document sharing patterns for anomalies
step 8: establish governance framework
- user training and guidelines
- train users on proper external sharing procedures
- provide clear guidelines for document classification before sharing
- establish escalation procedures for access issues
- regular policy reviews
- quarterly review of cross-tenant access settings
- annual assessment of trust relationship necessity
- update policies based on security landscape changes
- documentation and compliance
- document the business justification for the trust relationship
- maintain audit trail of configuration changes
- ensure compliance with data governance policies
step 9: collaboration lifecycle management
- regular maintenance
- quarterly review of cross-tenant access settings
- monitor guest account usage and remove inactive accounts
- update trust relationships based on changing business needs
- end collaboration process
- when collaboration ends, remove partner organization from cross-tenant access settings
- revoke all guest account access immediately
- remove shared content or transfer ownership as appropriate
- document the closure for audit purposes
- emergency procedures
- have procedures ready for immediate trust relationship suspension
- know how to quickly revoke all external access if security incident occurs
- maintain incident response contact information for partner organization
advanced collaboration options and special considerations
microsoft teams shared channels alternative
for teams-focused collaboration, consider b2b direct connect instead of traditional b2b collaboration:
- configure b2b direct connect
- in cross-tenant access settings, configure b2b direct connect instead of b2b collaboration
- this allows shared channels without creating guest accounts
- users collaborate using their home organization identities
- benefits of direct connect
- no guest account lifecycle management required
- users maintain full home organization identity and compliance
- seamless teams experience with shared channels
cross-cloud scenarios
if organizations are in different microsoft clouds (e.g., commercial vs. gcc vs. gcc high):
- enable cross-cloud settings
- navigate to cross-tenant access settings → microsoft cloud settings
- configure appropriate cloud-to-cloud trust relationships
- verify compliance requirements for cross-cloud data sharing
- verify compatibility
- confirm both clouds support the required b2b features
- check any regulatory restrictions on cross-cloud collaboration
enhanced security measures
- implement sensitivity labels
- apply microsoft purview sensitivity labels to documents before sharing
- configure label policies to automatically protect sensitive content
- restrict external sharing based on sensitivity classification
- data loss prevention (dlp)
- create dlp policies specifically for cross-tenant sharing
- monitor and block inappropriate external sharing of sensitive data
- set up alerts for policy violations
- guest account lifecycle management
- implement automatic guest account expiration (30-90 days recommended)
- use identity governance → access reviews for periodic review
- set up automated removal of inactive guest accounts
- conditional access for guests
- create dedicated conditional access policies for directory roles = guest
- enforce additional security controls for external users
- consider location-based restrictions or specific device requirements
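The guest lifecycle rule above (expire or remove guests inactive for 90 days), implemented as a report that an access review can act on. This is an added example, not code from the original post. It lists guests with no sign-in inside the threshold, guests who never signed in, and invitations that were never redeemed; by default it only reports, and when `$disableStale` is set it disables rather than deletes, so an account can be re-enabled if the review disagrees. It assumes the Microsoft.Graph PowerShell module; the `signInActivity` property requires Entra ID P1/P2 and the `AuditLog.Read.All` scope.

```powershell
# Added example: find stale B2B guest accounts and optionally disable them.
$staleAfterDays = 90
$disableStale   = $false      # $true disables (does not delete) the accounts in the report

Connect-MgGraph -Scopes "User.ReadWrite.All", "AuditLog.Read.All"

$cutoff = (Get-Date).ToUniversalTime().AddDays(-$staleAfterDays)
$guests = Get-MgUser -Filter "userType eq 'Guest'" -All `
                     -Property Id, UserPrincipalName, Mail, CreatedDateTime, ExternalUserState, SignInActivity, AccountEnabled

$report = foreach ($g in $guests) {
    $lastSignIn = $g.SignInActivity.LastSignInDateTime
    $reason = if ($g.ExternalUserState -eq 'PendingAcceptance' -and $g.CreatedDateTime -lt $cutoff) {
                  "invitation never redeemed"
              } elseif (-not $lastSignIn -and $g.CreatedDateTime -lt $cutoff) {
                  "never signed in"
              } elseif ($lastSignIn -and $lastSignIn -lt $cutoff) {
                  "last sign-in $($lastSignIn.ToString('yyyy-MM-dd'))"
              }
    if ($reason) {
        [pscustomobject]@{
            Id                = $g.Id
            UserPrincipalName = $g.UserPrincipalName
            Mail              = $g.Mail
            Created           = $g.CreatedDateTime
            Enabled           = $g.AccountEnabled
            Reason            = $reason
        }
    }
}

$report | Sort-Object Created | Format-Table UserPrincipalName, Created, Enabled, Reason -AutoSize
$report | Export-Csv -Path "stale-guests.csv" -NoTypeInformation    # evidence for the access review

if ($disableStale) {
    foreach ($r in ($report | Where-Object Enabled)) {
        Update-MgUser -UserId $r.Id -AccountEnabled:$false
        "disabled $($r.UserPrincipalName): $($r.Reason)"
    }
}
```

Guests that were invited for Microsoft Teams shared channels via B2B direct connect will not appear here, since direct connect creates no guest object; that population is governed entirely by the cross-tenant access settings.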
troubleshooting common issues
| issue | likely cause | solution |
|---|---|---|
| guest invitations not received | email security filtering | check spam folders; whitelist partner domain in email security |
| “Access denied” errors | mismatched trust configurations | verify both organizations have identical trust settings configured |
| mfa re-prompting for guests | trust settings not enabled | confirm “Trust multifactor authentication” is enabled in both tenants |
| cannot find users when sharing | directory sync issues | verify guest users have been properly provisioned in target tenant |
| document co-authoring failures | application permissions missing | ensure office 365 apps are included in cross-tenant access settings |
security considerations summary
- principle of least privilege: only enable trust for applications and user groups that require collaboration
- data classification: implement sensitivity labels before enabling cross-tenant sharing
- legal and compliance: ensure trust relationship complies with data residency and privacy regulations
- regular auditing: implement continuous monitoring of cross-tenant activities
- incident response: have procedures ready for potential security incidents involving external users
technical reference: application ids and object ids
common microsoft application ids for cross-tenant access
when configuring granular application access, use these microsoft application ids:
| application | application id | purpose |
|---|---|---|
| office 365 sharepoint online | 00000003-0000-0ff1-ce00-000000000000 | document collaboration, sites, lists |
| microsoft teams | 1fec8e78-bce4-4aaf-ab1b-5451cc387264 | teams chat, meetings, shared channels |
| office 365 exchange online | 00000002-0000-0ff1-ce00-000000000000 | email, calendar, contacts |
| microsoft graph | 00000003-0000-0000-c000-000000000000 | api access for integrated applications |
| office 365 management apis | c5393580-f805-4401-95e8-94b7a6ef2fc2 | administrative and compliance apis |
finding additional application ids
```powershell
# connect to Microsoft Graph PowerShell
Connect-MgGraph -Scopes "Application.Read.All"
# list all service principals (applications) in your tenant; -All follows paging past the first page
Get-MgServicePrincipal -All | Select-Object DisplayName, AppId | Sort-Object DisplayName
# find a specific application by name; first-party apps are named "Office 365 ...", so match on a prefix
Get-MgServicePrincipal -Filter "startswith(displayName,'Office 365 SharePoint')" | Select-Object DisplayName, AppId
```
obtaining user object ids for granular control
in partner organization (to share with host organization):
```powershell
# connect to Azure AD
Connect-AzureAD
# get object id for a specific user
Get-AzureADUser -SearchString "[email protected]" | Select-Object ObjectId, DisplayName, UserPrincipalName
# get object ids for group members
Get-AzureADGroupMember -ObjectId "group-object-id" -All $true | Select-Object ObjectId, DisplayName, UserPrincipalName
# export to csv for sharing with the partner
Get-AzureADUser -Filter "department eq 'Marketing'" -All $true | Select-Object ObjectId, DisplayName, UserPrincipalName | Export-Csv -Path "partner-users.csv" -NoTypeInformation
```
conclusion
This configuration creates a secure, well-governed collaboration tunnel between two Microsoft Entra organizations while maintaining a complete lockdown of external sharing for all other domains. The trust relationship enables seamless document collaboration without compromising your organization’s security posture.
