Configure Cross-Tenant Access (B2B Direct Connect) for Teams Shared Channels
A practical guide for Microsoft Entra admins
Shared channels in Microsoft Teams let two organizations work together without tenant switching or guest accounts. The backbone is Microsoft Entra B2B direct connect. This post walks you through setup, policy choices, security guardrails, testing, and fixes.
What you’ll set up
- A cross-tenant relationship between your org and a partner org
- Inbound rules (their users → your resources)
- Outbound rules (your users → their resources)
- App scoping so Microsoft Teams is explicitly allowed
- Trust settings for MFA and device claims
- A clean pilot and troubleshooting plan
Prerequisites
- Role: Global Administrator or Security Administrator (both tenants)
- Details from partner: Primary domain (e.g., contoso.com) or Tenant ID (GUID)
- Licensing: Microsoft Entra ID + Teams licensing for users involved
- Decision points: Will you trust the partner’s MFA and device compliance?
Step 1 — Add the partner organization
- Go to https://entra.microsoft.com.
- External Identities → Cross-tenant access settings.
- Organizational settings → Add organization.
- Enter the partner domain or tenant ID, then Add.
- Confirm the org appears in the list.
Why this matters: This creates a relationship object you’ll customize for users, apps, and trust.

Step 2 — Configure Inbound (their users → your resources)
- Cross-tenant access settings → Organizational settings.
- Select the partner org → Inbound access.
- B2B direct connect → Customize settings.
Users and groups
- Choose Allow access.
- Start with Select [external] users and groups for a small pilot, or All [external] users and groups after validation.
Applications
- Choose Allow access → Select applications → Add Microsoft applications.
- Add Microsoft Teams (required).
- Optionally add Office 365 if your governance uses the suite app container.
- Save.
Trust settings (strongly recommended to decide now)
- Decide whether to trust partner MFA and device claims (compliant / hybrid-joined).
- If you trust them, your Conditional Access (CA) policies can treat those claims as satisfied.
- If you don’t, your CA policies will prompt for your own controls, which can hurt UX.

Conditional Access (your tenant)
- Ensure CA policies include B2B direct connect flows and don’t block Teams.
- Typical: require MFA (trust partner MFA), and optionally require compliant device (trust device claims).
- Exclude break-glass accounts.
Save your inbound configuration.
Step 3 — Configure Outbound (your users → partner’s resources)
- Cross-tenant access settings → Organizational settings.
- Partner org → Outbound access.
- B2B direct connect → Customize settings.
Users and groups
- Allow access → limit to a pilot group first, then expand.
Applications
- Allow access → Select applications → Add Microsoft applications → Microsoft Teams (and, if needed, Office 365).
- Save.
Trust settings
- Align with what the partner expects (they may choose to trust your MFA/device claims).
- Mismatched trust causes prompts and denials.
Save your outbound configuration.
Step 4 — Teams admin checks (both tenants)
- In Teams admin center:
  - Make sure Shared channels are enabled for the users who need them.
  - Verify external collaboration isn’t blocked for the partner domain.
- Confirm domain health in M365 (verified domains, no DNS issues).
Step 5 — Pilot the experience
- Have a channel owner in your tenant create a Shared channel in an existing Team.
- Share it with:
  - A partner user (UPN/email), or
  - A partner Team (if allowed and coordinated).
- Ask the partner user to open the channel in Teams (desktop/web).
- Validate:
  - Channel opens without repeated sign-ins.
  - Posts, mentions, notifications work.
  - Files open; SharePoint permissions reflect access.
  - Labels and DLP (if used) allow external collaboration.
Security & governance tips
- Least privilege: Pilot with a small external group.
- Trust with intent: Only trust partner MFA/device claims if you’ve reviewed their controls.
- Data stays home: Shared channel files live in the host tenant’s SharePoint site.
- Compliance: Use sensitivity labels that permit external collaboration. Keep DLP and retention in place.
- Audit: Check Entra sign-in logs and M365 audit for activity and anomalies.
Troubleshooting (quick hits)
| Symptom | Likely cause | Fix |
|---|---|---|
| Endless MFA prompts / “Access denied” | CA mismatch; trust not aligned | Align CA on both sides; enable Trust settings for MFA/device claims or adjust CA conditions to include B2B direct connect traffic. |
| User can’t find or open the shared channel | User scope or app scope too narrow | Ensure the specific external user/group is allowed; verify Microsoft Teams is in Applications for Inbound/Outbound. |
| Files won’t open | Label or SharePoint restrictions | Use a label that allows external collaboration; verify shared channel site permissions. |
| Works for some users, not others | Inbound/Outbound scopes differ between tenants | Mirror user/app scopes on both sides for the same people. |
Change control and rollback
- Document: tenant name, inbound/outbound scopes, trust flags, apps added, CA changes.
- Rollback options:
  - Switch B2B direct connect from Customize back to Inherited from default, or
  - Temporarily set Deny access for users/apps to halt collaboration.
Optional automation (Graph pointers)
Use a dev/test tenant first. Payloads vary; validate before production.
- Directory relationships: beta/tenantRelationships
- Cross-tenant access policy root: beta/policies/crossTenantAccessPolicy
- Per-partner config: beta/policies/crossTenantAccessPolicy/partners/{tenantId}
- Manage:
  - b2bDirectConnectInbound / b2bDirectConnectOutbound
  - usersAndGroups (allow lists)
  - applications (allowed app IDs; include Teams)
  - inboundTrust (mfa, compliantDevice, hybridAzureADJoinedDevice)
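A read-only check of one exported partner object against this guide's checklist, added here as an example (it is not code from the original post or from Microsoft). It assumes the Graph property names accessType, targets and the inboundTrust flags such as isMfaAccepted; audit_partner is a hypothetical helper, and every ID, including the Teams app ID, is a placeholder.

```python
import json

TEAMS_APP_ID = "TEAMS-APP-ID-PLACEHOLDER"  # placeholder: use the Teams app ID from your tenant
# Constructed sample of one partner object, shaped like a Graph response. All IDs are placeholders.
SAMPLE = json.loads("""
{
  "tenantId": "PARTNER-TENANT-ID-PLACEHOLDER",
  "inboundTrust": {"isMfaAccepted": true, "isCompliantDeviceAccepted": false},
  "b2bDirectConnectInbound": {
    "usersAndGroups": {"accessType": "allowed",
      "targets": [{"target": "PILOT-GROUP-ID-PLACEHOLDER", "targetType": "group"}]},
    "applications": {"accessType": "allowed",
      "targets": [{"target": "TEAMS-APP-ID-PLACEHOLDER", "targetType": "application"}]}},
  "b2bDirectConnectOutbound": {
    "usersAndGroups": {"accessType": "allowed",
      "targets": [{"target": "AllUsers", "targetType": "user"}]},
    "applications": {"accessType": "allowed",
      "targets": [{"target": "OTHER-APP-ID-PLACEHOLDER", "targetType": "application"}]}}
}
""")

def _scope(setting, key):
    """Return (accessType, set of target IDs) for usersAndGroups or applications."""
    cfg = setting.get(key) or {}
    return cfg.get("accessType"), {t["target"] for t in cfg.get("targets") or []}

def audit_partner(partner, teams_app_id, pilot=True):
    """List deviations from the guide's checklist for one partner object."""
    findings = []
    for direction in ("b2bDirectConnectInbound", "b2bDirectConnectOutbound"):
        setting = partner.get(direction)
        if not setting:
            findings.append(f"{direction}: not customized (inherits default)")
            continue
        access, users = _scope(setting, "usersAndGroups")
        if access != "allowed" or not users:
            findings.append(f"{direction}: no users or groups allowed")
        elif pilot and "AllUsers" in users:
            findings.append(f"{direction}: AllUsers allowed during pilot")
        access, apps = _scope(setting, "applications")
        if access != "allowed" or not apps & {teams_app_id, "AllApplications"}:
            findings.append(f"{direction}: Microsoft Teams not in allowed applications")
    if not partner.get("inboundTrust"):
        findings.append("inboundTrust: not set for this partner (inherits default)")
    return findings

if __name__ == "__main__":
    print("\n".join(audit_partner(SAMPLE, TEAMS_APP_ID)))
```

Run it on the partner object from each tenant; an empty list in both means user scope, app scope and trust were all set explicitly.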
FAQ
Do users need to switch tenants?
No. That’s the benefit of shared channels with B2B direct connect.
Do I still need guest accounts?
Not for shared channels using B2B direct connect.
Which applications must be allowed?
Microsoft Teams is required. Some orgs also add Office 365 to match their suite-level app controls.
Can I pilot with only a few partner users?
Yes. Use Select [external] users and groups in both Inbound and Outbound.
Quick checklist
- Partner org added under Organizational settings
- Inbound: Allowed users/groups; Microsoft Teams added; trust settings decided; CA aligned
- Outbound: Allowed users/groups; Microsoft Teams added; trust settings decided; CA aligned
- Teams shared channels enabled in both tenants
- Pilot user from partner can access channel and files
- Entra sign-in logs show successful B2B direct connect
Wrap-up
Set the relationship, scope the users and the Microsoft Teams app, decide trust, align Conditional Access, then pilot. With these steps, you enable secure, low-friction collaboration across tenants using Teams shared channels—without guest sprawl or tenant switching.


