What Cross-Tenant Access Settings Are and Why Licensing Matters
Microsoft Entra Cross-Tenant Access Settings (CTAS) are the control plane that governs how your Entra ID tenant interacts with other organisations' Entra tenants. They determine who from external organisations can be invited as B2B guests, what trust you extend to external users' MFA and device compliance claims, whether B2B Direct Connect is permitted, and — through Cross-Tenant Synchronisation — whether user accounts are automatically provisioned across tenant boundaries.
The licensing complexity arises because the basic configuration of Cross-Tenant Access Settings is free, but every meaningful advanced use case has premium licence requirements. The Entra licence tier determines whether you can enforce Conditional Access policies for external users, whether you can trust external MFA claims to avoid double-prompt friction, whether Access Reviews can assess the external user population, and whether Cross-Tenant Synchronisation is available for multi-tenant organisations.
Organisations that deploy Cross-Tenant Access Settings without understanding these licence dependencies often reach a feature wall — configuring settings that appear functional, discovering they do not work as expected, and learning mid-implementation that a licence uplift is required. Understanding the licence requirements upfront prevents this and positions the cross-tenant access capability correctly in your EA negotiation.
The hosting tenant rule: In most B2B collaboration scenarios, it is the hosting tenant (the organisation whose resources the external user accesses) that requires the premium licence — not necessarily the guest user's home tenant. If you are inviting partners to access your SharePoint, Teams, or Power Apps environments, your Entra ID licence determines what governance and security controls you can apply to those guests. The guest's home tenant licence is irrelevant to what you can enforce on access to your resources.
Cross-Tenant Access Features by Licence Tier
| Feature | Entra ID Free / M365 | Entra ID P1 | Entra ID P2 |
|---|---|---|---|
| Basic B2B guest invitation and redemption | Yes | Yes | Yes |
| B2B inbound/outbound default settings | Yes | Yes | Yes |
| Organisation-specific trust settings | Yes | Yes | Yes |
| Trust external MFA claims (avoid double MFA prompt) | Yes — configuration available | Yes | Yes |
| Trust external compliant device / Hybrid Azure AD Join claims | Yes — configuration available | Yes | Yes |
| Conditional Access policies applied to B2B guests | No — free CA only (limited) | Yes — full CA for external users | Yes |
| B2B Direct Connect (shared channels / Teams Connect) | Yes — configuration available | Yes — but CA for B2B Direct Connect users requires P1 | Yes |
| Access Reviews for external (guest) users | No | Yes | Yes — with ML-assisted recommendations |
| Cross-Tenant Synchronisation | No | Yes | Yes |
| Identity Protection signals for B2B users | No | No | Yes |
| Entitlement Management (automated access packages for externals) | No | No | Yes (Governance add-on) |
The Conditional Access Requirement for External Users
The most commercially significant licence dependency in cross-tenant access is Conditional Access policy application to external users. The scenarios where this matters are ubiquitous: requiring external collaborators to use MFA before accessing SharePoint sites containing sensitive data; requiring compliant devices for accessing Teams channels with confidential project information; blocking external access from specific geographic regions or risky sign-in conditions.
None of these controls are available without Entra ID P1 in the hosting tenant. The Entra Free / M365 licences include only basic Conditional Access (security defaults — all-or-nothing MFA) and the legacy per-user MFA capability. Neither allows the policy-based, conditional controls that security-conscious enterprises require for external collaboration. The implication is direct: if your organisation invites external collaborators to access resources protected by Conditional Access policies, every internal user who configures, manages, or is governed by those policies requires Entra ID P1 — and the cost of that licence requirement should be accounted for in the total cost of the cross-tenant collaboration programme.
B2B Direct Connect: Teams Shared Channels and Licensing
B2B Direct Connect is the technical mechanism that enables Microsoft Teams shared channels to operate across tenant boundaries — what Microsoft markets as "Teams Connect." Unlike standard B2B guest access (where an external user gets a guest account in the hosting tenant's directory), B2B Direct Connect authenticates external users directly from their home tenant without creating a guest account. This removes the administrative overhead of managing guest account lifecycles and enables a more seamless collaboration experience in Teams shared channels.
The licensing implications of B2B Direct Connect are multilateral — both the hosting organisation and the external organisation must configure their CTAS to permit B2B Direct Connect for the relationship to work. If either tenant's CTAS blocks B2B Direct Connect for the other's domain, the shared channel functionality is unavailable.
The B2B Direct Connect licence dependency for Teams shared channels: Configuring B2B Direct Connect in CTAS is free. However, applying Conditional Access policies to B2B Direct Connect users (those accessing your shared channels from external tenants) requires Entra ID P1. If your security policy requires CA enforcement for all external access — and B2B Direct Connect users access your Teams environment just as guests do — the CA policy requirement applies equally. Organisations that assume B2B Direct Connect bypasses security policy requirements are creating an uncontrolled access channel. See our guide to Microsoft 365 shared channels licensing for the full Teams Connect picture.
Cross-Tenant Synchronisation: The Multi-Tenant Organisation Use Case
Cross-Tenant Synchronisation (CTS) is a specific CTAS capability designed for multi-tenant organisations — enterprises that operate multiple Entra ID tenants as a result of acquisitions, geographic structure, or strategic architecture decisions. CTS automates the provisioning and de-provisioning of user accounts from one tenant to another, so that users in Tenant A can be represented as guest accounts in Tenant B without manual administration.
CTS requires Entra ID P1 licences in the tenant that is doing the outbound synchronisation (the source tenant). Users in the source tenant who are synchronised to the target tenant require P1 in the source. The target tenant's admin users who configure CTS also require P1. Entra Free is insufficient for CTS.
The commercial context for CTS licensing decisions is typically M&A integration or post-merger tenant consolidation. In these scenarios, the cost of CTS licences (P1 in the source tenant for synchronised users) must be compared against the alternative: full tenant merger, which has higher migration cost but eliminates the ongoing per-user P1 cost of maintaining cross-tenant identity. See our guide on Microsoft 365 tenant-to-tenant migration for the full cost comparison framework.
Trusting External MFA and Device Compliance
One of the most commercially useful — and frequently overlooked — features of Cross-Tenant Access Settings is the ability to trust external MFA claims and device compliance claims. Without trust settings, when an external user from Organisation B accesses resources in Organisation A, Organisation A's Conditional Access policies prompt the user for MFA again — even if they completed MFA in their home tenant moments before. This double-MFA friction degrades the external collaboration experience significantly.
By configuring outbound trust settings in CTAS — specifying that you trust MFA completed in a specific partner organisation's tenant — Organisation A accepts the external user's home-tenant MFA claim and does not re-prompt. This is purely a configuration change in CTAS and does not have an incremental licensing cost. However, it does require that your CA policies can distinguish between trusted and untrusted external users — which requires CA policy complexity that itself depends on Entra P1.
The same principle applies to device compliance trust. If your CA policy requires compliant devices for data access, and you want to extend that policy to external collaborators without requiring them to enrol their devices in your Intune — you can configure CTAS to trust the external tenant's device compliance claims. Again, this is a configuration capability available with appropriate CA licences, not an additional licence purchase.
Access Reviews for External Users
Access Reviews — the systematic, periodic review of who has access to which resources — are a governance requirement for most regulated enterprises. For external users (B2B guests and B2B Direct Connect users), Access Reviews are the mechanism to identify and remove stale access from accounts that should have been deprovisioned when the collaboration relationship ended.
Access Reviews for external users require Entra ID P1 at a minimum. With P1, reviewers manually assess whether each guest should retain access. With Entra ID P2, Access Reviews gain machine-learning-assisted recommendations — the system analyses guest activity patterns and recommends removal for guests who have been inactive for 30+ days, significantly reducing reviewer burden at scale. For the governance lifecycle of external identities, Entra P2 (or the Entra ID Governance add-on) is the appropriate investment where the external user population is large and active. See our guide to Entra ID Governance licensing for the full Access Reviews and lifecycle workflows picture.
Licensing Cost Scenarios for Cross-Tenant Access
The following scenarios represent the most common cross-tenant access implementations and their associated licence requirements in the hosting tenant.
| Scenario | Minimum Licence | Recommended Licence | Key Dependency |
|---|---|---|---|
| Basic B2B guest access to SharePoint/Teams (no CA policies) | Entra Free / M365 E3 | Entra P1 (for CA-based guest control) | No CA = no granular access control |
| B2B guest access with MFA enforcement via CA | Entra P1 | Entra P1 | All internal users managed by CA require P1 |
| Teams Connect (shared channels) with B2B Direct Connect | Entra Free (basic config) | Entra P1 (for CA enforcement on B2B DC users) | Both tenants must permit B2B Direct Connect in CTAS |
| External MFA/device trust configuration | Entra P1 (for CA trust policies) | Entra P1 | CA prerequisite for trust enforcement |
| Cross-Tenant Synchronisation (multi-tenant org) | Entra P1 (source tenant for sync'ed users) | Entra P1 | P1 required in source tenant for sync users |
| Access Reviews for guest lifecycle governance | Entra P1 | Entra P2 or Governance add-on | P2/Governance adds ML recommendations |
| Entitlement Management (automated access packages for external) | Entra P2 / Governance | Entra ID Governance | Governance add-on required, not P2 alone |
EA Negotiation Considerations
The most common EA negotiation error related to Entra cross-tenant access is over-purchasing Entra P1 or P2 tenant-wide when the cross-tenant access features require it only for a subset of users. The licence requirement for CA policies applies to users governed by those policies — not all users in the tenant. If you have 5,000 users and 800 of them are in security groups that govern external collaborator access, it is those 800 users (and any admins who configure the policies) who require P1 — not all 5,000.
The scoped deployment principle applies directly: audit your external collaboration programme, identify which internal users' access is governed by CA policies applied to external users, and licence those users at P1. Do not deploy P1 tenant-wide based on a cross-tenant access requirement that affects a fraction of your user population.
For Access Reviews, the same scoping principle applies: licence the access reviewers and the users being reviewed at P2, not the entire tenant. In a 5,000-user organisation with 300 external B2B guests and 50 periodic reviewers, the Access Review requirement is satisfied by P2 licences for those 350 individuals — not a 5,000-seat P2 deployment.
Get Microsoft Licensing Intelligence Weekly
Independent analysis on Entra, security licensing, and EA negotiation — direct to your inbox every week.
No spam. Unsubscribe at any time.
Frequently Asked Questions
Do external (guest) users need Entra P1 licences in the hosting tenant?
Guests do not consume Entra licences from the hosting tenant for basic B2B access — the 5:1 guest ratio for free-tier features applies under Entra Free. However, advanced features applied to external users — CA policies that govern their access, Access Reviews that assess their status, Identity Protection signals that evaluate their risk — are features of the hosting tenant's licence tier, not the guest's. The hosting tenant's Entra P1 or P2 licence enables those features for all users the tenant governs, including guests.
Can we trust external MFA without Entra P1?
The trust configuration in CTAS is technically available at any licence tier. However, the practical effect of trusting external MFA is that your CA policies relax the MFA re-prompt for trusted external users — and that policy-based behaviour requires CA policies, which require Entra P1 in the hosting tenant. Without P1, there are no granular CA policies to configure the trust behaviour. The trust setting exists in the admin console, but it only does anything meaningful when CA policies are present to act on the trust signal.
What is the difference between B2B guest access and B2B Direct Connect?
B2B guest access creates a guest object in the hosting tenant's directory for each external user. The guest has a user record, can be assigned to groups, appears in directory searches, and persists beyond any individual access session. B2B Direct Connect does not create a persistent guest object — the external user authenticates from their home tenant in real time for each session. The distinction matters for Teams shared channels: shared channels use B2B Direct Connect, so external participants do not appear as guests in your directory. For governance purposes, this means Access Reviews designed for guest users do not capture B2B Direct Connect users — a governance gap that requires CTAS-specific monitoring.
Reviewing your Entra licence position before your next EA renewal?
We scope Entra P1 and P2 requirements to the populations that actually need them — avoiding tenant-wide purchases for per-scenario requirements. 500+ engagements. $2.1B managed. 32% average cost reduction.
Book a Free Licensing ReviewMicrosoft Security Licensing Guide
Complete guide to Entra, Defender, Sentinel, and the E5 Security bundle — with right-sizing frameworks for every organisation type.
Download the guide →