Conditional Access at its very core is a collection of IF statements and decisions that allow you to control almost every aspect of identity security in your organisation. These controls can now cross your own tenant's boundary, both by applying to external users and by having their claims accepted in external tenants.
In this tutorial, I am going to show you how to target specific tenant IDs using Conditional Access to provide fine-grained control over different partner organisations.
Multitenant Organisations and Conditional Access
Multitenant organisations are collections of two or more Microsoft 365 tenants governed by cross-tenant synchronisation and access settings, including Conditional Access trust.
While inbound tenants can be configured to accept Conditional Access claims from partner tenants for controls such as requiring multi-factor authentication or device compliance, some tenants may need stronger requirements for compliance reasons, even when both tenants are owned by the same organisation. This problem is what we set out to solve in this blog post.
Further to this, more granular controls to specific resources can be applied to external member users with Conditional Access. One such example is the use of Authentication Contexts with more sensitive SharePoint sites, which I go into more detail on in my blog How To Apply Conditional Access Policies To Individual SharePoint Sites.
For more information on how Multitenant Organisations work and how to set them up, check out my blog post: How to Setup Multi-Tenant Organisation in Microsoft 365.
Target a specific tenant with Conditional Access
Conditional Access allows you to target specific tenants using the Tenant ID of the external tenant. This lets you enforce enhanced security requirements and controls for synchronised users in Multitenant organisations.
To target a specific tenant with Conditional Access follow the below steps:
1. Log in to Microsoft Entra, expand Protection and select Conditional Access > Policies > New policy
2. Select users and groups and select Guest or external users. From the drop-down list, select B2B collaboration member users.
Users synchronised through the Multitenant Organisation feature will appear to the partner organisation as Member users (not guest users). This enables them to have a seamless collaboration experience through Microsoft Teams.
3. Click on 0 Microsoft Entra organizations selected, then enter the ID of the target tenant and click Select.
The remainder of your Conditional Access policy settings can be completed as normal. I recommend for full coverage that you select All cloud apps from the target resources section of the policy wizard.
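The same policy can be created with Microsoft Graph PowerShell instead of the portal. The following is an added example, not code from the original post; it assumes the Microsoft.Graph.Identity.SignIns module is installed, and uses placeholders for the partner tenant ID and for the ID of the authentication strength that requires Microsoft Authenticator.

```powershell
# Added example (not from the original post): creates the tenant-targeted policy
# described in the steps above via Microsoft Graph PowerShell.
# Placeholders: '<partner-tenant-id>' is the external tenant's ID and
# '<authentication-strength-id>' is the authentication strength requiring Authenticator.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

$partnerTenantId = "<partner-tenant-id>"
$authStrengthId  = "<authentication-strength-id>"

$policy = @{
    displayName = "MTO - Require Authenticator for Tenant2 members"
    # Start in report-only mode so the impact can be reviewed in the sign-in logs
    # before anyone is blocked; change to 'enabled' once the results look right.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        applications = @{
            includeApplications = @("All")    # 'All cloud apps' in the portal wizard
        }
        users = @{
            # Scope only to B2B collaboration *member* users (the type created by
            # cross-tenant synchronisation) whose home tenant is the target tenant.
            includeGuestsOrExternalUsers = @{
                guestOrExternalUserTypes = "b2bCollaborationMember"
                externalTenants = @{
                    "@odata.type"  = "#microsoft.graph.conditionalAccessEnumeratedExternalTenants"
                    membershipKind = "enumerated"
                    members        = @($partnerTenantId)
                }
            }
        }
    }
    grantControls = @{
        operator               = "AND"
        authenticationStrength = @{ id = $authStrengthId }
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object Id, DisplayName, State
```

The enumerated external tenants block is what the portal's "Microsoft Entra organizations selected" picker writes; the same structure accepts several tenant IDs if more than one partner needs the stricter control.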
Testing tenant specific Conditional Access policies
To see the end user experience of being impacted by a cross-tenant conditional access policy, I have to set the scene. Currently, I have two Microsoft 365 tenants, Tenant1 and Tenant2. The user John Smith has been created in Tenant2, and he is also a member of Tenant1 through a multitenant organisation relationship. Conditional Access trust is configured to accept trust claims for both tenants.
A Conditional Access policy has been created in Tenant1 to target the ID of Tenant2. The policy requires the use of the Microsoft Authenticator app to be granted access to the target resources, which in this case is ‘all cloud apps’.
The user John Smith has signed in to Microsoft Teams using only SMS-based multifactor authentication. Once he is signed in, by selecting the display profile icon at the top right, he can switch to the partner tenant.
We can see from the orange warning triangle that a sign-in error has occurred on his synchronised access to the partner tenant.
Once John switches to the partner tenant, he immediately receives the following warning: “We weren’t able to connect. Sign in and we’ll try again”. He is then able to click the ‘Sign in’ button.
After John clicks ‘Sign in’ and completes his first-factor authentication, he is asked to complete the registration wizard for the Microsoft Authenticator app.
Identifying which users will be impacted by the conditional access policy
The goal of this policy is to target users who have been automatically provisioned using the Multitenant organisation features in Microsoft 365 and Microsoft Entra.
In the event that the source tenant or tenants are synchronising users via group memberships, it may be difficult to enumerate an exact list of synchronised users via the web portals.
Synchronised users can be identified in the destination tenant using several different filters with Microsoft Graph PowerShell. The UserPrincipalName will use the fall-back domain, and the mail address is unlikely to belong to any accepted domain in Exchange Online. However, the most reliable approach is to identify users with a CreationType of ‘Invitation’ and a UserType of ‘Member’. You can do this with the following filter query using Microsoft Graph PowerShell:
# OData operators are lowercase ('and'); -All returns every page of results
Get-MgBetaUser -All -Filter "creationType eq 'Invitation' and userType eq 'Member'"
You should then only receive an output of users that have been generated using Cross-tenant synchronisation as part of the multitenant organisation features in Microsoft 365.
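Because the policy targets a tenant ID rather than all synchronised users, it helps to know which home tenant each synchronised user came from. The following is an added example, not code from the original post: it runs the filter above and resolves each user's mail domain to a tenant ID through the public OpenID Connect discovery document (a heuristic, since it relies on the mail domain being verified in the home tenant). It assumes the Microsoft.Graph.Beta.Users module and User.Read.All consent.

```powershell
# Added example (not from the original post): list synchronised users and work out
# which of them belong to the tenant a Conditional Access policy targets.
Connect-MgGraph -Scopes "User.Read.All"

function Resolve-TenantId {
    param([Parameter(Mandatory)][string]$Domain)
    # The discovery document's issuer has the form
    # https://login.microsoftonline.com/<tenant-id>/v2.0
    $url = "https://login.microsoftonline.com/$Domain/v2.0/.well-known/openid-configuration"
    try {
        $cfg = Invoke-RestMethod -Uri $url -Method Get -ErrorAction Stop
        return ($cfg.issuer -split '/')[3]
    } catch {
        return $null    # domain is not verified in any Entra tenant
    }
}

# Same filter as in the post; -All avoids silently truncating at the first page
$synced = Get-MgBetaUser -All `
    -Filter "creationType eq 'Invitation' and userType eq 'Member'" `
    -Property Id, DisplayName, UserPrincipalName, Mail, CreationType, UserType

$cache  = @{}   # resolve each mail domain only once
$report = foreach ($u in $synced) {
    $domain = if ($u.Mail) { ($u.Mail -split '@')[-1].ToLower() } else { $null }
    if ($domain -and -not $cache.ContainsKey($domain)) {
        $cache[$domain] = Resolve-TenantId -Domain $domain
    }
    [pscustomobject]@{
        DisplayName       = $u.DisplayName
        UserPrincipalName = $u.UserPrincipalName
        Mail              = $u.Mail
        HomeTenantId      = if ($domain) { $cache[$domain] } else { $null }
    }
}

# Placeholder: the tenant ID the Conditional Access policy targets
$targetTenantId = "<partner-tenant-id>"
$report | Where-Object HomeTenantId -eq $targetTenantId | Format-Table -AutoSize
```

Users whose HomeTenantId does not resolve (no mail address, or a domain not verified anywhere) should be checked manually before the policy is switched from report-only to enforced.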
To install the Microsoft Graph PowerShell module, follow my guide: How To Install the Microsoft Graph PowerShell Module.
To learn how to use the -Filter parameter in detail, follow my guide: How to Use -Filter with Microsoft Graph PowerShell.