How to Target Specific Tenants with Conditional Access

Conditional Access at its very core is a collection of IF statements and decisions that allow you to control almost every aspect of identity security in your organisation. These controls can now cross the boundary of your organisation’s tenant: they can apply to external users, and their claims can be accepted by external tenants.

In this tutorial, I am going to show you how to target specific tenant IDs using Conditional Access to provide fine-grained control over different partner organisations.

Multitenant Organisations and Conditional Access

Multitenant organisations are collections of two or more Microsoft 365 tenants governed by cross-tenant synchronisation and access settings, including Conditional Access trust.

While it can be configured for inbound tenants to accept Conditional Access claims from partner tenants for controls such as requiring multi-factor authentication or device compliance, additional stronger requirements may be necessary on some tenants due to compliance, even while both tenants are owned by the same organisation. This problem is what we set out to solve in this blog post.

Further to this, more granular controls to specific resources can be applied to external member users with Conditional Access. One such example is the use of Authentication Contexts with more sensitive SharePoint sites, which I go into more detail on in my blog How To Apply Conditional Access Policies To Individual SharePoint Sites.

For more information on how Multitenant Organisations work and how to set them up, check out my blog post: How to Setup Multi-Tenant Organisation in Microsoft 365.

Target a specific tenant with Conditional Access

Conditional Access allows you to target specific tenants using the Tenant ID of the external tenant. This allows you to enforce enhanced security requirements and controls for synchronised users in Multitenant organisations.

To target a specific tenant with Conditional Access follow the below steps:

1. Log in to Microsoft Entra, expand Protection and select Conditional Access > Policies > New policy

New Conditional Access policy path

2. Select users and groups and select Guest or external users. From the drop-down list, select B2B collaboration member users.

Users synchronised through the Multitenant Organisation feature will appear to the partner organisation as Member users (not guest users). This enables them to have a seamless collaboration experience through Microsoft Teams.

B2B collaboration assign member users

3. Click on 0 Microsoft Entra organizations selected, then enter the ID of the target tenant and click Select.

Select the specific tenant

The remainder of your Conditional Access policy settings can be completed as normal. I recommend for full coverage that you select All cloud apps from the target resources section of the policy wizard.
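As an added example (not the author's code or screenshots), the same three steps can be scripted with Microsoft Graph PowerShell. The partner tenant ID and the authentication strength policy ID are placeholders to replace with your own values, and the policy is created in report-only mode so its impact can be reviewed in the sign-in logs before it is enforced.

```powershell
# Added example: create the tenant-scoped Conditional Access policy described
# above with Microsoft Graph PowerShell instead of the portal wizard.
# Placeholders (assumptions): $PartnerTenantId is the partner tenant's ID and
# $AuthStrengthId is an existing authentication strength policy in your tenant
# (for example one that only allows the Microsoft Authenticator app).
Import-Module Microsoft.Graph.Identity.SignIns

Connect-MgGraph -Scopes "Policy.Read.All", "Policy.ReadWrite.ConditionalAccess", "Application.Read.All"

$PartnerTenantId = "00000000-0000-0000-0000-000000000000"   # placeholder: Tenant2 ID
$AuthStrengthId  = "00000000-0000-0000-0000-000000000000"   # placeholder: authentication strength ID

$policy = @{
    displayName = "MTO - Partner tenant members require Authenticator"
    # Report-only first: check the sign-in logs for who would be affected before enforcing
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        clientAppTypes = @("all")
        applications   = @{ includeApplications = @("All") }   # "All cloud apps", as recommended above
        users          = @{
            includeGuestsOrExternalUsers = @{
                # Step 2: B2B collaboration member users (how synchronised MTO users appear)
                guestOrExternalUserTypes = "b2bCollaborationMember"
                externalTenants = @{
                    # Step 3: only the listed tenant, not every external tenant
                    "@odata.type"  = "#microsoft.graph.conditionalAccessEnumeratedExternalTenants"
                    membershipKind = "enumerated"
                    members        = @($PartnerTenantId)
                }
            }
        }
    }
    grantControls = @{
        operator               = "OR"
        authenticationStrength = @{ id = $AuthStrengthId }
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy

# Read the policy back as raw JSON and confirm the tenant scope is exactly what was intended
$raw = Invoke-MgGraphRequest -Method GET -Uri "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies/$($created.Id)"
$scope = $raw.conditions.users.includeGuestsOrExternalUsers
"$($scope.guestOrExternalUserTypes) from tenants: $($scope.externalTenants.members -join ', ')"
```

Once the report-only results look right, switch the state to "enabled" with Update-MgIdentityConditionalAccessPolicy.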

Testing tenant-specific Conditional Access policies

To see the end user experience of being impacted by a cross-tenant Conditional Access policy, I have to set the scene. Currently, I have two Microsoft 365 tenants, Tenant1 and Tenant2. The user John Smith has been created in Tenant2, and he is also a member of Tenant1 through a multitenant organisation relationship. Conditional Access trust is configured to accept trust claims for both tenants.

A Conditional Access policy has been created in Tenant1 to target the ID of Tenant2. The policy requires the use of the Microsoft Authenticator app to be granted access to the target resources, which in this case is ‘all cloud apps’. 

CA policy assignments
CA policy grant controls

The user John Smith has signed in to Microsoft Teams using only SMS-based multifactor authentication. Once he is signed in, by selecting the display profile icon at the top right, he can switch to the partner tenant.

We can see from the orange warning triangle that a sign-in error has occurred on his synchronised access to the partner tenant.

Switching tenant in Teams

Once John switches to the partner tenant, immediately he receives the following warning: “We weren’t able to connect. Sign in and we’ll try again”. He is then able to click the ‘Sign in’ button.

We weren't able to connect. Sign in and we'll try again

After John clicks ‘Sign in’ and completes his first-factor authentication, he is asked to complete the registration wizard for the Microsoft Authenticator app.

Microsoft Authenticator setup wizard

Identifying which users will be impacted by the Conditional Access policy

The goal of this policy is to target users who have been automatically provisioned using the Multitenant organisation features in Microsoft 365 and Microsoft Entra. 

In the event that the source tenant or tenants are synchronising users via group memberships, it may be difficult to enumerate an exact list of synchronised users via the web portals.

Synchronised users can be identified in the destination tenant using several different filters with Microsoft Graph PowerShell. Their UserPrincipalName will use the destination tenant's fallback domain, and their mail address is unlikely to match any accepted domain in Exchange Online. However, the most reliable approach is to identify users with a CreationType of ‘Invitation’ and a UserType of ‘Member’. You can do this with the following filter query using Microsoft Graph PowerShell:

Get-MgBetaUser -Filter "CreationType eq 'invitation' AND UserType eq 'member'"

You should then only receive an output of users that have been generated using Cross-tenant synchronisation as part of the multitenant organisation features in Microsoft 365.

Multitenant organisation filter with Get-MgBetaUser

To install the Microsoft Graph PowerShell module, follow my guide: How To Install the Microsoft Graph PowerShell Module.

To learn how to use the -Filter parameter in detail, follow my guide: How to Use -Filter with Microsoft Graph PowerShell.

Daniel Bradley

My name is Daniel Bradley and I work with Microsoft 365 and Azure as an Engineer and Consultant. I enjoy writing technical content for you and engaging with the community. All opinions are my own.
