
Entra ID

Azure AD: Cross-tenant Access Settings Clarity

With the release of Azure AD cross-tenant access settings, I’ve noted some confusion among folks as to what it is, and as importantly, what it isn’t.

I’ll also be covering B2B Direct Connect, because even though it’s a separate feature, its release coincided with that of cross-tenant access settings, and I see the two being lumped into the same set of preview features.

The Microsoft Docs article on this, Cross-tenant access overview – Azure AD | Microsoft Docs, is an excellent source of information. Along with that, we’ll dive into the background and use cases for this new suite of knobs and dials for our external identities.

Azure AD: The Arrival of Dynamic Administrative Units

Administrative units. The Azure AD sort-of equivalent of organizational units (OUs). For those less familiar, administrative units (AUs) allow Azure AD roles to be assigned at a scope narrower than the whole tenant: a role scoped to an AU only applies to the users, groups and devices inside it.

Organizations initially struggled with the limited ability to delegate granular RBAC roles in Azure AD, given the directory’s flat structure; especially those of us coming from an Active Directory background. When administrative units were introduced, they started to open the door for organizations that needed to delegate access over a subset of users in an Azure AD tenant.

The one catch with AUs that was a non-starter for many organizations: they weren’t dynamic. And while OUs are not dynamic in Active Directory either, it’s a different situation when the tenant is usually secondary to AD, which remains authoritative. Move a user in AD, and one would hope that the user’s location in Azure AD would follow. While there are some PowerShell scripts out there that feel very akin to those used for AD shadow groups, overall maintenance of AUs could prove cumbersome in dynamic organizations.

The struggle, however, is no more – administrative units now support dynamic user and device membership!
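As an added example (not code from the original post), the following Microsoft Graph PowerShell snippet creates a dynamic administrative unit and scopes a directory role to it, which is the delegation pattern the post is describing. The display name, the membership rule and the delegate's object ID are hypothetical placeholders; the role template ID used is the built-in User Administrator role.

```powershell
# Added example, not from the original post. Requires the Microsoft.Graph PowerShell SDK.
# Creates an AU whose membership is evaluated by the directory from a user attribute,
# then scopes a role assignment to that AU so the delegate can only act inside it.
Connect-MgGraph -Scopes "AdministrativeUnit.ReadWrite.All", "RoleManagement.ReadWrite.Directory"

# Hypothetical rule: every user whose department attribute is "Finance".
# Rule syntax is the same one used for dynamic groups.
$au = New-MgDirectoryAdministrativeUnit `
    -DisplayName "Finance (dynamic)" `
    -Description "Membership follows user.department; no manual add/remove" `
    -MembershipType "Dynamic" `
    -MembershipRule '(user.department -eq "Finance")' `
    -MembershipRuleProcessingState "On"

# Built-in User Administrator role template ID.
$userAdminTemplateId = "fe930be7-5e62-47db-91af-98c3a49a38b1"

# Hypothetical delegate; replace with the object ID of the admin being delegated to.
$delegateObjectId = "<delegate-user-object-id>"

# Scope the role to the AU. The directoryScopeId is what limits the assignment
# to AU members instead of the whole tenant ("/" would be tenant-wide).
New-MgRoleManagementDirectoryRoleAssignment `
    -RoleDefinitionId $userAdminTemplateId `
    -PrincipalId $delegateObjectId `
    -DirectoryScopeId "/administrativeUnits/$($au.Id)"

# Check: membership is populated by rule processing, not by this script.
# Shortly after creation the list may still be empty while the rule is evaluated.
Get-MgDirectoryAdministrativeUnitMember -AdministrativeUnitId $au.Id |
    Select-Object Id, @{ n = "Type"; e = { $_.AdditionalProperties["@odata.type"] } }
```

One caveat worth keeping in mind: with a dynamic AU the scope of the delegated role is now controlled by whoever can write the attribute the rule keys on. If that attribute is synchronized from on-premises AD, an on-premises write to it moves a user in or out of the delegate's scope, so the attribute should be treated as security-relevant and its write access reviewed accordingly.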