Network-25378: External collaboration is governed by explicit Cross-Tenant Access Policies #777
Pull request overview
This pull request adds a new assessment test (25378) to validate that external collaboration is governed by explicit Cross-Tenant Access Policies in Microsoft Entra ID. The test ensures that default outbound B2B collaboration settings block all users and all applications, requiring organizations to explicitly define cross-tenant access policies for external collaboration.
Changes:
- Adds Test-Assessment.25378.ps1 implementing the assessment logic for Cross-Tenant Access Policy validation
- Adds Test-Assessment.25378.md providing risk context and remediation guidance
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 6 comments.
| File | Description |
|---|---|
| src/powershell/tests/Test-Assessment.25378.ps1 | New PowerShell assessment test that validates Cross-Tenant Access Policy default outbound settings block all users and applications |
| src/powershell/tests/Test-Assessment.25378.md | Documentation explaining security risks of unrestricted B2B collaboration and remediation steps |
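The check the overview describes, as an added example that is not the PR's own test code: it evaluates a `crossTenantAccessPolicyConfigurationDefault` object (the property names `isServiceDefault`, `b2bCollaborationOutbound`, `usersAndGroups`, `applications`, `accessType`, `targets.target` follow the Graph resource the test reads) against the expected values from the summary table, on two constructed sample objects instead of a live Graph call. The function name `Test-OutboundB2BDefaultBlocked` is an assumption.

```powershell
# Added example, not code from the pull request. Evaluates one
# crossTenantAccessPolicyConfigurationDefault object the way test 25378 describes.
function Test-OutboundB2BDefaultBlocked {
    param([Parameter(Mandatory)] $PolicyDefault)

    $b2bOutbound = $PolicyDefault.b2bCollaborationOutbound

    # @() matters: member enumeration over a one-element targets list returns a
    # scalar string, and [0] on a string is its first character. @() also turns
    # $null into an empty array, so .Count and [0] are safe in every case.
    $userTargets = @($b2bOutbound.usersAndGroups.targets.target)
    $appTargets  = @($b2bOutbound.applications.targets.target)

    # Row name -> pass/fail, mirroring the summary table's Expected Value column.
    $checks = [ordered]@{
        'Is Service Default'           = (-not $PolicyDefault.isServiceDefault)
        'Users and Groups Access Type' = ($b2bOutbound.usersAndGroups.accessType -eq 'blocked')
        'Users and Groups Target'      = ($userTargets.Count -eq 1 -and $userTargets[0] -eq 'AllUsers')
        'Applications Access Type'     = ($b2bOutbound.applications.accessType -eq 'blocked')
        'Applications Target'          = ($appTargets.Count -eq 1 -and $appTargets[0] -eq 'AllApplications')
    }

    [pscustomobject]@{
        Passed   = -not ($checks.Values -contains $false)
        Failures = @($checks.GetEnumerator() | Where-Object { -not $_.Value } | ForEach-Object Key)
    }
}

# Constructed sample: tenant still on the service default (outbound B2B allowed for everyone).
$serviceDefault = [pscustomobject]@{
    isServiceDefault         = $true
    b2bCollaborationOutbound = [pscustomobject]@{
        usersAndGroups = [pscustomobject]@{ accessType = 'allowed'; targets = @([pscustomobject]@{ target = 'AllUsers'; targetType = 'user' }) }
        applications   = [pscustomobject]@{ accessType = 'allowed'; targets = @([pscustomobject]@{ target = 'AllApplications'; targetType = 'application' }) }
    }
}

# Constructed sample: explicit default that blocks all users and all applications,
# so partner access must come from organization-specific settings.
$hardened = [pscustomobject]@{
    isServiceDefault         = $false
    b2bCollaborationOutbound = [pscustomobject]@{
        usersAndGroups = [pscustomobject]@{ accessType = 'blocked'; targets = @([pscustomobject]@{ target = 'AllUsers'; targetType = 'user' }) }
        applications   = [pscustomobject]@{ accessType = 'blocked'; targets = @([pscustomobject]@{ target = 'AllApplications'; targetType = 'application' }) }
    }
}

Test-OutboundB2BDefaultBlocked $serviceDefault
Test-OutboundB2BDefaultBlocked $hardened
```

Against a real tenant the object would come from `GET /policies/crossTenantAccessPolicy/default`; the `Failures` list maps directly onto the rows the test's summary table marks as failing.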
| # Summary Section | ||
| $mdInfo += "`n## [Default Cross-Tenant Access Settings - Outbound B2B Collaboration]($portalLink)`n`n" | ||
| $mdInfo += "| Setting | Configured Value | Expected Value | Status |`n" | ||
| $mdInfo += "| :--- | :--- | :--- | :---: |`n" | ||
| $mdInfo += "| Is Service Default | $isServiceDefaultStr | false | $isServiceDefaultStatus |`n" | ||
| $mdInfo += "| Users and Groups Access Type | $usersAndGroupsAccessType | blocked | $usersAccessStatus |`n" | ||
| $mdInfo += "| Users and Groups Target | $($usersAndGroupsTargets[0]) | AllUsers | $usersTargetStatus |`n" | ||
| $mdInfo += "| Applications Access Type | $applicationsAccessType | blocked | $appsAccessStatus |`n" | ||
| $mdInfo += "| Applications Target | $($applicationsTargets[0]) | AllApplications | $appsTargetStatus |`n" |
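Review bot: The `$($usersAndGroupsTargets[0])` and `$($applicationsTargets[0])` expressions in the two Target rows also misbehave when the targets list holds exactly one entry: member enumeration over a one-element list in `$b2bOutbound.usersAndGroups.targets.target` returns a scalar string, and `[0]` on a string is its first character, so the Configured Value column would read `A` instead of `AllUsers`. Wrapping the assignment in `@(...)`, as in `$usersAndGroupsTargets = @($b2bOutbound.usersAndGroups.targets.target)`, covers both the empty and the single-target case without a separate guard.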
Copilot
AI
Jan 16, 2026
Accessing array index [0] directly could fail if the array is empty. While $usersAndGroupsTargets is initialized with @('N/A'), if it's reassigned on line 76 with an empty array from $b2bOutbound.usersAndGroups.targets.target, this would cause an index out of bounds error. Add a check or use a safer accessor pattern.
| # Summary Section | |
| $mdInfo += "`n## [Default Cross-Tenant Access Settings - Outbound B2B Collaboration]($portalLink)`n`n" | |
| $mdInfo += "| Setting | Configured Value | Expected Value | Status |`n" | |
| $mdInfo += "| :--- | :--- | :--- | :---: |`n" | |
| $mdInfo += "| Is Service Default | $isServiceDefaultStr | false | $isServiceDefaultStatus |`n" | |
| $mdInfo += "| Users and Groups Access Type | $usersAndGroupsAccessType | blocked | $usersAccessStatus |`n" | |
| $mdInfo += "| Users and Groups Target | $($usersAndGroupsTargets[0]) | AllUsers | $usersTargetStatus |`n" | |
| $mdInfo += "| Applications Access Type | $applicationsAccessType | blocked | $appsAccessStatus |`n" | |
| $mdInfo += "| Applications Target | $($applicationsTargets[0]) | AllApplications | $appsTargetStatus |`n" | |
| $usersAndGroupsTargetDisplay = if ($null -ne $usersAndGroupsTargets -and $usersAndGroupsTargets.Count -gt 0) { $usersAndGroupsTargets[0] } else { 'N/A' } | |
| $applicationsTargetDisplay = if ($null -ne $applicationsTargets -and $applicationsTargets.Count -gt 0) { $applicationsTargets[0] } else { 'N/A' } | |
| # Summary Section | |
| $mdInfo += "`n## [Default Cross-Tenant Access Settings - Outbound B2B Collaboration]($portalLink)`n`n" | |
| $mdInfo += "| Setting | Configured Value | Expected Value | Status |`n" | |
| $mdInfo += "| :--- | :--- | :--- | :---: |`n" | |
| $mdInfo += "| Is Service Default | $isServiceDefaultStr | false | $isServiceDefaultStatus |`n" | |
| $mdInfo += "| Users and Groups Access Type | $usersAndGroupsAccessType | blocked | $usersAccessStatus |`n" | |
| $mdInfo += "| Users and Groups Target | $usersAndGroupsTargetDisplay | AllUsers | $usersTargetStatus |`n" | |
| $mdInfo += "| Applications Access Type | $applicationsAccessType | blocked | $appsAccessStatus |`n" | |
| $mdInfo += "| Applications Target | $applicationsTargetDisplay | AllApplications | $appsTargetStatus |`n" |
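Review bot: The suggested guard only changes what the Configured Value column shows; it leaves `$usersTargetStatus` and `$appsTargetStatus` as they were, so an empty targets list could print `N/A` in the same row as a status computed elsewhere. Confirm that both status values are derived from the same normalized value (for example `$usersAndGroupsTargetDisplay -eq 'AllUsers'`), so an empty or unexpected target is reported as a failing row rather than hidden behind the display fallback.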
| $mdInfo += "| Users and Groups Access Type | $usersAndGroupsAccessType | blocked | $usersAccessStatus |`n" | ||
| $mdInfo += "| Users and Groups Target | $($usersAndGroupsTargets[0]) | AllUsers | $usersTargetStatus |`n" | ||
| $mdInfo += "| Applications Access Type | $applicationsAccessType | blocked | $appsAccessStatus |`n" | ||
| $mdInfo += "| Applications Target | $($applicationsTargets[0]) | AllApplications | $appsTargetStatus |`n" |
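Review bot: This block repeats the Summary Section rows from the first hunk verbatim, and the two Copilot comments point at two separate reassignments (line 76 and line 86), so the same table is built in two code paths and every fix, including the `[0]` guard, has to be applied twice. Build the table once, after the branch that sets `$usersAndGroupsTargets` and `$applicationsTargets`, so the two copies cannot drift apart.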
Copilot
AI
Jan 16, 2026
Similar to line 140, accessing array index [0] directly could fail if the array becomes empty after reassignment on line 86. Add a check or use a safer accessor pattern to prevent potential index out of bounds errors.
| - [Use the cross-tenant access activity workbook to identify current external collaboration patterns before blocking default access:]( https://learn.microsoft.com/en-us/entra/identity/monitoring-health/workbook-cross-tenant-access-activity) | ||
| - [Configure default outbound B2B collaboration settings to block access in the Microsoft Entra admin center:]( https://learn.microsoft.com/en-us/entra/external-id/cross-tenant-access-settings-b2b-collaboration#modify-outbound-access-settings) | ||
| - [Add organization-specific settings for approved partner tenants that require B2B collaboration:]( https://learn.microsoft.com/en-us/entra/external-id/cross-tenant-access-settings-b2b-collaboration#add-an-organization) | ||
| - [Update default cross-tenant access policy via Microsoft Graph API:]( https://learn.microsoft.com/en-us/graph/api/crosstenantaccesspolicyconfigurationdefault-update) |
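Review bot: Besides the stray space before `https://` that Copilot flags, each link text carries its trailing colon inside the brackets (`...before blocking default access:](`), so every rendered link ends in a colon. Drop the colon, or move it outside the closing `]`, so the link text reads as a plain remediation step.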
Copilot
AI
Jan 16, 2026
There is an extra space between the closing bracket and opening parenthesis in the markdown link syntax. It should be ](https:// not ]( https:// to ensure the link renders correctly.
| - [Use the cross-tenant access activity workbook to identify current external collaboration patterns before blocking default access:]( https://learn.microsoft.com/en-us/entra/identity/monitoring-health/workbook-cross-tenant-access-activity) | |
| - [Configure default outbound B2B collaboration settings to block access in the Microsoft Entra admin center:]( https://learn.microsoft.com/en-us/entra/external-id/cross-tenant-access-settings-b2b-collaboration#modify-outbound-access-settings) | |
| - [Add organization-specific settings for approved partner tenants that require B2B collaboration:]( https://learn.microsoft.com/en-us/entra/external-id/cross-tenant-access-settings-b2b-collaboration#add-an-organization) | |
| - [Update default cross-tenant access policy via Microsoft Graph API:]( https://learn.microsoft.com/en-us/graph/api/crosstenantaccesspolicyconfigurationdefault-update) | |
| - [Use the cross-tenant access activity workbook to identify current external collaboration patterns before blocking default access:](https://learn.microsoft.com/en-us/entra/identity/monitoring-health/workbook-cross-tenant-access-activity) | |
| - [Configure default outbound B2B collaboration settings to block access in the Microsoft Entra admin center:](https://learn.microsoft.com/en-us/entra/external-id/cross-tenant-access-settings-b2b-collaboration#modify-outbound-access-settings) | |
| - [Add organization-specific settings for approved partner tenants that require B2B collaboration:](https://learn.microsoft.com/en-us/entra/external-id/cross-tenant-access-settings-b2b-collaboration#add-an-organization) | |
| - [Update default cross-tenant access policy via Microsoft Graph API:](https://learn.microsoft.com/en-us/graph/api/crosstenantaccesspolicyconfigurationdefault-update) |