As a Managing Architect with Summit 7, I have helped hundreds of customers navigate their transition to Microsoft 365 GCC High, supporting content migrations, information architecture design, and implementing governance/security controls to accommodate unique compliance requirements. During this time, one of the biggest issues I have heard clients express frustration about is the set of limitations relating to business-to-business (B2B) collaboration in GCC High.
As customers get acclimated to the GCC High platform, B2B external collaboration (inviting guest users to collaborate in SharePoint Online or Teams) has been a recurring source of frustration given platform limitations historically:
- Until ~Q4 2021, B2B guest support in the GCC High platform simply wasn’t supported, leading to complex workarounds and unnecessary administrator overhead to accommodate guest collaboration.
- Once support for B2B guest access in GCC High became available in ~Q4 2021, it was considerably limited as invitations could only be extended to guest users residing in the “same cloud” (e.g., GCC High to GCC High).
In recent months, significant advancements in B2B collaboration capabilities have been made, allowing customers to take far greater advantage of cross-tenant collaboration, even in Government M365 platforms. However, this leads to a critical question: how can I collaborate with external parties without jeopardizing my organization’s compliance posture?
On one side, there’s pressure to meet regulatory compliance requirements to safeguard sensitive data, while on the other, advancements in efficiency are essential for your business to stay competitive in today’s modern workplace.
In this article, we will:
- Explore new capabilities within the Microsoft 365 GCC High platform as it relates to cross-tenant collaboration and business-to-business (B2B) guest access.
- Walk through common industry use cases for cross-tenant collaboration.
- Discuss how to strike an appropriate balance between security and efficiency – focusing on the key compliance and governance considerations that must be addressed to ensure success.
What’s New in Cross-Tenant Collaboration / B2B Guest Access?
Within Microsoft Entra (the artist formerly known as Azure AD), B2B collaboration provides a mechanism to invite guest users to collaborate within your organization. Using a simple invitation and redemption process, partners (suppliers, subcontractors, etc.) can access your company's resources using their own credentials, so you never issue or manage a password for them.
With the recent release of Cross-Cloud B2B (~Q1 2023 GA release), both inbound and outbound support for guest users is now possible from GCC High regardless of where users are invited from, even in cross-cloud scenarios. Today, a guest user can be invited from several different invitation sources:
- GCC High to GCC High
- GCC High to Commercial / GCC
- GCC High to Google Workspace
In tandem with cross-cloud B2B, Microsoft has also released new governance controls for Entra External Identities in a new feature called Cross-Tenant Access Settings (~Q4 2022 GA release). Cross-Tenant Access Settings (CTAS) is especially valuable when securing sensitive data as it provides administrators with granular controls to allow, deny, or restrict inbound and outbound B2B access on an organization-by-organization basis (by Tenant ID).
Most recently, Microsoft has launched support for Teams Cross-Cloud Guest Access (TCCGA) – bringing guest users into the collaboration context most used by organizations today. Until this release, guests who were “bridging clouds” (e.g., a guest user residing in a Commercial tenant being invited to collaborate within a GCC High tenant) were limited to site, folder, or file based collaboration experience in SharePoint Online or OneDrive for Business.
Now, guests can simply be invited as a member of a Teams/Microsoft 365 Group and participate in threaded chat in addition to document-based collaboration.
Cross-Tenant Collaboration – More Than Just B2B
Before moving on to discuss compliance considerations, it’s important to clarify that cross-tenant collaboration amongst partner organizations (sister companies, subcontractors, suppliers, etc.) is not limited to just B2B guest access. It’s possible to collaborate across tenant boundaries in other ways. For example:
- External (federated) access – a way for Microsoft Teams users to call, chat (1:1), and set up meetings with users who reside within other organizations via Microsoft Teams.
- In the example screenshot, Dwight is chatting from his GCC High tenant with Ellen, who resides within a Commercial tenant. Neither is a guest in the other's tenant, but they can still collaborate via Teams chat.
- Free/busy calendar sharing – allowing Exchange Online calendar information to be shared bi-directionally between partner organizations (e.g., subcontractors, suppliers, etc.). This helps meeting organizers find availability for attendees, even for users who reside across different tenants.
These feature-sets, in tandem with the recent B2B innovations, round out a comprehensive story for facilitating seamless partner relationships and reducing friction internally for multi-tenant organizations.
Industry Use Cases
So how are other businesses utilizing these capabilities within the defense industrial base (DIB)? Here are the scenarios we're seeing most often today:
- Parent or sister company collaboration
- Merger & acquisition support
- External collaboration with vendors, subcontractors, customers, etc.
Scenario #1 – Parent or Sister Company Collaboration
Due to compliance requirements concerning controlled unclassified information (CUI), export-controlled data, etc., it’s common for a division or subset of an organization to reside and work within a secure enclave utilizing Azure Government & GCC High Microsoft 365.
However, independent of that secure enclave and federal/DoD practice, your organization also may operate within a Commercial, GCC, or Multi-Geo Microsoft 365 and need to collaborate effectively across multiple clouds as a multi-tenant organization.
For example, through the use of cross-cloud B2B, a subject-matter-expert from your parent company can gain access to GCC High to support an upcoming business development or proposal effort.
Similarly, users within your organization who might be “homed” in GCC High can reach back into your organization’s Commercial tenant to access content published out to all employees (e.g., HR benefits, open-enrollment information, etc.).
Scenario #2 – Merger & Acquisition Support
Similar to the first scenario, this organization has compliance requirements concerning CUI and export-controlled data which necessitate their use of Azure Government & GCC High Microsoft 365.
However, in this case, internal collaboration has become complex – spanning multiple Commercial, GCC High, or Non-MS clouds due to rapid organization growth and recent business acquisitions or mergers which haven’t been fully consolidated yet.
Here, users homed within a newly acquired company tenant can be provided greater collaboration opportunities by:
- Being invited as Guests (B2B) to collaborate within existing Sites & Teams
- Use of 1:1 Chat between tenant(s)
- Seamless meeting coordination via free/busy calendar sharing between tenant(s)
Again, the value here is that new team members can begin collaborating immediately upon acquisition while you prepare to consolidate IT infrastructure, execute migrations, etc.
Scenario #3 – External Collaboration
In this final scenario, our organization operates within GCC High but has partners it needs to collaborate with who reside both in Commercial M365 (Cross-Cloud) and outside the Microsoft ecosystem (e.g., Google Workspace).
Through cross-cloud B2B, collaboration with partner organizations (supplier, subcontractor, etc.) can take place within the GCC High tenant via SharePoint Online or Microsoft Teams.
Similarly, users who are homed in GCC High can gain access to partner organizations for collaboration as guests themselves within other tenants/cloud systems.
Note: When bridging cloud boundaries (e.g., GCC High to Commercial), tenant configurations are required within both tenants, like a "handshake" between partners: each tenant must enable the other's cloud in its Microsoft cloud settings and add the other's Tenant ID under its cross-tenant access organizational settings before invitations will redeem.
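The following is an added example, not configuration from the article or from Summit 7's product, showing what the GCC High side of that "handshake" (and the Cross-Tenant Access Settings described earlier) looks like when driven through Microsoft Graph PowerShell. The partner Tenant ID, the two group object IDs and the USGov Graph endpoint are placeholders/assumptions; the partner's Commercial tenant must mirror these steps, enabling the `microsoftonline.us` cloud endpoint and adding your Tenant ID on their side.

```powershell
# Added example (not from the article). Run from the GCC High tenant as a Global
# or Security Administrator with the Microsoft.Graph PowerShell SDK installed.
# GCC High authenticates against the US Government cloud, so the SDK must be
# pointed at that environment rather than the default commercial endpoints.
Connect-MgGraph -Environment USGov -Scopes 'Policy.ReadWrite.CrossTenantAccess'

$graph           = 'https://graph.microsoft.us/v1.0'                 # assumption: USGov Graph endpoint
$partnerTenantId = '00000000-0000-0000-0000-000000000000'            # placeholder: partner's Commercial tenant ID
$partnerGroupId  = '11111111-1111-1111-1111-111111111111'            # placeholder: group in the PARTNER tenant allowed inbound
$ourGroupId      = '22222222-2222-2222-2222-222222222222'            # placeholder: group in OUR tenant allowed outbound

# Step 1 - Microsoft cloud settings: allow B2B with the Commercial cloud at all.
# Note that PATCH replaces the whole collection, so include every cloud you need.
$cloudSettings = @{ allowedCloudEndpoints = @('microsoftonline.com') } | ConvertTo-Json
Invoke-MgGraphRequest -Method PATCH -Uri "$graph/policies/crossTenantAccessPolicy" `
    -Body $cloudSettings -ContentType 'application/json'

# Step 2 - Organizational settings for this one partner (by Tenant ID).
# Inbound: only members of a named partner-side group may be invited as guests,
#          and only to the applications you list (AllApplications here).
# Outbound: only a designated group of our own users may accept guest invitations
#           from this partner. Everyone else stays inside the compliance boundary.
# Inbound trust: accept MFA performed in the partner's home tenant so guests are
#           challenged by a real second factor rather than an email OTP; the device
#           trust options are deliberately left false (assumption: verify cross-cloud
#           support for each trust setting in your own environment before enabling).
$partner = @{
    tenantId = $partnerTenantId
    b2bCollaborationInbound = @{
        usersAndGroups = @{
            accessType = 'allowed'
            targets    = @(@{ target = $partnerGroupId; targetType = 'group' })
        }
        applications = @{
            accessType = 'allowed'
            targets    = @(@{ target = 'AllApplications'; targetType = 'application' })
        }
    }
    b2bCollaborationOutbound = @{
        usersAndGroups = @{
            accessType = 'allowed'
            targets    = @(@{ target = $ourGroupId; targetType = 'group' })
        }
        applications = @{
            accessType = 'allowed'
            targets    = @(@{ target = 'AllApplications'; targetType = 'application' })
        }
    }
    inboundTrust = @{
        isMfaAccepted                       = $true
        isCompliantDeviceAccepted           = $false
        isHybridAzureADJoinedDeviceAccepted = $false
    }
}
Invoke-MgGraphRequest -Method POST -Uri "$graph/policies/crossTenantAccessPolicy/partners" `
    -Body ($partner | ConvertTo-Json -Depth 10) -ContentType 'application/json'

# Step 3 - Read back what was written; the partner will not appear as "working"
# until their tenant has completed the mirror-image configuration.
Invoke-MgGraphRequest -Method GET -Uri "$graph/policies/crossTenantAccessPolicy/partners/$partnerTenantId"
```

The point to check afterwards is the default policy: if your tenant-wide defaults still allow inbound B2B from all users and all applications, the per-partner allow lists above add nothing for every other tenant on the internet. Tighten `policies/crossTenantAccessPolicy/default` to `blocked` first, then open specific partners as shown.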
Going Slow to Go Fast
As can be seen from the updates we’ve shared, external collaboration continues to mature in respect to both collaboration capabilities and platform governance.
As the examples above show, the efficiencies gained from B2B and cross-tenant collaboration can genuinely change day-to-day workflows for your workforce. However, those efficiencies only hold as long as nothing goes wrong.
To safeguard against setbacks (e.g., audit failure, loss of sensitive data, damage to your business's reputation, etc.), it is critical that your implementation goes slow to go fast.
Slowness here means deliberation. When you act deliberately, you position your organization to find an effective balance between security and efficiency while still ensuring all compliance requirements are met.
Slowness here could involve:
- Taking time to understand the technology, its limitations, and where mistakes could be made prior to adoption and rollout across your organization.
- Understanding your compliance requirements and how collaboration within your compliance boundary with guests could impact that posture.
- Recognizing where you might have gaps in knowledge or subject-matter-expertise and involving a trusted partner to minimize mistakes.
With that being said, what are some more practical examples of what “going slow to go fast” might look like in this context for organizations in the DoD supply chain focused on protecting CUI and export controlled/ITAR data? Let’s take a look.
Compliance Considerations & Defense-in-Depth
Most incidents of data spillage or security breach involve a human element: insider threats, social engineering, or plain human error. Notice a trend here? Your people, and the guests you invite, are your organization's greatest security risk.
With that in mind, the tenant configurations and governance controls implemented in support of external collaboration need to not only meet minimal compliance requirements but utilize additional best-practice defense-in-depth layers to protect sensitive data.
Here are some questions to consider as you look ahead at your own implementation:
- Is multi-factor authentication (MFA) being enforced upon guest users in your tenant? NIST's identification and authentication control family defines MFA as a combination of two or more of the following:
- Something you know (e.g., password)
- Something you have (e.g., physical token, mobile device, etc.)
- Something you are (e.g., biometric like a fingerprint)
- Pro Tip: Beware of security theater with Microsoft's email one-time passcode (OTP) authentication. An emailed code only proves control of a mailbox, so on its own it is a single factor, not true multi-factor authentication. Require MFA for guests through Conditional Access, and use cross-tenant access inbound trust settings where you want to honor MFA performed in a partner's home tenant.
- How are you governing what data guest users can access?
- Are you limiting which users can share content with guests?
- Are you utilizing feature-sets like Microsoft Purview Information Protection (MPIP) to control whether guests are allowed or disallowed within each unique site or workspace?
- Do you have data-level protections in place for labeled content?
- Are you controlling a guest user’s ability to download content?
- Do you have systems in place to augment/automate your guest user lifecycle? E.g., access reviews, access renewal, expiration, and automated removal of guests who never redeemed their invitation or have gone inactive.
- Are you actively monitoring guest user behavior? For example:
- Guest user invitations sent vs. redemptions.
- Content shared with guests.
- Guest user download and collaboration activities.
- How are partner organizations/users being vetted prior to access within your tenant? E.g., NDAs, citizenship verification, background checks, etc.
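As an added example (not a script from the article or from Summit 7's product), here is a guest-governance check that answers three of the questions above from the GCC High side: invitations sent vs. redeemed, stale never-redeemed invitations that should be cleaned up, and whether any enabled Conditional Access policy actually requires MFA for guests. The 30-day threshold and the USGov environment setting are assumptions to adapt to your own policy.

```powershell
# Added example (not from the article). Requires the Microsoft.Graph PowerShell SDK.
# Read-only scopes are sufficient for the checks; the removal step is left commented out.
Connect-MgGraph -Environment USGov -Scopes 'User.Read.All', 'Policy.Read.All'

$staleAfterDays = 30   # assumption: invitations unredeemed for longer than this are removal candidates

# 1. Invitations sent vs. redeemed.
#    Every guest object records its redemption state (PendingAcceptance / Accepted),
#    so the directory itself is the source of truth rather than a separate log.
$guests = Get-MgUser -All -Filter "userType eq 'Guest'" `
    -Property id,displayName,mail,createdDateTime,externalUserState,externalUserStateChangeDateTime

Write-Host "Guest invitation status:"
$guests | Group-Object -Property ExternalUserState |
    Select-Object @{ n = 'State'; e = { if ($_.Name) { $_.Name } else { '(unknown)' } } }, Count |
    Format-Table -AutoSize

# 2. Stale invitations: created before the cutoff and still never redeemed.
#    A guest object that was never redeemed is a standing, unowned entry point.
$cutoff = (Get-Date).AddDays(-$staleAfterDays)
$stale = $guests | Where-Object {
    $_.ExternalUserState -eq 'PendingAcceptance' -and $_.CreatedDateTime -lt $cutoff
}
Write-Host "Unredeemed invitations older than $staleAfterDays days: $($stale.Count)"
$stale | Select-Object DisplayName, Mail, CreatedDateTime | Format-Table -AutoSize

# Review the list first; uncomment to remove the stale guest objects.
# $stale | ForEach-Object { Remove-MgUser -UserId $_.Id }

# 3. Is MFA actually enforced on guests?
#    A qualifying policy is enabled, grants 'mfa', and scopes guests either via the
#    legacy 'GuestsOrExternalUsers' include or the newer guest/external-user block.
$caPolicies = Get-MgIdentityConditionalAccessPolicy -All
$guestMfa = $caPolicies | Where-Object {
    $_.State -eq 'enabled' -and
    $_.GrantControls.BuiltInControls -contains 'mfa' -and
    ( $_.Conditions.Users.IncludeUsers -contains 'GuestsOrExternalUsers' -or
      $_.Conditions.Users.IncludeGuestsOrExternalUsers.GuestOrExternalUserTypes )
}
if ($guestMfa) {
    Write-Host "Conditional Access policies requiring MFA for guests:"
    $guestMfa | Select-Object DisplayName, State | Format-Table -AutoSize
} else {
    Write-Warning 'No enabled Conditional Access policy requires MFA for guests; email OTP alone is not MFA.'
}
```

For the "content shared with guests" and download questions, the same review should pull sharing and file-access operations from the unified audit log (Exchange Online's Search-UnifiedAuditLog, or the Purview audit search) filtered to guest UPNs; the directory checks above tell you who can get in, while the audit log tells you what they did once inside.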
Regardless of the security and compliance controls implemented in support of cross-tenant collaboration, it’s important to note that these configurations will not absolve your organization from its responsibilities to protect data from non-compliant parties. Remember, guests are accessing your tenant from an endpoint which you don’t control.
As you work to build out your collaborative architecture, it is recommended that you consult legal counsel and consider the use of signed agreements between external parties prior to permitting cross-tenant collaboration.
Summit 7’s B2B Collaboration Solution
Following this slow-to-fast methodology, our team at Summit 7 has been hard at work refining a new product offering to meet our customers' external collaboration needs while ensuring the use of these new feature-sets doesn't place an organization's compliance posture at risk.
I am excited to share that Summit 7's Cross-Tenant Collaboration / B2B product is now generally available and built in alignment with CMMC 2.0 Level 2 requirements. Our team is eager to see the business transformation this solution can foster and has already heard great feedback from our early adopters! If you would like to partner with Summit 7 on your implementation of cross-tenant collaboration / B2B, please fill out the form below and our team will reach out to you shortly.