| B2B collaboration | Controls whether selected external users/groups can access selected internal applications and whether your users can access partner resources. | Creates or uses guest representations; invitation, guest permissions, app authorization, and lifecycle remain separate. | Tenant and object IDs, inbound/outbound scope, guest state, app assignment, Conditional Access, sign-in, and removal. |
| B2B direct connect | Provides mutual cross-tenant access for supported experiences such as Teams shared channels without conventional guest creation. | Both organizations must enable access; Microsoft initially blocks inbound and outbound direct connect by default. | Mutual partner confirmation, shared-channel owner, users/groups, app scope, trust claims, sign-in, channel, and offboarding. |
| Inbound trust | Lets the resource tenant accept MFA, compliant-device, or hybrid-joined-device claims from the external user’s home tenant. | Trusting a claim does not copy or validate the partner’s policy design, operational quality, or device-management standard. | Claim type, partner assurance, contract, Conditional Access result, device/authentication detail, exception, and reassessment date. |
| Cross-tenant synchronization | Automates one-way creation, update, and deletion of B2B collaboration users across tenants. | Synchronization is provisioning, not permission or security-policy equivalence; source scope and attributes control downstream identities. | Source/target configuration, scope/filter, attributes, automatic redemption, provisioning logs, ownership, deletion, and rollback. |
| Tenant restrictions v2 | Controls which external tenants and apps identities can access from managed networks/devices, including alternate external identities. | A cloud policy requires an enforcement signal through Universal Tenant Restrictions, proxy header, or supported Windows signaling. | Default/partner policy, policy ID, signaling path, users/apps, blocked/allowed tests, anonymous gaps, client coverage, and rollback. |