Cross-Business Collaboration Simplified: Azure, Microsoft 365 & SharePoint
Sousouni Bajis
Senior M365 Solutions Architect, Lead Developer/SME for SharePoint/Power Platform
Welcome back to Mastering Microsoft 365 and Beyond, where we explore the latest advancements and best practices in the Microsoft 365 cloud platform. Lately, we've been covering key topics like new capabilities in SharePoint Framework, exploring integrations of Microsoft Teams' updates for collaboration, and the emerging role of AI in content management. Today, we're focusing on how cross-tenant collaboration can empower modern workplaces to collaborate across departments, geographies, and even with external companies, all while ensuring compliance with strict regulations.
The business world in the era of AI is changing fast. Companies more often than before have to make sure that employees can work together and collaborate on content, even if they are in different departments across geographic regions, or even different companies. With so many organizations working hybrid or remote, and partnering with other businesses with similar models, Microsoft 365 and SharePoint have become go-to solutions for companies that need secure, compliant ways to collaborate across tenants. The Microsoft cloud platform is flexible enough to create a modern workplace that collaborates externally, while helping employees be more productive and following strict rules like HIPAA and GDPR.
In this article, we'll explore how to use Microsoft 365 and SharePoint, combined with Azure cloud services and solutions, to create a basic modern workplace template that facilitates secure and compliant collaboration across organizational boundaries. We'll dive into the technologies behind cross-tenant collaboration, compliance, and a real-world scenario where these solutions can make all the difference.
?#NeedHelp?: Whether you’re looking for expert advice, need help with Microsoft 365 consultancy, or have specific helpdesk requests, I am here to guide you through the ever-changing landscape of the Microsoft cloud. Stay tuned as I bring you more in-depth analysis, practical insights, and the latest updates to help you master Microsoft 365 and beyond!?
Modern Workplace Collaboration: The Need for Cross-Tenant Solutions
As businesses grow alongside advancements made in AI, and work with more business partners, divisions, and subsidiaries, the old "single-tenant" collaboration model doesn't cut it anymore. For example, a healthcare group might need to share patient data with multiple clinics but only allow access to authorized business users in specific regions. Or a financial services company might need to work with external auditors, which requires secure data exchange across different organizational tenants.
In these cases, cross-tenant collaboration is essential. Azure and Microsoft 365 cloud platforms provide the mechanisms you need to meet such modern workplace requirements. With features like Multi-Tenant Organization (MTO) architecture, cross-tenant access settings, Teams shared channels, and compliance-driven security features such as Data Loss Prevention (DLP) and Azure Information Protection (AIP), organizations can collaborate efficiently without compromising data security or regulatory adherence. These platforms also integrate ?with Power Automate and Azure Logic Apps to provide automated, secure workflows across tenants.?
Key Technologies Supporting Cross-Tenant Collaboration
1. SharePoint in Microsoft 365
SharePoint lets you create shared content hubs where users from different tenants can access the same documents, work on projects together, and take part in cross-functional process workflows. These workflows could involve sequences of work actions spanning multiple departments and organizations to complete a project. For example, a multinational pharmaceutical company might use SharePoint to share clinical trial data between research teams in different countries while ensuring compliance with local data protection regulations..
SharePoint Framework (SPFx) enables organizations to customize their SharePoint sites with custom web parts and dashboards that integrate with Azure Functions. This allows you to add features like real-time compliance dashboards and automated data approval workflows, integrated with SharePoint, Teams, Viva and the Microsoft 365 Office productivity suite.
2. Microsoft Teams Shared Channels
Teams shared channels enable collaboration across tenants without the need to switch between tenants. Business users from different companies can join Teams meetings, chat, and share files in shared channels while remaining within their respective tenant. This simplifies cross-tenant collaboration and improves productivity for multi-tenant organization (MTO) configurations, where multiple businesses may need to collaborate.
3. MTO Architecture
For organizations with complex structures, such as those managing multiple subsidiaries or divisions, MTO (Multi-Tenant Organization) architecture allows different tenants to operate independently while enabling secure collaboration. MTO provides an architecture for managing isolated tenants while supporting shared resources, compliance and security controls across different business units.
4. Microsoft Entra External ID
Microsoft Entra External ID is the foundation for managing who can access what in cross-tenant collaboration situations. With Microsoft Entra External ID B2B (formerly known as Azure AD B2B), you can provide outside business users with access to necessary resources without adding them to the host tenant as full members.?
For example, a financial consultancy can collaborate with client teams from different businesses while keeping sensitive financial reports accessible only to authorized personnel using Microsoft Entra conditional access policies.
To further improve security and efficiency, configure inbound and outbound cross-tenant access settings, which allow you to control which external business users, groups, or applications have access to your tenant's resources, and which external tenants your users can access. This level of control provides external collaboration capabilities that are tightly managed while enabling data sharing across tenants.
5. Trust Settings for MFA and Device Compliance
When collaborating across tenants, it's essential to manage how MFA and device compliance claims are handled. With trust settings, you can choose to trust the MFA or device compliance claims, from external business users who have already authenticated in their home company and tenant. This approach reduces friction for external business users without compromising security, as they won’t need to re-authenticate each time they access resources in another tenant.
6. Tenant Restrictions
To maintain strict control over who can access company resources, especially in regulated industries like healthcare, consider implementing tenant restrictions. Tenant restrictions blocks external accounts from unknown tenants, limiting access to only verified external accounts. This level of control is critical in business scenarios where sensitive data, such as patient or financial records, must be protected.
7. Compliance/Security with DLP & AIP
Microsoft 365 and SharePoint are designed to meet strict compliance standards of regulated industries like healthcare and finance. Data Loss Prevention (DLP) policies can be applied across tenants to prevent sensitive information from being shared or overshared inappropriately. DLP works with Azure Information Protection (AIP), which classifies and labels sensitive content and documents in SharePoint, while maintaining compliance for the data handling position in line with industry regulation requirements.?
Recommended: You can use Azure DevTest Labs to create sandbox environments to test solutions for compliance and security, before rolling them out in production and going live with your solutions.
Real-Life Business Scenario: A Multi-Organization Healthcare Consortium
The healthcare industry is a prime example of where cross-tenant collaboration can be crucial. Imagine several hospitals and clinics in different regions forming a healthcare consortium. Each entity operates independently with its own Microsoft 365 tenant, but they need to securely share patient records, treatment plans, and medical research while ensuring compliance with strict regulations like HIPAA and GDPR.?
领英推荐
Challenges:
Healthcare data is highly sensitive and must meet stringent compliance requirements, varying by region. Each hospital and clinic operates under a separate Microsoft 365 tenant, but they need to collaborate on joint research projects, securely share protected health information (PHI), and provide real-time auditing to ensure unauthorized users don’t access critical data.?
Solution:
Using SharePoint in Microsoft 365 and Microsoft Teams, the consortium creates a shared content repository where each clinic can store and access patient information securely. MTO architecture allows each clinic to operate independently within its own tenant, while enabling secure collaboration across tenants. This setup is particularly useful to collaborate on cross-functional workflows such as joint research projects.?
Access across tenants is managed through Entra External ID B2B, to ensure that only authorized personnel from each clinic can view or edit shared records. Teams shared channels further improve the collaborate effort by allowing clinics to communicate, hold meetings, and share files securely across tenants.?
To maintain compliance, the consortium utilizes AIP to classify and label all patient data. DLP policies are applied to ensure no unauthorized data leakage occurs across tenants.?
Power Automate automates ?workflows such as document approvals for sensitive medical documents, flagging any file that contains personal health information (PHI) for review by compliance officers before it is shared across tenants.?
To further improve data security, encryption can play a vital role in protecting sensitive healthcare information. Both data at rest and data in transit are encrypted using AIP and BitLocker encryption, to provide the required protection for patient records and medical research even when shared across tenants. This encryption provides compliance with HIPAA and GDPR, as it prevents unauthorized access to sensitive information, even if intercepted.?
Moreover, Microsoft 365 Message Encryption provides an additional layer of protection for emails containing PHI. This encryption service protects any and all communications, whether internal or external, by encrypting and locking it down only to be accessed by authorized personal. Finally, Azure DevTest Labs is leveraged to create sandbox environments to simulate cross-tenant data-sharing scenarios and satisfy full compliance and security requirements before deployment.?
Best Practices for Cross-Tenant Collaboration
When setting up cross-tenant collaboration solutions, here are some best practices to follow to make sure you do it right:
1. Security First:
Always implement strict access controls using conditional access and MFA to secure business-user identities across tenants. In addition to enforcing MFA, consider configuring trust settings to accept MFA and device compliance claims from external organizations. This allows external users who have already authenticated in their home tenant to access your resources without having to re-authenticate. Along with conditional access and MFA, you can integrate Privileged Identity Management (PIM) to manage and monitor elevated access in cross-tenant scenarios, which is critical for controlling admin-level access across organizations.?
Recommendation: Be sure to audit conditional access policies regularly and integrate identity protection to detect suspicious behavior, like compromised identities, during cross-tenant access
2. Data Classification: ?
Here are some best practices for data classification in cross-tenant collaboration. First, follow the Security First approach as mentioned, always use strict access controls with conditional access and MFA to protect user identities across tenants. Second, use AIP to classify and label sensitive data, and apply protection policies that comply with industry regulations. Along with AIP for data classification, make sure that encryption is applied to both data at rest and data in transit; use BitLocker and Azure Key Vault to make sure that all data, including documents and communications, remains encrypted across tenants.?
Recommendation: Make sure that Microsoft 365 Message Encryption is enabled for any emails that contains sensitive data, especially in industries like healthcare or finance where cross-tenant email sharing happens a lot.?
3. Tenant Restrictions:?
Tenant restrictions are a key security measure for cross-tenant collaboration. They keep out external accounts that aren't managed or verified, which blocks unauthorized users from accessing company resources. This is particularly important in regulated industries where access must be tightly controlled. To further improve security, tenant restrictions can be combined with monitoring sign-in logs and using Azure Monitor to track any unusual activity from external users.?
4. Inbound and Outbound Access Settings:?
Control who can access your resources, and what your users can access in other tenants. Inbound and outbound cross-tenant access settings are important for controlling both internal and external access. Make sure these settings match your organizational trust policies, especially when it comes to MFA and device compliance. This way, you can simplify access for external business partners while keeping your security tight.?
5. Test for Compliance:?
Before you put cross-tenant collaboration solutions into production, test them in sandbox environments that you create in Azure DevTest Labs. This will make sure you are in compliance with regulations like HIPAA and GDPR. You will also require access to Microsoft Purview Compliance Manager to assess and monitor compliance against industry regulations in your sandbox environments.?
6. Custom BPM Workflows:?
Microsoft Defender for Cloud Apps scans files and workflows to make sure they don't leak data or violate compliance rules before they are shared across tenants. This, combined with the use of Power Automate and Azure Logic Apps to automate processes, such as document approval workflows and compliance checks, helps provide the peace of mind that data is "handled appropriately and in compliance at all times."
7. Automatic Redemption:?
If you have business users who are not in the same company but work together a lot across different companies, you can get rid of the annoying consent prompts by enabling automatic redemption. That way, your business users won't have to deal with those prompts every time they log in!
8. Periodic Audits and Monitoring:
When you set up cross-tenant collaboration solutions, you need to audit your access settings and user activity to make sure they are secure, compliant, and efficient; there are services to help you do this. Microsoft Entra ID Protection, Azure Security Center, and Azure Monitor. Also, keep logs of cross-tenant activity in case you need them for an audit or compliance check.?
Summary
As businesses continue to adopt modern workplace strategies and improve end-user experiences to expand and collaborate across organizational boundaries, the ability to securely manage cross-tenant collaboration has become a critical component. Azure, Microsoft 365 and SharePoint provide the foundational framework needed to architect secure, compliant collaboration across multiple tenants while supporting complex workflows of industries like healthcare, and finance, amongst others.
By leveraging Microsoft Entra effectively, with SharePoint, and Microsoft 365 apps and services, such as Teams, Outlook and Microsoft Viva, organizations can foster a collaborative setting that elevates productivity and also meets the stringent security and compliance standards of today’s regulatory landscape.
About the author: Sousouni Bajis is a SharePoint Subject Matter Expert and Microsoft Cloud Solutions Architect, with a focus on enterprise application development. Sousouni has helped countless organizations leverage Microsoft 365 to achieve their business goals. Connect with him on LinkedIn to gain deeper insights into mastering Microsoft’s cloud technologies and for professional guidance on navigating the complexities of enterprise content management.?