Entra external tenant - federation with other Entra ID tenants

Question

Entra external tenant - federation with other Entra ID tenants

Martin Kallukalam 540

I am exploring entra-id external tenant and comparing with workforce tenant.
WF tenant have builtin federation with other Azure Entra ID tenants. No extra configuration needed.
This is not supported in Entra ID. So I was hoping I can do a manual OIDC federation with other Entra ID tenants . This is when I read the statement that it is not supported.
https://learn.microsoft.com/en-us/entra/external-id/customers/how-to-custom-oidc-federation-customers
User's image

Is it really not supported?
So how does a customer using Entra ID external tenant expect to federate with other Entra ID workforce or external tenant customers ?

Martin Kallukalam 540 Reputation points

2025-08-18T11:17:00.5133333+00:00

@Sreetheja Adusumilli on #2 It is documented clearly that cross tenant sync is not supported in Entra External tenant. See attached link

https://learn.microsoft.com/en-us/entra/external-id/customers/concept-supported-features-customers

#4 Are you saying that OIDC based federation is not supported with other MS Entra ID tenant. But SAML federation is supported with other MS Entra ID tenant?
Sreetheja Adusumilli 880 Reputation points Microsoft External Staff Moderator

2025-08-18T15:34:39.8633333+00:00
Hello Martin Kallukalam,
#2 Cross-tenant Sync in Entra External ID tenants

You are correct — in Entra External ID (Customer) tenants, cross-tenant sync and cross-tenant access (B2B direct connect) are not supported. These features are only available in workforce Entra tenants used for employee collaboration.

For customer tenants, the options are limited to:

Inviting guest users (adding users manually or in bulk, but not through automated sync).

Federation with an identity provider (OIDC or SAML/WS-Fed, depending on the provider).

So yes, your understanding is correct — customer tenants do not support cross-tenant sync features.

#4 OIDC vs. SAML federation with another Entra tenant

To answer your question:

OIDC federation → Not supported with another Microsoft Entra tenant. You can only use OIDC federation with external providers like Google, Facebook, Azure AD B2C, or any other standards-based OIDC provider.

SAML / WS-Fed federation → Supported with another Entra tenant, but only in certain cases:

The other tenant must be set up to use SAML/WS-Fed on a custom/verified domain.

This usually happens if the partner tenant uses services like AD FS or a third-party identity provider, or if they explicitly publish SAML metadata.

In practice, this means you add the partner’s domain in your tenant, upload their SAML/WS-Fed details, and establish trust that way.

Please Note:

Cross-tenant sync (B2B direct connect) → Not supported in customer tenants.

Federation options:

OIDC federation works with third-party/social IdPs, not with another Entra tenant.

SAML/WS-Fed federation can work with another Entra tenant, as long as it is set up for SAML/WS-Fed.

Micrsoft Documentation reference:

Cross-tenant Sync Support in Entra External ID tenants

https://learn.microsoft.com/en-us/entra/external-id/cross-tenant-access-settings-b2b-collaboration

https://learn.microsoft.com/en-us/entra/identity/multi-tenant-organizations/cross-tenant-synchronization-overview

OIDC federation is only supported for non-Entra providers

https://learn.microsoft.com/en-us/entra/external-id/customers/how-to-custom-oidc-federation-customers

SAML/WS-Fed Federation Support

https://learn.microsoft.com/en-us/entra/external-id/direct-federation-overview

https://learn.microsoft.com/en-us/entra/external-id/direct-federation

Kindly let us know if the above helps or you need further assistance on this issue.

If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

Answer accepted by question author

0 additional answers

Your answer

Martin Kallukalam 540 Reputation points

2025-08-18T11:17:00.5133333+00:00

@Sreetheja Adusumilli on #2 It is documented clearly that cross tenant sync is not supported in Entra External tenant. See attached link

https://learn.microsoft.com/en-us/entra/external-id/customers/concept-supported-features-customers

#4 Are you saying that OIDC based federation is not supported with other MS Entra ID tenant. But SAML federation is supported with other MS Entra ID tenant?

Answer 1

Sreetheja Adusumilli 880 Microsoft External Staff Moderator

Hello Martin Kallukalam,

Thanks for reaching out to Microsoft Q&A Portal,

Right now, you cannot set up direct OpenID Connect (OIDC) federation between one Microsoft Entra External ID tenant (your customer account) and another Entra ID tenant. Instead, there are other ways to enable collaboration or federation:

Custom OIDC Federation Microsoft’s custom OIDC federation feature only supports identity providers that are not Entra tenants — like social logins (Google, Facebook), Azure AD B2C, Microsoft personal accounts, or any OIDC-compliant service. Using another Entra ID tenant as an OIDC provider is not supported at this time.
B2B Guest User Invitations
- You can invite users from another Entra ID tenant to your External ID tenant as guests.
- To do this, go to your External ID tenant’s “External Identities” section, choose “Invite users,” and enter the users’ email addresses from the partner Entra tenant.
- The invited users get an email invitation, which they accept, and then appear as Guest users in your tenant.
Cross-Tenant Access Settings (B2B Direct Connect)
- This method lets you set up direct trust between Entra tenants without needing individual user invitations.
- In your External ID tenant, under “Cross-tenant access settings,” you can configure policies for how users from the partner tenant authenticate, handle multi-factor authentication (MFA), device compliance, and what claims are shared.
SAML/WS-Fed Direct Federation
- If the partner tenant wants to federate using SAML or WS-Fed (older federation protocols), you can set this up for verified partner domains (like ******@partner.com).
- To do this, verify the partner’s domain in your tenant and add their SAML/WS-Fed identity provider metadata and certificate.
- When users sign in, they get redirected to their own tenant to authenticate and then return to your tenant after successful login.

Microsoft Document for reference

Custom OIDC federation (not supported for Entra tenants): https://learn.microsoft.com/en-us/entra/external-id/customers/how-to-custom-oidc-federation-customers
Cross-tenant access overview: https://learn.microsoft.com/en-us/entra/external-id/cross-tenant-access-overview
Add SAML/WS-Fed identity provider: https://docs.azure.cn/en-us/entra/external-id/direct-federation

Kindly let us know if the above helps or you need further assistance on this issue.

Martin Kallukalam 540 Reputation points

2025-08-19T01:55:12.7733333+00:00

in #4 how would that work, if I add another Entra ID with SAML federation.
Then I send an email invite to a user in that entra ID tenant.
Now there is manually added SAML federation with entra ID tenant and builtin federation with entra Id tenant .
Say user accept the email invite and kick off the redemption process.
How would that work when there are two different federations against the same entra id tenant
Sreetheja Adusumilli 880 Reputation points Microsoft External Staff Moderator

2025-08-19T10:21:03.52+00:00
Hello Martin Kallukalam,

When a domain is both Entra-verified and configured for direct SAML/WS-Fed federation, only one federation method can be active at a time. If you have set up SAML/WS-Fed direct federation for that domain, it will take priority over the built-in Microsoft Entra ID federation.

This means that when users from that partner domain redeem guest invitations, they will authenticate through the SAML/WS-Fed identity provider you configured (such as AD FS), not directly through Microsoft Entra ID—even though the domain is Entra-verified.

You cannot have both federation methods active simultaneously for the same domain, as Microsoft Entra prevents this to avoid errors during invitation redemption.

Therefore, I suggest you choose only one federation method per partner domain—either use direct SAML/WS-Fed federation or rely on the built-in Microsoft Entra ID authentication.

If you decide to revert to Microsoft Entra ID authentication for guests from a partner domain currently using SAML/WS-Fed federation, simply remove the SAML/WS-Fed federation configuration for that domain.

Reference Documentation:

https://learn.microsoft.com/en-us/entra/external-id/cross-tenant-access-overview

https://learn.microsoft.com/en-us/entra/external-id/direct-federation

https://learn.microsoft.com/en-us/entra/identity/hybrid/connect/how-to-connect-install-multiple-domains

If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
Martin Kallukalam 540 Reputation points

2025-08-19T12:35:12.1733333+00:00

Need little bit more clarify on your comment (pls see attached screen scrape)
"

"
You are basically saying I cannot have both buitin federation of External tenant with other Entra ID tenant as well as custom created SAML federation with other Entra ID tenant .
But there is no way to turn off the External tenant's built-in federation with other entra ID tenant. So what do you mean by having to chose between the two.
Sreetheja Adusumilli 880 Reputation points Microsoft External Staff Moderator

2025-08-19T13:13:40.0333333+00:00
Hello Martin Kallukalam,

You’re absolutely right—there is no way to turn off the built-in federation between Microsoft Entra tenants. When I said you have to “choose between the two,” I didn’t mean you can disable the built-in federation completely.

Built-in federation is the default way Microsoft Entra lets you collaborate with another Entra tenant. It uses the other tenant’s Microsoft Entra ID as the sign-in method, working behind the scenes with OIDC protocols.

Custom SAML federation is when you manually set up a special trust connection with the partner’s domain using their SAML or WS-Federation setup. This usually happens if they use systems like AD FS or another identity provider.

Now, the important part is: For each domain (like partner.com) in your tenant, only one federation method can be active at a time.

If you set up a custom SAML federation for that domain, it overrides the built-in Microsoft Entra federation. So, users from that domain will sign in using the SAML system you configured instead of the built-in method.

You might wonder if there’s a way to turn off the built-in federation. There isn’t a direct switch because it’s just how Microsoft Entra works by default. But when you add a custom SAML federation for a domain, it automatically takes over and the built-in federation stops being used for that domain’s sign-ins.

In simple terms:

If you do not add a custom SAML federation, Microsoft Entra’s built-in federation is used.

If you do add a custom SAML federation, that method is used instead, and the built-in one is ignored for that domain.

Kindly let us know if the above helps or you need further assistance on this issue.

If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
Martin Kallukalam 540 Reputation points

2025-08-19T13:46:22.7133333+00:00

yes that is helpful.
I wish this has been clearly documented; especially "when we add a custom SAML federation to another Entra ID tenant, then the built in federation is ignored for that domain". I think this is very important aspect that is not clearly written out in the documentation for "external tenant".
If this is already documented, can you point me to that document link ?
Sreetheja Adusumilli 880 Reputation points Microsoft External Staff Moderator

2025-08-20T09:10:34.63+00:00

Hello Martin Kallukalam,

Thank you for your feedback and for highlighting this important point.

You are correct that the specific detail about custom SAML federation taking precedence over the built-in federation for a domain is not always clearly consolidated in a single location within the official documentation. While the existing Microsoft documentation covers this across several related articles (as I shared earlier), it could certainly benefit from a clearer, more explicit explanation to help users understand this behavior better.

Kindly let us know if the above helps or you need further assistance on this issue.

If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
Jingwei Ke 0 Reputation points

2025-12-03T21:14:16.7033333+00:00
Hello Sreetheja Adusumilli,

How does "B2B Guest User Invitations" work at login time? Will the user login in original domain instead of External ID tenant?

B2B Guest User Invitations

You can invite users from another Entra ID tenant to your External ID tenant as guests.

To do this, go to your External ID tenant’s “External Identities” section, choose “Invite users,” and enter the users’ email addresses from the partner Entra tenant.

The invited users get an email invitation, which they accept, and then appear as Guest users in your tenant.

Share via

Entra external tenant - federation with other Entra ID tenants

0 additional answers

Your answer