As a Managing Architect with Summit 7, I have helped hundreds of customers navigate their transition to Microsoft 365 GCC High — supporting content migrations, information architecture design, and implementing governance/security controls to accommodate unique compliance requirements. During this time, one of the biggest issues I have heard clients express frustration about is the limitations relating to business-to-business (B2B) collaboration in GCC High.
As customers get acclimated to the GCC High platform, B2B external collaboration (inviting guest users to collaborate in SharePoint Online or Teams) has been a recurring source of frustration given platform limitations historically:
In recent months, significant advancements in B2B collaboration capabilities have been made, allowing customers to take far greater advantage of cross-tenant collaboration, even in Government M365 platforms. However, this leads to a critical question: how can I collaborate with external parties without jeopardizing my organization’s compliance posture?
On one side, there’s pressure to meet regulatory compliance requirements to safeguard sensitive data, while on the other, advancements in efficiency are essential for your business to stay competitive in today’s modern workplace.
In this article, we will:
Within Microsoft Entra (the artist formerly known as Azure AD), B2B collaboration provides a mechanism to invite guest users to collaborate within your organization. Using a simple invitation and redemption process, partners (suppliers, subcontractors, etc.) can access your company's resources using their own credentials.
With the recent release of Cross-Cloud B2B (~Q1 2023 GA release), both inbound and outbound support for guest users is now possible from GCC High regardless of where users are invited from – even with cross-cloud scenarios! Today, a guest user can be invited from several different invitation sources:
Scenario | Example | Inbound? | Outbound?
--- | --- | --- | ---
Same Cloud | GCC High to GCC High | ✅ | ✅
Cross-Cloud | GCC High to Commercial / GCC | ✅ | ✅
Non-Microsoft Cloud | GCC High to Google Workspace | ✅ | ✅
In tandem with cross-cloud B2B, Microsoft has also released new governance controls for Entra External Identities in a new feature called Cross-Tenant Access Settings (~Q4 2022 GA release). Cross-Tenant Access Settings (CTAS) is especially valuable when securing sensitive data as it provides administrators with granular controls to allow, deny, or restrict inbound and outbound B2B access on an organization-by-organization basis (by Tenant ID).
Most recently, Microsoft has launched support for Teams Cross-Cloud Guest Access (TCCGA) – bringing guest users into the collaboration context most used by organizations today. Until this release, guests who were “bridging clouds” (e.g., a guest user residing in a Commercial tenant being invited to collaborate within a GCC High tenant) were limited to site-, folder-, or file-based collaboration experiences in SharePoint Online or OneDrive for Business.
Now, guests can simply be invited as a member of a Teams/Microsoft 365 Group and participate in threaded chat in addition to document-based collaboration.
Before moving on to discuss compliance considerations, it’s important to clarify that cross-tenant collaboration amongst partner organizations (sister companies, subcontractors, suppliers, etc.) is not limited to just B2B guest access. It’s possible to collaborate across tenant boundaries in other ways. For example:
These feature-sets, in tandem with recent B2B innovations, begin to round out a comprehensive story for facilitating seamless partner relationships and reducing friction internally for multi-tenant organizations.
So how are other businesses utilizing these capabilities within the defense industrial base (DIB)? Here are some scenarios we’re seeing most often today:
Due to compliance requirements concerning controlled unclassified information (CUI), export-controlled data, etc., it’s common for a division or subset of an organization to reside and work within a secure enclave utilizing Azure Government & GCC High Microsoft 365.
However, independent of that secure enclave and federal/DoD practice, your organization also may operate within a Commercial, GCC, or Multi-Geo Microsoft 365 and need to collaborate effectively across multiple clouds as a multi-tenant organization.
For example, through the use of cross-cloud B2B, a subject-matter-expert from your parent company can gain access to GCC High to support an upcoming business development or proposal effort.
Similarly, users within your organization who might be “homed” in GCC High can reach back into your organization’s Commercial tenant to access content published out to all employees (e.g., HR benefits, open-enrollment information, etc.).
Similar to the first scenario, this organization has compliance requirements concerning CUI and export-controlled data which necessitate their use of Azure Government & GCC High Microsoft 365.
However, in this case, internal collaboration has become complex – spanning multiple Commercial, GCC High, or non-Microsoft clouds due to rapid organizational growth and recent business acquisitions or mergers which haven’t been fully consolidated yet.
Here, users homed within a newly acquired company tenant can be provided greater collaboration opportunities by:
Again, the value here is that new team members can begin collaborating immediately upon acquisition while you prepare to consolidate IT infrastructure, execute migrations, etc.
In this final scenario, our organization operates within GCC High but has partners it needs to collaborate with that reside both in Commercial M365 (Cross-Cloud) and outside the Microsoft ecosystem (e.g., Google Workspace).
Through cross-cloud B2B, collaboration with partner organizations (supplier, subcontractor, etc.) can take place within the GCC High tenant via SharePoint Online or Microsoft Teams.
Similarly, users who are homed in GCC High can gain access to partner organizations for collaboration as guests themselves within other tenants/cloud systems.
Note: When bridging cloud boundaries (e.g., GCC High → Commercial), tenant configurations are required within both tenants, like a “handshake” between partners.
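The allow/deny logic behind Cross-Tenant Access Settings, and the two-sided “handshake” in the note above, as an added Python model (example code written for this article, not Summit 7’s product or Microsoft’s implementation). It encodes the documented rule: the inviting user’s home tenant must allow outbound B2B access to the resource tenant and the resource tenant must allow inbound access from the home tenant, with per-partner entries overriding the tenant defaults. All tenant, user and group IDs are constructed placeholders, and the shape of the rendered Graph partner object is my assumption about the `crossTenantAccessPolicyConfigurationPartner` resource (users-and-groups scope only; trust settings such as MFA and compliant-device acceptance are not modeled):

```python
"""Model of how Entra Cross-Tenant Access Settings (CTAS) gate a B2B collaboration.
Added example; not Summit 7's or Microsoft's code. IDs below are constructed."""
import json
from dataclasses import dataclass, field

ALL_USERS = "AllUsers"  # Graph's wildcard target for "all users and groups"

# Constructed placeholder IDs (not real tenants, users or groups).
GCCH_TENANT = "11111111-1111-1111-1111-111111111111"
COMM_TENANT = "22222222-2222-2222-2222-222222222222"
OTHER_TENANT = "33333333-3333-3333-3333-333333333333"
PARTNER_GROUP = "aaaaaaaa-0000-0000-0000-000000000001"  # vetted group in the Commercial tenant
ALICE = "bbbbbbbb-0000-0000-0000-000000000002"          # Commercial user in PARTNER_GROUP
BOB = "bbbbbbbb-0000-0000-0000-000000000003"            # Commercial user not in PARTNER_GROUP


@dataclass
class Rule:
    """One direction of a B2B collaboration setting.
    access_type is "allowed" or "blocked"; targets maps object id -> targetType."""
    access_type: str = "blocked"
    targets: dict = field(default_factory=lambda: {ALL_USERS: "user"})

    def permits(self, principal_ids: set) -> bool:
        matched = ALL_USERS in self.targets or bool(set(self.targets) & principal_ids)
        if self.access_type == "allowed":
            return matched        # allow-list: only matched principals pass
        return not matched        # block-list: matched principals are denied, others pass


@dataclass
class TenantCtas:
    """A tenant's CTAS: defaults plus per-partner overrides keyed by partner tenant id."""
    tenant_id: str
    default_inbound: Rule = field(default_factory=Rule)
    default_outbound: Rule = field(default_factory=Rule)
    partners: dict = field(default_factory=dict)

    def inbound_from(self, partner_tenant_id: str) -> Rule:
        return self.partners.get(partner_tenant_id, {}).get("inbound", self.default_inbound)

    def outbound_to(self, partner_tenant_id: str) -> Rule:
        return self.partners.get(partner_tenant_id, {}).get("outbound", self.default_outbound)


def collaboration_allowed(home: TenantCtas, resource: TenantCtas, principal_ids: set) -> bool:
    """The handshake: the home tenant's outbound rule toward the resource tenant AND the
    resource tenant's inbound rule from the home tenant must both permit the principal."""
    outbound_ok = home.outbound_to(resource.tenant_id).permits(principal_ids)
    inbound_ok = resource.inbound_from(home.tenant_id).permits(principal_ids)
    return outbound_ok and inbound_ok


def graph_partner_object(tenant: TenantCtas, partner_tenant_id: str) -> dict:
    """Render one partner entry in the (assumed) shape of Graph's
    crossTenantAccessPolicyConfigurationPartner resource. For GCC High the endpoint is
    https://graph.microsoft.us/v1.0/policies/crossTenantAccessPolicy/partners."""
    def render(rule: Rule) -> dict:
        targets = [{"target": t, "targetType": kind} for t, kind in sorted(rule.targets.items())]
        return {"usersAndGroups": {"accessType": rule.access_type, "targets": targets}}
    return {
        "tenantId": partner_tenant_id,
        "b2bCollaborationInbound": render(tenant.inbound_from(partner_tenant_id)),
        "b2bCollaborationOutbound": render(tenant.outbound_to(partner_tenant_id)),
    }


def build_scenario():
    """GCC High tenant: deny everything by default, then open inbound only to one vetted
    partner group in the Commercial tenant. Commercial tenant: permissive defaults."""
    gcch = TenantCtas(GCCH_TENANT)
    gcch.partners[COMM_TENANT] = {
        "inbound": Rule("allowed", {PARTNER_GROUP: "group"}),
        "outbound": Rule("allowed"),
    }
    comm = TenantCtas(COMM_TENANT, default_inbound=Rule("allowed"), default_outbound=Rule("allowed"))
    other = TenantCtas(OTHER_TENANT, default_inbound=Rule("allowed"), default_outbound=Rule("allowed"))
    return gcch, comm, other


if __name__ == "__main__":
    gcch, comm, other = build_scenario()
    print("Alice (in vetted group) -> GCC High:", collaboration_allowed(comm, gcch, {ALICE, PARTNER_GROUP}))
    print("Bob (not in group)      -> GCC High:", collaboration_allowed(comm, gcch, {BOB}))
    print("Unconfigured tenant     -> GCC High:", collaboration_allowed(other, gcch, {ALICE}))
    comm.partners[GCCH_TENANT] = {"outbound": Rule("blocked")}  # partner side of the handshake refuses
    print("Alice after partner blocks outbound:", collaboration_allowed(comm, gcch, {ALICE, PARTNER_GROUP}))
    print(json.dumps(graph_partner_object(gcch, COMM_TENANT), indent=2))
```

The last case is the point of the handshake: even with the GCC High side fully configured, a Commercial partner that blocks outbound access to your tenant ID stops the collaboration, so both administrators must agree before a guest invitation will redeem. The pass-through of `principal_ids` as a set of the user’s object id plus group memberships is what lets a group-scoped inbound rule match; a user who is not in the vetted group is denied by the allow-list even though the partner tenant itself is configured.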
As can be seen from the updates we’ve shared, external collaboration continues to mature with respect to both collaboration capabilities and platform governance.
As the examples above show, the efficiencies gained from B2B and cross-tenant collaboration methods can revolutionize day-to-day workflows for your workforce. However, in order for these efficiencies to be effective, a prerequisite must first exist: nothing goes wrong.
In order to safeguard against setbacks (e.g., audit failure, loss of sensitive data, impacts to your business’ reputation, etc.), it’s critical that your implementation goes slow to go fast.
Slowness here implies deliberation. When acting deliberately you position your organization to succeed by finding an effective balance between security and efficiency, while still ensuring all compliance requirements are met.
Slowness here could involve:
With that being said, what are some more practical examples of what “going slow to go fast” might look like in this context for organizations in the DoD supply chain focused on protecting CUI and export-controlled/ITAR data? Let’s take a look.
Today, most incidents of data spillage or security breaches are caused by insider threats, social engineering, or human error. Notice a trend here? Your employees are your organization’s greatest security risk.
With that in mind, the tenant configurations and governance controls implemented in support of external collaboration need to not only meet minimum compliance requirements but also apply additional best-practice defense-in-depth layers to protect sensitive data.
Here are some questions to consider as you look ahead at your own implementation:
Regardless of the security and compliance controls implemented in support of cross-tenant collaboration, it’s important to note that these configurations will not absolve your organization from its responsibilities to protect data from non-compliant parties. Remember, guests are accessing your tenant from an endpoint which you don’t control.
As you work to build out your collaborative architecture, it is recommended that you consult legal counsel and consider the use of signed agreements between external parties prior to permitting cross-tenant collaboration.
Following this slow-to-fast methodology, our team at Summit 7 has been hard at work refining a new product offering to meet our customers’ external collaboration needs while ensuring the use of these new feature-sets doesn’t place an organization’s compliance posture at risk.
I am excited to share that Summit 7’s Cross-Tenant Collaboration / B2B product is now generally available and built in alignment with CMMC 2.0 Level 2 requirements. Our team is eager to see the business transformation this solution can foster and has already heard great feedback from our early adopters! If you would like to partner with Summit 7 on your implementation of cross-tenant collaboration / B2B, please fill out the form below and our team will reach out to you shortly.