Policy.ReadWrite.CrossTenantAccess

Allows the app to read and write your organization's cross tenant access policies on behalf of the signed-in user.

Merill's Note

For an app to access data in Microsoft Graph, the user or administrator must grant it the permissions it needs. This article lists all the Microsoft Graph APIs and your tenant data that can be accessed by the application (vendor/developer) if you consent to the Policy.ReadWrite.CrossTenantAccess permission.

If you need to create an audit report of the permissions granted to all the apps in your tenant, you can run the Export-MsIdAppConsentGrantReport command. See How To: Run a quick OAuth app audit of your tenant

Category	Application	Delegated
Identifier	338163d7-f101-4c92-94ba-ca46fe52447c	014b43d0-6ed4-4fc6-84dc-4b6f7bae7d85
DisplayText	Read and write your organization's cross tenant access policies	Read and write your organization's cross tenant access policies
Description	Allows the app to read and write your organization's cross tenant access policies without a signed-in user.	Allows the app to read and write your organization's cross tenant access policies on behalf of the signed-in user.
AdminConsentRequired	Yes	Yes

Graph Methods

→ API supports delegated access (access on behalf of a user)
→ API supports app-only access (access without a user)

	Methods
	DELETE /policies/crossTenantAccessPolicy/partners/{id}
	DELETE /policies/crossTenantAccessPolicy/partners/{id}/identitySynchronization
	GET /policies/crossTenantAccessPolicy
	GET /policies/crossTenantAccessPolicy/default
	GET /policies/crossTenantAccessPolicy/partners
	GET /policies/crossTenantAccessPolicy/partners/{id}
	GET /policies/crossTenantAccessPolicy/partners/{id}/identitySynchronization
	GET /policies/crossTenantAccessPolicy/templates/multiTenantOrganizationIdentitySynchronization
	GET /policies/crossTenantAccessPolicy/templates/multiTenantOrganizationPartnerConfiguration
	PATCH /policies/crossTenantAccessPolicy
	PATCH /policies/crossTenantAccessPolicy/default
	PATCH /policies/crossTenantAccessPolicy/partners/{id}
	PATCH /policies/crossTenantAccessPolicy/partners/{id}/identitySynchronization
	PATCH /policies/crossTenantAccessPolicy/templates/multiTenantOrganizationIdentitySynchronization
	PATCH /policies/crossTenantAccessPolicy/templates/multiTenantOrganizationPartnerConfiguration
	POST /policies/crossTenantAccessPolicy/default/resetToSystemDefault
	POST /policies/crossTenantAccessPolicy/partners
	POST /policies/crossTenantAccessPolicy/templates/multiTenantOrganizationIdentitySynchronization/resetToDefaultSettings
	POST /policies/crossTenantAccessPolicy/templates/multiTenantOrganizationPartnerConfiguration/resetToDefaultSettings
	PUT /policies/crossTenantAccessPolicy/partners/{id}/identitySynchronization

→ API supports delegated access (access on behalf of a user)
→ API supports app-only access (access without a user)

	Methods
	DELETE /policies/crossTenantAccessPolicy/partners/{id}
	DELETE /policies/crossTenantAccessPolicy/partners/{id}/identitySynchronization
	GET /policies/crossTenantAccessPolicy
	GET /policies/crossTenantAccessPolicy/default
	GET /policies/crossTenantAccessPolicy/partners
	GET /policies/crossTenantAccessPolicy/partners/{id}
	GET /policies/crossTenantAccessPolicy/partners/{id}/identitySynchronization
	GET /policies/crossTenantAccessPolicy/templates/multiTenantOrganizationIdentitySynchronization
	GET /policies/crossTenantAccessPolicy/templates/multiTenantOrganizationPartnerConfiguration
	PATCH /policies/crossTenantAccessPolicy
	PATCH /policies/crossTenantAccessPolicy/default
	PATCH /policies/crossTenantAccessPolicy/partners/{id}
	PATCH /policies/crossTenantAccessPolicy/partners/{id}/identitySynchronization
	PATCH /policies/crossTenantAccessPolicy/templates/multiTenantOrganizationIdentitySynchronization
	PATCH /policies/crossTenantAccessPolicy/templates/multiTenantOrganizationPartnerConfiguration
	POST /policies/crossTenantAccessPolicy/default/resetToSystemDefault
	POST /policies/crossTenantAccessPolicy/partners
	POST /policies/crossTenantAccessPolicy/templates/multiTenantOrganizationIdentitySynchronization/resetToDefaultSettings
	POST /policies/crossTenantAccessPolicy/templates/multiTenantOrganizationPartnerConfiguration/resetToDefaultSettings
	PUT /policies/crossTenantAccessPolicy/partners/{id}/identitySynchronization

→ Command supports delegated access (access on behalf of a user)
→ Command supports app-only access (access without a user)

	Commands
	Get-MgPolicyCrossTenantAccessPolicy
	Get-MgPolicyCrossTenantAccessPolicyDefault
	Get-MgPolicyCrossTenantAccessPolicyPartner
	Get-MgPolicyCrossTenantAccessPolicyPartnerIdentitySynchronization
	Get-MgPolicyCrossTenantAccessPolicyTemplateMultiTenantOrganizationIdentitySynchronization
	Get-MgPolicyCrossTenantAccessPolicyTemplateMultiTenantOrganizationPartnerConfiguration
	New-MgPolicyCrossTenantAccessPolicyPartner
	Remove-MgPolicyCrossTenantAccessPolicyPartner
	Remove-MgPolicyCrossTenantAccessPolicyPartnerIdentitySynchronization
	Reset-MgPolicyCrossTenantAccessPolicyDefaultToSystemDefault
	Set-MgPolicyCrossTenantAccessPolicyPartnerIdentitySynchronization
	Update-MgBetaPolicyCrossTenantAccessPolicyPartner
	Update-MgPolicyCrossTenantAccessPolicy
	Update-MgPolicyCrossTenantAccessPolicyDefault
	Update-MgPolicyCrossTenantAccessPolicyTemplateMultiTenantOrganizationIdentitySynchronization
	Update-MgPolicyCrossTenantAccessPolicyTemplateMultiTenantOrganizationPartnerConfiguration

→ Command supports delegated access (access on behalf of a user)
→ Command supports app-only access (access without a user)

	Commands
	Get-MgBetaPolicyCrossTenantAccessPolicy
	Get-MgBetaPolicyCrossTenantAccessPolicyDefault
	Get-MgBetaPolicyCrossTenantAccessPolicyPartner
	Get-MgBetaPolicyCrossTenantAccessPolicyPartnerIdentitySynchronization
	Get-MgBetaPolicyCrossTenantAccessPolicyTemplateMultiTenantOrganizationIdentitySynchronization
	Get-MgBetaPolicyCrossTenantAccessPolicyTemplateMultiTenantOrganizationPartnerConfiguration
	New-MgBetaPolicyCrossTenantAccessPolicyPartner
	Remove-MgBetaPolicyCrossTenantAccessPolicyPartner
	Remove-MgBetaPolicyCrossTenantAccessPolicyPartnerIdentitySynchronization
	Reset-MgBetaPolicyCrossTenantAccessPolicyDefaultToSystemDefault
	Reset-MgBetaPolicyCrossTenantAccessPolicyTemplateMultiTenantOrganizationIdentitySynchronizationToDefaultSetting
	Reset-MgBetaPolicyCrossTenantAccessPolicyTemplateMultiTenantOrganizationPartnerConfigurationToDefaultSetting
	Set-MgBetaPolicyCrossTenantAccessPolicyPartnerIdentitySynchronization
	Update-MgBetaPolicyCrossTenantAccessPolicy
	Update-MgBetaPolicyCrossTenantAccessPolicyDefault
	Update-MgBetaPolicyCrossTenantAccessPolicyPartner
	Update-MgBetaPolicyCrossTenantAccessPolicyTemplateMultiTenantOrganizationIdentitySynchronization
	Update-MgBetaPolicyCrossTenantAccessPolicyTemplateMultiTenantOrganizationPartnerConfiguration

Resources

Granting this permission allows the calling application to access (and/or update) the following information in your tenant.

Graph reference: crossTenantAccessPolicy

Property	Type	Description
displayName	String	The display name of the cross-tenant access policy. Inherited from policyBase.
allowedCloudEndpoints	String collection	Used to specify which Microsoft clouds an organization would like to collaborate with. By default, this value is empty. Supported values for this field are: `microsoftonline.com`, `microsoftonline.us`, and `partner.microsoftonline.cn`.

Graph reference: crossTenantAccessPolicyB2BSetting

Property	Type	Description
applications	crossTenantAccessPolicyTargetConfiguration	The list of applications targeted with your cross-tenant access policy.
usersAndGroups	crossTenantAccessPolicyTargetConfiguration	The list of users and groups targeted with your cross-tenant access policy.

Graph reference: crossTenantAccessPolicyConfigurationDefault

Property	Type	Description
automaticUserConsentSettings	inboundOutboundPolicyConfiguration	Determines the default configuration for automatic user consent settings. The inboundAllowed and outboundAllowed properties are always `false` and can't be updated in the default configuration. Read-only.
b2bCollaborationInbound	crossTenantAccessPolicyB2BSetting	Defines your default configuration for users from other organizations accessing your resources via Microsoft Entra B2B collaboration.
b2bCollaborationOutbound	crossTenantAccessPolicyB2BSetting	Defines your default configuration for users in your organization going outbound to access resources in another organization via Microsoft Entra B2B collaboration.
b2bDirectConnectInbound	crossTenantAccessPolicyB2BSetting	Defines your default configuration for users from other organizations accessing your resources via Microsoft Entra B2B direct connect.
b2bDirectConnectOutbound	crossTenantAccessPolicyB2BSetting	Defines your default configuration for users in your organization going outbound to access resources in another organization via Microsoft Entra B2B direct connect.
inboundTrust	crossTenantAccessPolicyInboundTrust	Determines the default configuration for trusting other Conditional Access claims from external Microsoft Entra organizations.
invitationRedemptionIdentityProviderConfiguration	defaultInvitationRedemptionIdentityProviderConfiguration	Defines the priority order based on which an identity provider is selected during invitation redemption for a guest user.
isServiceDefault	Boolean	If `true`, the default configuration is set to the system default configuration. If `false`, the default settings are customized.
tenantRestrictions	crossTenantAccessPolicyTenantRestrictions	Defines the default tenant restrictions configuration for users in your organization who access an external organization on your network or devices.

Graph reference: crossTenantAccessPolicyConfigurationPartner

Property	Type	Description
automaticUserConsentSettings	inboundOutboundPolicyConfiguration	Determines the partner-specific configuration for automatic user consent settings. Unless specifically configured, the inboundAllowed and outboundAllowed properties are `null` and inherit from the default settings, which is always `false`.
b2bCollaborationInbound	crossTenantAccessPolicyB2BSetting	Defines your partner-specific configuration for users from other organizations accessing your resources via Microsoft Entra B2B collaboration.
b2bCollaborationOutbound	crossTenantAccessPolicyB2BSetting	Defines your partner-specific configuration for users in your organization going outbound to access resources in another organization via Microsoft Entra B2B collaboration.
b2bDirectConnectInbound	crossTenantAccessPolicyB2BSetting	Defines your partner-specific configuration for users from other organizations accessing your resources via Azure B2B direct connect.
b2bDirectConnectOutbound	crossTenantAccessPolicyB2BSetting	Defines your partner-specific configuration for users in your organization going outbound to access resources in another organization via Microsoft Entra B2B direct connect.
inboundTrust	crossTenantAccessPolicyInboundTrust	Determines the partner-specific configuration for trusting other Conditional Access claims from external Microsoft Entra organizations.
isInMultiTenantOrganization	Boolean	Identifies whether a tenant is a member of a multitenant organization.
isServiceProvider	Boolean	Identifies whether the partner-specific configuration is a Cloud Service Provider for your organization.
tenantId	String	The tenant identifier for the partner Microsoft Entra organization. Read-only. Key.
tenantRestrictions	crossTenantAccessPolicyTenantRestrictions	Defines the partner-specific tenant restrictions configuration for users in your organization who access a partner organization using partner supplied identities on your network or devices.

Graph reference: crossTenantAccessPolicyInboundTrust

Property	Type	Description
isCompliantDeviceAccepted	Boolean	Specifies whether compliant devices from external Microsoft Entra organizations are trusted.
isHybridAzureADJoinedDeviceAccepted	Boolean	Specifies whether Microsoft Entra hybrid joined devices from external Microsoft Entra organizations are trusted.
isMfaAccepted	Boolean	Specifies whether MFA from external Microsoft Entra organizations is trusted.

Graph reference: crossTenantAccessPolicyTenantRestrictions

Property	Type	Description
applications	crossTenantAccessPolicyTargetConfiguration	The list of applications targeted with your cross-tenant access policy. Inherited from crossTenantAccessPolicyB2BSetting.
devices	devicesFilter	Defines the rule for filtering devices and whether devices that satisfy the rule should be allowed or blocked. This property isn't supported on the server side yet.
usersAndGroups	crossTenantAccessPolicyTargetConfiguration	The list of users and groups targeted with your cross-tenant access policy. Inherited from crossTenantAccessPolicyB2BSetting.

Graph reference: crossTenantIdentitySyncPolicyPartner

Property	Type	Description
displayName	String	Display name for the cross-tenant user synchronization policy. Use the name of the partner Microsoft Entra tenant to easily identify the policy. Optional.
tenantId	String	Tenant identifier for the partner Microsoft Entra organization. Read-only.
userSyncInbound	crossTenantUserSyncInbound	Defines whether users can be synchronized from the partner tenant. Key.

Graph reference: crossTenantUserSyncInbound

Property	Type	Description
isSyncAllowed	Boolean	Defines whether user objects should be synchronized from the partner tenant. `false` causes any current user synchronization from the source tenant to the target tenant to stop. This property has no impact on existing users who have already been synchronized.

Graph reference: inboundOutboundPolicyConfiguration

Property	Type	Description
inboundAllowed	Boolean	Defines whether external users coming inbound are allowed.
outboundAllowed	Boolean	Defines whether internal users are allowed to go outbound.

Graph reference: multiTenantOrganizationIdentitySyncPolicyTemplate

Property	Type	Description
id	String	ID of the template. Key.
templateApplicationLevel	templateApplicationLevel	Specifies whether the template will be applied to user synchronization settings of certain tenants. The possible values are: `none`, `newPartners`, `existingPartners`, `unknownFutureValue`. You can also specify multiple values like `newPartners,existingPartners` (default). `none` indicates the template isn't applied to any new or existing partner tenants. `newPartners` indicates the template is applied to new partner tenants. `existingPartners` indicates the template is applied to existing partner tenants, those who already had partner-specific user synchronization settings in place.
userSyncInbound	crossTenantUserSyncInbound	Defines whether users can be synchronized from the partner tenant.

Graph reference: multiTenantOrganizationPartnerConfigurationTemplate

Property	Type	Description
id	String	ID of the template. Key.
automaticUserConsentSettings	inboundOutboundPolicyConfiguration	Determines the partner-specific configuration for automatic user consent settings. Unless configured, the inboundAllowed and outboundAllowed properties are `null` and inherit from the default settings, which is always `false`.
b2bCollaborationInbound	crossTenantAccessPolicyB2BSetting	Defines your partner-specific configuration for users from other organizations accessing your resources via Microsoft Entra B2B collaboration.
b2bCollaborationOutbound	crossTenantAccessPolicyB2BSetting	Defines your partner-specific configuration for users in your organization going outbound to access resources in another organization via Microsoft Entra B2B collaboration.
b2bDirectConnectInbound	crossTenantAccessPolicyB2BSetting	Defines your partner-specific configuration for users from other organizations accessing your resources via Azure B2B direct connect.
b2bDirectConnectOutbound	crossTenantAccessPolicyB2BSetting	Defines your partner-specific configuration for users in your organization going outbound to access resources in another organization via Microsoft Entra B2B direct connect.
inboundTrust	crossTenantAccessPolicyInboundTrust	Determines the partner-specific configuration for trusting other Conditional Access claims from external Microsoft Entra organizations.
templateApplicationLevel	templateApplicationLevel	Specifies whether the template will be applied to partner configuration settings of certain tenants. The possible values are: `none`, `newPartners`, `existingPartners`, `unknownFutureValue`. You can also specify multiple values like `newPartners,existingPartners` (default). `none` indicates the template isn't applied to any new or existing partner tenants. `newPartners` indicates the template is applied to new partner tenants. `existingPartners` indicates the template is applied to existing partner tenants, those who already had partner-specific partner configurations in place.

Table of Contents

Policy.ReadWrite.CrossTenantAccess

Graph Methods

Resources