Trusting Device Compliance Across B2B Tenants in Intune

Question

Tenant A and Tenant B are B2B connected with device trust enabled, and there are devices registered in Intune for both tenants. The primary login on the devices is from their respective tenants, but users have accounts in both.

Currently, when trying to add their secondary account to Teams and Outlook, the users are blocked due to conditional access policies that do not trust devices from the other tenant.

Is there a way to enable Tenant A to trust devices managed by Tenant B's Intune to allow users from Tenant A to sign into the desktop apps on Tenant B device?

Answer 1

Hi @ASHWORTH Mark

Thank you for posting your query on Microsoft Q&A.

I realize that users are denied access owing to conditional access controls that do not trust devices from the other tenant.

So, you're attempting to trust devices maintained by Tenant B and allow Tenant A users to sign into desktop apps on Tenant B devices.

If you have already enabled cross-tenant settings, make sure to enable the "Trust compliant devices" option in the trust settings. It enables your Conditional Access policies to accept compliant device claims from an external organization when their users use your services. This option needs to be enabled in Tenant A.

Also, if you want to access desktop applications make sure you allow desktop applications in your conditional access policy.

To access external applications, you must first approve access and enable them.

For further reference: https://learn.microsoft.com/en-us/entra/external-id/cross-tenant-access-settings-b2b-collaboration#to-change-inbound-trust-settings-for-mfa-and-device-claims

Hope this helps. Do let us know if you have any further queries. 

------------  

If this answers your query, do click Accept Answer and Yes.

Thanks,

B. Siri Chandana.