
Teams Cross-Tenant Collaboration with Vendors & Partners Prompt

Set up secure, audited cross-tenant collaboration in Microsoft Teams with vendors and partners — B2B vs Shared Channels, conditional access, DLP, and offboarding.

Target user: IT / security teams managing external collaboration in regulated environments
Difficulty: Advanced
Tools: Claude, ChatGPT

The prompt

You are a senior IT architect who has implemented vendor collaboration via Teams Shared Channels (Microsoft Teams Connect) and B2B guest access in regulated tenants.

I will provide:
- Tenant configuration (Entra cross-tenant access settings, current B2B policies)
- Vendor / partner list with collaboration intensity
- Compliance regime
- DLP capabilities
- Existing offboarding gaps

Your job:

1. **Three collaboration modes** — pick the right tool:
   - **B2B Guest Access** — external user added as guest to your team; uses your Teams; identity is from their home tenant
   - **Shared Channels (Microsoft Teams Connect)** — channels span tenants; users stay in their home tenant; cleanest for ongoing collaboration with a single partner
   - **Org-wide Cross-Tenant Sync** — full identity sync; rare; for M&A or close subsidiaries

   Recommend Shared Channels for vendor support relationships, B2B for ad-hoc contractors, Cross-Tenant Sync only for tightly-coupled orgs.

2. **Cross-Tenant Access Settings** (Entra ID — Identity → External identities):
   - **Default**: block all external collaboration (zero-trust posture)
   - **Per-partner allow**: per-tenant override allowing B2B + Connect
   - **Inbound trust settings**: trust MFA / device compliance claims from partner's tenant
   - **Outbound settings**: control which users in your tenant can collaborate externally

3. **Per-partner registry** — maintain a list:
   - Partner tenant domain + tenant ID
   - Sponsor internal employee (the "owner")
   - Collaboration type (B2B / Connect / both)
   - Signed agreement reference (NDA, MSA)
   - Sensitivity classification (public / confidential / restricted — see [Teams Incident Channel Compliance](../teams-incident-channel-compliance/))
   - Last reviewed date
   - Expiry date

4. **Conditional Access for external users**:
   - Require MFA for external users through your tenant's CA policy
   - Optionally require compliant device (some scenarios)
   - Block from unsanctioned partner tenants
   - Session lifetime tighter for external (e.g. 4h vs 8h for internal)

5. **DLP for cross-tenant**:
   - Outbound DLP — block sending sensitive files to specific external tenants
   - Sensitivity-label enforcement — files labeled "Confidential — Internal" cannot leave the tenant
   - Communication compliance — scan external chats for policy violations

6. **Shared Channels specific**:
   - The partner needs Teams Connect enabled in their tenant
   - Channel exists in both tenants but the data lives in the host tenant's SharePoint
   - eDiscovery applies to the host tenant's copy
   - Channel sensitivity label is set by the host

7. **Offboarding workflow** when relationship ends:
   - Sponsor or IT initiates "decouple"
   - Inventory all teams + channels + guests + Shared Channels with partner
   - Export channel history (both sides should export)
   - Disable shared channels (becomes single-tenant for host)
   - Remove B2B guest accounts (or move to disabled state for retention)
   - Audit log of decoupling event

8. **Sponsor change** — when internal sponsor leaves:
   - Manager assigns new sponsor or initiates offboarding
   - Quarterly review of all external partnerships

9. **Anti-patterns to avoid**:
   - "Allow all external" Entra setting
   - Guest accounts that never expire
   - No DLP on outbound to external
   - Sponsor leaves and nobody cleans up the partnership
   - Shared channels without sensitivity labels

10. **Audit & evidence** — for auditors:
   - Per-partner activity logs
   - DLP incidents for cross-tenant
   - Quarterly review evidence (who's still active vs dormant)
   - Conditional Access policy coverage proof

Output as: (a) decision matrix (B2B vs Connect vs Cross-Tenant Sync), (b) Entra cross-tenant policy spec, (c) per-partner registry schema, (d) CA policy additions for external, (e) DLP rule additions, (f) offboarding workflow, (g) sponsor-rotation workflow, (h) auditor evidence pack.

Bias toward: default-deny external, sponsor accountability, audit every cross-tenant action, plan offboarding from day 1.
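
A check of the per-partner registry from item 3 against the expiry, sponsor and quarterly-review rules in items 7 to 9, as an added example that is not part of the original prompt. The `Partner` schema, the finding names, the 90-day review interval and the sample entries are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

REVIEW_INTERVAL = timedelta(days=90)  # assumption: "quarterly" read as 90 days
COLLAB_TYPES = {"B2B", "Connect", "both"}
SENSITIVITY = {"public", "confidential", "restricted"}

@dataclass
class Partner:  # hypothetical schema mirroring the registry fields in item 3
    domain: str
    tenant_id: str
    sponsor: str
    collab_type: str
    agreement_ref: str
    sensitivity: str
    last_reviewed: date
    expiry: Optional[date]

def audit(partners, active_employees, today):
    """Return {domain: [findings]} for entries needing sponsor or IT action."""
    report = {}
    for p in partners:
        f = []
        if p.sponsor not in active_employees:
            f.append("sponsor-departed")
        if p.collab_type not in COLLAB_TYPES or p.sensitivity not in SENSITIVITY:
            f.append("invalid-classification")
        if not p.agreement_ref.strip():
            f.append("no-signed-agreement")
        if p.expiry is None:
            f.append("never-expires")
        elif p.expiry <= today:
            f.append("expired-start-offboarding")
        if today - p.last_reviewed > REVIEW_INTERVAL:
            f.append("review-overdue")
        if f:
            report[p.domain] = f
    return report

# Constructed sample registry; domains, tenant IDs and references are placeholders.
TODAY, STAFF = date(2025, 6, 30), {"alice", "bob"}
REGISTRY = [
    Partner("vendor-a.example", "00000000-0000-0000-0000-00000000000a", "alice",
            "Connect", "MSA-PLACEHOLDER-1", "confidential", date(2025, 5, 1), date(2026, 1, 1)),
    Partner("vendor-b.example", "00000000-0000-0000-0000-00000000000b", "carol",
            "B2B", "", "restricted", date(2024, 12, 1), None),
    Partner("vendor-c.example", "00000000-0000-0000-0000-00000000000c", "bob",
            "both", "NDA-PLACEHOLDER-3", "public", date(2025, 6, 1), date(2025, 6, 1)),
]
```

Calling `audit(REGISTRY, STAFF, TODAY)` returns only the entries that need action, which can be filed as quarterly review evidence.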