Commit 1a5b0be

Merge pull request #204786 from msmimart/mm-tenant-restrict-v2
[EXID] Tenant restrictions V2 documentation - cross-tenant access settings
2 parents c7f5a6b + 7af9622 commit 1a5b0be

31 files changed

+479
-2
lines changed

articles/active-directory/external-identities/b2b-fundamentals.md

Lines changed: 2 additions & 1 deletion
@@ -6,7 +6,7 @@ services: active-directory
66
ms.service: active-directory
77
ms.subservice: B2B
88
ms.topic: conceptual
9-
ms.date: 08/30/2022
9+
ms.date: 05/17/2023
1010
ms.author: cmulligan
1111
author: csmulligan
1212
manager: celestedg
@@ -26,6 +26,7 @@ This article contains recommendations and best practices for business-to-busines
2626
| --- | --- |
2727
| Consult Azure AD guidance for securing your collaboration with external partners | Learn how to take a holistic governance approach to your organization's collaboration with external partners by following the recommendations in [Securing external collaboration in Azure Active Directory and Microsoft 365](../fundamentals/secure-external-access-resources.md). |
2828
| Carefully plan your cross-tenant access and external collaboration settings | Azure AD gives you a flexible set of controls for managing collaboration with external users and organizations. You can allow or block all collaboration, or configure collaboration only for specific organizations, users, and apps. Before configuring settings for cross-tenant access and external collaboration, take a careful inventory of the organizations you work and partner with. Then determine if you want to enable [B2B direct connect](b2b-direct-connect-overview.md) or [B2B collaboration](what-is-b2b.md) with other Azure AD tenants, and how you want to manage [B2B collaboration invitations](external-collaboration-settings-configure.md). |
29+
| Use tenant restrictions to control how external accounts are used on your networks and managed devices. | With tenant restrictions, you can prevent your users from using accounts they've created in unknown tenants or accounts they've received from external organizations. We recommend you disallow these accounts and use B2B collaboration instead. |
2930
| For an optimal sign-in experience, federate with identity providers | Whenever possible, federate directly with identity providers to allow invited users to sign in to your shared apps and resources without having to create Microsoft Accounts (MSAs) or Azure AD accounts. You can use the [Google federation feature](google-federation.md) to allow B2B guest users to sign in with their Google accounts. Or, you can use the [SAML/WS-Fed identity provider (preview) feature](direct-federation.md) to set up federation with any organization whose identity provider (IdP) supports the SAML 2.0 or WS-Fed protocol. |
3031
| Use the Email one-time passcode feature for B2B guests who can’t authenticate by other means | The [Email one-time passcode](one-time-passcode.md) feature authenticates B2B guest users when they can't be authenticated through other means like Azure AD, a Microsoft account (MSA), or Google federation. When the guest user redeems an invitation or accesses a shared resource, they can request a temporary code, which is sent to their email address. Then they enter this code to continue signing in. |
3132
| Add company branding to your sign-in page | You can customize your sign-in page so it's more intuitive for your B2B guest users. See how to [add company branding to sign in and Access Panel pages](../fundamentals/customize-branding.md). |

articles/active-directory/external-identities/cross-tenant-access-overview.md

Lines changed: 17 additions & 1 deletion
@@ -5,7 +5,7 @@ services: active-directory
55
ms.service: active-directory
66
ms.subservice: B2B
77
ms.topic: how-to
8-
ms.date: 05/05/2023
8+
ms.date: 05/17/2023
99

1010
ms.author: cmulligan
1111
author: csmulligan
@@ -77,6 +77,22 @@ For more information, see [Configure cross-tenant synchronization](../multi-tena
7777

7878
To configure this setting using Microsoft Graph, see the [Update crossTenantIdentitySyncPolicyPartner](/graph/api/crosstenantidentitysyncpolicypartner-update) API. For more information, see [Configure cross-tenant synchronization](../multi-tenant-organizations/cross-tenant-synchronization-configure.md).
7979

80+
## Tenant restrictions
81+
82+
With **Tenant Restrictions** settings, you can control the types of external accounts your users can use on the devices you manage, including:
83+
84+
- Accounts your users have created in unknown tenants.
85+
- Accounts that external organizations have given to your users so they can access that organization's resources.
86+
87+
We recommend configuring your tenant restrictions to disallow these types of external accounts and use B2B collaboration instead. B2B collaboration gives you the ability to:
88+
89+
- Use Conditional Access and force multi-factor authentication for B2B collaboration users.
90+
- Manage inbound and outbound access.
91+
- Terminate sessions and credentials when a B2B collaboration user's employment status changes or their credentials are breached.
92+
- Use sign-in logs to view details about the B2B collaboration user.
93+
94+
Tenant restrictions are independent of other cross-tenant access settings, so any inbound, outbound, or trust settings you've configured won't impact tenant restrictions. For details about configuring tenant restrictions, see [Set up tenant restrictions V2](tenant-restrictions-v2.md).
95+
8096
## Microsoft cloud settings
8197

8298
Microsoft cloud settings let you collaborate with organizations from different Microsoft Azure clouds. With Microsoft cloud settings, you can establish mutual B2B collaboration between the following clouds:
[Binary image files changed in this commit, not rendered: 23.9 KB, 16.4 KB, 20.8 KB, 122 KB, 163 KB, 158 KB, 255 KB, 22.3 KB]
