Commit 68df140

Merge pull request #247353 from csmulligan/csmulligan-b2b-xtap2-im2
[B2B] XTAP+IM integration update 2 (ADO-96571)
2 parents f26712e + 262cf20 commit 68df140

3 files changed: +10 -4 lines changed

articles/active-directory/external-identities/allow-deny-list.md

Lines changed: 2 additions & 1 deletion
@@ -7,7 +7,7 @@ services: active-directory
77
ms.service: active-directory
88
ms.subservice: B2B
99
ms.topic: how-to
10-
ms.date: 04/17/2023
10+
ms.date: 08/04/2023
1111

1212
ms.author: mimart
1313
author: msmimart
@@ -32,6 +32,7 @@ This article discusses two ways to configure an allow or blocklist for B2B colla
3232
- The number of domains you can add to an allowlist or blocklist is limited only by the size of the policy. This limit applies to the number of characters, so you can have a greater number of shorter domains or fewer longer domains. The maximum size of the entire policy is 25 KB (25,000 characters), which includes the allowlist or blocklist and any other parameters configured for other features.
3333
- This list works independently from OneDrive for Business and SharePoint Online allow/block lists. If you want to restrict individual file sharing in SharePoint Online, you need to set up an allow or blocklist for OneDrive for Business and SharePoint Online. For more information, see [Restricted domains sharing in SharePoint Online and OneDrive for Business](https://support.office.com/article/restricted-domains-sharing-in-sharepoint-online-and-onedrive-for-business-5d7589cd-0997-4a00-a2ba-2320ec49c4e9).
3434
- The list doesn't apply to external users who have already redeemed the invitation. The list will be enforced after the list is set up. If a user invitation is in a pending state, and you set a policy that blocks their domain, the user's attempt to redeem the invitation will fail.
35+
- Both allow/block list and cross-tenant access settings are checked at the time of invitation.
3536

3637
## Set the allow or blocklist policy in the portal
3738
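Review bot: The new bullet on line 35 says both controls are checked at the time of invitation but not how they combine, and it directly follows the bullet stating that a blocked domain makes redemption of a pending invitation fail, so a reader cannot tell whether the list is evaluated at invitation, at redemption, or both. Suggest carrying over the precedence wording that this same commit adds to cross-tenant-access-settings-b2b-collaboration.md, or linking to it from here, and stating whether the redemption-time behaviour described in the previous bullet is unchanged.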

articles/active-directory/external-identities/cross-tenant-access-settings-b2b-collaboration.md

Lines changed: 2 additions & 1 deletion
@@ -5,7 +5,7 @@ services: active-directory
55
ms.service: active-directory
66
ms.subservice: B2B
77
ms.topic: how-to
8-
ms.date: 05/31/2023
8+
ms.date: 08/04/2023
99

1010
ms.author: mimart
1111
author: msmimart
@@ -29,6 +29,7 @@ Use External Identities cross-tenant access settings to manage how you collabora
2929
- Identify any Azure AD organizations that will need customized settings so you can configure **Organizational settings** for them.
3030
- If you want to apply access settings to specific users, groups, or applications in an external organization, you'll need to contact the organization for information before configuring your settings. Obtain their user object IDs, group object IDs, or application IDs (*client app IDs* or *resource app IDs*) so you can target your settings correctly.
3131
- If you want to set up B2B collaboration with a partner organization in an external Microsoft Azure cloud, follow the steps in [Configure Microsoft cloud settings](cross-cloud-settings.md). An admin in the partner organization will need to do the same for your tenant.
32+
- Both allow/block list and cross-tenant access settings are checked at the time of invitation. If a user's domain is on the allow list, they can be invited, unless the domain is explicitly blocked in the cross-tenant access settings. If a user's domain is on the deny list, they can't be invited regardless of the cross-tenant access settings. If a user is not on either list, we check the cross-tenant access settings to determine whether they can be invited.
3233

3334
## Configure default settings
3435
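Review bot: The third case in the new bullet on line 32 reads "If a user is not on either list", but the lists hold domains and the first two cases are phrased as "a user's domain"; make it "If a user's domain is not on either list". The bullet also says "allow list" and "deny list" where allow-deny-list.md in this commit says "allowlist" and "blocklist", and it switches to "we check" in the last sentence; aligning the terms and linking to allow-deny-list.md would show readers where the list is configured. Because this sentence defines which control wins, a short table of the three cases would be easier to audit than one long bullet.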

articles/active-directory/external-identities/troubleshoot.md

Lines changed: 6 additions & 2 deletions
@@ -122,7 +122,7 @@ External users can be added only to “assigned” or “Security” groups and
122122

123123
## My external user didn't receive an email to redeem
124124

125-
The invitee should check with their ISP or spam filter to ensure that the following address is allowed: [email protected]
125+
The invitee should check with their ISP or spam filter to ensure that the following address is allowed: [email protected].
126126

127127
> [!NOTE]
128128
>
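Review bot: On line 125 the added period now sits directly against the address, so a reader who copies the address into a spam-filter or ISP allow rule can pick up the trailing "." and end up with an entry that never matches. Suggest formatting the address as inline code or rewording the sentence so it does not end on the address.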
@@ -198,7 +198,11 @@ Let's say you inadvertently invite a guest user with an email address that match
198198

199199
## External access blocked by policy error on the login screen
200200

201-
When you try to login to your tenant, you might see this error message: "Your network administrator has restricted what organizations can be accessed. Contact your IT department to unblock access." This error is related to tenant restriction settings. To resolve this issue, ask your IT team to follow the instructions in [this article](/azure/active-directory/manage-apps/tenant-restrictions).
201+
When you try to login to your tenant, you might see this error message: "Your network administrator has restricted what organizations can be accessed. Contact your IT department to unblock access." This error is related to tenant restriction settings. To resolve this issue, ask your IT team to follow the instructions in [this article](/azure/active-directory/manage-apps/tenant-restrictions).
202+
203+
## Invitation is blocked due missing cross-tenant access settings
204+
205+
You might see this message: "This invitation is blocked by cross-tenant access settings in your organization. Your administrator must configure cross-tenant access settings to allow this invitation." In this case, ask your administrator to check the cross-tenant access settings.
202206

203207
## Next steps
204208
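Review bot: The new heading on line 203 is missing a word: "blocked due missing" should be "blocked due to missing". The body on line 205 tells the reader to ask the administrator to check the cross-tenant access settings but, unlike the section above it, gives no link; pointing to cross-tenant-access-settings-b2b-collaboration.md would tell the administrator where to look. Line 201 is also marked as changed with no visible difference in the text, which looks like a whitespace-only edit worth confirming.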
