
SSO: B2B approach for Customer Entra ID as IdP for Entra External Id with self-sign-up user configuration

Ziggy Moscipan 0 Reputation points
2026-04-13T14:14:32.93+00:00

Hello,

We are trying to finalize our question in:

https://learn.microsoft.com/en-us/answers/questions/5855639/sso-customer-entra-id-as-idp-for-entra-external-id

...Here is our configuration:

  1. TenantA (Workforce tenant) - Customer Entra ID workforce tenant serving as IdP for their users
  2. TenantB (External tenant) - Our web-facing application in the latest Entra External ID (CIAM)    (This is NOT an old Azure B2C)
  3. We need SSO. Sign-in: if Customer TenantA - use IdP TenantA flow; else - use Web user...

Since OIDC and SAML are confirmed as not implemented for our case (see the answer at the link, contrary to what Q&A Assist claims), we are considering the B2B approach. However, we simply don't have the menu on our tenant portal necessary to configure the Entra External ID 'Tenant Cross-tenant access settings' (see the last message at the link).

The question is what we are missing; is this possible at all for our tenant setup?

Microsoft Security | Active Directory Federation Services

2 answers

  1. Danstan Onyango 3,996 Reputation points Microsoft Employee
    2026-04-14T11:06:01.3633333+00:00

    Looking at the previous question and this one, it seems you are trying to have SSO into an app that is in a CIAM tenant such that external users self-register to access the app and Workforce Entra ID users also have the same.

    Since CIAM tenants don't have B2B, the only way to use B2B is to have the resources that need to be accessed sit in the Workforce tenant, then give the external users access via B2B: https://learn.microsoft.com/en-us/entra/external-id/self-service-sign-up-user-flow. Self-service B2B with access packages etc. can make it work.

    If B2B access for external users with resources on the workforce tenant won't work, the only option you have left is to allow OIDC/SAML SSO for the workforce tenant into the External ID tenant, so that Entra ID users will SSO and external users will self-sign-up and still have SSO.


  2. Q&A Assist
    2026-04-13T14:15:01.4766667+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist.

    For the described setup, B2B-based SSO between a customer workforce tenant (TenantA) and an External ID CIAM tenant (TenantB) is supported in principle, but it uses different configuration paths depending on the tenant type and scenario.

    Key points from the provided context:

    1. Tenant types and configurations
      • A workforce tenant is for employees and internal resources; it supports B2B collaboration and cross-tenant access settings for business partners and guests.
      • An external tenant is for External ID (CIAM) scenarios where apps are published to consumers or business customers.
      • External ID in an external tenant is focused on CIAM (customers) and uses user flows and external IdPs (including Microsoft Entra ID) for sign-in.
      Reference: Workforce vs external tenant configurations and B2B collaboration in workforce tenants.
    2. How B2B collaboration works for business guests
      • B2B collaboration is a workforce-tenant feature that lets employees collaborate with external business partners and guests.
      • Guest users are created in the same directory as employees and can be invited or onboarded via:
        • Direct invitations from the Microsoft Entra admin center or PowerShell.
        • Self-service sign-up user flows.
        • Entitlement Management access packages.
      • Cross-tenant access settings are used to manage collaboration with other Microsoft Entra organizations and across clouds.
      Reference: B2B collaboration overview and “Collaborate with business guests”.
    3. Using Microsoft Entra accounts as IdP in B2B self-service sign-up
      • Microsoft Entra work/school accounts are available as an identity provider option for B2B collaboration by default.
      • For B2B self-service sign-up user flows:
        • Microsoft Entra account can be selected as an identity provider.
        • Users from another Entra tenant (such as TenantA) can sign up/sign in using their existing Entra accounts.
      • No extra configuration is required beyond enabling self-service sign-up and configuring the user flow.
      Reference: “Use Microsoft Entra work and school accounts for B2B collaboration” and “Microsoft Entra account in self-service sign-up user flows”.
    4. Self-service sign-up enablement
      • To use self-service sign-up user flows in a workforce tenant:
        1. Sign in to the Microsoft Entra admin center as at least User Administrator.
        2. Go to Entra ID > External Identities > External collaboration settings.
        3. Set Enable guest self-service sign up via user flows to Yes.
      • Once enabled, user flows can be associated with applications.
      Reference: “Enable self-service sign-up for your tenant”.
    5. External ID (CIAM) user flows and Entra ID as IdP
      • In an external tenant (CIAM), user flows define sign-in methods and external identity providers, including:
        • Email/password, one-time passcodes.
        • Social IdPs (Google, Facebook, Apple).
        • Microsoft Entra ID federation.
        • Custom OIDC IdPs.
      • Microsoft Entra ID federation is explicitly listed as a supported IdP type for CIAM user flows.
      Reference: “Design user flows for self-service sign-up” for customers.
    6. Isolated access for business partners
      • For business partners, Microsoft Entra External ID supports:
        • Business partners from organizations that have Microsoft Entra or SAML/WS-Fed IdPs.
        • Onboarding via Entitlement Management, self-service sign-up, or invitations.
      • Cross-tenant synchronization and cross-tenant access settings are mentioned for multi-tenant/workforce scenarios.
      Reference: “Isolated access for business partners”.

    Putting this together for the question:

    • B2B collaboration and cross-tenant access settings are features of workforce tenants. The “Cross-tenant access settings” menu is associated with managing collaboration between workforce tenants.
    • An external (CIAM) tenant is configured differently and focuses on user flows and external IdPs (including Microsoft Entra ID federation) rather than the workforce-style cross-tenant access settings UI.
    • For the scenario “TenantA (workforce) as IdP, TenantB (External ID CIAM) hosting the app” with SSO:
      • The supported pattern in the provided context is to treat TenantA’s Entra accounts as an external identity provider for TenantB’s External ID user flows (Microsoft Entra ID federation), not via the workforce B2B cross-tenant access settings UI.
      • In CIAM, this is done by configuring a user flow in TenantB and adding Microsoft Entra ID as an external IdP option, then directing users to that user flow for sign-in.

    Regarding the missing “Cross-tenant access settings” menu:

    • The context indicates cross-tenant access settings are used in workforce tenants for B2B collaboration between Entra organizations.
    • An external tenant used purely for External ID (CIAM) will not be managed the same way and may not expose the same cross-tenant access settings UI as a workforce tenant.
    • For CIAM, the documented and supported approach is to use user flows and configure Microsoft Entra ID federation as an external IdP, rather than relying on the workforce B2B cross-tenant access settings.

    Therefore, for the described tenant setup:

    • B2B-style SSO is possible, but not via the workforce “Cross-tenant access settings” menu in the external (CIAM) tenant.
    • The supported approach in the provided documentation is:
      1. Ensure TenantB is configured as an external tenant for External ID (CIAM).
      2. In TenantB, create a sign-up/sign-in user flow for the application.
      3. Configure Microsoft Entra ID federation in that user flow so users from TenantA can sign in with their Entra accounts.
      4. Use that user flow endpoint for the application’s sign-in, giving SSO for TenantA users via their home Entra tenant.

    If cross-tenant access settings are required (for example, to treat TenantB also as a workforce tenant with classic B2B collaboration), then TenantB would need to be a workforce tenant or have workforce configuration; this is distinct from the external CIAM configuration described in the context.


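The four-step approach in the answer above ends with "use that user flow endpoint for the application's sign-in". What the relying party (the app in TenantB) has to do at that endpoint is ordinary OIDC: send the browser to TenantB's authorize endpoint with PKCE, state and nonce, then validate the returned ID token's signature, issuer, audience, expiry and nonce before trusting the sign-in. The following is an added example of that relying-party side, not code from the thread or from Microsoft. It assumes the External ID tenant's authority has the `https://<subdomain>.ciamlogin.com/<tenant-id>` shape; all tenant ids, the client id and the redirect URI are placeholders. HS256 with a shared key is used only so the example runs offline; real Microsoft Entra tokens are RS256 and must be verified against the tenant's published JWKS (the `jwks_uri` from OIDC discovery), which a library such as MSAL does for you.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional
from urllib.parse import urlencode

# Placeholder values (assumptions for this example, not taken from the thread).
TENANT_B_SUBDOMAIN = "tenantb"                        # External ID (CIAM) tenant subdomain
TENANT_B_ID = "00000000-0000-0000-0000-00000000000b"  # External ID tenant id (placeholder)
CLIENT_ID = "11111111-1111-1111-1111-111111111111"    # app registration in TenantB (placeholder)
REDIRECT_URI = "https://app.example.invalid/auth/callback"

# Assumed authority shape for an External ID tenant; the issuer in ID tokens is <authority>/v2.0.
AUTHORITY = f"https://{TENANT_B_SUBDOMAIN}.ciamlogin.com/{TENANT_B_ID}"
EXPECTED_ISSUER = f"{AUTHORITY}/v2.0"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def new_pkce_pair() -> tuple:
    """Return (code_verifier, code_challenge) per RFC 7636, S256 method."""
    verifier = _b64url(secrets.token_bytes(32))
    challenge = _b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return verifier, challenge


def build_authorize_url(state: str, nonce: str, code_challenge: str) -> str:
    """Authorization request that sends the browser to TenantB's user flow.
    state binds the callback to this browser session; nonce is echoed in the ID token."""
    params = {
        "client_id": CLIENT_ID,
        "response_type": "code",
        "redirect_uri": REDIRECT_URI,
        "scope": "openid profile email",
        "state": state,
        "nonce": nonce,
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    return f"{AUTHORITY}/oauth2/v2.0/authorize?{urlencode(params)}"


def validate_id_token(token: str, key: bytes, expected_nonce: str,
                      now: Optional[int] = None) -> dict:
    """Verify the signature and the claims a relying party must check: iss, aud, exp, nonce.
    Raises ValueError on any failure; returns the claims only when every check passes."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":          # pin the algorithm; never trust alg from the token alone
        raise ValueError("unexpected alg")
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    expected_sig = hmac.new(key, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != EXPECTED_ISSUER:
        raise ValueError("issuer is not TenantB's user-flow authority")
    if claims.get("aud") != CLIENT_ID:
        raise ValueError("token was not issued for this application")
    if int(claims.get("exp", 0)) <= now:
        raise ValueError("token expired")
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch (possible replay)")
    return claims


def make_test_token(claims: dict, key: bytes) -> str:
    """Constructed HS256 token for offline testing only (stand-in for Entra's RS256 tokens)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode("utf-8"))
    payload = _b64url(json.dumps(claims).encode("utf-8"))
    sig = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


if __name__ == "__main__":
    verifier, challenge = new_pkce_pair()
    print(build_authorize_url(secrets.token_urlsafe(16), secrets.token_urlsafe(16), challenge))
```

The issuer check is the security-relevant line for this thread: a token whose `iss` is not TenantB's own authority, whatever tenant federated the user in, must be rejected, because the app trusts TenantB's user flow, not arbitrary Entra tenants directly. Which home tenant a federated user came from is a separate question that the thread does not settle, so this example deliberately does not key any decision on it.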
