September 7: Simple, Reliable Cross-Cloud Teams Collab in GCC High

“Less but better”

Dieter Rams

Two years out of Microsoft, I’m more convinced than ever of the power of simple, coherent design. Cross-cloud collaboration between Commercial and GCC High offers many paths, but, in my experience, only one is worth your time — and even that path is strewn with small but critical quirks. I’ve shared some of these in presales conversations, and, more than once, these tips alone solved a client’s problem without the need for an engagement. If this post helps you avoid unnecessary pain, it has served its purpose.

This post focuses on cross-cloud Teams collaboration via B2B, building on last year’s post about securing organizations that span Microsoft’s Commercial and GCC High clouds. Here’s what works smoothly once everything’s set up correctly:

  • Global Address List (GAL) allows people to find each other for emailing
  • People Picker in Teams allows people to find each other for chatting
  • Share Dialog in SharePoint allows people to find each other for document sharing

To B2B or not to B2B?

This post covers cross-cloud Teams collaboration with Entra B2B and organizational accounts as the most reliable, manageable, and broadly supported method of external collaboration. However, the cross-tenant collaboration methods listed below do offer the benefits of either not creating broad guest access in your tenant or not relying on external users having organizational accounts. Future posts may delve into when to use these approaches and the nuances of using them for cross-cloud collaboration.

  • Entra B2B with Microsoft Account (MSA) or One-Time Passcode (OTP)
  • Anonymous (Anyone) Links
  • Specific People (Secure Links)
  • Teams Federation
  • Teams Cross Cloud Authenticated Meeting Join
  • Teams Shared Channels (not supported in GCC High)

Required Configuration

These settings enable cross-cloud guests in both tenants. Some clients prefer to allow only GCC High guests in their Commercial tenant and not vice versa.

Supported Apps: Teams (chats, meetings, calling, file sharing), SharePoint, OneDrive, Power BI (with limitations), third-party Entra-integrated apps

Not Supported: Planner, Stream, Yammer, Viva Engage, some Exchange/Outlook features

License Requirements: Entra ID P1/P2 (or Microsoft 365 E3/E5)

Entra ID Cross-Tenant Access Settings

In both tenants (Commercial and GCC High):

  • Go to Microsoft Entra Admin Center → External Identities → Cross-tenant access settings.
    • Under Organizational Settings → Add organization
      • Under Inbound access:
        • Allow B2B collaboration.
      • Under Outbound access:
        • Allow B2B collaboration.
    • Under Microsoft cloud settings
      • In Commercial: check Microsoft Azure Government
      • In GCC High: check Microsoft Azure Commercial

Teams-Specific Settings

In Teams Admin Center → External Access:

  • Add the other tenant’s domain (e.g., contoso.com) to the allowed domains list.
  • Ensure Teams and Skype for Business users in external organizations are allowed to communicate.

In Teams Admin Center → Guest Access:

  • Turn on Guest access and allow required features (chat, calls, file sharing).

Recommended Configuration

These additional settings simplify your end-user experience and strengthen your security posture.

Entra ID Cross-Tenant Access Settings

In both tenants (Commercial and GCC High):

  • Go to Microsoft Entra Admin Center → External Identities → Cross-tenant access settings.
    • Under Organizational Settings → [your tenant in the other cloud]
      • Under Inbound access | Trust Settings:
        • Trust multifactor authentication from Microsoft Entra tenants (this prevents users from needing to re-register MFA in your tenant)
        • Trust compliant devices (if you manage device compliance in the other cloud tenant)
        • Trust Microsoft Entra hybrid joined devices (if you manage Microsoft Entra hybrid joined devices in the other cloud tenant)
        • Automatically redeem invitations with the tenant [your tenant in the other cloud]
      • Under Outbound access | Trust Settings:
        • Automatically redeem invitations with the tenant [your tenant in the other cloud]
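
To check each tenant against the required and recommended cross-tenant settings above, here is an added example (not code from this post or from Microsoft) that audits one partner entry shaped like the Microsoft Graph crossTenantAccessPolicyConfigurationPartner resource. The sample data is constructed, and the example assumes that a partner property left null inherits the tenant default.

```python
# Added example: audit one cross-tenant partner entry against this post's settings.

def _effective(partner, default, key):
    """Assumption: a partner property left null inherits the tenant default."""
    value = partner.get(key)
    return value if value is not None else (default.get(key) or {})

def _b2b_allowed(setting):
    parts = (setting.get("usersAndGroups"), setting.get("applications"))
    return all(p and p.get("accessType") == "allowed" for p in parts)

def audit_partner(partner, default):
    """Return (level, message) findings; an empty list means fully aligned."""
    findings = []
    for key, label in (("b2bCollaborationInbound", "Inbound"),
                       ("b2bCollaborationOutbound", "Outbound")):
        if not _b2b_allowed(_effective(partner, default, key)):
            findings.append(("required", f"{label} B2B collaboration is not allowed"))
    trust = _effective(partner, default, "inboundTrust")
    if not trust.get("isMfaAccepted"):
        findings.append(("recommended", "Inbound MFA trust is off; guests re-register MFA"))
    # Device trust only applies if you manage those devices in the other tenant.
    for field, label in (("isCompliantDeviceAccepted", "compliant devices"),
                         ("isHybridAzureADJoinedDeviceAccepted", "hybrid joined devices")):
        if not trust.get(field):
            findings.append(("optional", f"Inbound trust for {label} is off"))
    consent = _effective(partner, default, "automaticUserConsentSettings")
    for field, label in (("inboundAllowed", "inbound"), ("outboundAllowed", "outbound")):
        if not consent.get(field):
            findings.append(("recommended", f"Automatic redemption ({label}) is off"))
    return findings

# Constructed sample data (not from a real tenant); the tenant ID is a placeholder.
ALLOW = {"usersAndGroups": {"accessType": "allowed"},
         "applications": {"accessType": "allowed"}}
NO_TRUST = {"isMfaAccepted": False, "isCompliantDeviceAccepted": False,
            "isHybridAzureADJoinedDeviceAccepted": False}
DEFAULT = {"b2bCollaborationInbound": ALLOW, "b2bCollaborationOutbound": ALLOW,
           "inboundTrust": NO_TRUST,
           "automaticUserConsentSettings": {"inboundAllowed": False, "outboundAllowed": False}}
PARTNER = {"tenantId": "00000000-0000-0000-0000-000000000000",
           "b2bCollaborationInbound": None,  # inherits DEFAULT
           "b2bCollaborationOutbound": {"usersAndGroups": {"accessType": "blocked"},
                                        "applications": {"accessType": "allowed"}},
           "inboundTrust": dict(NO_TRUST, isMfaAccepted=True),
           "automaticUserConsentSettings": {"inboundAllowed": True, "outboundAllowed": None}}

if __name__ == "__main__":
    for level, message in audit_partner(PARTNER, DEFAULT):
        print(f"[{level}] {message}")
```

Run the same audit in both tenants: each tenant holds its own partner entry for the other cloud, and the two can drift independently.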

Guest Creation

Invitation and Invitation Acceptance

You must invite the guest from the other tenant, and the guest must accept the invitation. The need for guest acceptance can be bypassed with the Automatically redeem invitations setting mentioned in the previous section.

Usage location

Be sure to set the Usage location attribute when creating the user. Some Microsoft 365 features won’t work without a valid usage location.

Guest vs. Member

The external user must be a Guest user type, not a Member user type, for external access in Teams to work.

Add the Guest to a Team

The external Guest user must be added to a Team to complete the required Teams initialization.

Tenant Switching

You should be able to switch back and forth between your Commercial Teams web app and GCC High Teams web app.

In GCC High Teams, you can tenant-switch to your Commercial tenant, which will open a new tab and navigate to https://teams.microsoft.com/v2/.

In Commercial Teams, you can tenant-switch to the GCC High tenant, which will open a new tab and navigate to the GCC High version of Teams. However, I have seen it take several hours for that option to appear in the web app. If there is no tenant-switch option, you must navigate to https://gov.teams.microsoft.us/v2 yourself. If you go there directly, though, you may encounter a “[your domain] isn’t in our system. Make sure you typed it correctly.” error message. You can work around this error by using the link that was sent to you when your account was added to the GCC High Team.

Clean Testing: User Removal, Signing Out of Existing Browser Tab Sessions

If you are like me, you have lingering external users or browser tabs from previous cross-cloud Teams chat testing. These browser tabs may receive messages but fail to send them, showing “Failed to send” errors. Do yourself a favor before testing: sign out of these browser tabs and remove previous external users from Teams, Entra, and the deleted users list. Even after doing all this, you may see multiple identical entries in your Teams picker when adding the external user to a Team. One of them (usually the one further down the list) should work.

Automating Guest Creation

Now that you have users able to find and communicate with each other across your Commercial and GCC High tenants, you may want to automate the process. There are three approaches you can take.

Approach 1: Guest By Request

Some organizations are content to allow users to request access via My Access and use Entitlement Management to implement a governed “access-on-demand” model where users can search for content, request access, and have their guest access lifecycle governed by Entitlement Management and Access Reviews. This doesn’t provide a unified GAL or Teams Picker, but does provide users with governed access to content published from the other tenant.

Approach 2: Cross-Tenant Sync

For companies that want to keep B2B users in sync, Microsoft offers cross-cloud synchronization in preview. In GCCH, this will be part of the Microsoft Entra ID Governance for Government SKU priced at $84/user/year. In Commercial, this will be part of the Microsoft Entra Suite, also priced at $84/user/year. For a 20,000-user company syncing half of their users to the other tenant, this would be 10,000 users x $84/user/year = $840,000/year.

Approach 3: Mindline Identity Bridge

Companies that don’t need the additional capabilities in Entra ID Governance or Entra ID Suite can use Mindline Identity Bridge, priced at $0.10/user/month. For a 20,000-user company syncing half of their users to the other tenant, this would be 10,000 users x $1.20/user/year = $12,000/year – a 98.6% savings.

This post is the first in a series on common challenges organizations face when adopting Microsoft 365 GCC High. Future topics include:

  1. Device Management: Understand Intune’s gaps in GCC High and how to configure a virtual enclave for secure access without needing to issue new laptops.
  2. Data Protection: What’s missing today in Microsoft Purview when it comes to protecting sensitive Defense Industrial Base data.
  3. App Development: Lessons learned building applications spanning Commercial, GCC High, and 21v China.

If these topics resonate, stay tuned — each post will dig into practical solutions and lessons learned from real-world projects.