Cross Tenant

Colby Farley edited this page Apr 7, 2026 · 6 revisions

cross-tenant

cross-tenant is the identity triage command for outside-tenant trust and management paths visible from the current Azure tenant and subscription context.

Use it when you need to know whether another tenant may already control, enter, or extend trust into the environment.

What This Command Answers

  • What visible trust or management paths extend beyond this tenant?
  • Which outside-tenant paths matter first?
  • Which external relationships most change who may be able to operate in this environment?

Run It

azurefox cross-tenant --output table

For saved structured output:

azurefox cross-tenant --output json

Example Table Output

signal | type | tenant | scope | posture | attack path | why it matters
Contoso baseline ops | lighthouse | Contoso Corp. | subscription::<id> | priority=high; strongest=Owner; eligible=1 | control via lighthouse | Managed by another tenant with strong delegated access.
external-ci-bridge | external-sp | <external-id> | tenant | priority=high; roles=Owner; assignments=2 | pivot via external-sp | Externally owned service principal with high-impact Azure roles.
Authorization Policy | policy | <home-tenant> | tenant | priority=high; guest-invites=everyone; ... | entry via policy | Broad guest and app-registration posture may widen entry.

When To Use It

  • when the environment may not be governed only by its home tenant
  • when Azure Lighthouse, external service principals, or tenant policy make outside access part of the real control picture
  • when local-only identity review feels incomplete or misleading

What To Look For

  • subscription- or resource-group-scope Azure Lighthouse delegation
  • externally owned service principals with stronger Azure adjacency
  • policy signals that make guest entry, app registration, or self-service consent broader than expected
  • summaries that explain why one outside-tenant path deserves attention before quieter local identity detail

Why It Matters

An environment can look local at first glance while important control or trust paths actually live in another tenant.

Azure Lighthouse can mean another tenant already has real access to the subscription. An externally owned service principal can mean an app touching this tenant is really governed somewhere else. Permissive tenant controls can make outside access easier to land or extend than expected. cross-tenant brings those clues together so you can see the trust boundary clearly.

What Should Stand Out First

  • subscription-scope Lighthouse delegations before narrower scope
  • stronger delegated roles such as Owner or User Access Administrator
  • standing access before eligible-only access
  • externally owned service principals that also appear central to Azure control
  • policy posture that amplifies a visible outside-tenant path
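
One way to apply the first two priorities in the list above to saved rows, as an added example that is not azurefox code: it parses the posture string shown in the example table and sorts subscription-scope Lighthouse rows, then Owner or User Access Administrator roles, to the top. The row keys mirror the table columns and may not match the tool's JSON field names; the resource-group row, its scope format, and comma-separated role lists are assumptions.

```python
# Added example, not azurefox code. Row keys mirror the table columns on
# this page; the tool's real JSON field names may differ (assumption).
STRONG_ROLES = {"owner", "user access administrator"}

def parse_posture(posture):
    """Turn 'priority=high; strongest=Owner; eligible=1' into a dict."""
    fields = {}
    for part in posture.split(";"):
        key, sep, value = part.strip().partition("=")
        if sep:  # skips elided parts such as '...'
            fields[key.strip().lower()] = value.strip()
    return fields

def has_strong_role(fields):
    # Lighthouse rows use strongest=, external-sp rows use roles= (per the table).
    named = fields.get("strongest", "") + "," + fields.get("roles", "")
    return any(r.strip().lower() in STRONG_ROLES for r in named.split(","))

def review_key(row):
    fields = parse_posture(row["posture"])
    sub_lighthouse = (row["type"] == "lighthouse"
                      and row["scope"].startswith("subscription::"))
    return (0 if sub_lighthouse else 1, 0 if has_strong_role(fields) else 1)

def review_order(rows):
    """Stable sort: ties keep the order the tool printed them in."""
    return [r["signal"] for r in sorted(rows, key=review_key)]

# Constructed sample rows (placeholders, not real tenant data).
ROWS = [
    {"signal": "Authorization Policy", "type": "policy", "scope": "tenant",
     "posture": "priority=high; guest-invites=everyone; ..."},
    {"signal": "rg-ops-delegation", "type": "lighthouse",
     "scope": "resource-group::<id>",
     "posture": "priority=medium; strongest=Contributor; eligible=0"},
    {"signal": "external-ci-bridge", "type": "external-sp", "scope": "tenant",
     "posture": "priority=high; roles=Owner; assignments=2"},
    {"signal": "Contoso baseline ops", "type": "lighthouse",
     "scope": "subscription::<id>",
     "posture": "priority=high; strongest=Owner; eligible=1"},
]

if __name__ == "__main__":
    for name in review_order(ROWS):
        print(name)
```

The standing-versus-eligible priority is left out because the table does not show how standing access is encoded in the posture string.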

If You See..., Go Next To...

  • If you see a signal_type=lighthouse row at subscription scope, go next to Lighthouse because it shows the exact delegation evidence, role strength, and scope behind that outside-tenant management path.
  • If you see a signal_type=external-sp row with high-impact Azure roles, go next to Permissions and Role-Trusts because one confirms the privilege and the other explains who can control that identity.
  • If you see a signal_type=policy row with broad guest invites or app registration, go next to Auth-Policies because it shows the exact tenant-level finding behind that cross-tenant posture signal.

What To Do Next

  • Start with the broadest delegated management paths before narrower local RBAC questions.
  • Treat externally owned identities as real control-boundary clues, not just interesting metadata.
  • Use this command to decide whether your next step belongs in delegation review, identity-trust review, or tenant-policy review.

Boundary

cross-tenant is an outside-tenant trust and management command.

It should show the visible external paths most worth reviewing first. It is not a full Entra cross-tenant explorer, exhaustive guest inventory, or write-capable tenant relationship surface.