Limitations of Azure AD B2B collaboration

Azure Active Directory (Azure AD) B2B collaboration is currently subject to the limitations described in this article.

Possible double multi-factor authentication

With Azure AD B2B, you can enforce multi-factor authentication at the resource organization (the inviting organization). The reasons for this approach are detailed in Conditional Access for B2B collaboration users. If a partner already has multi-factor authentication set up and enforced, their users might have to perform the authentication once in their home organization and then again in yours.


In the B2B collaboration flows, we add users to the directory and dynamically update them during invitation redemption, app assignment, and so on. The updates and writes ordinarily happen in one directory instance and must be replicated across all instances. Replication is complete once all instances are updated. When an object is written or updated in one instance and the call to retrieve it goes to another instance, you might encounter replication latency. If that happens, refresh or retry. If you are writing an app using our API, retrying with some back-off is a good defensive practice to alleviate this issue.
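One way to apply the retry advice above, shown as an added example that is not Microsoft's code. The names read_after_write, NotFound, Forbidden and LaggingReplica are hypothetical, and the replica is a constructed stand-in for a directory instance that has not yet received a new guest user. Only the not-found case is retried; an authorization failure is raised immediately.

```python
import random
import time


class NotFound(Exception):
    """Object not visible on the instance that served the read (assumed transient)."""


class Forbidden(Exception):
    """Authorization failure: never transient, never retried."""


def read_after_write(fetch, object_id, attempts=6, base=0.5, cap=8.0,
                     sleep=time.sleep, rng=random.random):
    """Call fetch(object_id) until it succeeds, backing off between tries.

    Only NotFound is retried. The delay before retry n is drawn uniformly
    from [0, min(cap, base * 2**n)] seconds (full jitter), so many clients
    retrying at once do not line up. Returns (result, delays_used).
    """
    delays = []
    for n in range(attempts):
        try:
            return fetch(object_id), delays
        except NotFound:
            if n == attempts - 1:
                raise  # replication did not catch up within the retry budget
            delay = rng() * min(cap, base * 2 ** n)
            delays.append(delay)
            sleep(delay)


class LaggingReplica:
    """Constructed stand-in: the written object becomes readable only
    after `lag` reads have been served."""

    def __init__(self, lag, user):
        self.lag, self.user, self.reads = lag, user, 0

    def get_user(self, object_id):
        self.reads += 1
        if self.reads <= self.lag:
            raise NotFound(object_id)
        return self.user


if __name__ == "__main__":
    guest = {"id": "guest-0001", "userType": "Guest"}  # constructed sample
    replica = LaggingReplica(lag=3, user=guest)
    print(read_after_write(replica.get_user, "guest-0001", sleep=lambda s: None))
```

A bounded attempt count matters here: a lookup that still fails after the budget is exhausted is more likely a wrong identifier or a failed write than replication lag, and should surface as an error.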

Azure AD directories

Azure AD B2B is subject to Azure AD service directory limits. For details about the number of directories a user can create and the number of directories to which a user or guest user can belong, see Azure AD service limits and restrictions.

National clouds

National clouds are physically isolated instances of Azure. B2B collaboration is not supported across national cloud boundaries. For example, if your Azure tenant is in the public, global cloud, you can't invite a user whose account is in a national cloud. To collaborate with the user, ask them for another email address or create a member user account for them in your directory.

Azure US Government clouds

Within the Azure US Government cloud, B2B collaboration is supported between tenants that are both within Azure US Government cloud and that both support B2B collaboration. Azure US Government tenants that support B2B collaboration can also collaborate with social users using Microsoft, Google accounts, or email one-time passcode accounts. If you invite a user outside of these groups (for example, if the user is in a tenant that isn't part of the Azure US Government cloud or doesn't yet support B2B collaboration), the invitation will fail or the user won't be able to redeem the invitation. For Microsoft accounts (MSAs), there are known limitations with accessing the Azure portal: newly invited MSA guests are unable to redeem direct link invitations to the Azure portal, and existing MSA guests are unable to sign in to the Azure portal. For details about other limitations, see Azure Active Directory Premium P1 and P2 Variations.

How can I tell if B2B collaboration is available in my Azure US Government tenant?

To find out if your Azure US Government cloud tenant supports B2B collaboration, do the following:

  1. In a browser, go to the following URL, substituting your tenant name for <tenantname>: <tenantname>/v2.0/.well-known/openid-configuration

  2. Find "tenant_region_scope" in the JSON response:

    • If "tenant_region_scope":"USGOV" appears, B2B is supported.
    • If "tenant_region_scope":"USG" appears, B2B is not supported.
