When your organization operates two Microsoft 365 tenants, Copilot cannot search or generate responses using data from the other tenant by default. This limitation forces users to switch tenants manually or miss cross-tenant information entirely. The root cause is that each tenant has its own isolated Microsoft Graph index and permissions boundary. This article explains how to configure cross-tenant federation so Copilot can access and ground its responses on data from both tenants.
Key Takeaways: Cross-Tenant Copilot Federation
- Microsoft Entra ID > Cross-tenant access settings > Inbound access: Configures which users and groups from the external tenant can be discovered by Copilot.
- Microsoft 365 admin center > Org settings > Copilot > Cross-tenant data access: Enables Copilot to search and retrieve data from the federated tenant.
- Graph Explorer with admin consent: Tests and validates that the cross-tenant search query returns expected results before rolling out to users.
What Cross-Tenant Federation Means for Copilot
Cross-tenant federation allows Copilot in one Microsoft 365 tenant to search and ground its responses on data stored in a second tenant. Without federation, Copilot only sees the Microsoft Graph index of the tenant the user is currently signed into. This means a user in Tenant A cannot ask Copilot to summarize a SharePoint document in Tenant B or find a Teams chat from Tenant B.
Federation works by establishing a trust relationship between the two tenants through Microsoft Entra ID cross-tenant access settings. Once trust is configured, the Copilot service can send search queries across the tenant boundary using the Microsoft Graph API. The data never leaves the Microsoft 365 compliance boundary, and all existing sensitivity labels and retention policies apply.
Prerequisites
Before starting, confirm the following requirements are met in both tenants:
- Both tenants must have Microsoft 365 E3 or E5 licenses. Copilot for Microsoft 365 requires E3 or E5.
- You must have the Global Administrator or SharePoint Administrator role in both tenants.
- Cross-tenant access policies in Microsoft Entra ID must be configured to allow inbound and outbound access for the target tenant.
- Microsoft Graph search permissions must be granted with admin consent for the cross-tenant search application.
Steps to Configure Copilot Cross-Tenant Federation
Follow these steps in the order listed. Complete all steps in Tenant A first, then repeat in Tenant B. The process is symmetrical.
- Configure cross-tenant access in Microsoft Entra ID
Sign in to the Microsoft Entra admin center with a Global Administrator account. Go to Identity > External Identities > Cross-tenant access settings. Select Inbound access and then Add organization. Enter the tenant ID or domain name of the other tenant. Under B2B direct connect, select Customize settings and enable the checkbox for Allow users to search this tenant’s data from Copilot. Save the policy.
- Set outbound access for the partner tenant
In the same Cross-tenant access settings page, select Outbound access. Add the partner tenant again. Under B2B direct connect, select Customize settings and enable Allow users to search partner tenant’s data from Copilot. Save the policy.
- Grant admin consent for the Microsoft Graph search permission
Open a browser window and navigate to the following URL, replacing `partner-tenant-id` with the tenant ID of the other tenant: `https://login.microsoftonline.com/partner-tenant-id/adminconsent?client_id=00000003-0000-0000-c000-000000000000&state=12345&redirect_uri=https://www.microsoft.com`. Sign in with a Global Administrator account from the partner tenant. Review the permissions and select Accept. This grants the Microsoft Graph application the ability to search across tenants.
- Enable cross-tenant data access in Copilot settings
Go to the Microsoft 365 admin center. Select Settings > Org settings > Copilot. Scroll to Cross-tenant data access and select Add tenant. Enter the tenant ID of the partner tenant. Choose which users or groups in your tenant can search the partner tenant’s data. Select Save.
- Test the federation with Graph Explorer
Open Graph Explorer at `https://developer.microsoft.com/graph/graph-explorer`. Sign in with a user account from Tenant A. Run a POST request to `https://graph.microsoft.com/v1.0/search/query` with the following body: `{"requests": [{"entityTypes": ["driveItem"], "query": {"queryString": "project plan"}, "region": "Global"}]}`. Add the header `Cross-Tenant-Data-Access: true`. If the response includes results from the partner tenant, federation is working.
- Repeat all steps in the second tenant
Sign in to Tenant B’s admin centers and repeat steps 1 through 5. Both tenants must have the cross-tenant access policies and Copilot settings configured for bidirectional search to work.
If Copilot Still Cannot See Data from the Other Tenant
Copilot returns only local tenant results
If Copilot in Word or Teams returns results only from the current tenant, the cross-tenant access policy in Microsoft Entra ID may not be fully applied. Check that both inbound and outbound B2B direct connect settings are enabled for the partner tenant. Policy changes can take up to 30 minutes to propagate.
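The check described above (both inbound and outbound B2B direct connect enabled for the partner tenant) can be automated against an export of the partner policies. The following is an added example, not part of the original article: it assumes input in the shape returned by the Microsoft Graph `GET /policies/crossTenantAccessPolicy/partners` endpoint, and the function names, tenant IDs, group ID and sample data are constructed placeholders.

```python
# Added example: audit B2B direct connect settings for one partner tenant.
# Input shape follows Microsoft Graph GET /policies/crossTenantAccessPolicy/partners.
# All tenant and group IDs below are constructed placeholders.

def _scope(access, target, kind):
    return {"accessType": access, "targets": [{"target": target, "targetType": kind}]}

def _direct_connect(access, target, kind):
    return {"usersAndGroups": _scope(access, target, kind),
            "applications": _scope("allowed", "AllApplications", "application")}

TENANT_B = "11111111-1111-1111-1111-111111111111"
TENANT_C = "22222222-2222-2222-2222-222222222222"
TENANT_D = "33333333-3333-3333-3333-333333333333"
GROUP = "44444444-4444-4444-4444-444444444444"

SAMPLE_PARTNERS = [  # constructed sample data
    {"tenantId": TENANT_B,
     "b2bDirectConnectInbound": _direct_connect("allowed", "AllUsers", "user"),
     "b2bDirectConnectOutbound": None},  # never customized
    {"tenantId": TENANT_C,
     "b2bDirectConnectInbound": _direct_connect("blocked", "AllUsers", "user"),
     "b2bDirectConnectOutbound": _direct_connect("allowed", GROUP, "group")},
    {"tenantId": TENANT_D,
     "b2bDirectConnectInbound": _direct_connect("allowed", GROUP, "group"),
     "b2bDirectConnectOutbound": _direct_connect("allowed", GROUP, "group")},
]

def audit_partner(partners, tenant_id):
    """Return findings for one partner; an empty list means both directions allow scoped access."""
    entry = next((p for p in partners if p.get("tenantId") == tenant_id), None)
    if entry is None:
        return ["no partner entry: tenant default policy applies"]
    findings = []
    for direction in ("b2bDirectConnectInbound", "b2bDirectConnectOutbound"):
        setting = entry.get(direction)
        if setting is None:
            findings.append(f"{direction}: not customized, inherits default policy")
            continue
        for scope in ("usersAndGroups", "applications"):
            target = setting.get(scope) or {}
            if target.get("accessType") != "allowed":
                findings.append(f"{direction}.{scope}: accessType={target.get('accessType')}")
            elif scope == "usersAndGroups" and any(
                    t.get("target") == "AllUsers" for t in target.get("targets", [])):
                findings.append(f"{direction}.{scope}: allowed for AllUsers, review scope")
    return findings

if __name__ == "__main__":
    for tid in (TENANT_B, TENANT_C, TENANT_D):
        print(tid, audit_partner(SAMPLE_PARTNERS, tid) or "OK")
```

Run it in each tenant against that tenant's own export, since the policy must be present on both sides for bidirectional search.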
Graph Explorer query returns no cross-tenant results
The admin consent step may not have been completed correctly. Run the admin consent URL again and verify that the Microsoft Graph application appears under Enterprise applications in the partner tenant with status Active. Also confirm that the user account running the query has at least read access to the content in the partner tenant.
Users see a permission error when using Copilot
The user account may not be included in the user or group scope configured in the Copilot cross-tenant data access settings. Go to Microsoft 365 admin center > Settings > Org settings > Copilot > Cross-tenant data access and confirm the user is in the selected group. If no group is selected, the setting applies to all users.
Copilot Federation Methods: Cross-Tenant Access vs Multi-Geo
| Item | Cross-Tenant Access Federation | Multi-Geo |
|---|---|---|
| Description | Allows Copilot to search data across two separate Microsoft 365 tenants | Keeps data in one tenant but stores it in different geographic regions |
| Number of tenants | Two or more separate tenants | Single tenant |
| Administration | Requires policies in both tenants | Managed from one admin center |
| Data residency | Data stays in each tenant’s original region | Data stored in the selected satellite region |
| Copilot support | Supported with Microsoft Entra cross-tenant access | Supported natively without extra configuration |
Cross-tenant federation is the correct approach when your organization has two legally separate entities with their own Microsoft 365 tenants. Multi-Geo is better suited for a single global organization that needs data locality within one tenant.
You can now configure Copilot to search across two Microsoft 365 tenants using Microsoft Entra cross-tenant access policies and the Copilot cross-tenant data access setting. Start by configuring inbound and outbound B2B direct connect in both tenants, then grant admin consent for the Microsoft Graph search permission. After testing with Graph Explorer, enable the setting in the Copilot admin center. As an advanced step, consider using sensitivity labels to restrict which documents from the partner tenant appear in Copilot results.