The alternatives without moving data are:

1) EXECUTE AS + TRUSTWORTHY. OK, *if* ExternalGroupDb is owned by an SQL login that has no permissions granted, except one: AUTHENTICATE in the other database *and* only trusted people are db_owner (or can create user in ExternalGroupDb.)

2) Enable DB-chaining. This can also be a security risk, if there are unrelated databases that also are enabled for chaining, and people with permissions to create objects in the other databases also has access to these two database.

3) Certificate signing. No security risks at all, and what I would use in this case, as it appears to be a one-off.

Then you can of course set up some form of replication of the data to be exposed elsewhere to avoid the permission problems.