In this guide, we’ll walk through how nonprofits can use Conditional Access to manage who gets in and what they can access, and how to keep your organization’s sensitive information safe while staying agile, responsive, and people focused.
Collaboration: the Cornerstone of Growth
It’s a big world out there, full of potential champions for your cause. As a leader, your goal is to find and empower those champions to support the community: volunteers, partners, donors, and more. Modern nonprofit work demands collaboration, communication, and transparency. Whether you're partnering with local governments, donors, or other NGOs, secure and efficient access to shared resources is critical. But how do you protect sensitive data while allowing trusted partners and volunteers to collaborate? One answer is Conditional Access in the Microsoft Entra admin center.
Conditional Access within Microsoft Entra Admin Center
In the Microsoft Entra Admin Center, you can create Conditional Access Policies that employees, interns, partners, and guests must follow to ensure secure collaboration. Conditional Access (CA) is Microsoft’s policy engine that brings signals together—such as user identity, location, device health, and risk level—to make real-time access decisions. This is especially powerful for nonprofits, where data sensitivity is high, and IT resources are often limited. For example, you can require multi-factor authentication for accessing sensitive data, restrict access based on geographic location, or mandate device compliance to minimize risks.
Conditional Access evaluates signals from:
- The user or group signing in, including whether the account is a guest or external user
- The location the sign-in comes from (IP address or a named location)
- The device, including whether it is managed and marked compliant
- The application or resource being requested
- Real-time sign-in risk and user risk (requires Microsoft Entra ID Protection)
Based on these, it enforces controls like:
- Block access
- Require multi-factor authentication
- Require the device to be marked as compliant
- Restrict the session (for example, browser-only access or no downloads, via Microsoft Defender for Cloud Apps)
Understanding Guest and Partner Access in Microsoft Entra
Before diving into policies, it's important to understand how guest and partner access works:
- Guests are external users invited to collaborate with your tenant. Think of volunteers, board members, or researchers needing access to Microsoft Teams or SharePoint. They sign in with an identity from outside your tenant (a partner’s Microsoft Entra tenant, a Microsoft account, a Google account, or a one-time passcode sent to their email).
- Partners (B2B collaboration) typically come from other organizations that run their own Microsoft Entra tenant and can be managed through Microsoft Entra B2B collaboration and its cross-tenant access settings.
Both types of users appear in your directory as guest objects, but their credentials, MFA registration, and devices are managed by their home organization, not by you. Without proper controls they can pose a risk to your organization's data and compliance.
Key Conditional Access Scenarios for Guest and Partner Users
Conditional Access policies are a critical security tool for nonprofits striving to protect sensitive data while enabling collaboration. They ensure that access to organizational resources is granted only under trusted conditions, maintaining both security and privacy. By requiring Multi-Factor Authentication (MFA), nonprofits can significantly reduce the risk of unauthorized access. Restricting access to specific applications, such as limiting guest users to Microsoft Teams or SharePoint, keeps internal systems from unnecessary exposure. Enforcing conditional rules, such as blocking access unless a user is on a compliant device or within a trusted network, creates a layered security approach that adapts to evolving threats. These are foundational examples; the sections that follow give more tailored recommendations to help nonprofits implement strong yet flexible Conditional Access strategies.
1. Require MFA for Guest Access
Guest accounts authenticate against their home identity provider, so your tenant cannot assume MFA happened there. Require MFA for all external users to reduce the risk from phishing or account compromise. Unless you trust the partner’s MFA through cross-tenant access settings, the guest will be asked to register an MFA method in your tenant the first time the policy applies.
Policy Configuration:
- Assign to: Users > Include > Guest or external users (pick the guest types you collaborate with, typically B2B collaboration guest users); exclude your break-glass accounts
- Target resources: All resources (labelled All cloud apps in older versions of the portal)
- Grant: Require multi-factor authentication
Tip: Encourage partners to use their own organization’s identity provider (via Microsoft Entra External ID / B2B collaboration), and use cross-tenant access settings to trust their MFA so they are not prompted to register a second method in your tenant.
2. Restrict Guest Access to Specific Applications
Not every guest needs full tenant access. Limit external users to only the apps they need (e.g., SharePoint sites or Microsoft Teams channels) by blocking everything else.
Policy Configuration:
- Assign to: Guest or external users
- Target resources: All resources, with the apps guests are allowed to use (e.g., Office 365 SharePoint Online, Microsoft Teams) listed under Exclude
- Grant: Block access
Caveat: Teams depends on SharePoint Online and Exchange Online for files, chat history, and calendars, so test the exclusion list in report-only mode; if features break, exclude the Office 365 app group as a whole instead of individual services.
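As an added example (not code from the original post or from Microsoft), here are scenarios 1 and 2 built with the Microsoft Graph PowerShell SDK instead of the portal, both created in report-only mode so they can be reviewed before enforcement. The break-glass account UPN and the policy display names are placeholders; the app lookups by display name assume the Office 365 SharePoint Online and Microsoft Teams service principals exist in the tenant, which is the case in any Microsoft 365 tenant.

```powershell
# Added example, not from the original post. Requires the Microsoft.Graph SDK
# (Install-Module Microsoft.Graph) and an account allowed to write CA policies.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All', 'Application.Read.All', 'User.Read.All'

# Never let a new policy lock out the emergency-access account.
$breakGlassUpn = 'breakglass@contoso.org'   # placeholder, replace with your own
$breakGlass = Get-MgUser -UserId $breakGlassUpn -Property Id

# The portal's "Guest or external users" assignment, expressed in Graph terms:
# B2B collaboration guests and members plus internal guests, from any external tenant.
$guestAssignment = @{
    includeGuestsOrExternalUsers = @{
        guestOrExternalUserTypes = 'b2bCollaborationGuest,b2bCollaborationMember,internalGuest'
        externalTenants = @{
            '@odata.type'  = '#microsoft.graph.conditionalAccessAllExternalTenants'
            membershipKind = 'all'
        }
    }
    excludeUsers = @($breakGlass.Id)
}

# Scenario 1: require MFA for guests on every resource.
$mfaPolicy = @{
    displayName   = 'CA-Guest-01 Require MFA for all external users'   # placeholder name
    state         = 'enabledForReportingButNotEnforced'                # report-only first
    conditions    = @{
        users          = $guestAssignment
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('all')
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('mfa') }
}

# Scenario 2: block guests from everything except SharePoint Online and Teams.
# The exclusions are the service principals' appIds, resolved by display name so
# nothing is hard-coded; confirm both were found before creating the policy.
$allowedApps = foreach ($name in 'Office 365 SharePoint Online', 'Microsoft Teams') {
    $sp = Get-MgServicePrincipal -Filter "displayName eq '$name'" -Property AppId
    if (-not $sp) { throw "Service principal '$name' not found in this tenant" }
    $sp.AppId
}

$restrictPolicy = @{
    displayName   = 'CA-Guest-02 Block external users outside SharePoint and Teams'   # placeholder name
    state         = 'enabledForReportingButNotEnforced'
    conditions    = @{
        users          = $guestAssignment
        applications   = @{
            includeApplications = @('All')
            excludeApplications = @($allowedApps)
        }
        clientAppTypes = @('all')
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('block') }
}

foreach ($policy in $mfaPolicy, $restrictPolicy) {
    $created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
    '{0}  ->  {1} ({2})' -f $created.Id, $created.DisplayName, $created.State
}
```

Both policies stay in report-only (`enabledForReportingButNotEnforced`) until the sign-in logs show they only affect the guests you expect; switch `state` to `enabled` afterwards. Because Teams relies on SharePoint Online and Exchange Online behind the scenes, watch for Teams features failing under the block policy and widen the exclusion list (or exclude the Office 365 app group) if they do.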
3. Block Guest Access from Non-Compliant Devices
Enforce policies that only allow access from managed or compliant devices, particularly when sharing sensitive donor data or medical records. SharePoint and OneDrive also have their own unmanaged-device access controls that work together with Conditional Access; see IT Admins - SharePoint and OneDrive unmanaged device access controls - SharePoint in Microsoft 365 | Microsoft Learn.
Policy Configuration:
- Assign to: Guest or external users
- Target resources: the apps that hold the sensitive data (e.g., Office 365 SharePoint Online)
- Grant: Require device to be marked as compliant
Caveat: a guest’s device is enrolled in their own organization’s Intune, not yours, so your tenant has no compliance record for it. This control will block partners outright unless your cross-tenant access settings trust the partner tenant’s compliant-device claim.
For smaller nonprofits, consider SharePoint’s limited, web-only access setting for unmanaged devices to reduce risk without needing full device management.
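The MFA and compliant-device requirements in scenarios 1 and 3 only work smoothly for partners if your tenant trusts the claims their home tenant sends. As an added example (not code from the original post or from Microsoft), this sets inbound trust for one partner with the Microsoft Graph PowerShell SDK; the partner tenant ID is a placeholder, and the cmdlet parameter names are assumed from the current Microsoft.Graph release, so check them against `Get-Help` in your installed version.

```powershell
# Added example, not from the original post. Configures cross-tenant access
# settings so MFA and device compliance performed in the partner tenant are
# accepted by yours, instead of forcing guests through a second registration.
Connect-MgGraph -Scopes 'Policy.ReadWrite.CrossTenantAccess'

$partnerTenantId = '00000000-0000-0000-0000-000000000000'   # placeholder, replace with the partner's tenant ID

$inboundTrust = @{
    isMfaAccepted                       = $true    # accept MFA completed in the partner tenant
    isCompliantDeviceAccepted           = $true    # accept the partner's Intune compliance claim
    isHybridAzureADJoinedDeviceAccepted = $false   # do not trust the partner's on-prem-joined devices
}

# Per-partner settings override the tenant defaults. Create the partner entry if it
# does not exist yet, otherwise update it in place.
$existing = Get-MgPolicyCrossTenantAccessPolicyPartner `
    -CrossTenantAccessPolicyConfigurationPartnerTenantId $partnerTenantId -ErrorAction SilentlyContinue

if ($null -eq $existing) {
    New-MgPolicyCrossTenantAccessPolicyPartner -TenantId $partnerTenantId -InboundTrust $inboundTrust | Out-Null
} else {
    Update-MgPolicyCrossTenantAccessPolicyPartner `
        -CrossTenantAccessPolicyConfigurationPartnerTenantId $partnerTenantId -InboundTrust $inboundTrust
}

# Read back what will now be trusted from that partner.
(Get-MgPolicyCrossTenantAccessPolicyPartner -CrossTenantAccessPolicyConfigurationPartnerTenantId $partnerTenantId).InboundTrust |
    Format-List IsMfaAccepted, IsCompliantDeviceAccepted, IsHybridAzureADJoinedDeviceAccepted
```

Trust MFA from any partner whose tenant you would otherwise let register an MFA method with you; trust compliant-device claims only for partners whose device management standards you have reviewed, because you are delegating the compliance decision to them. Volunteers signing in with personal Microsoft accounts or one-time passcodes have no home tenant to trust, so for them the compliant-device control is effectively a block.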
4. Limit Sessions for Guest Users
Control how guests interact with your data by restricting download/upload capabilities or forcing browser-only access via Microsoft Defender for Cloud Apps (formerly MCAS). This requires Defender for Cloud Apps licensing in addition to Microsoft Entra ID P1.
Policy Configuration:
- Assign to: Guest or external users
- Session: Use Conditional Access App Control (Monitor only, Block downloads, or Use custom policy for finer-grained rules)
5. Use Terms of Use (ToU) for Guest Invitations
Ensure guests acknowledge your data handling policies or acceptable use guidelines before gaining access. See Terms of use in Microsoft Entra - Microsoft Entra ID | Microsoft Learn.
Policy Configuration:
- Assign to: Guest or external users
- Grant controls: Require terms of use
Customize ToU documents for your nonprofit’s values—include PII/PHI handling, donor confidentiality, and social media policies.
Best Practices for Policy Management
- Start in Report-Only Mode: Before enforcing, simulate policy impact using report-only to avoid accidental lockouts, and always exclude at least one break-glass account from every policy.
- Use Named Locations: Define “trusted” IP ranges (e.g., partner offices) to allow less restrictive access.
- Enable Policies for Risky Sign-ins: Use the sign-in risk and user risk conditions from Microsoft Entra ID Protection (requires Microsoft Entra ID P2) to require MFA or block access when a guest sign-in looks risky.
- Avoid Over-Blocking: Make sure legitimate partners aren't hindered; review the sign-in logs regularly, especially the report-only results for your guest policies.
- Educate Your Guests: Use Microsoft’s invitation redemption experiences and provide clear onboarding instructions.
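Report-only mode is only useful if someone reads the results. As an added example (not code from the original post or from Microsoft), this script pulls the last week of guest sign-ins through the Microsoft Graph PowerShell SDK and summarises what each Conditional Access policy would have done; it assumes Microsoft Entra ID P1 or P2 (needed for sign-in log access via Graph) and uses the `#EXT#` marker that Entra puts in every B2B guest’s user principal name to separate guests from members.

```powershell
# Added example, not from the original post. Reviews report-only and enforced
# Conditional Access outcomes for guest sign-ins over the last seven days.
Connect-MgGraph -Scopes 'AuditLog.Read.All', 'Directory.Read.All'

$since = (Get-Date).AddDays(-7).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')

# Guest UPNs look like alice_partner.org#EXT#@yourtenant.onmicrosoft.com, so the
# marker is enough to pick out external sign-ins without a directory lookup per event.
$guestSignIns = Get-MgAuditLogSignIn -Filter "createdDateTime ge $since" -All |
    Where-Object { $_.UserPrincipalName -like '*#EXT#*' }

# Flatten to one row per (sign-in, applied policy).
$rows = foreach ($s in $guestSignIns) {
    foreach ($p in $s.AppliedConditionalAccessPolicies) {
        [pscustomobject]@{
            Policy = $p.DisplayName
            Result = $p.Result        # success, failure, notApplied, reportOnlySuccess, reportOnlyFailure, ...
            User   = $s.UserPrincipalName
            App    = $s.AppDisplayName
            When   = $s.CreatedDateTime
        }
    }
}

# Summary: how often each policy would have (or did) block or challenge a guest.
$rows | Group-Object Policy, Result | Sort-Object Count -Descending |
    Select-Object Count,
        @{ n = 'Policy'; e = { $_.Group[0].Policy } },
        @{ n = 'Result'; e = { $_.Group[0].Result } } |
    Format-Table -AutoSize

# Detail: the guests a report-only policy would have failed. Check that each one is
# expected (for example a partner who has not registered MFA yet) rather than a sign
# that the policy's assignment or app exclusions are wrong.
$rows | Where-Object Result -eq 'reportOnlyFailure' |
    Sort-Object When -Descending |
    Select-Object When, Policy, User, App |
    Format-Table -AutoSize
```

Run this a few times over the report-only period. A policy whose `reportOnlyFailure` rows are all guests you expect to be challenged is ready to enforce; one that lists partners hitting the Teams or SharePoint block from scenario 2 is a sign the app exclusions need widening before you switch it on.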
Conclusion
By thoughtfully implementing Conditional Access policies, nonprofits can strike a balance between enabling external collaboration and protecting sensitive organizational data. From enforcing Multi-Factor Authentication to restricting app access and requiring compliant devices, each policy adds a layer of defense against cyber threats. These strategies are not only aligned with security best practices but are also scalable, enabling organizations to grow confidently without compromising their mission or stakeholders' trust.
What’s Next?
In our next blog, we’ll guide you through the process of setting guest permissions in Microsoft Entra. You’ll learn how to configure collaboration settings, define user roles, control invitations, and align guest access with your security posture. This step-by-step guide will empower your nonprofit to manage external users effectively and securely within your Microsoft 365 environment.
Hyperlinks
- What is Conditional Access in Microsoft Entra ID? - Microsoft Entra ID | Microsoft Learn
- Microsoft Entra External ID documentation - Microsoft Entra External ID | Microsoft Learn
- Terms of use in Microsoft Entra - Microsoft Entra ID | Microsoft Learn
- Restrict guest user access permissions - Microsoft Entra ID | Microsoft Learn
- Configure external collaboration - Microsoft Entra External ID | Microsoft Learn
Updated May 09, 2025
Version 1.0
Margaret_Farmer, Microsoft
Nonprofit Techies