Forum Discussion

Marco Scheel
Iron Contributor
Feb 17, 2017

External User with conditional access for SharePoint Online not working

I'm excited about the newly introduced features and I immediately tried them out. What my customers are looking for is to enhance the external collaboration on their SharePoint Online. I want to enforce MFA for all or selected external users. The users are already added to the AAD the SPO belongs to (owner tenant). I've enabled a conditional policy in the new Azure Portal for the enterprise application named "Office 365 SharePoint Online", but even after an hour for potential sync between AAD and SharePoint the policy is not working. I tested the MFA enforcement with a basic ASP.NET app hosted and registered as an enterprise app in the same tenant. The policy is working if enabled for this app. The external user had to enroll using MFA and the access is granted as expected. I then changed the policy to not select specific apps but to apply to all apps in the tenant, but also without any noticeable results even after some time passed.


Is it a bug? A feature? Or a topic on the roadmap? Any ETA? It is a really important app in the AAD ecosystem and respecting the AAD policies would be beneficial if not mandatory!

  • Sarat Subramaniam
    Feb 27, 2017
    Following up on this, the SPO team informed me that in order for this to work, you need to be enrolled for First Release, and for Guest MFA you need a fix that SPO made.

    This should be available globally by end of March, but if you direct message me your tenant details, we can get it enabled for your tenant only.
  • Marco - can you try the instructions I have included here to enable MFA for SPO and let us know if it works for you?


    Let’s say the goal is: MFA for guest users only, accessing SPO


    1. Set up a group in your tenant that includes all guest users – I would highly recommend you use dynamic groups for this.
      • Sign in to portal.azure.com as the global admin
      • Click on “Users & Groups”
      • Click on “All groups”
      • Click on “Add” at the top
      • Enter a name for the group – for instance, “All guest users”
      • Optionally, enter a description
      • Under “Membership type”, select “Dynamic user”
      • Don’t select anything for “Enable Office Features”
      • Click on “Add dynamic query”
      • Click on the tab called “Advanced rule”
      • Type in (user.userType -contains "Guest")
      • Click on “Add Query” button at the bottom
      • Click on “Create” button at the bottom
      • At this point, a dynamic group has been created that will house any guest user you invite – note that there is a latency between a B2B user being added and the dynamic group membership being updated
    2. Set up conditional access to SharePoint such that all external users would need to MFA
      • Click on “Conditional access” at the root level of your tenant within the Azure admin portal
      • Click on “Add” to add a conditional access policy
      • Give a name to the policy, for example “CA to SPO for guest users”
      • Under “Users and Groups”, add the group you created above, i.e., “All guest users”
      • Under “Cloud apps”, add SPO – the app would be called “Office 365 SharePoint Online”
      • Skip the “Conditions” option – basically, you want all users from that group to always be MFA’d whenever they access SharePoint Online
      • Under “Controls”, select “Allow access” and check the box that says “require multi-factor authentication” – leave the other two boxes unchecked and under the “for multiple controls” options below, select the one that says “require one of the selected controls” (though this is really moot since you are only selecting one control)
      • Make sure the “Enable Policy” is set to “On” and save the policy
      • At this point, you have created a conditional access policy that stipulates that all external users will be required to do MFA when accessing your tenant’s SharePoint online resources
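    The two steps above, as an added example scripted with the Microsoft Graph PowerShell SDK instead of the portal; this is not code from the thread, and the module, cmdlets, required scopes and the report-only policy state are assumptions about current tooling rather than the 2017 portal path.

```powershell
# Added example (not from the thread): step 1 (dynamic guest group) and
# step 2 (CA policy: that group + SharePoint Online => MFA) via Microsoft Graph
# PowerShell. Assumes the Microsoft.Graph module is installed and the caller
# can consent to the scopes below.
$scopes = @(
    "Group.ReadWrite.All", "User.Read.All", "Application.Read.All",
    "Policy.Read.All", "Policy.ReadWrite.ConditionalAccess"
)
Connect-MgGraph -Scopes $scopes

# Step 1: dynamic security group that houses every guest (B2B) user.
# The membership rule is the one from the post; processing state must be
# "On" or the rule is stored but never evaluated.
$group = New-MgGroup -DisplayName "All guest users" `
    -Description "Dynamic group of all B2B guest users (targeted by CA policy)" `
    -MailEnabled:$false -MailNickname "allguestusers" -SecurityEnabled:$true `
    -GroupTypes @("DynamicMembership") `
    -MembershipRule '(user.userType -contains "Guest")' `
    -MembershipRuleProcessingState "On"

# Step 2: conditional access policy scoped to that group and to the
# "Office 365 SharePoint Online" app only, no further conditions, and a grant
# control that allows access only with MFA. The app is looked up by the
# display name the post uses rather than by a hard-coded app id.
$spo = Get-MgServicePrincipal -Filter "displayName eq 'Office 365 SharePoint Online'"
$policy = @{
    displayName   = "CA to SPO for guest users"
    # "enabled" matches the post's "On"; to pilot without blocking anyone,
    # start with "enabledForReportingButNotEnforced" and review the sign-in logs.
    state         = "enabled"
    conditions    = @{
        users        = @{ includeGroups = @($group.Id) }
        applications = @{ includeApplications = @($spo.AppId) }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $policy

# Check: dynamic membership is filled in asynchronously (the latency the post
# mentions), so confirm the guests have actually landed in the group before
# relying on the policy to cover them.
Get-MgGroupMember -GroupId $group.Id -All |
    ForEach-Object { Get-MgUser -UserId $_.Id -Property DisplayName,UserType } |
    Select-Object DisplayName, UserType
```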
      • Marco Scheel
        Iron Contributor

        My (LAB) tenant is configured as First Release and the DM has already been sent with my tenant name and ID. So glad a solution is already available and also scheduled for a nearby release :) Once I have the fix enabled in my tenant I will write back and mark your reply as the answer.


        Ciao Marco