Forum Discussion
Ollie
Apr 18, 2019 Brass Contributor
Assign Conditional Access Policy to a SharePoint Group
Hi, I have set up a Conditional Access Policy so that some of our Guest accounts are required to have MFA to access the SharePoint Online subsite that they have been invited to. These Guests are...
VasilMichev
Apr 18, 2019 MVP
It needs to be a group that exists in Azure AD, "pure" SPO groups don't qualify. But a group synced from AD should be OK. Do note that the picker control only lists a limited set of results, so search for the group.
Ollie
Apr 19, 2019 Brass Contributor
Thanks for this Vasil.
We usually invite guests to pure SPO groups.
Is it possible to add a guest as a contact in our on-prem AD group which is synced up to Azure, then add the Azure AD group to the CA policy?
Otherwise, every time we invite a guest to the SPO group that has access to a subsite with sensitive information, we will have to manually add them to the CA policy.
Ollie
VasilMichev
Apr 19, 2019 MVP
I don't think so, that would be a different object, not related to the guest user object you will have in your tenant.