Forum Discussion
External User with conditional access for SharePoint Online not working
- Feb 27, 2017
Following up on this, the SPO team informed me that in order for this to work, you need to be enrolled for First Release, and for Guest MFA you need a fix that SPO made.
This should be available globally by end of March, but if you direct message me your tenant details, we can get it enabled for your tenant only.
Marco - can you try the instructions I have included here to enable MFA for SPO and let us know if it works for you?
Let’s say the goal is: MFA for guest users only, accessing SPO
- Set up a group in your tenant that includes all guest users – I would highly recommend you use dynamic groups for this.
  a. Sign in to portal.azure.com as the global admin
  b. Click on “Users & Groups”
  c. Click on “All groups”
  d. Click on “Add” at the top
  e. Enter a name for the group – for instance, “All guest users”
  f. Optionally, enter a description
  g. Under “Membership type”, select “Dynamic user”
  h. Don’t select anything for “Enable Office Features”
  i. Click on “Add dynamic query”
  j. Click on the tab called “Advanced rule”
  k. Type in (user.userType -contains "Guest")
  l. Click on the “Add Query” button at the bottom
  m. Click on the “Create” button at the bottom
  n. At this point, a dynamic group has been created that will house any guest user you invite – note that there is a latency between a B2B user being added and the dynamic group membership being updated
- Set up conditional access to SharePoint such that all external users would need to MFA
  a. Click on “Conditional access” at the root level of your tenant within the Azure admin portal
  b. Click on “Add” to add a conditional access policy
  c. Give a name to the policy, for example “CA to SPO for guest users”
  d. Under “Users and Groups”, add the group you created above, i.e., “All guest users”
  e. Under “Cloud apps”, add SPO – the app would be called “Office 365 SharePoint Online”
  f. Skip the “Conditions” option – basically, you want all users from that group to always be MFA’d whenever they access SharePoint Online
  g. Under “Controls”, select “Allow access” and check the box that says “require multi-factor authentication” – leave the other two boxes unchecked and under the “for multiple controls” options below, select the one that says “require one of the selected controls” (though this is really moot since you are only selecting one control)
  h. Make sure “Enable Policy” is set to “On” and save the policy
  i. At this point, you have created a conditional access policy that stipulates that all external users will be required to do MFA when accessing your tenant’s SharePoint Online resources
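The two portal walkthroughs above, scripted with the AzureADPreview PowerShell module as an added example; this is not the poster's code. It assumes an existing Connect-AzureAD session as a Global Administrator, that AzureADPreview (which carries the conditional access cmdlets) is installed, and that the SharePoint Online service principal has the display name quoted in the post.

```powershell
# Added example, not from the thread. Assumes: Connect-AzureAD already run as a
# Global Administrator, AzureADPreview module loaded, and the SharePoint Online
# service principal named "Office 365 SharePoint Online" (the name from the post).

# 1. Dynamic group that houses every B2B guest, using the rule from the post.
$guestGroup = New-AzureADMSGroup `
    -DisplayName "All guest users" `
    -Description "All B2B guest accounts (dynamic membership)" `
    -MailEnabled $false -SecurityEnabled $true -MailNickname "allguestusers" `
    -GroupTypes "DynamicMembership" `
    -MembershipRule '(user.userType -contains "Guest")' `
    -MembershipRuleProcessingState "On"

# Resolve the SharePoint Online service principal by display name rather than
# hard-coding an application id.
$spo = Get-AzureADServicePrincipal -Filter "DisplayName eq 'Office 365 SharePoint Online'"
if (-not $spo) { throw "SharePoint Online service principal not found in this tenant" }

# 2. Conditional access policy: members of the guest group accessing SPO must MFA.
$conditions = New-Object Microsoft.Open.MSGraph.Model.ConditionalAccessConditionSet
$conditions.Applications = New-Object Microsoft.Open.MSGraph.Model.ConditionalAccessApplicationCondition
$conditions.Applications.IncludeApplications = $spo.AppId
$conditions.Users = New-Object Microsoft.Open.MSGraph.Model.ConditionalAccessUserCondition
$conditions.Users.IncludeGroups = $guestGroup.Id

$grant = New-Object Microsoft.Open.MSGraph.Model.ConditionalAccessGrantControls
$grant._Operator = "OR"           # "require one of the selected controls"
$grant.BuiltInControls = @("mfa") # only MFA; the other control boxes stay unchecked

$policy = New-AzureADMSConditionalAccessPolicy `
    -DisplayName "CA to SPO for guest users" `
    -State "Enabled" `
    -Conditions $conditions `
    -GrantControls $grant

# 3. Check: dynamic membership is evaluated asynchronously, so an empty member
#    list right after creation is the latency the post mentions, not an error.
$members = Get-AzureADGroupMember -ObjectId $guestGroup.Id -All $true
"Policy $($policy.Id) targets group $($guestGroup.Id); $($members.Count) guest(s) resolved so far"
```

As the thread notes, the policy only takes effect for guests once the tenant is on First Release and the SPO-side fix is enabled, so verify with a test guest sign-in rather than assuming the policy alone is sufficient.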
- Marco Scheel, Feb 27, 2017, Iron Contributor
My (LAB) tenant is configured as First Release and the DM has already been sent with my tenant name and ID. So glad a solution is already available and also scheduled for a nearby release :) Once I have the fix enabled in my tenant I will write back and mark your reply as the answer.
Ciao Marco
- Sarat Subramaniam, Apr 04, 2017, Microsoft
We have been informed by the SharePoint online team that during their private preview they have discovered an issue with this that has caused them to roll back this change. They hope to be able to deploy the fix by end of April. Please stay tuned.
- Brian Beasley, Apr 17, 2017, Copper Contributor
Hi Sarat - Is the planned update still end of April and how will it be communicated?