Forum Discussion

Phillip Kenyon's avatar
Phillip Kenyon
Brass Contributor
Oct 31, 2018

app protection for guest users

so we're trying to go all mam, and recently created some changes that allow domain users to install apps, i.e. teams & outlook and the app protection configurations apply. However, when I invite a g...
Conditional Access
Mobile Application Management (MAM)
Zooze's avatar
Zooze
Former Employee
Jul 02, 2020

Phillip Kenyon 

 

As mentioned above this doesn't work with guest users.  There are a number of reasons and it doesn't purely apply because of licensing today.  The main core reason is the fact that an external or guest user could be another user from another organisations azure tenant, where there own MAM policies may apply.

 

So what I do is this. For guest users block the rich client teams app.  This can be done using conditional based access, so when they access the team they have to go via the web.  Then using MCAS use session controls to block downloads inside teams.

 

Hope this helps.

RobertHeep's avatar
RobertHeep
Copper Contributor
Jul 02, 2020
Alright, I will try with CAS. If I can block the download for files, I am happy 🙂
  • Higherho's avatar
    Higherho
    Copper Contributor
    Jan 19, 2021
    Use this to have a secure Microsoft Teams Guest experience. Web only, GUEST MFA, Label policies, quarterly review setup to remove stale accounts, etc. Only alteration I did was set the web only policy to block instead of grant as I did not want BYOD devices into the MDM.

    https://docs.microsoft.com/en-us/microsoft-365/solutions/create-secure-guest-sharing-environment?view=o365-worldwide