Conditional Access - Require MFA for Guest Users

Pete Bostrom
Contributor

Hi - we have set up guest access on Azure AD and require all guest users to use MFA.

We have set up a conditional access policy that uses the built-in "All guests and external users (preview)" option for the users to be included. This part works perfectly. However, it appears that in order to achieve this, there is a dynamic group created called "All External Users". As you'd guess, this has all of the guest users listed in it.

The problem comes when the guest user logs into the Access Panel (the portal they get to from the invitation email) and it shows them the Groups that they are members of. The first group is "All External Users" and it shows all of our external users - some of whom are competitors - to the logged-in guest user. Can this specific group be hidden from guest users?

2 Replies
Hi Pete, I believe guest users can see your directory members. Try this:

- Go to Azure Active Directory -> User Settings -> Manage external collaboration settings
- Check if the "Guest users permissions are limited" is configured to "yes"; if not, please change it.

Hi @Corsino, thanks for your response. I've checked the "Guest users permissions are limited" setting, and it is already set to "Yes".