Home

app protection for guest users

%3CLINGO-SUB%20id%3D%22lingo-sub-280777%22%20slang%3D%22en-US%22%3Eapp%20protection%20for%20guest%20users%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-280777%22%20slang%3D%22en-US%22%3E%3CP%3Eso%20we're%20trying%20to%20go%20all%20mam%2C%20and%20recently%20created%20some%20changes%20that%20allow%20domain%20users%20to%20install%20apps%2C%20i.e.%20teams%20%26amp%3B%20outlook%20and%20the%20app%20protection%20configurations%20apply.%3C%2FP%3E%3CP%3EHowever%2C%20when%20I%20invite%20a%20guest%20user%2C%20that%20user%20is%20able%20to%20copy%20%26amp%3B%20paste%20data.%26nbsp%3B%3CBR%20%2F%3ETo%20work%20around%20that%2C%20in%20azure%20ad%2C%20I%20added%20the%20guest%20ID%20to%20the%20group%20that%20should%20still%20provide%20the%20protections.%3C%2FP%3E%3CP%3E%26nbsp%3BBut%20it%20is%20stil%20not%26nbsp%3B%20protecting%20the%20data.%26nbsp%3B%3C%2FP%3E%3CP%3E%3CBR%20%2F%3EShould%20app%20protection%20policies%20apply%20globally%3F%20if%20not%2C%20what%20do%20I%20have%20to%20do%3F%3C%2FP%3E%3CP%3Ethe%20only%20documentation%20I%20have%2C%20says%20apply%20the%20app%20protection%20policies%20to%20a%20group%20called%20'all%20users'%20which%20I%20thought%20guest%20users%20fall%20into...%20but%20seeing%20as%20it%20didn't%2C%20I%20made%20the%20change%20above..%20Anyone%20have%20input%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-280777%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EConditional%20Access%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EMobile%20Application%20Management%20(MAM)%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-390014%22%20slang%3D%22en-US%22%3ERe%3A%20app%20protection%20for%20guest%20users%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-390014%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F160381%22%20target%3D%22_blank%22%3E%40Jeen%20Pallickaparampil%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EGuest%20users%20do%20not%20adhere%20to%20InTune%20MAM%20controls%20on%20a%20mobile%20device.%3C%2FP%3E%3CP%3EWhat%20i%20had%20to%20do%20was%20block%20all%20the%20native%20apps%20with%20Conditional%20Access%20and%20rely%20on%20Security%20and%20Compliance%20center%20reporting%20for%20file%20activity.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-389827%22%20slang%3D%22en-US%22%3ERe%3A%20app%20protection%20for%20guest%20users%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-389827%22%20slang%3D%22en-US%22%3E%3CP%3EHello%20Everyone%2C%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EWe're%20in%20the%20same%20boat%20now.%20Has%20anyone%20made%20any%20Progress%20here%3F%20We're%20about%20to%20put%20a%20call%20into%20Premier%20too%20but%20as%20some%20of%20you%20already%20have%20-%20could%20you%20kindly%20share%20your%20finidngs%3F%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThank%20you%20%3A)%3C%2Fimg%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-329592%22%20slang%3D%22en-US%22%3ERe%3A%20app%20protection%20for%20guest%20users%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-329592%22%20slang%3D%22en-US%22%3E%3CP%3EHi%20Folks%2C%20just%20wondering%20what%20the%20end%20result%20was%20for%20this%20thread%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-281833%22%20slang%3D%22en-US%22%3ERe%3A%20app%20protection%20for%20guest%20users%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-281833%22%20slang%3D%22en-US%22%3E%3CP%3EMY%20guest%20user%20can%20get%20into%20TEams%2C%20fine.%26nbsp%3B%20We're%20able%20to%20force%20MFA%20with%20CA%20rules.%26nbsp%3B%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EWhat%20we%20can't%20prevent%20is%20%22copy%20and%20paste%22%20or%20Enforce%20Pin%20with%20app%20protection%20policies%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-281781%22%20slang%3D%22en-US%22%3ERe%3A%20app%20protection%20for%20guest%20users%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-281781%22%20slang%3D%22en-US%22%3Eare%20you%20saying%20the%20guest%20cant%20even%20get%20into%20teams%3F%20or%20are%20you%20saying%20they%20get%20in%2C%20and%20can%20copy%20data%2C%20but%20you%20don't%20see%20anything%20in%20intune%3F%20I%20have%20tested%20on%202%20os'%20with%20guest%20users%2C%20and%20they%20can%20get%20in%2C%20they%20can%20copy%20data%2C%20but%20I%20do%20not%20see%20the%20registration%20in%20intune%20or%20enrollment..%20so%20it%20is%20pretty%20'bad'.%20let%20us%20know%20if%20oyu%20hear%20anything%2C%20as%20I%20have%20been%20reaching%20out%20to%20my%20fasttrack.%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-281665%22%20slang%3D%22en-US%22%3ERe%3A%20app%20protection%20for%20guest%20users%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-281665%22%20slang%3D%22en-US%22%3E%3CP%3EWe're%20having%20the%20same%20issue.%26nbsp%3B%20I%20have%20a%20call%20in%20to%20Premier%20regarding%20this.%26nbsp%3B%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EWe%20invite%20a%20guest%20user.%26nbsp%3B%20I.e.%20(Guestuser%40gmail.com)%3C%2FP%3E%3CP%3EWe%20see%20that%20account%20show%20up%20as%20a%20guest%20in%20the%20tenant.%3C%2FP%3E%3CP%3EWe%20are%20then%20able%20to%20assign%20a%20EMS%20E3%20license%20-%20(after%20specifying%20a%20'location%20(US)%20for%20the%20guest%20user)%3C%2FP%3E%3CP%3EWe%20put%20the%20user%20in%20a%20Group%20and%20apply%20the%20app%20protection%20policies%20to%20that%20group.%3C%2FP%3E%3CP%3EWe%20see%20nothing%20happen..%26nbsp%3B%20It%20basically%20says%20the%20user%20never%20checks%20in.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EMS%20is%20escalating%20it%20internally%2C%20so%20we're%20waiting%20to%20hear%20back.%3C%2FP%3E%3C%2FLINGO-BODY%3E
Phillip Kenyon
Contributor

so we're trying to go all mam, and recently created some changes that allow domain users to install apps, i.e. teams & outlook and the app protection configurations apply.

However, when I invite a guest user, that user is able to copy & paste data. 
To work around that, in azure ad, I added the guest ID to the group that should still provide the protections.

 But it is stil not  protecting the data. 


Should app protection policies apply globally? if not, what do I have to do?

the only documentation I have, says apply the app protection policies to a group called 'all users' which I thought guest users fall into... but seeing as it didn't, I made the change above.. Anyone have input?

6 Replies

We're having the same issue.  I have a call in to Premier regarding this.  

 

We invite a guest user.  I.e. (Guestuser@gmail.com)

We see that account show up as a guest in the tenant.

We are then able to assign a EMS E3 license - (after specifying a 'location (US) for the guest user)

We put the user in a Group and apply the app protection policies to that group.

We see nothing happen..  It basically says the user never checks in.

 

MS is escalating it internally, so we're waiting to hear back.

are you saying the guest cant even get into teams? or are you saying they get in, and can copy data, but you don't see anything in intune? I have tested on 2 os' with guest users, and they can get in, they can copy data, but I do not see the registration in intune or enrollment.. so it is pretty 'bad'. let us know if oyu hear anything, as I have been reaching out to my fasttrack.

MY guest user can get into TEams, fine.  We're able to force MFA with CA rules.  

 

What we can't prevent is "copy and paste" or Enforce Pin with app protection policies

Hi Folks, just wondering what the end result was for this thread?

Hello Everyone,

 

We're in the same boat now. Has anyone made any Progress here? We're about to put a call into Premier too but as some of you already have - could you kindly share your finidngs? 

 

Thank you :)

@Jeen Pallickaparampil 

 

Guest users do not adhere to InTune MAM controls on a mobile device.

What i had to do was block all the native apps with Conditional Access and rely on Security and Compliance center reporting for file activity.

Related Conversations
Tabs and Dark Mode
cjc2112 in Discussions on
30 Replies
Stable version of Edge insider browser
HotCakeX in Discussions on
35 Replies
flashing a white screen while open new tab
Deleted in Discussions on
14 Replies
Security Community Webinars
Valon_Kolica in Security, Privacy & Compliance on
7 Replies