
Conditional Access - Require MFA for Guest Users

Pete Bostrom
Contributor

Hi - we have set up guest access on Azure AD and require all guest users to use MFA.

We have set up a conditional access policy that uses the built-in "All guests and external users (preview)" option for the users to be included. This part works perfectly. However, it appears that in order to achieve this, there is a dynamic group created called "All External Users". As you'd guess, this has all of the guest users listed in it.

The problem comes when the guest user logs into the Access Panel (the portal they get to from the invitation email) and it shows them the Groups that they are members of. The first group is "All External Users" and it shows all of our external users - some of which are competitors - to the logged-in guest user. Can this specific group be hidden from guest users?

2 Replies
Hi Pete, I believe guest users can see your directory members. Try this:

- Go to Azure Active Directory -> User Settings -> Manage external collaboration settings

Check if the "Guest users permissions are limited" is configured to "yes", if not, please change it.

Hi @Corsino, thanks for your response. I've checked the "Guest users permissions are limited" setting, and it is already set to "Yes".
