Custom policy for guest account

Hi
I would like to configure a custom experience for guest users in my tenant.
The principal reason: in many applications, guests can list/read my Azure AD and eventually browse all existing clients.

Do you have a suggestion?
I know of an existing parameter that can block this experience in the tenant (but it affects all users...)

Thank you for your help!
5 Replies
Hi Romain,

What kind of policies would you like to force on the guest users?

You can apply some policies to guest users using Conditional Access, like MFA, device platform, etc. Check the URL below:

https://docs.microsoft.com/en-us/azure/active-directory/b2b/b2b-tutorial-require-mfa

Moe
Highlighted
Hi Moe

I would like to restrict guests' rights on the session and, ideally, block listing/reading users in my directory.
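Highlighted
Try using Azure AD conditional access technology?

https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/overview
Highlighted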
Guests will be able to access and read what they were invited for.
In your case, Conditional Access should do the trick by blocking the guest from accessing other apps. I would also recommend using Access reviews to review the guest permissions, so you have an idea of the permissions that have been given to guests in your directory.

https://docs.microsoft.com/en-us/azure/active-directory/governance/entitlement-management-external-users
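
The Conditional Access suggestion in the reply above, written out as a policy that blocks guests from every app except the one they were invited to. This is an added example, not part of the original thread; it assumes the Microsoft Graph PowerShell module, and the app ID and display name are placeholders.

```powershell
# Added example, not from the thread. Requires the Microsoft.Graph PowerShell module.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All', 'Application.Read.All'

# Placeholder: application (client) ID of the one app guests were invited to use.
$allowedAppId = '00000000-0000-0000-0000-000000000000'

$policy = @{
    # Display name is an assumption chosen for this example.
    displayName = 'Guests - block all apps except invited app (report-only)'
    # Report-only first: sign-in logs show what would be blocked without enforcing it.
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        clientAppTypes = @('all')
        users = @{
            # Built-in value that targets every guest / external user in the tenant.
            includeUsers = @('GuestsOrExternalUsers')
        }
        applications = @{
            includeApplications = @('All')
            excludeApplications = @($allowedAppId)
        }
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('block')
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object Id, DisplayName, State

# Check: list every policy that targets guests, to spot overlaps or gaps.
Get-MgIdentityConditionalAccessPolicy -All |
    Where-Object { $_.Conditions.Users.IncludeUsers -contains 'GuestsOrExternalUsers' } |
    Select-Object DisplayName, State
```

Conditional Access decides which apps a guest can sign in to; it does not change what a guest can read from the directory inside an app the policy allows. Review the report-only results in the sign-in logs before switching `state` to `enabled`.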
Highlighted

@Moe_Kinani 


Great recommendation and I am a big fan of Azure B2B.

We normally restrict our external partners by whitelisting their IP addresses with our Azure B2B solution. What would you suggest for partners who use public/dynamic IP addresses, as we don't want to open this up?

Any other way we can restrict, or would you suggest a VDI solution?


Hitesh