I am just venturing into Conditional Access Policies. Other than Legacy Auth (there is a separate discussion on that), the other policy is MFA enforcement. Up to this point I have all our employees set to enforce from the MFA page under O365. I want to make this across the page, so I do not have to keep enabling this for new employees. However, I do not at this point want external users impacted that share content between OneDrive and SPO. So, on the CA policy, I selected include "select users and groups", then selected a group that contains ALL of our employees. Is there anything else I need to do, and will this be enough? Eventually, I will add external guest accounts, but I will have to run that through change control so that all our employees are aware of that change.