MFA Required Conditional Access and External Guest


I am just venturing into Conditional Access Policies. Other than Legacy Auth (there is a separate discussion on that), the other policy is MFA enforcement. Up to this point I have all our employees set to enforce from the MFA page under O365. I want to make this across the page, so I do not have to keep enabling this for new employees. However, I do not at this point want external users impacted that share content between OneDrive and SPO. So, on the CA policy, I selected include "select users and groups" then selected a group that contains ALL of our employees. Is there anything else I need to do and will this be enough? Eventually, I will add external guest accounts, but I will have to run that through change control so that all our employees are aware of that change.

1 Reply
That should do it, or alternatively you can go the opposite direction - add an Exception to your rule to exclude "All guest and external users".
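
The two scoping approaches discussed in this thread, compared over a small directory. This is an added example, not part of the original posts and not Microsoft's evaluation engine. The key names follow the `users` condition of the Microsoft Graph `conditionalAccessPolicy` resource; the group id, the sample users and the simplified matching logic are assumptions made for illustration.

```python
# Simplified model of the "users" condition of a Conditional Access policy.
# Key names follow the Microsoft Graph conditionalAccessPolicy resource;
# the directory, group id and evaluation logic are constructed for illustration.

EMPLOYEES_GROUP = "grp-all-employees"  # hypothetical group id

# Variant A: include only the employees group (the approach in the question).
POLICY_INCLUDE_GROUP = {"includeUsers": [], "includeGroups": [EMPLOYEES_GROUP],
                        "excludeUsers": [], "excludeGroups": []}

# Variant B: include everyone, exclude guests (the approach in the reply).
POLICY_EXCLUDE_GUESTS = {"includeUsers": ["All"], "includeGroups": [],
                         "excludeUsers": ["GuestsOrExternalUsers"], "excludeGroups": []}

# Constructed sample directory.
DIRECTORY = [
    {"id": "alice", "userType": "Member", "groups": [EMPLOYEES_GROUP]},
    {"id": "bob", "userType": "Member", "groups": [EMPLOYEES_GROUP]},
    {"id": "newhire", "userType": "Member", "groups": []},  # not yet added to the group
    {"id": "partner", "userType": "Guest", "groups": []},
    {"id": "contractor", "userType": "Guest", "groups": [EMPLOYEES_GROUP]},  # guest in the group
]

def _matches(user, user_list, group_list):
    """True if the user is named by the user list or belongs to a listed group."""
    if "All" in user_list or user["id"] in user_list:
        return True
    if "GuestsOrExternalUsers" in user_list and user["userType"] == "Guest":
        return True
    return any(g in group_list for g in user["groups"])

def in_scope(user, cond):
    """A user is in scope when included and not excluded; exclusions win."""
    included = _matches(user, cond["includeUsers"], cond["includeGroups"])
    excluded = _matches(user, cond["excludeUsers"], cond["excludeGroups"])
    return included and not excluded

def mfa_scope(cond, directory=DIRECTORY):
    """Sorted ids of the users the policy would require MFA from."""
    return sorted(u["id"] for u in directory if in_scope(u, cond))

def scope_diff(policy_a, policy_b, directory=DIRECTORY):
    """Users covered by only one of the two policies."""
    a, b = set(mfa_scope(policy_a, directory)), set(mfa_scope(policy_b, directory))
    return {"only_a": sorted(a - b), "only_b": sorted(b - a)}

if __name__ == "__main__":
    print("include group :", mfa_scope(POLICY_INCLUDE_GROUP))
    print("exclude guests:", mfa_scope(POLICY_EXCLUDE_GUESTS))
    print("difference    :", scope_diff(POLICY_INCLUDE_GROUP, POLICY_EXCLUDE_GUESTS))
```

In this model the group-based policy misses an employee who has not yet been added to the group and catches a guest who has, while the exclude-guests policy does the reverse.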