Assign Conditional Access Policy to a SharePoint Group

Oliver McErlane
Contributor

Hi,
I have set up a Conditional Access Policy so that some of our Guest accounts are required to have MFA to access the SharePoint Online subsite that they have been invited to.

These Guests are added to a SharePoint Group and internal staff added to an on-prem AD group which is synced up to Azure AD and this domain group given access.
When I set up the CA, see screenshot, I can add individual guest accounts.

This means that when I invite an external user to the group, I also have to manually add them to the CA policy.
Is it possible to include the SharePoint group to the policy rather than individual guest accounts?
Thank you,

Ollie
3 Replies

It needs to be a group that exists in Azure AD, "pure" SPO groups don't qualify. But a group synced from AD should be OK. Do note that the picker control only lists a limited set of results, so search for the group.
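The reply above says the policy must target a group that exists in Azure AD. The following is an added example (not from this thread or from Microsoft) of doing exactly that with the Microsoft Graph PowerShell SDK: it creates an Azure AD security group whose membership is a dynamic rule over all guest users, so newly invited guests land in it without a manual step, and then creates a report-only Conditional Access policy that requires MFA for that group on SharePoint Online. The group name, mail nickname, policy name and the decision to cover every guest (rather than only those in one SPO group) are assumptions; the SharePoint Online application id used in the policy is the well-known first-party app id.

```powershell
# Added example, not code from the original thread.
# Assumes the Microsoft.Graph PowerShell SDK is installed and the signed-in admin
# can consent to the scopes below. Dynamic groups and Conditional Access both
# require Azure AD Premium P1 licensing.
Connect-MgGraph -Scopes "Group.ReadWrite.All","Policy.ReadWrite.ConditionalAccess"

# Hypothetical names; change to fit your naming convention.
$groupName    = "CA-All-Guest-Users"
$mailNickname = "ca-all-guest-users"

# Reuse the group if it already exists, otherwise create it with a dynamic
# membership rule so every guest object in the tenant is a member automatically.
$group = Get-MgGroup -Filter "displayName eq '$groupName'"
if (-not $group) {
    $group = New-MgGroup -DisplayName $groupName `
        -MailNickname $mailNickname `
        -MailEnabled:$false `
        -SecurityEnabled:$true `
        -GroupTypes @("DynamicMembership") `
        -MembershipRule '(user.userType -eq "Guest")' `
        -MembershipRuleProcessingState "On"
}

# Office 365 SharePoint Online first-party application id (OneDrive is covered too).
$sharePointAppId = "00000003-0000-0ff1-ce00-000000000000"

# Start in report-only mode: sign-in logs show who the policy *would* have
# challenged, so the scope can be validated before anyone is locked out.
$policy = @{
    displayName   = "Require MFA for guests accessing SharePoint Online"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users        = @{ includeGroups = @($group.Id) }
        applications = @{ includeApplications = @($sharePointAppId) }
    }
    grantControls = @{
        operator         = "OR"
        builtInControls  = @("mfa")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
Write-Host "Created policy $($created.Id) targeting group $($group.Id)"

# Quick check that guests are actually resolving into the group before you
# flip the policy state to "enabled".
Get-MgGroupMember -GroupId $group.Id -All |
    Select-Object -ExpandProperty Id |
    ForEach-Object { Get-MgUser -UserId $_ -Property DisplayName,UserType,Mail } |
    Format-Table DisplayName, UserType, Mail
```

Dynamic membership can take a few minutes to process after the group is created, so an empty member list immediately afterwards is expected; re-run the final check before enabling the policy. If only guests in a particular SharePoint group should be challenged, replace the dynamic rule with a static security group and add those guest user objects to it when they are invited.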

@Vasil Michev 

Thanks for this Vasil.

We usually invite guests to pure SPO groups.

Is it possible to add a guest as a contact in our on-prem AD group which is synced up to Azure, then add the Azure AD group to the CA policy?
Otherwise, every time we invite a guest to the SPO group that has access to a subsite with sensitive information, we will have to manually add them to the CA policy.
Ollie

I don't think so, that would be a different object, not related to the guest user object you will have in your tenant.