Aug 22 2016 05:57 AM
Is there any news on enforcing MFA to O365 external users when they will access externally shared SPO sites? Right now the challenge is we cannot enforce MFA on external users and MFA can be enabled only for licensed users.
Azure B2B is in public preview but I am assuming that this capability will be available as part of Azure B2B GA as mentioned in current limitiation here. So question mark is if it will be enabled then will it also be applicable for normal external sharing scenario (with Azure B2B)?
Jul 12 2017 12:25 PM
I am also curious about this.
The Azure AD pricing says for every Azure AD Premium account, 5 guests can be invited and can use Azure AD Premium license. I used a Conditional Access policy to force MFA for all users (including guests I am assuming, as I see their account in the Active Users page, but without any licenses). When the guest is invited, they log in and do not get MFA. I want to make sure they get MFA.
Sep 05 2017 01:20 PM
Did anyone ever close the loop on this?
Testing MFA at the moment, but came up with the use case of shared content with teams outside of my org. How am I to enforce MFA for those senarios?
Thanks!
Sep 14 2017 10:05 AM
Maybe this helps:
Look for the solution suggested by Sarat.
Sep 16 2017 10:08 AM
Nov 01 2018 08:21 PM - edited Nov 01 2018 08:22 PM
@Jesse Armstrong wrote:
I was able to confirm that you can use Conditional Access Policies (features Azure AD Premium) to enforce MFA for external users on publicly shared SharePoint sites. External users must enroll in MFA immediately after signing in. An account is created in your Azure AD with the users email and some extra characters. For every 1 licensed user , 5 external users could use MFA. Some external users were confused whether to use their work federated account or their windows live account, and that caused confusion. It had to be clearly articulated that the account shared to had to be the one logging in. This caused some grief because the site was shared to a Microsoft live account, but the external user was trying to access the site from their network which had SSO and forced them to use their federated work account.
"For every 1 licensed user , 5 external users could use MFA. " is that free to the external users?
Thanks in advance!
Nov 01 2018 09:13 PM
Nov 02 2018 12:59 AM
AFAIK at least E3 does not have AD Premium, not sure about E5.
Nov 02 2018 04:19 AM
Thanks a lot!
https://docs.microsoft.com/en-us/azure/active-directory/b2b/licensing-guidance
"There are some situations where a guest user isn't reported using the 1:5 External User Allowance. If a guest user already has a paid Azure AD license in the user’s own organization, the user doesn't consume one of your B2B guest user licenses. Additionally, guest users can use free Azure AD features with no additional licensing requirements. Guest users have access to free Azure AD features even if you don’t have any paid Azure AD licenses."