
Enforce MFA to external users

Prashant Gupta
Contributor

Is there any news on enforcing MFA for O365 external users when they access externally shared SPO sites? Right now the challenge is that we cannot enforce MFA on external users, and MFA can be enabled only for licensed users.

Azure B2B is in public preview, but I am assuming that this capability will be available as part of Azure B2B GA, as mentioned in the current limitations here. So the question is: if it is enabled, will it also apply to the normal external sharing scenario (with Azure B2B)?

Would like to know more about this also.

I am also curious about this.

The Azure AD pricing says that for every Azure AD Premium account, 5 guests can be invited and can use an Azure AD Premium license. I used a Conditional Access policy to force MFA for all users (including guests, I am assuming, as I see their accounts in the Active Users page, but without any licenses). When the guest is invited, they log in and do not get MFA. I want to make sure they get MFA.


[4] Azure AD allows for B2B collaboration by enabling the use of a select set of Azure AD features to guest users who are invited into the Azure AD tenant. While some features are free, for any paid Azure AD features, guest users must be licensed as follows: with each Azure AD paid edition license that you own for an employee or a non-guest user in your tenant, you will also be able to invite up to 5 guest users to the tenant. The features you can extend to these guest users will depend on the type of Azure AD edition you purchase. There is no charge for inviting a guest user and assigning him/her to an application in Azure AD, for up to 10 apps per guest user. For paid Azure AD features that are extended to guest users, the inviting tenant will need the appropriate number of Basic or Premium P1 or Premium P2 licenses to cover guest users, in the 1 license : 5 users ratio as described above.

[5] Multi-Factor Authentication is available for Azure AD Free and Azure AD Basic, when you create a Multi-Factor Authentication Provider by the 'per user' or 'per authentication' billing/usage model. Pricing for MFA per-user and per-authentication options is described here.

Did anyone ever close the loop on this?


Testing MFA at the moment, but came up with the use case of content shared with teams outside of my org. How am I to enforce MFA for those scenarios?


Thanks!

I was able to confirm that you can use Conditional Access Policies (an Azure AD Premium feature) to enforce MFA for external users on publicly shared SharePoint sites. External users must enroll in MFA immediately after signing in. An account is created in your Azure AD with the user's email and some extra characters. For every 1 licensed user, 5 external users could use MFA. Some external users were confused whether to use their work federated account or their Windows Live account, and that caused confusion. It had to be clearly articulated that the account the site was shared to had to be the one logging in. This caused some grief because the site was shared to a Microsoft Live account, but the external user was trying to access the site from their network, which had SSO and forced them to use their federated work account.
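The policy Jesse describes, written out as an added example (not code from the thread or from Microsoft): a Microsoft Graph PowerShell script that creates a Conditional Access policy requiring MFA for every guest and external user who signs in to SharePoint Online, then pulls recent guest sign-ins so you can check that the policy was actually evaluated. It assumes the Microsoft.Graph PowerShell SDK is installed, that the signed-in admin holds the Policy.ReadWrite.ConditionalAccess and AuditLog.Read.All scopes, and that the well-known SharePoint Online app ID 00000003-0000-0ff1-ce00-000000000000 is targeted; the policy display name and the "BreakGlass" exclusion group are placeholders.

```powershell
# Added example: require MFA for guests/external users on SharePoint Online
# via a Conditional Access policy, created in report-only mode first.
# Assumptions: Microsoft.Graph PowerShell SDK; scopes listed below;
# an existing emergency-access group named "BreakGlass" (placeholder name).

Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All", "AuditLog.Read.All"

# Always exclude an emergency-access (break-glass) group so a broken MFA
# rollout cannot lock every admin out of the tenant.
$breakGlass = Get-MgGroup -Filter "displayName eq 'BreakGlass'"
if (-not $breakGlass) { throw "Break-glass group not found; create it before enabling the policy." }

# Well-known app ID of the Office 365 SharePoint Online service principal.
$spoAppId = "00000003-0000-0ff1-ce00-000000000000"

$policy = @{
    displayName = "Require MFA - guests and external users - SharePoint Online"
    # Start in report-only mode: sign-ins are evaluated and logged but not blocked.
    # Switch to "enabled" only after the sign-in log below shows the expected results.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        clientAppTypes = @("all")
        applications   = @{ includeApplications = @($spoAppId) }
        users          = @{
            # Target every B2B guest/member and other external user, from any tenant.
            includeGuestsOrExternalUsers = @{
                guestOrExternalUserTypes = "b2bCollaborationGuest,b2bCollaborationMember,otherExternalUser"
                externalTenants          = @{
                    "@odata.type"  = "#microsoft.graph.conditionalAccessAllExternalTenants"
                    membershipKind = "all"
                }
            }
            excludeGroups = @($breakGlass.Id)
        }
    }
    grantControls = @{
        operator         = "OR"
        builtInControls  = @("mfa")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
Write-Host "Created policy $($created.Id) in state $($created.State)"

# Verification: look at recent sign-ins to SharePoint Online by guest accounts.
# Guest UPNs contain "#EXT#" (the "extra characters" mentioned in the thread).
# While the policy is report-only, Result shows reportOnlySuccess / reportOnlyFailure /
# reportOnlyNotApplied instead of success / failure / notApplied.
Get-MgAuditLogSignIn -Top 200 |
    Where-Object { $_.UserPrincipalName -like '*#EXT#*' -and $_.AppDisplayName -eq 'SharePoint Online' } |
    ForEach-Object {
        $hit = $_.AppliedConditionalAccessPolicies | Where-Object { $_.Id -eq $created.Id }
        [pscustomobject]@{
            When         = $_.CreatedDateTime
            User         = $_.UserPrincipalName
            Client       = $_.ClientAppUsed
            CAStatus     = $_.ConditionalAccessStatus
            PolicyResult = if ($hit) { $hit.Result } else { 'not evaluated' }
            MfaMethod    = $_.MfaDetail.AuthMethod
        }
    } | Format-Table -AutoSize
```

Two things to check before flipping the state to "enabled": that the report-only rows show reportOnlySuccess for the guests you expect (if a guest never appears, they were signing in with a different account than the one the site was shared to, exactly the confusion described above), and that the 1:5 guest allowance in the pricing footnotes covers the number of external users the policy will touch.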

@Jesse Armstrong wrote:
I was able to confirm that you can use Conditional Access Policies (an Azure AD Premium feature) to enforce MFA for external users on publicly shared SharePoint sites. External users must enroll in MFA immediately after signing in. An account is created in your Azure AD with the user's email and some extra characters. For every 1 licensed user, 5 external users could use MFA. Some external users were confused whether to use their work federated account or their Windows Live account, and that caused confusion. It had to be clearly articulated that the account the site was shared to had to be the one logging in. This caused some grief because the site was shared to a Microsoft Live account, but the external user was trying to access the site from their network, which had SSO and forced them to use their federated work account.

"For every 1 licensed user, 5 external users could use MFA." Is that free to the external users?


Thanks in advance!

Yes, it is free to the external users. It does require you to have Azure AD Premium licenses, so E3 or E5.

AFAIK at least E3 does not have AD Premium, not sure about E5.

Thanks a lot!

https://docs.microsoft.com/en-us/azure/active-directory/b2b/licensing-guidance

"There are some situations where a guest user isn't reported using the 1:5 External User Allowance. If a guest user already has a paid Azure AD license in the user’s own organization, the user doesn't consume one of your B2B guest user licenses. Additionally, guest users can use free Azure AD features with no additional licensing requirements. Guest users have access to free Azure AD features even if you don’t have any paid Azure AD licenses."

Thank you! We're on E4.