Azure AD Conditional Access Policies Add Check for External User Types



Azure AD conditional access policies can exert fine-grained control over the type of external users who can connect and what tenants they belong to. The new capability works especially well alongside Azure B2B Collaboration (guest users) and Azure B2B Direct Connect (used by Teams shared channels). It’s yet another way to impose control over who you allow to connect to your tenant.

3 Replies
You don't happen to know where we could find more information when it comes to Direct Connect users and this preview? Did some searching but didn't find the details I'm looking for. As the "shared channels" users don't get a presence (account) in the resource org, we've been presented with the three trust settings in External Identities in AAD for conditional access using the host orgs: 1) claims for MFA, 2) compliant devices and 3) hybrid Azure AD joined. I had to try some other settings and they are not being enforced even though you can complete those policies without being prompted. Perhaps a no-brainer here, but people not familiar with the trust settings could be confused as to why their policies don't work.
Direct connect users are not guests in your tenant, so looking up presence requires a cross-tenant query. I don't believe that this is covered by the access policy, and I can imagine that some people would be unhappy to expose their presence to people in another tenant where they share a channel.

Agreed. Simply miss clarification in the docs (not for myself) but as it’s in preview I imagine it will be published going forward.