External User with conditional access for SharePoint Online not working


I'm excited about the new introduced features and I immediately tried it out. What my customer are looking for is to enhance the external collaboration on their SharePoint Online. I want to enforce MFA for all or selected external users. The users are already added to the AAD the SPO belongs to (owner tenant). I've enabled a conditional policy in the new Azure Portal for the enterprise application named "Office 365 SharePoint Online" but even after an our for potential sync between AAD and SharePoint the policy is not working. I tested the MFA enforcement with a basic ASP.NET app hosted and registered as an enterprise app in the same tenant. The policy is working if enabled for this app. The external user had to enroll using MFA and the access is granted as expected. I then changed the policy to not select specific apps but the apply to all apps in the tenant. But also without any noticeable results even after some time passed.


Is it a bug? A feature? Or a topic on the roadmap? Any ETA? It is a really important app in the AAD ecosystem and respecting the AAD policies would be beneficial if not mandatory!

12 Replies

We love your enthusiasm on the new features, Marco!


@Sarat Subramaniam, @Mary Lynch, do you have inputs on the behavior described by Marco?

Marco - can you try the instructions I have included here to enable MFA for SPO and let us know if it works for you?


Let’s say the goal is: MFA for guest users only, accessing SPO


  1. Set up a group in your tenant that includes all guest users – I would highly recommend you use dynamic groups for this.
    • Sign in to as the global admin b. Click on “Users & Groups” c. Click on “All groups”
    • Click on “Add” at the top e. Enter a name for the group – for instance, “All guest users”
    • Optionally, enter a description g. Under “Membership type”, select “Dynamic user”
    • Don’t select anything for “Enable Office Features”
    • Click on “Add dynamic query” j. Click on the tab called “Advanced rule”
    • Type in (user.userType -contains "Guest")
    • Click on “Add Query” button at the bottom
    • Click on “Create” button at the bottom
    • At this point, a dynamic group has been created that will house any guest user you invite – note that there is a latency between a B2B user is added and the dynamic group membership being updated
  2. Set up conditional access to SharePoint such that all external users would need to MFA
    • Click on “Conditional access” at the root level of your tenant within the Azure admin portal
    • Click on “Add” to add a conditional access policy
    • Give a name to the policy, for example “CA to SPO for guest users”
    • Under “Users and Groups”, add the group you created above, i.e., “All guest users”
    • Under “Cloud apps”, add SPO – the app would be called “Office 365 SharePoint Online”
    • Skip the “Conditions” option – basically, you want all users from that group to always be MFA’d whenever they access SharePoint Online
    • Under “Controls”, select “Allow access” and check the box that says “require multi-factor authentication” – leave the other two boxes unchecked and under the “for multiple controls” options below, select the one that says “require one of the selected controls” (though this is really moot since you are only selecting one control)
    • Make sure the “Enable Policy” is set to “On” and save the policy
    • At this point, you have created a conditional access policy that stipulates that all external users will be required to do MFA when accessing your tenant’s SharePoint online resources
best response confirmed by Marco Scheel (Contributor)
Following up on this, The SPO team informed me that inorder for this to work, you need to be enrolled for First Release, andfor Guest MFA you need a fix that SPO made.

THis should be available globally by end of March, but if you direct message me your tenant details, we can get it enabled for your tenant only.

My (LAB) tenant is configured as first release and the DM is send already with my tenant name and ID. So glad a solution is already available and also scheduled for a nearby release :) Once I have the fix enabled in my tenant I will write back and mark your reply as the answer.


Ciao Marco

We have been informed by the SharePoint online team that during their private preview they have discovered an issue with this that has caused them to roll back this change. They hope to be able to deploy the fix by end of April. Please stay tuned.

Hi Sarat - Is the planned update still end of April and how will it be communicated?

I will update this forum as soon as we have firmly committed dates.

Did we ever get this update applied?

what if we aren't on First Target Release? what do we do for conditional Access?

The feature is STILL not active.

...any's been quite a while......

any update on this Sarat?  We are looking to force our external users to use MFA and its been a long while since this was "coming". Does anyone have a solution?  (I am looking for B2C - for an external user using their gmail or generic work accounts)  Thanks in advance.


i too would like to know.

it is not easy to keep up with roadmap items on o365.