SOLVED

Enable Conditional Access template for guest MFA requirement and SharePoint sharing

Brass Contributor

Hi,

 

I plan to enable template for Conditional Access for GUEST and External users to be forced for MFA. I just cant find answer whether this will affect also external users that we have shared SharePoint folders with? Will they be asked to user/register with MFA? ... or it will affect only users that are GUESTS members in our Entra?

 

 

Thank you.

8 Replies
best response confirmed by sumo83 (Brass Contributor)
Solution

Hi @sumo83,

 

When you start using this template all external users will be included, see screenshot below. That means that all authentication to Entra that is not from a member user will be affected by this conditional access rule.

So to concretely answer your question: Yes this also applies to external users with whom you have shared an SP folder.

 

JosvanderVaart_0-1707486275467.png

Please click Mark as Best Response & Like if my post helped you to solve your issue.
This will help others to find the correct solution easily. It also closes the item.


If the post was useful in other ways, please consider giving it Like.


Kindest regards,

thank you for info... Under which group will fall an external user that I simply share a folder with via link as "People you choose" option please?

I'm still a bit confused about it...

@sumo83 It depends who you share with and what platform he is on.

I see... OK.. looks like I need to do some research about those groups to get more familiar with it... Thanks again!

may I have one more question please...

as the external user is not a guest in our MS Entra.... how the MFA will work for him? Or will enabling MFA cause that also external users that are not a GUESTS will be added as GUESTS to our Entra?... Lets say that they will have issue with MFA at some point, on which site it needs to be fixed?

If they are as Guests showing in our Entra, i know their the MFA is managed by our Entra... But if I share it externaly via link, and they are not GUESTs in our Entra.... how MFA works in that case?

Trying to search for some good documentations and trainings... but these are not really answered there... :?

To enforce MFA through Conditional Access for users, it's necessary to activate the Entra B2B integration for SharePoint and OneDrive. In cases where SharePoint External Sharing is utilized, users authenticate by entering a verification code sent to their email. My personal advice is to opt for the Entra B2B integration, as it offers extra security enhancements. Check this > Microsoft Entra B2B integration for SharePoint & OneDrive - SharePoint in Microsoft 365 | Microsoft ...

I'm about to enable B2B integration... Do I understand that correctly that when I enable it, even one-time password via email external users will be created as guests in our Entra... and then I can enable MFA for guests/external....

for existing sharing - user will just need to re-authenticate via email one time password again (before I go to next step and enable MFA)

Correct @sumo83. Just make sure that Email OTP is enable in Entra (should be by default). 

 

Log into the Microsoft Entra admin center with Security Administrator or higher privileges. Navigate to Identity > External Identities > All identity providers and choose Email one-time passcode from the list of identity providers. Make sure that the value is set to Yes.

1 best response

Accepted Solutions
best response confirmed by sumo83 (Brass Contributor)
Solution

Hi @sumo83,

 

When you start using this template all external users will be included, see screenshot below. That means that all authentication to Entra that is not from a member user will be affected by this conditional access rule.

So to concretely answer your question: Yes this also applies to external users with whom you have shared an SP folder.

 

JosvanderVaart_0-1707486275467.png

Please click Mark as Best Response & Like if my post helped you to solve your issue.
This will help others to find the correct solution easily. It also closes the item.


If the post was useful in other ways, please consider giving it Like.


Kindest regards,

View solution in original post