app protection for guest users


so we're trying to go all mam, and recently created some changes that allow domain users to install apps, i.e. teams & outlook and the app protection configurations apply.

However, when I invite a guest user, that user is able to copy & paste data. 
To work around that, in azure ad, I added the guest ID to the group that should still provide the protections.

 But it is stil not  protecting the data. 

Should app protection policies apply globally? if not, what do I have to do?

the only documentation I have, says apply the app protection policies to a group called 'all users' which I thought guest users fall into... but seeing as it didn't, I made the change above.. Anyone have input?

13 Replies

We're having the same issue.  I have a call in to Premier regarding this.  


We invite a guest user.  I.e. (

We see that account show up as a guest in the tenant.

We are then able to assign a EMS E3 license - (after specifying a 'location (US) for the guest user)

We put the user in a Group and apply the app protection policies to that group.

We see nothing happen..  It basically says the user never checks in.


MS is escalating it internally, so we're waiting to hear back.

are you saying the guest cant even get into teams? or are you saying they get in, and can copy data, but you don't see anything in intune? I have tested on 2 os' with guest users, and they can get in, they can copy data, but I do not see the registration in intune or enrollment.. so it is pretty 'bad'. let us know if oyu hear anything, as I have been reaching out to my fasttrack.

MY guest user can get into TEams, fine.  We're able to force MFA with CA rules.  


What we can't prevent is "copy and paste" or Enforce Pin with app protection policies

Hi Folks, just wondering what the end result was for this thread?

Hello Everyone,


We're in the same boat now. Has anyone made any Progress here? We're about to put a call into Premier too but as some of you already have - could you kindly share your finidngs? 


Thank you :)

@Jeen Pallickaparampil 


Guest users do not adhere to InTune MAM controls on a mobile device.

What i had to do was block all the native apps with Conditional Access and rely on Security and Compliance center reporting for file activity.

@Phillip Kenyon Anything new with this? also interessted in a possible solution

 I think I ended up hearing back that it doesn't work because of licensing. Theres no way for them to enforce enrollment, across tenants in a way that supports the MAM. To that end we've made the choice to limit how much we do across tenants with Teams. @RobertHeep 

@Phillip Kenyon aw that was not the answer I was looking for :D so you ended up blocking mobile access for guests entirely?

not officially, but in a round-about way.  Our MAM policy I only apply to direct employees, others get our fully managed MDM policies.  @RobertHeep 

@Phillip Kenyon 


As mentioned above this doesn't work with guest users.  There are a number of reasons and it doesn't purely apply because of licensing today.  The main core reason is the fact that an external or guest user could be another user from another organisations azure tenant, where there own MAM policies may apply.


So what I do is this. For guest users block the rich client teams app.  This can be done using conditional based access, so when they access the team they have to go via the web.  Then using MCAS use session controls to block downloads inside teams.


Hope this helps.

Alright, I will try with CAS. If I can block the download for files, I am happy :)
Use this to have a secure Microsoft Teams Guest experience. Web only, GUEST MFA, Label policies, quarterly review setup to remove stale accounts, etc. Only alteration I did was set the web only policy to block instead of grant as I did not want BYOD devices into the MDM.