Oct 31 2018 12:47 PM
Oct 31 2018 12:47 PM
so we're trying to go all mam, and recently created some changes that allow domain users to install apps, i.e. teams & outlook and the app protection configurations apply.
However, when I invite a guest user, that user is able to copy & paste data.
To work around that, in azure ad, I added the guest ID to the group that should still provide the protections.
But it is stil not protecting the data.
Should app protection policies apply globally? if not, what do I have to do?
the only documentation I have, says apply the app protection policies to a group called 'all users' which I thought guest users fall into... but seeing as it didn't, I made the change above.. Anyone have input?
Nov 02 2018 07:19 AM
We're having the same issue. I have a call in to Premier regarding this.
We invite a guest user. I.e. (Guestuser@gmail.com)
We see that account show up as a guest in the tenant.
We are then able to assign a EMS E3 license - (after specifying a 'location (US) for the guest user)
We put the user in a Group and apply the app protection policies to that group.
We see nothing happen.. It basically says the user never checks in.
MS is escalating it internally, so we're waiting to hear back.
Nov 02 2018 11:08 AM
Nov 02 2018 01:36 PM
MY guest user can get into TEams, fine. We're able to force MFA with CA rules.
What we can't prevent is "copy and paste" or Enforce Pin with app protection policies
Mar 27 2019 09:47 PM
We're in the same boat now. Has anyone made any Progress here? We're about to put a call into Premier too but as some of you already have - could you kindly share your finidngs?
Thank you :)
Feb 20 2020 07:49 AM
I think I ended up hearing back that it doesn't work because of licensing. Theres no way for them to enforce enrollment, across tenants in a way that supports the MAM. To that end we've made the choice to limit how much we do across tenants with Teams. @RobertHeep
Jul 02 2020 03:43 AM
As mentioned above this doesn't work with guest users. There are a number of reasons and it doesn't purely apply because of licensing today. The main core reason is the fact that an external or guest user could be another user from another organisations azure tenant, where there own MAM policies may apply.
So what I do is this. For guest users block the rich client teams app. This can be done using conditional based access, so when they access the team they have to go via the web. Then using MCAS use session controls to block downloads inside teams.
Hope this helps.
Jan 19 2021 07:20 PM