MS Teams - External Access (Federation) Conditional Access

%3CLINGO-SUB%20id%3D%22lingo-sub-2290801%22%20slang%3D%22en-US%22%3EMS%20Teams%20-%20External%20Access%20(Federation)%20Conditional%20Access%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2290801%22%20slang%3D%22en-US%22%3E%3CP%3EI%20am%20familiar%20with%20setting%20up%20Conditional%20Access%20policies%20to%20block%20member%20and%20guest%20users%2C%20using%20named%20locations%20but%20can't%20find%20information%20on%20whether%20these%20policies%20would%20also%20be%20applied%20to%20federated%20external%20users%20of%20Teams%20-%20e.g.%20I%20have%20CAP%20to%20block%20non-UK%20access%20to%20Teams%20service%20-%20are%20Teams%20federated%20users%20affected%20by%20this%20policy%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ECan%20anyone%20answer%20this%20please%20and%20ideally%20reference%20the%20relevant%20Microsoft%20Docs%20article%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%5BUpdate%5D%3C%2FP%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fmicrosoft-365%2Fsecurity%2Foffice-365-security%2Fteams-access-policies%3Fview%3Do365-worldwide%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fmicrosoft-365%2Fsecurity%2Foffice-365-security%2Fteams-access-policies%3Fview%3Do365-worldwide%3C%2FA%3E%3CBR%20%2F%3EI%20think%20this%20article%20has%20the%20answer%2C%20CAP%20doesn't%20apply%20to%20external%20access%3A%3C%2FP%3E%3CP%3E%3CEM%3EExternal%20access%20is%20for%20an%20external%20user%20that%20does%20not%20have%20an%20Azure%20AD%20B2B%20account.%20External%20access%20can%20include%20invitations%20and%20participation%20in%20calls%2C%20chats%2C%20and%20meetings%2C%20but%20does%20not%20include%20team%20membership%20and%20access%20to%20the%20resources%20of%20the%20team.%3C%2FEM%3E%3C%2FP%3E%3CP%3E%3CEM%3EConditional%20Access%20policies%20only%20apply%20to%20guest%20access%20in%20Teams%20because%20there%20is%20a%20corresponding%20Azure%20AD%20B2B%20account.%3C%2FEM%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-2290801%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EConditional%20access%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EFederation%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3ETeams%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E
Contributor

I am familiar with setting up Conditional Access policies to block member and guest users, using named locations but can't find information on whether these policies would also be applied to federated external users of Teams - e.g. I have CAP to block non-UK access to Teams service - are Teams federated users affected by this policy?

 

Can anyone answer this please and ideally reference the relevant Microsoft Docs article?

 

[Update]

https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/teams-access-policies?vi...
I think this article has the answer, CAP doesn't apply to external access:

External access is for an external user that does not have an Azure AD B2B account. External access can include invitations and participation in calls, chats, and meetings, but does not include team membership and access to the resources of the team.

Conditional Access policies only apply to guest access in Teams because there is a corresponding Azure AD B2B account.

1 Reply
Great update. Just adding to it. Federated users have valid credentials and are treated as authenticated by Teams, but they are still considered external to the org.