Conditional access, guests & all users

Copper Contributor

It's my understanding that all B2B guests in your tenant are technically classified as all users.


I have a policy that blocks from macos for All Users.
I also have a policy that allows guest users access from macos with MFA.


In theory, the block should override.  What If suggests this is the case.  Upon actual evaluation (there are not in report only mode), it says the user does not match.  What am I missing?







2 Replies
Can you show the policy setup? The WhatIf tool is not always correct in my experience...

@Vasil Michev 


Sometimes, you stare at something for some time, and you have to walk away.  Then you look back a day or two later and see what you foolishly did wrong :)


I had the "Guests" excluded from my all block.  So "What if" is wrong.  Lesson learnt, don't rely on that tool.