Conditional Access Policies: Require MFA For Guests In o365 Tenant

Your organization uses SharePoint/OneDrive and works very hard to make sure all of your sensitive documents are safe from attackers and other wrongdoers. Your IT department has done what it considers the necessary work and has gone as far as turning on Multi-Factor Authentication for everyone in the company, so that only people who have completed MFA can reach that sensitive data.


What is Multi Factor Authentication?

Multi-Factor Authentication is a login method that requires a second factor, in addition to your password, before you can access the data your administrator has given you rights to. The most common second factor is your mobile phone: a text message, a phone call, or an installed Authenticator app provides a code (or an approval prompt) that you enter after your password. This protects the account because someone who only knows your password, which can be phished, guessed, or reused from a breach, still cannot sign in without your phone.


Now that you are feeling pretty good about the security of your sensitive documents, you and other members of your organization can share them internally for collaboration as needed. You can also send links to people you work with outside your company so they can view the material or even edit it. This is a great way to collaborate on important documents. However, sharing a document from your company's SharePoint/OneDrive by sending a link to an outside address can definitely decrease the security of that document: you have no control over that person's email account, and a link in a mailbox you do not manage can be forwarded, or read by whoever else has access to that mailbox. So you must ask yourself, who really has access to the link you sent?


Conditional Access Policy

But wait! There is a way to add safety even when granting access outside your company. Your company can set up a Conditional Access Policy that requires MFA for guest users in your o365 tenant. Along with this policy, you will also need to set your SharePoint External Sharing policy to allow outside sharing, and the level matters: choose a level that requires outside recipients to sign in as guests ("New and existing guests" or "Existing guests only"). The most permissive level, "Anyone", creates anonymous links that never authenticate, so a Conditional Access policy can never apply MFA to them. The example below shows the different sharing levels, from most to least permissive, that you set in the SharePoint Admin Center of your company's o365 tenant.


[Screenshot 1: SharePoint Admin Center external sharing levels]

Now that guests can be sent SharePoint/OneDrive links, we need to create a Conditional Access Policy that requires MFA for those guests. This policy is created in the Azure Active Directory Admin Center (now the Microsoft Entra admin center) under Security / Conditional Access.


I created a policy called "Require MFA for External Users" and, under "Assignments / Users and groups", chose "All guest and external users" under "Select users and groups", as shown below.


[Screenshot 2: Conditional Access policy assignment, "All guest and external users"]


Under "Cloud apps or actions" I chose "Office 365", which covers SharePoint Online and OneDrive for Business (along with the other Office 365 services) so you do not have to select each app separately.


[Screenshot 3: Conditional Access policy cloud apps, "Office 365"]

Finally, under "Access controls / Grant", I selected "Require multi-factor authentication". A guest who has no MFA method registered is prompted to register one the first time the policy applies to them, so expect a few help-desk questions from outside collaborators when you turn this on.


[Screenshot 4: Conditional Access policy grant controls, "Require multi-factor authentication"]


The "Enable policy" setting at the bottom of the policy has three states: Off, Report-only, and On. Whenever you work with Conditional Access Policies it is a good idea to start in "Report-only" so you can test and confirm you are getting the desired outcome: the policy is evaluated and recorded in the Azure AD sign-in logs (under the Report-only tab of each sign-in) but nothing is blocked. Review those entries for a few days, and use the Conditional Access "What If" tool to check a specific guest account against the policy, before switching it to On.


[Screenshot 5: Conditional Access "Enable policy" setting, Report-only]
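The same two settings walked through above (the SharePoint external sharing level and the report-only Conditional Access policy), scripted with the SharePoint Online Management Shell and Microsoft Graph PowerShell. This is an added example and not code from the original post; the tenant name "contoso", the partner domain "partner.example", and the policy display name are assumed values to replace for your own tenant.

```powershell
# Added example (not from the original post). Assumed values: the tenant
# name "contoso", the partner domain "partner.example" and the policy name.
#Requires -Modules Microsoft.Online.SharePoint.PowerShell, Microsoft.Graph.Identity.SignIns

# --- Step 1: SharePoint external sharing level -----------------------------
# ExternalUserSharingOnly = "New and existing guests": every outside recipient
# must sign in as a guest. Do NOT use ExternalUserAndGuestSharing ("Anyone"):
# anonymous links never authenticate, so Conditional Access cannot apply MFA.
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"   # assumed tenant
Set-SPOTenant -SharingCapability ExternalUserSharingOnly

# Optional: limit sharing to an allow list of partner domains. This is a
# SharePoint sharing setting, not a Conditional Access control.
Set-SPOTenant -SharingDomainRestrictionMode AllowList `
              -SharingAllowedDomainList "partner.example"     # assumed domain

# --- Step 2: Conditional Access policy, created in report-only mode --------
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

$policy = @{
    displayName   = "Require MFA for External Users"
    # Report-only first; switch to "enabled" after reviewing sign-in logs.
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        # "All guest and external users"
        users        = @{ includeUsers = @("GuestsOrExternalUsers") }
        # The "Office 365" app group, which covers SharePoint and OneDrive
        applications = @{ includeApplications = @("Office365") }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")   # "Require multi-factor authentication"
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created policy '{0}' ({1}) in state {2}" -f $created.DisplayName, $created.Id, $created.State

# --- Step 3 (later): enforce once the report-only results look right -------
# Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id `
#     -BodyParameter @{ state = "enabled" }
```

Run the script with a SharePoint administrator and a Conditional Access administrator account. The Graph call returns the new policy object, so the printed Id is the one to pass to Update-MgIdentityConditionalAccessPolicy when you move the policy from report-only to enforced.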


This Conditional Access Policy is a great way for an organization to keep its SharePoint/OneDrive data as secure as possible. For even tighter control, the SharePoint Admin Center's sharing settings (separate from Conditional Access) also let you restrict which of your company's users can share externally and limit sharing to an allow list (or deny list) of outside domains.


[Screenshot 6: SharePoint Admin Center domain and user restrictions for external sharing]


The important thing to remember is that your company has the ability to secure its documents on its own terms, to fit its own needs.


If you would like to discuss how to set this up, or how to ensure your documents and data are secure, please contact us.

