Implementing MFA for Guest Access - Azure AD

 Hello All

Today we are going to see, how to implement MFA for guest users ,  why we need it and how to test the conditional access policy with what if tool and Manual testing.

Implement multi-factor authentication: Multi-factor authentication significantly reduces the chances of an account being compromised. Since guests may be using personal email accounts that don’t adhere to our organisation's governance policies or best practices, it is especially important to require multi-factor authentication for guests.

Why we need to implement MFA for guest users

It is  recommended Zero Trust identity to allow access for guests and external users that have an Azure Active Directory (Azure AD) Business-to-Business (B2B) account.

Let us see with example : suppose your organisation is hiring some developers from external company to develop the some application using Azure Devops

There are two ways to manage their identities. 

1. Create an identity in our own domain and ask the developers to access our resources with limited permission by assigning roles in Azure AD. In this case, Authentication happens from our own identity provider

2. create guest user account and invite the developers to access our resources by granting the some roles in AD. In this case, User identity is managed by external company

In case that developers has quits the external company, External organisation team  will manage the identities  Authentication happens at external identity providers 

Let us jump into the steps below to configure the MFA in Azure AD Conditional Access policy

Login to to portal.azure.com

and open the Azure AD Conditional Access

Create a New Policy

Name for it like "MFA for Guest Users "

Select user and Groups

Enable "Guest or External Access

In the Drop Down Select the B2B collaboration Guest users and Other External Users

More information

Guests and external user access with Microsoft Teams

Microsoft Teams defines the following users:

• Guest access uses an Azure AD B2B account that can be added as a member of a team and have access to the communications and resources of the team.

• External access is for an external user that doesn't have a B2B account. External user access includes invitations, calls, chats, and meetings, but doesn't include team membership and access to the resources of the team.

In the Cloud Apps  Select -- > Select Office365

In The Grant Section , select "Grant Access  and Require  MFA 

Enable the policy and create it 

What if tool

Once the Conditional Access Policy created , we can test with the What if tool in CA

The Conditional Access What If policy tool allows you to understand the impact of Conditional Access policies in your environment. Instead of test driving your policies by performing multiple sign-ins manually, this tool enables you to evaluate a simulated sign-in of a user. The simulation estimates the impact this sign-in has on your policies and generates a simulation report.

click on what if tool

Add the extrenal / guest  user UPN

Come to the bottom of the page and tap the what if and see the result down in the bottom pane

Manual Testing by adding the guest users in Microsoft Teams groups 

Create a group and add the guest user 

Guest user receive the invitation in the email 

It open the authentication page

Enter the guest user user name and password

It enforce to use the MFA page for the guest user account

Follow the MFA steps to complete it

Once the Authenticated successful through MFA , then user can access the MS Teams groups on which the guest users belongs to

I hope everyone enjoyed this article and Happy learning 🙂