daemetius asked ·

How to keep external users from being affected by an existing conditional access policy?

I was tasked with finding ways (if any) to have external users NOT be affected by the company's existing conditional access policies WITHOUT modifying said policies.

We have 1 policy that prevents any user from accessing the company's tenant content if they do not belong to a security group in Azure. This policy was made for employees only. However, because it targets "All users", it affects external users, who have no need to belong to a security group since they don't have licenses to manage the company's O365 tenant.

There's another policy that forces employees to access company tenant content only through compliant devices. This means that if I try to access the company from a non-managed device, I won't have access. This also affects "All users", including external users.

I was told that I should avoid touching these existing conditional access policies, so I'm trying to look for a way (if any) of excluding external users from being affected by these 2 policies.

Is this possible? From what I understand, I can click on an option that says "All guests and external users" under the Exclusion section of a Conditional Access policy, but I'm not sure if this is the right way to do it, or whether there is any other way except doing it this way.


Tags: azure-active-directory, azure-ad-multi-factor-authentication, azure-information-protection
amanpreetsingh-msft answered ·

@daemetius As you have mentioned, the scope of the CA policies is set to "All Users", so the policies will apply to all users regardless of whether the user is a member or a guest. Without modifying the scope of the policy, it won't be possible to exclude guest users.

One option to exclude guest users is to exclude "All guests and external users", as you have already mentioned, and I would suggest you use this option.

Another option is to create a dynamic group with the query "userType equals guest", so that all guest users automatically get added to this group, and then exclude this group from the CA policy.

Although I suggest you go with the first option, the reason for providing the second option is this: let's say that in future you want to exclude all guest users except one guest user, e.g. user@gmail.com. You can then modify the query of your dynamic group to "userType equals guest" AND userPrincipalName not equals user_gmail.com#EXT#@yourtenant.onmicrosoft.com. That way all guest users will be excluded except user@gmail.com. Instead of the UPN, you may use objectId not equals <objectId of user@gmail.com> as well. This would give you some flexibility and more control over the user scope in the CA policy.


Please do not forget to "Accept the answer" wherever the information provided helps you, so that it can help others in the community.


@daemetius have you had a chance to test it out?

daemetius replied to amanpreetsingh-msft ·

yes! This worked! Thank you!

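A worked version of the second option above (the dynamic group with one named guest carved out), added here as an illustration; it is not code from the original thread or from Microsoft. It uses the Microsoft Graph PowerShell SDK cmdlets New-MgGroup, Get-MgIdentityConditionalAccessPolicy and Update-MgIdentityConditionalAccessPolicy. The group name, mail nickname, the policy display name "Require compliant device" and the guest UPN are assumed placeholders. Rather than overwriting the policy's user scope, it reads the existing includes and exclusions back and re-submits them with the new group appended, so nothing already in the policy is lost.

```powershell
# Added example, not from the original thread. Requires the Microsoft.Graph PowerShell SDK.
# Group name, mail nickname, policy display name and the guest UPN are assumed placeholders.
Connect-MgGraph -Scopes "Group.ReadWrite.All", "Policy.Read.All", "Policy.ReadWrite.ConditionalAccess"

# Dynamic membership rule from the answer: every guest, except one named guest.
# A guest's UPN in the tenant has the form <local>_<domain>#EXT#@<tenant>.onmicrosoft.com.
# To key on the object id instead: (user.objectId -ne "<objectId of the guest>")
$rule = '(user.userType -eq "Guest") and (user.userPrincipalName -ne "user_gmail.com#EXT#@yourtenant.onmicrosoft.com")'

$group = New-MgGroup -DisplayName "CA-Exclude-Guests" `
    -MailNickname "ca-exclude-guests" -MailEnabled:$false -SecurityEnabled `
    -GroupTypes @("DynamicMembership") `
    -MembershipRule $rule -MembershipRuleProcessingState "On"

# Dynamic membership is evaluated asynchronously; until the group is populated,
# the guests are still inside the policy's "All users" scope.
Write-Host "Created dynamic group $($group.Id); confirm members with Get-MgGroupMember -GroupId $($group.Id)"

# Locate the existing policy by its (assumed) display name.
$policy = Get-MgIdentityConditionalAccessPolicy -Filter "displayName eq 'Require compliant device'"
if (-not $policy) { throw "Policy not found" }

# Null-safe string array for the JSON body; the leading comma stops PowerShell
# from unrolling an empty or single-element array on return.
function AsList($x) { ,@($x | Where-Object { $_ }) }

$u = $policy.Conditions.Users
$body = @{
    conditions = @{
        users = @{
            includeUsers  = AsList $u.IncludeUsers     # e.g. "All"
            includeGroups = AsList $u.IncludeGroups
            includeRoles  = AsList $u.IncludeRoles
            excludeUsers  = AsList $u.ExcludeUsers     # option one would add "GuestsOrExternalUsers" here
            excludeGroups = AsList (@($u.ExcludeGroups) + $group.Id)
            excludeRoles  = AsList $u.ExcludeRoles
        }
    }
}
Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $policy.Id -BodyParameter $body

# Re-read the policy and confirm the exclusion landed and the rest of the scope is intact.
(Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $policy.Id).Conditions.Users
```

Two things a practitioner should check before trusting this. First, the dynamic group only protects guests once Azure AD has finished evaluating the rule, so verify the membership with Get-MgGroupMember before assuming the exclusion is effective. Second, after the update, compare the returned Conditions object with what you read at the start; if the other conditions (applications, platforms, locations) were not preserved by the partial update, resubmit the complete conditions set with only the users block changed.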
JaiVerma-7010 answered ·

You are right on the spot. You have to exclude guest users by selecting "All guests and external users" in the existing policy. The logical and easier way is to modify the existing policy; this way you always know where to look for the settings, and it sounds like the logically correct way of achieving the goal.
