How to keep external users from being affected by an existing Conditional Access policy?

Daemetius 31 Reputation points
2020-05-23T23:20:44.68+00:00

I was tasked to find ways (if any) to have external users NOT be affected by the existing Conditional Access policies in the company WITHOUT modifying said existing policies.

We have 1 policy that prevents any user from accessing the company's tenant content if they do not belong to a security group in Azure. This policy was made for employees only. However, because it's targeting "All users", this affects external users who have no need of belonging to a security group since they don't have licenses to manage the company's O365 tenant.

There's another policy that forces employees to access company tenant content only through compliant devices. This means that if I tried to access the company from a non-managed device, then I won't have access. This also affects "All users", including external users.

I was told that I should avoid touching these existing Conditional Access policies, so I'm trying to look for a way (if any) of excluding external users from being affected by these 2 policies.

Is this possible? From what I understand, I can click on an option that says "All guests and external users" under the Exclusion section of a Conditional Access policy, but I'm not sure if this is the right way to do it or whether there is any other way except doing it this way.

Azure Information Protection
Microsoft Entra ID

Accepted answer
  1. AmanpreetSingh-MSFT 56,306 Reputation points
    2020-05-24T08:15:10.007+00:00

    @Daemetius As you have mentioned, the scope of the CA policies is set to "All Users", so the policies will apply to all users regardless of whether the user is a member or a guest. Without modifying the scope of the policy it won't be possible to exclude guest users.

    One option to exclude guest users is by excluding "All guests and external users", as you have already mentioned, and I would suggest you use this option.

    Another option is that you can create a Dynamic Group with the query "userType equals guest" so that all guest users automatically get added to this group, and then exclude this group from the CA policy.

    Although I suggest you go with the first option, the reason for providing the second option is this: let's say in future you would want to exclude all guest users except one guest user, e.g. user@Stuff.com. You can then modify the query of your dynamic group to "userType equals guest" AND userPrincipalName Not equals user_gmail.com#EXT#@yourtenant.onmicrosoft.com. That way all guest users will be excluded except user@Stuff.com. Instead of the UPN, you may use objectId Not equals <objectId of user@Stuff.com> as well. This would provide you with some flexibility and more control over the user scope in the CA policy.

    -----------------------------------------------------------------------------------------------------------

    Please do not forget to "Accept the answer" wherever the information provided helps you to help others in the community.

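The second option from the accepted answer, as an added example that is not part of the answer: it creates the "all guests except one" dynamic group with the Microsoft Graph PowerShell module and appends it to the exclusions of an existing policy, leaving the policy's other user settings untouched. The group name, policy display name, tenant name and guest UPN are placeholders; the Microsoft.Graph module and an admin session are assumed.

```powershell
# Added example (not from the answer). Assumes the Microsoft.Graph module and
# Group.ReadWrite.All + Policy.ReadWrite.ConditionalAccess permissions.
Connect-MgGraph -Scopes "Group.ReadWrite.All", "Policy.ReadWrite.ConditionalAccess"

# Dynamic membership rule in Entra rule syntax: every guest, except the one guest
# who must stay in scope. Guest UPNs use the '#EXT#' form; placeholder values below.
$rule = '(user.userType -eq "Guest") and ' +
        '(user.userPrincipalName -ne "user_gmail.com#EXT#@yourtenant.onmicrosoft.com")'

$group = New-MgGroup -DisplayName "CA-Exclude-Guests" `
    -MailEnabled:$false -MailNickname "ca-exclude-guests" -SecurityEnabled `
    -GroupTypes "DynamicMembership" -MembershipRule $rule `
    -MembershipRuleProcessingState "On"

# Locate the existing policy by display name (placeholder name).
$policy = Get-MgIdentityConditionalAccessPolicy `
    -Filter "displayName eq 'Require compliant device'"

# Rebuild the whole users block from the current policy so that a PATCH cannot
# silently drop includeUsers/includeGroups; only excludeGroups gains the new id.
$users = $policy.Conditions.Users
$params = @{
    conditions = @{
        users = @{
            includeUsers  = @($users.IncludeUsers)
            excludeUsers  = @($users.ExcludeUsers)
            includeGroups = @($users.IncludeGroups)
            excludeGroups = @($users.ExcludeGroups) + $group.Id
            includeRoles  = @($users.IncludeRoles)
            excludeRoles  = @($users.ExcludeRoles)
        }
    }
}
Update-MgIdentityConditionalAccessPolicy `
    -ConditionalAccessPolicyId $policy.Id -BodyParameter $params

# Dynamic membership is evaluated asynchronously; check who actually landed in
# the group before relying on the exclusion.
Get-MgGroupMember -GroupId $group.Id -All |
    ForEach-Object { $_.AdditionalProperties["userPrincipalName"] }
```

Because the membership rule decides who falls outside the policy, review the group's members after each rule change; a mistyped UPN quietly keeps that guest in scope, while a rule that is too broad silently widens the exclusion.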

1 additional answer

  1. Jai Verma 461 Reputation points
    2020-05-24T03:56:55.913+00:00

    You are right on the spot. You have to exclude guest users by selecting "All Guests and external users" in the existing policy. The logical and easier way is to modify the existing policy. This way you always know where to look for settings, and it sounds like the logically correct way of achieving the goal.
