This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
This article discusses adjusting the recommended Zero Trust identity and device access policies to allow access for guests and external users that have a Microsoft Entra Business-to-Business (B2B) account. This guidance builds on the common identity and device access policies.
These recommendations are designed to apply to the starting point tier of protection. But you can also adjust the recommendations based on your specific needs for enterprise and specialized security protection.
Providing a path for B2B accounts to authenticate with your Microsoft Entra organization doesn't give these accounts access to your entire environment. B2B users and their accounts have access to services and resources (for example, files) designated by Conditional Access policy.
This diagram shows which policies to add or update among the common identity and device access policies, for B2B guest and external user access:
The following table lists the policies you need to create and update. The common policies link to the associated configuration instructions in Common identity and device access policies.
| Protection level | Policies | More information |
|---|---|---|
| Starting point | Require MFA always for guests and external users | Create this new policy and configure the following settings:
|
| Require MFA when sign-in risk is medium or high | Modify this policy to exclude guests and external users. |
To exclude guests and external users from Conditional Access policies, go to Assignments > Users > Exclude > Select users and groups: Select Guest or external users, and then select all of the available user types:
Microsoft Teams defines the following users:
For more information, see Compare external access and guest access in Teams.
For more information on securing identity and device access policies for Teams, see Policy recommendations for securing Teams chats, groups, and files.
This policy requires guests to register for MFA in your organization, regardless of whether they're registered for MFA in their home organization. Guests and external users in your organization are required to use MFA for every request to access resources.
While organizations can enforce risk-based policies for B2B users using Microsoft Entra ID Protection, there are limitations in a resource directory because their identity exists in their home directory. Due to these limitations, we recommend that you exclude guests from risk-based MFA policies and require these users to always use MFA.
For more information, see Limitations of ID Protection for B2B collaboration users.
Only one organization can manage a device. If you don't exclude guests and external users from policies that require device compliance, these policies block these users.
Configure Conditional Access policies for:
Training
Module
Manage access for external users. - Training
Work with external users in Teams and the access controls from different places, including Microsoft Entra ID, Microsoft 365, Teams, and SharePoint admin centers.
Certification
Microsoft Certified: Identity and Access Administrator Associate - Certifications
Demonstrate the features of Microsoft Entra ID to modernize identity solutions, implement hybrid solutions, and implement identity governance.