Jaa


Policies for allowing guest access and B2B external user access

This article discusses adjusting the recommended Zero Trust identity and device access policies to allow access for guests and external users that have a Microsoft Entra Business-to-Business (B2B) account. This guidance builds on the common identity and device access policies.

These recommendations are designed to apply to the starting point tier of protection. But you can also adjust the recommendations based on your specific needs for enterprise and specialized security protection.

Providing a path for B2B accounts to authenticate with your Microsoft Entra tenant doesn't give these accounts access to your entire environment. B2B users and their accounts have access to services and resources, like files, shared with them by Conditional Access policy.

Updating the common policies to allow and protect guests and external user access

This diagram shows which policies to add or update among the common identity and device access policies, for B2B guest and external user access.

Diagram that shows the summary of policy updates for protecting guest access.

The following table lists the policies you either need to create and update. The common policies link to the associated configuration instructions in the Common identity and device access policies article.

Protection level Policies More information
Starting point Require MFA always for guests and external users Create this new policy and configure:
  • For Assignments > Users and groups > Include, choose Select users and groups, and then select All guest and external users.
  • For Assignments > Conditions > Sign-in risk and select all Sign-in risk levels.
Require MFA when sign-in risk is medium or high Modify this policy to exclude guests and external users.

To include or exclude guests and external users in Conditional Access policies, for Assignments > Users and groups > Include or Exclude, check All guest and external users.

Screenshot of the controls for excluding guests and external users.

More information

Guests and external user access with Microsoft Teams

Microsoft Teams defines the following users:

  • Guest access uses a Microsoft Entra B2B account that can be added as a member of a team and have access to the communications and resources of the team.

  • External access is for an external user that doesn't have a B2B account. External user access includes invitations, calls, chats, and meetings, but doesn't include team membership and access to the resources of the team.

For more information, see the comparison between guests and external user access for teams.

For more information on securing identity and device access policies for Teams, see Policy recommendations for securing Teams chats, groups, and files.

Require MFA always for guest and external users

This policy prompts guests to register for MFA in your tenant, regardless of whether they're registered for MFA in their home tenant. Guests and external users accessing resources in your tenant are required to use MFA for every request.

Excluding guests and external users from risk-based MFA

While organizations can enforce risk-based policies for B2B users using Microsoft Entra ID Protection, there are limitations in the implementation of Microsoft Entra ID Protection for B2B collaboration users in a resource directory because their identity exists in their home directory. Due to these limitations, Microsoft recommends you exclude guests from risk-based MFA policies and require these users to always use MFA.

For more information, see Limitations of ID Protection for B2B collaboration users.

Excluding guests and external users from device management

Only one organization can manage a device. If you don't exclude guests and external users from policies that require device compliance, these policies block these users.

Next step

Screenshot of the policies for Microsoft 365 cloud apps and Microsoft Defender for Cloud Apps.

Configure Conditional Access policies for: