Post the ignite sessions last month on Microsoft Teams, we have enhancements on security perspective that can be enabled which adds extra protection in any organization.
Inviting the external guest users to the teams channel have been a welcoming option for all of us which increases the communication between them and surges the productivity. However, there are few security guidelines that needs to be followed to ensure that our data is always secure even when they are shared outside the boundary. For instance, a guest account getting compromised where he is a member of a finance team will become a major security incident in any organization.
This article outlines the steps that can be carried over to enhance the security on Microsoft Teams guest accounts by enforcing the multi factor authentication.
Below are the steps to enforce the MFA on guest accounts:
First create a dynamic distribution group and target the guest account
Login to Azure AD Tenant with Admin privilege’s- Go to Groups – Create new group – make them security – membership type make them dynamic.
Now we need to add a dynamic query where the property is usertype and the value is guest.
Once done populate the rule syntax and save them.
After some time now, we could see that the populated guest users in our Azure AD tenant will become the members of this group. Since it’s a dynamic query all the new upcoming accounts will be getting occupied automatically.
Create conditional access policy for guest accounts:
Now we need to create a conditional access policy for the Microsoft Teams guest accounts.
Navigate to enterprise applications – click on conditional access.
Now we need to target the dynamic group on this conditional access policy.
In cloud apps select Microsoft Teams , also better to select Sharepoint online which will enforce MFA for these Sharepoint guest users as well.
In conditions we are selecting only the locations. Further it can be manipulated based on the business prerequisite.
In the access control we are selecting only require MFA and the IT policy.
Now we have the MFA enforced on the guest accounts and we will see the action of this configuration from the invited user.
Experience of the guest users enforced with MFA:
In order to simulate this behavior , we are just adding one guest user a teams channel
Post after that the invited user receives a welcome email and this is usual behavior for any invited Azure AD guest user accounts.
When clicking to login the user will be prompted to register and enroll in MFA.
User will be prompted to enter the mobile number in the invited tenant for MFA and needs to complete the initial authentication process.
If we have enabled the IT policy user will be prompted to read and accept the IT policy.
Finally the user is logged in with the guest account and able to participate on the invited team through a secured way of authentication.
With very nominal steps through the conditional access it creates a overall better security for Microsoft Teams.
Nice one! Thanks for sharing your knowledge
Good one! Thanks for sharing your knowledge 🙂
Why create a dynamic group? You can create a CA for select ‘All guest and external users’?
You could do that as well. Creating a group for guest will help in viewing the guest accounts from a single group.
This doesn’t appear to require guests who are shared onedrive or sharepoint online links to use MFA – is there a way to do this?
Hi For Sharepoint and onedrive in the application section you can search and add them which will add them to this CA policy.
how can guests change their MFA setup? eg: transfer authenticator to a new device.
From the Azure Portal – Navigate to the Guest Account – Authentication Methods – use the option Require re-register MFA
When your guest has MFA available at his tenant. Does it need to reconfigure Auth App?
No its only that we have to enforce on guest account on our tenant