Microsoft Teams – Enforce Multifactor Authentication on guest accounts

Post the ignite sessions last month on Microsoft Teams, we have enhancements on security perspective that can be enabled which adds extra protection in any organization.

Inviting the external guest users to the teams channel have been a welcoming option for all of us which increases the communication between them and surges the productivity. However, there are few security guidelines that needs to be followed to ensure that our data is always secure even when they are shared outside the boundary. For instance, a guest account getting compromised where he is a member of a finance team will become a major security incident in any organization.

This article outlines the steps that can be carried over to enhance the security on Microsoft Teams guest accounts by enforcing the multi factor authentication.

Below are the steps to enforce the MFA on guest accounts:

First create a dynamic distribution group and target the guest account

Login to Azure AD Tenant with Admin privilege’s- Go to Groups – Create new group – make them security – membership type make them dynamic.

Now we need to add a dynamic query where the property is usertype  and the value is guest.

Once done populate the rule syntax and save them.

After some time now, we could see that the populated guest users in our Azure AD tenant will become the members of this group. Since it’s a dynamic query all the new upcoming accounts will be getting occupied automatically.

Create conditional access policy for guest accounts:

Now we need to create a conditional access policy for the Microsoft Teams guest accounts.

Navigate to enterprise applications – click on conditional access.

Now we need to target the dynamic group on this conditional access policy.

In cloud apps select Microsoft Teams , also better to select Sharepoint online which will enforce MFA for these Sharepoint guest users as well.

In conditions we are selecting only the locations. Further it can be manipulated based on the business prerequisite.

In the access control we are selecting only require MFA and the IT policy.

Now we have the MFA enforced on the guest accounts and we will see the action of this configuration from the invited user.

Experience of the guest users enforced with MFA:

In order to simulate this behavior , we are just adding one guest user a teams channel

Post after that the invited user receives  a welcome email and this is usual behavior for any invited Azure AD guest user accounts.

When clicking to login the user will be prompted to register and enroll in MFA.

User will be prompted to enter the mobile number in the invited tenant for MFA and needs to complete the initial authentication process.

If we have enabled the IT policy user will be prompted to read and accept the IT policy.

Finally the user is logged in with the guest account and able to participate on the invited team through a secured way of authentication.

With very nominal steps through the conditional access it creates a overall better security for Microsoft Teams.

10 thoughts on “Microsoft Teams – Enforce Multifactor Authentication on guest accounts

  1. prasannaraju December 9, 2019 at 12:50 pm Reply

    Nice one! Thanks for sharing your knowledge


  2. prasannaraju December 9, 2019 at 12:52 pm Reply

    Good one! Thanks for sharing your knowledge 🙂


  3. Alex June 12, 2020 at 1:11 pm Reply

    Why create a dynamic group? You can create a CA for select ‘All guest and external users’?


    • sathishveerapandian June 14, 2020 at 10:17 pm Reply

      You could do that as well. Creating a group for guest will help in viewing the guest accounts from a single group.


    • Michael Cheshire August 19, 2021 at 4:16 am Reply

      This doesn’t appear to require guests who are shared onedrive or sharepoint online links to use MFA – is there a way to do this?


      • Sathish Veerapandian September 1, 2021 at 11:44 pm

        Hi For Sharepoint and onedrive in the application section you can search and add them which will add them to this CA policy.


  4. Himanshu Kaushesh October 14, 2020 at 3:56 pm Reply

    how can guests change their MFA setup? eg: transfer authenticator to a new device.


    • Sathish Veerapandian October 16, 2020 at 11:43 am Reply

      From the Azure Portal – Navigate to the Guest Account – Authentication Methods – use the option Require re-register MFA


  5. PAV November 25, 2020 at 10:51 pm Reply

    When your guest has MFA available at his tenant. Does it need to reconfigure Auth App?


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: