charlie.tools

Enforcing conditional access for guests without breaking B2B invites

Lock down guest access with conditional access policies that require MFA and compliant devices, without wrecking the B2B invite redemption flow. The trick is in the include/exclude targeting.

The first time I rolled out a “guests must MFA” conditional access policy, I locked out every new B2B invitee. They hit the redemption URL, were challenged for MFA against their home tenant, passed, then got blocked by our policy because they had not yet registered MFA in our directory. The fix is not complicated, but it is counter-intuitive.

The policy target should be all guest and external users, but you need to exclude the register-security-info user action (the invitation redemption itself stays in scope; see point 1 below) and carve out the Azure AD service principal that handles invite sign-ins. Here is the target section I ship:

ca-policy-guests.json
{
  "displayName": "Require MFA for guests",
  "state": "enabled",
  "conditions": {
    "users": {
      "includeGuestsOrExternalUsers": {
        "guestOrExternalUserTypes": "b2bCollaborationGuest,b2bCollaborationMember",
        "externalTenants": { "membershipKind": "all" }
      },
      "excludeUsers": ["<your-break-glass-account-object-id>"]
    },
    "applications": {
      "includeApplications": ["All"],
      "excludeUserActions": ["urn:user:registersecurityinfo"]
    }
  },
  "grantControls": {
    "operator": "AND",
    "builtInControls": ["mfa"]
  }
}

Three things I wish someone had told me:

  1. Do not exclude the B2B invitation redemption user action. It is tempting, because that is what is failing. But the redemption itself does not need a grant control — and if a guest is already in your directory from a previous invite, you still want MFA on the redeemed session. Excluding registersecurityinfo is enough to let them complete MFA registration in the target tenant.
  2. Scope to b2bCollaborationGuest and b2bCollaborationMember rather than the old includeUsers: "GuestsOrExternalUsers". The newer schema is more granular and lets you write separate policies for B2B, B2C, and service provider users without a dozen excludes.
  3. Use report-only mode for at least 72 hours. Every tenant has a long tail of guest sign-ins from external sharing that nobody has thought about in two years. Report-only catches them before they become support tickets.
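As an added check before you push a policy like this, here is a small Python linter over the policy JSON that flags deviations from the three points above. It is my own example, not part of the original post or of any Microsoft tooling; the state value `enabledForReportingButNotEnforced` is the Graph API's report-only state, the sample policy is the one from the post with a placeholder break-glass object id, and the checks assume the schema as shown in the post.

```python
import json

# Constructed sample, not taken from a real tenant: the post's policy with the
# state set to report-only (point 3) and a placeholder break-glass object id.
POLICY_JSON = """{
  "displayName": "Require MFA for guests",
  "state": "enabledForReportingButNotEnforced",
  "conditions": {
    "users": {
      "includeGuestsOrExternalUsers": {
        "guestOrExternalUserTypes": "b2bCollaborationGuest,b2bCollaborationMember",
        "externalTenants": {"membershipKind": "all"}
      },
      "excludeUsers": ["00000000-0000-0000-0000-000000000000"]
    },
    "applications": {
      "includeApplications": ["All"],
      "excludeUserActions": ["urn:user:registersecurityinfo"]
    }
  },
  "grantControls": {"operator": "AND", "builtInControls": ["mfa"]}
}"""

REGISTER_INFO = "urn:user:registersecurityinfo"
REPORT_ONLY = "enabledForReportingButNotEnforced"  # Graph API report-only policy state
WANTED_TYPES = {"b2bCollaborationGuest", "b2bCollaborationMember"}

def lint_guest_policy(policy: dict) -> list[str]:
    """Return findings for a guest MFA policy; an empty list means it follows the post."""
    findings = []
    users = policy.get("conditions", {}).get("users", {})
    apps = policy.get("conditions", {}).get("applications", {})
    if policy.get("state") != REPORT_ONLY:  # point 3: bake in report-only first
        findings.append("state: start in report-only, not %r" % policy.get("state"))
    if "GuestsOrExternalUsers" in users.get("includeUsers", []):  # point 2: old schema
        findings.append("users: legacy includeUsers GuestsOrExternalUsers; use includeGuestsOrExternalUsers")
    types = set(users.get("includeGuestsOrExternalUsers", {}).get("guestOrExternalUserTypes", "").split(","))
    if WANTED_TYPES - types:
        findings.append("users: guestOrExternalUserTypes missing " + ", ".join(sorted(WANTED_TYPES - types)))
    if not users.get("excludeUsers"):  # a lockout policy with no break-glass exclusion
        findings.append("users: no break-glass account excluded")
    excluded = set(apps.get("excludeUserActions", []))
    if REGISTER_INFO not in excluded:  # point 1: this exclusion is what unblocks new invitees
        findings.append("applications: %s must be excluded so guests can register MFA" % REGISTER_INFO)
    if excluded - {REGISTER_INFO}:  # point 1: do not exclude anything else, e.g. redemption
        findings.append("applications: only registersecurityinfo should be excluded")
    if "mfa" not in policy.get("grantControls", {}).get("builtInControls", []):
        findings.append("grantControls: mfa not required")
    return findings

def lint_json(text: str) -> list[str]:
    return lint_guest_policy(json.loads(text))

if __name__ == "__main__":
    for line in lint_json(POLICY_JSON) or ["OK: policy follows the checklist"]:
        print(line)
```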

If you are rolling this out via New-MgIdentityConditionalAccessPolicy, let me know — the PowerShell version has one more gotcha around the external tenants schema that is worth a separate writeup.