Secure Guest-access to Microsoft Teams with Azure MFA

Microsoft has just enabled guest access in Microsoft Teams. This is a great addition to the service and lets us collaborate more easily, and more often, with our external parties. But maybe we also want to verify that our external users actually are who they say they are. Let's try to protect our external users' access to Teams with Azure MFA.

Create a dynamic user group in Azure AD

The group must contain all our external (guest) users. Go into Azure Active Directory – Users and Groups – All Groups – New Group.

Create a new group in Azure AD
Make it a dynamic user group, and choose userType equals Guest

Make sure all your guest users are in the group by checking the group's members. NB: You will probably have to wait a few minutes before the group is populated.

All my external users are now in this group

Another neat benefit of having this group is to be able to watch how many external users you have by going to the overview tab:

I have 9 external users in my tenant

Create the MFA requirement condition

Now that we have the group of users, we can go and create the conditional access requirements for this group of users. Go into Azure Active Directory and Conditional Access. (QuickLink)

Create a new policy

Make sure to include the app (Microsoft Teams) that you want to protect.

Go into Cloud apps – select Microsoft Teams

Set your required access control. (MFA)

Select require multi-factor authentication as your access control for Teams

Target your group with the policy and enable it.

Choose scope to Guest Users and enable the Policy.
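The same two steps as a script, added here as an example and not taken from the original post: it uses the Microsoft Graph PowerShell SDK, and the group name, mail nickname and policy name are my own choices.

```powershell
# Added example (not from the original post). Creates the dynamic guest group and the
# Conditional Access policy described above with the Microsoft Graph PowerShell SDK.
# Group name, mail nickname and policy name are assumptions chosen for this example.
Connect-MgGraph -Scopes "Group.ReadWrite.All", "Application.Read.All", "Policy.ReadWrite.ConditionalAccess"

# Step 1: dynamic security group whose membership rule matches every guest (userType = Guest)
$group = New-MgGroup -DisplayName "All Guest Users" `
    -MailNickname "allguestusers" -MailEnabled:$false -SecurityEnabled:$true `
    -GroupTypes @("DynamicMembership") `
    -MembershipRule '(user.userType -eq "Guest")' `
    -MembershipRuleProcessingState "On"

# Dynamic membership is evaluated asynchronously: wait a few minutes, then check that the
# member count matches the number of guests you expect before the policy goes live.
$guestCount = (Get-MgGroupMember -GroupId $group.Id -All).Count
Write-Host "Guests currently in group: $guestCount"

# Step 2: resolve the Microsoft Teams cloud app from its service principal instead of
# hard-coding an application id; fail loudly if the lookup is ambiguous.
$teams = Get-MgServicePrincipal -Filter "displayName eq 'Microsoft Teams'"
if (@($teams).Count -ne 1) { throw "Expected exactly one 'Microsoft Teams' service principal" }

# Step 3: Conditional Access policy: users = the guest group, cloud app = Teams,
# grant control = require multi-factor authentication.
$policy = @{
    displayName   = "Guests: require MFA for Microsoft Teams"
    state         = "enabled"   # "enabledForReportingButNotEnforced" lets you trial it in report-only mode first
    conditions    = @{
        clientAppTypes = @("all")
        users          = @{ includeGroups = @($group.Id) }
        applications   = @{ includeApplications = @($teams.AppId) }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
}
$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
Write-Host "Created policy '$($created.DisplayName)' ($($created.Id)), state: $($created.State)"
```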

We have now enabled multi-factor verification for our external users, so they will not get access unless they verify their identity with a second factor. If you want to see the user experience, watch the video below, where you can see that the user gets an MFA challenge when he changes company association in Teams.

So go ahead and start using Teams with external sharing in a slightly more secure way.

If you haven't yet figured out how to enable external sharing and how that works, take a look at this blog post from Tony Redmond.

Regarding licensing, you will need one license per 5 guests using Azure AD Premium features like conditional access and MFA. This means that if you have 100 licensed users in your tenant, you can collaborate with 500 guests.
Take a look here for the details:
