Microsoft has just enabled guest access in Microsoft Teams. This is a great addition to the service and lets us collaborate more, and more easily, with our external parties. But we may also want to verify that our external users actually are who they say they are. Let’s protect our external users' access to Teams with Azure MFA.
Create a dynamic user group in Azure AD
Make sure it contains all our external users. Go to https://aad.portal.azure.com, then Azure Active Directory – Users and Groups – All Group – New Group.
Make sure you have all your guest users in the group by checking the group's members. NB: You will probably have to wait a few minutes before the group is populated.
Another neat benefit of having this group is to be able to watch how many external users you have by going to the overview tab:
Create the MFA requirement condition
Now that we have the group of users, we can go and create the conditional access requirements for it. Go into Azure Active Directory and Conditional Access. (QuickLink)
Make sure to include the app (Microsoft Teams) that you want to protect.
Set your required access control. (MFA)
Target your group with the policy and enable it.
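One way to verify the finished policy, as an added example that is not from the original post: the function below checks a policy exported as JSON from Microsoft Graph (the conditionalAccessPolicy resource) against the steps above. The group and app IDs are placeholders, the function name is hypothetical, and the sample policy is constructed.

```python
# Added example: audit a conditional access policy exported from Microsoft Graph (IDs are placeholders).

GUEST_GROUP_ID = "11111111-1111-1111-1111-111111111111"  # placeholder: dynamic guest group
TEAMS_APP_ID = "22222222-2222-2222-2222-222222222222"    # placeholder: Microsoft Teams app


def audit_guest_mfa_policy(policy, guest_group_id, teams_app_id):
    """Return a list of findings; an empty list means guests are MFA-gated for Teams."""
    findings = []
    cond = policy.get("conditions") or {}
    users = cond.get("users") or {}
    apps = cond.get("applications") or {}
    grant = policy.get("grantControls") or {}

    state = policy.get("state")
    if state != "enabled":  # "disabled" and report-only policies challenge nobody
        findings.append(f"policy state is {state!r}, so it is not enforced")
    if guest_group_id not in (users.get("includeGroups") or []):
        findings.append("guest group is not in includeGroups")
    if guest_group_id in (users.get("excludeGroups") or []):
        findings.append("guest group is in excludeGroups, which overrides the include")

    included = apps.get("includeApplications") or []
    if "All" not in included and teams_app_id not in included:
        findings.append("Microsoft Teams is not in includeApplications")
    if teams_app_id in (apps.get("excludeApplications") or []):
        findings.append("Microsoft Teams is in excludeApplications")

    controls = grant.get("builtInControls") or []
    if "mfa" not in controls:
        findings.append("grant controls do not include mfa")
    elif grant.get("operator") == "OR" and len(controls) > 1:
        findings.append("operator OR lets another control satisfy the policy without MFA")
    return findings


# Constructed sample policy mirroring the steps above.
SAMPLE_POLICY = {
    "displayName": "Require MFA for guests in Teams",
    "state": "enabled",
    "conditions": {
        "users": {"includeGroups": [GUEST_GROUP_ID], "excludeGroups": []},
        "applications": {"includeApplications": [TEAMS_APP_ID]},
    },
    "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
}

if __name__ == "__main__":
    print(audit_guest_mfa_policy(SAMPLE_POLICY, GUEST_GROUP_ID, TEAMS_APP_ID) or "OK")
```

The check does not cover individual accounts listed under excludeUsers, so review those separately.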
We have now enabled multi-factor verification for our external users, so they will not get access unless they verify their identity with a second factor. If you want to see the user experience, watch the video below, where you can see that the user gets an MFA challenge when he changes company association in Teams.
So go ahead and start using Teams with external sharing a little more securely.
If you haven’t yet figured out how to enable external sharing and how that works, take a look at this blog post from Tony Redmond.
Regarding licensing, you will need one license per 5 guests using Azure AD Premium features like conditional access and MFA. This means that if you have 100 licensed users in your tenant, you can collaborate with 500 guests.
Take a look here for the details: