Let’s say your company uses SaaS software (like Teams, Salesforce, Office 365) that uses Azure AD as its (cloud) identity provider, and your corporate users are collaborating with external users.

We all know a password as a single layer of defense is no longer sufficient these days, and therefore companies are actively investing in implementing MFA (Multi-Factor Authentication) for corporate access.

This tutorial will provide you with a step-by-step guide to enforce MFA for a specific group of (risky) users: external guest users (B2B). The solution leverages the Conditional Access feature provided by Azure Active Directory.

Overview

The guest user gets invited by an admin of Company A; he/she signs in with his/her own identity; he/she is required to complete an MFA challenge whose policies are defined by Company A; he/she sets up MFA with Company A and is then allowed to access the application.

Prerequisites

An Azure AD tenant (of course)

Global Admin privileges

Azure AD Premium P1 or P2 license(s). (You can use a trial to test!)

A valid external email address

Create the test guest (B2B) user

Note: you can skip this step if you already have a test B2B account.

Sign in to the Azure Portal using a global admin account.

Navigate to the Azure AD blade, and to All users > +New guest user

Under User name, fill in the email address of the external user. Optionally provide a personal message and hit Invite to send the invitation email.

Create a Conditional Access policy

At the Azure AD blade, navigate to Conditional Access.

Click + New Policy.

In the Name textbox, fill in a name, e.g. Require MFA for B2B users.

Click Users and groups and select Select users and groups > All guest users (preview), and finally click Done.

Switch to Cloud apps, and customize the scope of applications on which you would like to force MFA. For example: click Select apps and select Microsoft Teams. Click Done.

Optionally, configure the settings on the Conditions panel to limit the scope to specific conditions. We’ll skip this one for now.

Switch to Grant (at Access controls), select Grant access and click Require multi-factor authentication.
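The same policy can be created from the command line, which is handy when you want it in source control or need to repeat it across tenants. The script below is an added example and is not part of the original tutorial; it uses the Microsoft Graph PowerShell SDK (assumed to be installed via Install-Module Microsoft.Graph) and assumes you sign in with an account that may manage Conditional Access. It resolves the Microsoft Teams application ID from the tenant's own service principal rather than hard-coding it, and deliberately creates the policy in report-only mode so you can confirm from the sign-in logs that it hits only guest accounts before switching it to enabled.

```powershell
# Added example, not from the original tutorial: create the
# "Require MFA for B2B users" Conditional Access policy via Microsoft Graph.
# Assumes the Microsoft.Graph module is installed and the signed-in account
# is a Global Administrator or Conditional Access Administrator.

Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Application.Read.All"

# Look up the Microsoft Teams service principal so the app ID comes from the
# tenant instead of a hard-coded constant.
$teams = Get-MgServicePrincipal -Filter "displayName eq 'Microsoft Teams'" -Top 1
if (-not $teams) { throw "Microsoft Teams service principal not found in this tenant." }

$policy = @{
    displayName   = "Require MFA for B2B users"
    # Report-only: the policy is evaluated and logged on every sign-in but does
    # not block anyone yet. Change to "enabled" after reviewing the sign-in logs.
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users        = @{
            # "GuestsOrExternalUsers" is the Graph counterpart of the portal's
            # "All guest users" selection.
            includeUsers = @("GuestsOrExternalUsers")
        }
        applications = @{
            includeApplications = @($teams.AppId)
        }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created policy '$($created.DisplayName)' (id $($created.Id)) in state '$($created.State)'"

# Read the policy back and show what was actually stored before enforcing it.
Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id |
    Select-Object DisplayName, State,
        @{ n = 'Users'; e = { $_.Conditions.Users.IncludeUsers -join ',' } },
        @{ n = 'Apps';  e = { $_.Conditions.Applications.IncludeApplications -join ',' } },
        @{ n = 'Grant'; e = { $_.GrantControls.BuiltInControls -join ',' } }
```

Because the policy only targets guest accounts, your own admin account is not in scope; still, the report-only state is the safe default for any new Conditional Access policy, and the read-back at the end makes sure the stored scope matches what you intended.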

Test your policy

Go ahead and use your test guest user account to access the application which you’ve included within the CA (Conditional Access) policy scope.

The guest user should be prompted to register and use an additional authentication method, for example the Azure Authenticator app.
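Besides watching the prompt appear, you can confirm from the Azure AD sign-in log that the policy was evaluated for the test guest and what it decided. The script below is an added example, not part of the original tutorial; it assumes the Microsoft.Graph module and an account that can read sign-in logs (for example Global Reader or Security Reader), and the guest email address is a placeholder you replace with your test account.

```powershell
# Added example, not from the original tutorial: check the sign-in log for the
# test guest to see how the "Require MFA for B2B users" policy was applied.
# Assumes the Microsoft.Graph module is installed and the signed-in account can
# read sign-in logs. Sign-in events can take several minutes to show up.

Connect-MgGraph -Scopes "AuditLog.Read.All", "Directory.Read.All"

$guestEmail = "guest@example.com"   # placeholder: the address you invited

# Guest UPNs look like guest_example.com#EXT#@<tenant>.onmicrosoft.com, so
# resolve the object by its mail attribute instead of guessing the UPN.
$guest = Get-MgUser -Filter "mail eq '$guestEmail'" -Top 1
if (-not $guest)                       { throw "No user with mail $guestEmail found." }
if ($guest.UserType -ne 'Guest')       { throw "$guestEmail is not a guest account." }

# Fetch the guest's most recent sign-ins and flatten the per-policy CA results.
Get-MgAuditLogSignIn -Filter "userId eq '$($guest.Id)'" -Top 10 |
    ForEach-Object {
        $signIn = $_
        foreach ($ca in $signIn.AppliedConditionalAccessPolicies) {
            [pscustomobject]@{
                Time      = $signIn.CreatedDateTime
                App       = $signIn.AppDisplayName
                Policy    = $ca.DisplayName
                # Typical values: success, failure, notApplied, notEnabled,
                # reportOnlySuccess, reportOnlyFailure, reportOnlyNotApplied
                Result    = $ca.Result
                AuthLevel = $signIn.AuthenticationRequirement
            }
        }
    } |
    Where-Object Policy -eq "Require MFA for B2B users" |
    Format-Table -AutoSize
```

A result of success (or reportOnlySuccess while the policy is still in report-only mode) together with an AuthLevel of multiFactorAuthentication is what you want to see; notApplied on a guest sign-in means the app or user scope did not match and the policy needs another look.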

That’s it! 😉

By the way…

Did you know you can protect remote access (using Conditional Access) to your on-premises applications when you hook them up to Azure AD Application Proxy?

It’s really cool, easy to implement and eliminates the need to open inbound firewall ports. Go check it out on the following website. I will write a blog post on this subject soon.

https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/application-proxy

Liked this tutorial? Please leave a comment!

Sources

You can read the following article for more information about Azure AD CA:

https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/overview