Configure Conditional Access Policy for Microsoft 365 Guest Users
Question
You have a Microsoft 365 subscription.
Your organization is frequently collaborating with external users from different companies.
You want to automatically target all guest users, new and old, with a conditional access policy and also assign them a license.
How should you configure this?
Answers
Explanations
Click on the arrows to vote for the correct answer
A. B. C. D.Correct Answer: A
Create a dynamic group in Azure AD with an expression in the Rule syntax box that locates all active guest users and adds them to the group.
Then you scope the conditional access policy to the group containing the guest users.
Then you add the license to the group, which in turn assigns the license to all its members.
/answer/imgckeditor_13.png)
To know more about grouping guest users in dynamics groups, please refer to the link below:
The correct answer is A. Create a dynamic group in Azure Active Directory.
Explanation:
To automatically target all guest users, new and old, with a conditional access policy and assign them a license, you can create a dynamic group in Azure Active Directory. A dynamic group is a collection of users that share a common attribute. In this case, the attribute that you can use to create the group is the user's user type. The user type for guest users in Microsoft 365 is "Guest".
Here are the steps to create a dynamic group in Azure Active Directory:
Sign in to the Azure portal with an account that has the appropriate permissions.
In the left-hand menu, click on "Azure Active Directory".
Click on "Groups" and then click on "New Group".
In the "Group type" section, select "Dynamic".
In the "Group membership rules" section, click on "Add dynamic query".
In the "Edit dynamic query" window, select "User" as the object type.
For the attribute, select "User type".
For the operator, select "Equals".
For the value, enter "Guest".
Click on "Save".
Give the group a name and a description.
Click on "Create".
Once you have created the dynamic group, you can create a conditional access policy and assign it to the group. The policy will apply to all guest users who are members of the group.
Here are the steps to create a conditional access policy:
In the Azure portal, click on "Security".
Click on "Conditional Access".
Click on "New policy".
Give the policy a name.
In the "Assignments" section, click on "Users and groups".
Click on "Select users and groups".
Search for the dynamic group that you created earlier and select it.
Click on "Done".
In the "Cloud apps or actions" section, select the Microsoft 365 apps that you want to apply the policy to.
In the "Conditions" section, configure the conditions for the policy. For example, you can require multi-factor authentication for all guest users.
In the "Access controls" section, configure the access controls for the policy. For example, you can block access or require approval for access.
Click on "Enable policy".
Finally, you can assign a license to the dynamic group. This will ensure that all guest users who are members of the group have access to the appropriate Microsoft 365 features.
Here are the steps to assign a license to the dynamic group:
In the Azure portal, click on "Azure Active Directory".
Click on "Licenses".
Click on "All products".
Select the Microsoft 365 product that you want to assign a license for.
Click on "Assignments".
Click on "Add group assignment".
Search for the dynamic group that you created earlier and select it.
Configure the license settings as appropriate.
Click on "Assign".
By following these steps, you can automatically target all guest users, new and old, with a conditional access policy and assign them a license.