Hello @Alvin Strandberg,
Thank you for posting your query on Microsoft Q&A.
It's great to hear that you are exploring the possibility of enforcing MFA for either all users or specific groups using Conditional Access in an External Tenant. However, it is true that disabling Security Defaults is not recommended (Note: When you are not using Conditional access policies).
Since you're attempting to enable a Conditional Access policy, which is a best practice recommendation from Microsoft and a good starting point for protecting your identities, I understand the error you encountered while creating a new policy stating, "You need to turn off security defaults, and it's good that you want to enforce your own policies!" This is a generic message, but it's important to note that Security Defaults and Conditional Access policies are not meant to be combined. If you wish to use Conditional Access policies, you must disable Security Defaults.
> I still want what Security Defaults offer. Are there any guidelines for this aimed at External Tenants?

As you are looking to have the same level of security that Security Defaults offers, you can create a new Conditional Access policy after disabling Security Defaults. You can follow the steps below to create a Conditional Access policy that will provide the same security posture to all users in your tenant, including External tenant users (Guest Users).
- Sign in to the Microsoft Entra admin center as at least a Conditional Access Administrator.
- Browse to Protection > Conditional Access.
- Select Create new policy.
- Give your policy a name. We recommend that organizations create a meaningful standard for the names of their policies.
- Under Assignments, select Users or workload identities.
- Under Include, select All users.
- Under Exclude, select Users and groups and choose your organization's emergency access or break-glass accounts.
- Under Target resources > Cloud apps > Include, select All cloud apps.
- Under Exclude, select any applications that don't require multifactor authentication.
- Under Access controls > Grant, select Grant access, Require multifactor authentication, and select Select.
- Confirm your settings and set Enable policy to Report-only.
- Select Create to enable your policy. After administrators confirm the settings using report-only mode, they can move the Enable policy toggle from Report-only to On.
To create a Conditional Access policy, you need Microsoft Entra ID P1 or trial licenses enabled on a working Microsoft Entra tenant.
Please refer to the article below for more information.
https://learn.microsoft.com/en-us/entra/identity/conditional-access/plan-conditional-access
I hope this information is helpful. Please feel free to reach out if you have any further questions.
Thanks,
Raja Pothuraju.
If this answers your query, do click **Accept Answer** and **Yes** for "Was this answer helpful?". And if you have any further queries, do let us know.
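The portal steps in the answer above map onto a single Microsoft Graph `conditionalAccessPolicy` object. The following Python is an added example, not part of the original answer or of any Microsoft sample: it builds the equivalent policy body (all users, all cloud apps, grant requires MFA, state report-only), runs a pre-flight check that catches the mistake that most often locks administrators out (forgetting to exclude the break-glass accounts), and shows how the body would be submitted to the documented `POST /identity/conditionalAccess/policies` endpoint. The user and application object IDs are constructed placeholders, and `post_policy` is never called at import time because it needs a real token with the `Policy.ReadWrite.ConditionalAccess` permission.

```python
import json
from urllib import request

# Real Graph v1.0 endpoint for Conditional Access policies (requires Policy.ReadWrite.ConditionalAccess).
GRAPH_POLICIES_URL = "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies"

# Graph "state" values: enabled, disabled, enabledForReportingButNotEnforced (report-only).
REPORT_ONLY = "enabledForReportingButNotEnforced"
ENFORCED = "enabled"


def build_mfa_policy(name, break_glass_user_ids, excluded_app_ids=(), report_only=True):
    """Return the Graph request body equivalent to the portal steps in the answer.

    - Users: include All, exclude the emergency-access (break-glass) accounts.
    - Target resources: include All cloud apps, exclude apps that do not need MFA.
    - Grant: require multifactor authentication.
    - State: report-only first, then flip to enabled after reviewing sign-in logs.
    """
    return {
        "displayName": name,
        "state": REPORT_ONLY if report_only else ENFORCED,
        "conditions": {
            "users": {
                "includeUsers": ["All"],
                "excludeUsers": list(break_glass_user_ids),
            },
            "applications": {
                "includeApplications": ["All"],
                "excludeApplications": list(excluded_app_ids),
            },
            "clientAppTypes": ["all"],
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    }


def check_policy(policy):
    """Pre-flight review: return a list of problems (empty list means the body matches the recipe)."""
    problems = []
    conds = policy.get("conditions", {})
    users = conds.get("users", {})
    apps = conds.get("applications", {})
    grant = policy.get("grantControls") or {}

    if users.get("includeUsers") != ["All"]:
        problems.append("policy does not target all users")
    if not users.get("excludeUsers"):
        # Security Defaults has no exclusions, but a custom policy should always keep a way back in.
        problems.append("no break-glass accounts excluded: an MFA outage could lock out every admin")
    if apps.get("includeApplications") != ["All"]:
        problems.append("policy does not cover all cloud apps")
    if "mfa" not in grant.get("builtInControls", []):
        problems.append("grant control does not require multifactor authentication")
    if policy.get("state") not in (REPORT_ONLY, ENFORCED, "disabled"):
        problems.append("unknown policy state %r" % policy.get("state"))
    return problems


def post_policy(policy, access_token):
    """Submit the body to Graph. Not run here; needs a token with Policy.ReadWrite.ConditionalAccess."""
    req = request.Request(
        GRAPH_POLICIES_URL,
        data=json.dumps(policy).encode("utf-8"),
        method="POST",
        headers={
            "Authorization": "Bearer " + access_token,
            "Content-Type": "application/json",
        },
    )
    with request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Constructed placeholder object IDs; replace with your tenant's break-glass accounts.
    break_glass = ["00000000-0000-0000-0000-000000000001", "00000000-0000-0000-0000-000000000002"]
    policy = build_mfa_policy("CA001: Require MFA for all users", break_glass)
    print(json.dumps(policy, indent=2))
    print("problems:", check_policy(policy))
```

Run the script to print the body and the (empty) problem list; only after the report-only results look right would you call `post_policy`, and then PATCH the same policy's `state` to `enabled`, which is the API equivalent of moving the toggle from Report-only to On.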