This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(310.4, 11%, 40%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAS%3C/text%3E%3C/svg%3E)
Hello,
I am exploring the possibility of enforcing MFA for either all users or specific groups using Conditional Access in an External Tenant. However, this requires disabling "Security Defaults," which is not recommended. When I try to add the Conditional Access policy, I receive a message along the lines of "You need to turn off security defaults, and it's good that you want to enforce your own policies!"
When reading about Conditional Access in a Workforce tenant, it is recommended to apply basic foundation policy templates if you turn off Security Defaults. These templates are not available in an External Tenant, which is concerning. I don't want to turn off Security Defaults and shoulder all the responsibility in case I miss a basic policy.
I still want what Security Defaults offer. Are there any guidelines for this aimed at External Tenants?
Security Defaults offer:
**"**These basic controls include:
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(166.4, 27%, 26%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ERP%3C/text%3E%3C/svg%3E)
Hello @Alvin Strandberg,
Thank you for posting your query on Microsoft Q&A.
It's great to hear that you are exploring the possibility of enforcing MFA for either all users or specific groups using Conditional Access in an External Tenant. However, it is true that disabling Security Defaults is not recommended (Note: When you are not using Conditional access policies).
Since you're attempting to enable a Conditional Access policy, which is a best practice recommendation from Microsoft and a good starting point for protecting your identities, I understand the error you encountered while creating a new policy stating, "You need to turn off security defaults, and it's good that you want to enforce your own policies!" This is a generic message, but it's important to note that Security Defaults and Conditional Access policies are not meant to be combined. If you wish to use Conditional Access policies, you must disable Security Defaults.
I still want what Security Defaults offer. Are there any guidelines for this aimed at External Tenants?
As you are looking to have same level of security what security default is offering. To achieve that you can create a new conditional access policy after disabling security defaults. You can follow the steps below to create a Conditional Access policy that will provide the same level of security posture to all users in your tenant, including External tenant users (Guest Users).
- Sign in to the Microsoft Entra admin center as at least a Conditional Access Administrator.
- Browse to Protection > Conditional Access.
- Select Create new policy.
- Give your policy a name. We recommend that organizations create a meaningful standard for the names of their policies.
- Under Assignments, select Users or workload identities.
- Under Include, select All users
- Under Exclude, select Users and groups and choose your organization's emergency access or break-glass accounts.
- Under Target resources > Cloud apps > Include, select All cloud apps.
- Under Exclude, select any applications that don't require multifactor authentication.
- Under Access controls > Grant, select Grant access, Require multifactor authentication, and select Select.
- Confirm your settings and set Enable policy to Report-only.
- Select Create to create to enable your policy. After administrators confirm the settings using report-only mode, they can move the Enable policy toggle from Report-only to On.
To create conditional access policy, you should have Microsoft Entra ID P1 or trial licenses enabled on working Microsoft Entra tenant.
Please refer below article for more information.
https://learn.microsoft.com/en-us/entra/identity/conditional-access/plan-conditional-access
I hope this information is helpful. Please feel free to reach out if you have any further questions.
Thanks,
Raja Pothuraju.
If this answers your query, do click **Accept Answer** and **Yes** for was this answer helpful. And, if you have any further query do let us know.
Hello @Alvin Strandberg,
Following up to see if the above answer was helpful. If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.
Hello @Alvin Strandberg,
Following up to see if the above answer was helpful. If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(227.2, 20%, 32%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJA%3C/text%3E%3C/svg%3E)
Hi,
I have the same issue, however, there is conflicting information. On the one hand, Security Defaults is meant to force MFA registration for all users. This does not occur for Entra External ID.
This is why the original poster and myself are looking at conditional access because the Security Defaults is not doing what it says.
Next, a P1 or P2 presumably isn't required for enabling a basic feature for Entra External ID.
It would be nice if the Microsoft Authenticator app works for external OTP. External ID seems quite crippled.