Hello Brian Kanode,
Welcome to Microsoft Q&A Platform. Thank you for reaching out, and I hope you are doing well.
Below I have tried to give you solutions for your questions:
Why is the "Client apps" condition unavailable? Is this feature limited to a higher-tier subscription like P1/P2?
The "Client apps" condition is unavailable not because of licensing (P1/P2), but due to platform limitations. Microsoft Entra External ID does not support client app filtering for external users. This is a design constraint, not a subscription issue.
Reference: https://learn.microsoft.com/en-us/entra/external-id/authentication-conditional-access
If this feature is not available in the free tier, does this mean I cannot block legacy authentication while also configuring MFA for external users?
You can still enforce MFA for external users using Conditional Access policies. However, blocking legacy authentication is more complex:
- Since client app filtering is unavailable, you cannot block legacy protocols (such as IMAP and SMTP) via Conditional Access for external users.
- Instead, you must disable legacy authentication at the service level, such as in Exchange Online, or use authentication policies. Reference: https://learn.microsoft.com/en-us/entra/fundamentals/configure-security
Why aren't the default security protections enforcing MFA on my external users, even though they're enabled for all users?
Default security settings in Microsoft Entra ID do not apply to external users by default. These settings are designed for internal users unless you explicitly target external identities using Conditional Access policies.
Reference: https://learn.microsoft.com/en-us/entra/external-id/authentication-conditional-access
Am I approaching this correctly, or is there a different method to achieve both goals in a free-tier tenant?
You're on the right track, but here’s how to refine your approach:
- Create a Conditional Access policy targeting external users:
  - Include an MFA requirement.
  - Exclude client app filtering (since it's unsupported).
  - Use cross-tenant access settings to trust MFA claims from the external user's home tenant, if applicable.
- Block legacy authentication:
  - Use Exchange Online authentication policies, or disable legacy protocols directly.
  - Consider app passwords or OAuth 2.0 for non-interactive service accounts if needed. Reference to a similar question: https://learn.microsoft.com/en-us/answers/questions/2156303/creating-service-accounts-in-entra-id-to-bypass-mf
I hope the information provided above is helpful. Please feel free to reach out if you have any further questions.
If the answer is helpful, please click "Accept Answer" and kindly upvote it.
Regards,
Monalisha
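The refined approach in the answer above (MFA for external users via Conditional Access, trusting home-tenant MFA through cross-tenant access settings, and blocking legacy authentication in Exchange Online rather than with a client-app condition), carried out end to end in PowerShell. This is an added example, not code from the answer or from Microsoft's documentation. It assumes the Microsoft.Graph and ExchangeOnlineManagement modules are installed, that the signed-in administrator can consent to the listed scopes and holds Exchange Online admin rights, and that the tenant is licensed for Conditional Access (Entra ID P1 or higher; the Free tier offers Security Defaults only, and Security Defaults must be turned off before a Conditional Access policy can be enabled). The policy names and the break-glass account object ID are placeholders.

```powershell
# Added example, not code from the original answer. Assumptions: the
# Microsoft.Graph and ExchangeOnlineManagement modules are installed, the admin
# can consent to the scopes below, and the tenant is licensed for Conditional
# Access (Entra ID P1 or higher). Policy names and the break-glass account ID
# are placeholders to replace.

Import-Module Microsoft.Graph.Identity.SignIns
Import-Module ExchangeOnlineManagement

Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.ReadWrite.CrossTenantAccess"

# ---- 1. Conditional Access: require MFA for every external user type ----
# There is intentionally no clientAppTypes condition (client app filtering is
# not used for the external-user scope). Start in report-only mode and review
# the sign-in log before switching state to "enabled".
$caPolicy = @{
    displayName = "CA - Require MFA for external users"
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users = @{
            includeGuestsOrExternalUsers = @{
                guestOrExternalUserTypes = "b2bCollaborationGuest,b2bCollaborationMember,b2bDirectConnectUser,otherExternalUser"
                externalTenants = @{
                    "@odata.type"  = "#microsoft.graph.conditionalAccessAllExternalTenants"
                    membershipKind = "all"
                }
            }
            # Placeholder: object ID of your emergency-access (break-glass) account,
            # so a misconfigured policy cannot lock every admin out.
            excludeUsers = @("00000000-0000-0000-0000-000000000000")
        }
        applications = @{ includeApplications = @("All") }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
}
$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $caPolicy
"Created CA policy $($created.Id) in state $($created.State)"

# ---- 2. Cross-tenant access: accept MFA performed in the guest's home tenant ----
# Without this, a B2B guest who already completed MFA at home is prompted again
# in your tenant (or cannot satisfy the policy if their home tenant method is
# not registered with you).
Update-MgPolicyCrossTenantAccessPolicyDefault -InboundTrust @{ isMfaAccepted = $true }

# ---- 3. Exchange Online: block legacy (basic) authentication at the service ----
Connect-ExchangeOnline

# A freshly created authentication policy has every AllowBasicAuth* switch off,
# so making it the organization default blocks basic auth for all protocols for
# every user who has no more specific policy assigned.
$authPolicy = New-AuthenticationPolicy -Name "Block Basic Authentication"
Set-OrganizationConfig -DefaultAuthenticationPolicy $authPolicy.Identity

# SMTP AUTH is governed separately; disable it tenant-wide unless a device or
# application still needs it (re-enable per mailbox with Set-CASMailbox).
Set-TransportConfig -SmtpClientAuthenticationDisabled $true

# Belt and braces: switch off the legacy protocols themselves on all mailboxes,
# so IMAP/POP cannot be used even with modern authentication.
Get-CASMailbox -ResultSize Unlimited |
    Where-Object { $_.ImapEnabled -or $_.PopEnabled } |
    Set-CASMailbox -ImapEnabled $false -PopEnabled $false

# ---- 4. Verify the service-level settings ----
Get-AuthenticationPolicy | Format-List Name, AllowBasicAuth*
Get-OrganizationConfig   | Select-Object DefaultAuthenticationPolicy
Get-TransportConfig      | Select-Object SmtpClientAuthenticationDisabled
```

Run step 1 in report-only mode first and inspect the sign-in log for external users before flipping `state` to `enabled`; the excluded break-glass account is there so that a mistake in the policy cannot lock out every administrator at once. Steps 3 and 4 apply to all mailboxes in the tenant, not only to external users, which is the trade-off of enforcing the block at the service rather than in Conditional Access.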