Manage external access to resources with Conditional Access policies
Conditional Access interprets signals, enforces policies, and determines if a user is granted access to resources. In this article, learn about applying Conditional Access policies to external users. The article assumes you might not have access to entitlement management, a feature you can use with Conditional Access.
The following diagram illustrates signals to Conditional Access that trigger access processes.
Before you begin
This article is number 7 in a series of 10 articles. We recommend you review the articles in order. Go to the Next steps section to see the entire series.
Align a security plan with Conditional Access policies
In the third article, in the set of 10 articles, there's guidance on creating a security plan. Use that plan to help create Conditional Access policies for external access. Part of the security plan includes:
- Grouped applications and resources for simplified access
- Sign-in requirements for external users
Important
Create internal and external user test accounts to test policies before applying them.
See article three, Create a security plan for external access to resources
Conditional Access policies for external access
The following sections are best practices for governing external access with Conditional Access policies.
Entitlement management or groups
If you can’t use connected organizations in entitlement management, create an Azure AD security group, or Microsoft 365 Group for partner organizations. Assign users from that partner to the group. You can use the groups in Conditional Access policies.
Learn more:
- What is entitlement management?
- Manage Azure Active Directory groups and group membership
- Overview of Microsoft 365 Groups for administrators
Conditional Access policy creation
Create as few Conditional Access policies as possible. For applications that have the same access requirements, add them to the same policy.
Conditional Access policies apply to a maximum of 250 applications. If more than 250 applications have the same access requirement, create duplicate policies. For instance, Policy A applies to apps 1-250, Policy B applies to apps 251-500, etc.
Naming convention
Use a naming convention that clarifies policy purpose. External access examples are:
- ExternalAccess_actiontaken_AppGroup
- ExternalAccess_Block_FinanceApps
Block external users from resources
You can block external users from accessing resources with Conditional Access policies.
- Sign in to the Azure portal as a Conditional Access Administrator, Security Administrator, or Global Administrator.
- Browse to Azure Active Directory > Security > Conditional Access.
- Select New policy.
- Enter a policy name.
- Under Assignments, select Users or workload identities.
- Under Include, select All guests and external users.
- Under Exclude, select Users and groups.
- Select emergency access accounts.
- Select Done.
- Under Cloud apps or actions > Include, select All cloud apps.
- Under Exclude, select applications you want to exclude.
- Under Access controls > Grant, select Block access.
- Select Select.
- Select Enable policy to Report-only.
- Select Create.
Note
You can confirm settings in report-only mode. See Configure a Conditional Access policy in report-only mode, in Conditional Access insights and reporting.
Learn more: Manage emergency access accounts in Azure AD
Allow external access to specific external users
There are scenarios when it's necessary to allow access for a small, specific group.
Before you begin, we recommend you create a security group that contains the external users who need access to resources. See Quickstart: Create a group with members and view all groups and members in Azure AD.
- Sign in to the Azure portal as a Conditional Access Administrator, Security Administrator, or Global Administrator.
- Browse to Azure Active Directory > Security > Conditional Access.
- Select New policy.
- Enter a policy name.
- Under Assignments, select Users or workload identities.
- Under Include, select All guests and external users.
- Under Exclude, select Users and groups.
- Select emergency access accounts.
- Select the external users security group.
- Select Done.
- Under Cloud apps or actions > Include, select All cloud apps.
- Under Exclude, select applications you want to exclude.
- Under Access controls > Grant, select Block access.
- Select Select.
- Select Create.
Note
You can confirm settings in report-only mode. See Configure a Conditional Access policy in report-only mode, in Conditional Access insights and reporting.
Learn more: Manage emergency access accounts in Azure AD
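The two portal procedures above (block all external users; block all external users except one security group) map directly onto a Microsoft Graph conditionalAccessPolicy object. The following is an added example, not Microsoft's code: it builds that request body for either scenario and lints it for the safeguards the article calls for (emergency accounts excluded, report-only first, naming convention). The object IDs are constructed placeholders; the `post_policy` helper is assumed to be run with a token that holds the Policy.ReadWrite.ConditionalAccess permission.

```python
import json
import urllib.request

# Real Graph v1.0 endpoint for Conditional Access policies.
GRAPH_CA_POLICIES = "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies"

# Constructed placeholder object IDs; replace with your tenant's values.
EMERGENCY_ACCOUNT_IDS = ["11111111-1111-1111-1111-111111111111"]
ALLOWED_EXTERNAL_GROUP_ID = "22222222-2222-2222-2222-222222222222"


def build_external_block_policy(name, emergency_account_ids,
                                allowed_external_group_ids=(), excluded_app_ids=(),
                                report_only=True):
    """Mirror the portal steps: include all guests/external users, exclude the
    emergency access accounts (and, for the allow-list scenario, the security
    group of permitted externals), target all cloud apps minus exclusions,
    and use Block access as the grant control."""
    return {
        "displayName": name,
        "state": "enabledForReportingButNotEnforced" if report_only else "enabled",
        "conditions": {
            "users": {
                "includeUsers": ["GuestsOrExternalUsers"],
                "excludeUsers": list(emergency_account_ids),
                "excludeGroups": list(allowed_external_group_ids),
            },
            "applications": {
                "includeApplications": ["All"],
                "excludeApplications": list(excluded_app_ids),
            },
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


def policy_lint(policy):
    """Findings a reviewer would raise before a block policy is enforced."""
    findings = []
    if not policy["conditions"]["users"]["excludeUsers"]:
        findings.append("no emergency access accounts excluded: lockout risk")
    if "block" in policy["grantControls"]["builtInControls"] and policy["state"] == "enabled":
        findings.append("block policy enforced immediately: start in report-only mode")
    if not policy["displayName"].startswith("ExternalAccess_"):
        findings.append("name does not follow ExternalAccess_action_AppGroup")
    return findings


def post_policy(policy, access_token):
    """Create the policy via Graph (network call; not exercised offline)."""
    req = urllib.request.Request(
        GRAPH_CA_POLICIES, data=json.dumps(policy).encode(), method="POST",
        headers={"Authorization": f"Bearer {access_token}",
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)
```

Run `policy_lint` on the body before calling `post_policy`; the allow-list variant is produced by passing `allowed_external_group_ids=[ALLOWED_EXTERNAL_GROUP_ID]`.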
Service provider access
Conditional Access policies for external users might interfere with service provider access, for example granular delegated admin privileges.
Learn more: Introduction to granular delegated admin privileges (GDAP)
Conditional Access templates
Conditional Access templates are a convenient method to deploy new policies aligned with Microsoft recommendations. These templates provide protection aligned with commonly used policies across various customer types and locations.
Learn more: Conditional Access templates (Preview)
Next steps
Use the following series of articles to learn about securing external access to resources. We recommend you follow the listed order.
Determine your security posture for external access with Azure AD
Discover the current state of external collaboration in your organization
Secure external access with groups in Azure AD and Microsoft 365
Transition to governed collaboration with Azure AD B2B collaboration
Manage external access to resources with Conditional Access policies (You're here)
Control external access to resources in Azure AD with sensitivity labels
Secure external access to Microsoft Teams, SharePoint, and OneDrive for Business with Azure AD
Convert local guest accounts to Azure Active Directory B2B guest accounts