
Conditional Access Policy enforces MFA for guest and external users

entra_conditional_access_policy_mfa_enforced_for_guest_users

Severity: high
Service: entra
by Prowler

This check verifies that Microsoft Entra Conditional Access has at least one enabled policy that requires multifactor authentication for all guest and external user types across all cloud applications. The guest and external user types are internal guests, B2B collaboration guests and members, B2B direct connect users, other external users, and service providers.

Risk

Without MFA for guest users, compromised external accounts can access tenant resources using only a password. Attackers may exploit B2B collaboration, direct connect, or service provider accounts to exfiltrate data, escalate privileges, or move laterally across the organization.

Run this check with Prowler CLI

prowler m365 --checks entra_conditional_access_policy_mfa_enforced_for_guest_users

Recommendation

Enforce MFA via Conditional Access for all guest and external user types across all cloud applications. Prefer phishing-resistant methods, monitor guest sign-ins, and regularly review external collaboration settings.

Remediation

Other
  1. Navigate to the Microsoft Entra admin center (https://entra.microsoft.com).
  2. Expand Protection > Conditional Access and select Policies.
  3. Click New policy.
  4. Under Users, select Include > Select users and groups > check Guest or external users > select all guest user types.
  5. Under Target resources, select Include > All cloud apps.
  6. Under Grant, select Grant access > check Require multifactor authentication > click Select.
  7. Set the policy to Report-only until validated, then enable it.
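To show what the check looks for once policies exist, the following is an added example evaluator, not Prowler's own code: it takes policy objects in the Microsoft Graph conditionalAccessPolicy shape (field names assumed from that API) and applies the four conditions above. The sample policies are constructed; note that a report-only policy, as in step 7, does not yet satisfy the check.

```python
# Added example, not Prowler's own code. Policies are assumed to follow the
# Microsoft Graph conditionalAccessPolicy shape; sample data is constructed.

# Every guest/external user type the check expects a policy to include.
ALL_GUEST_TYPES = {
    "internalGuest", "b2bCollaborationGuest", "b2bCollaborationMember",
    "b2bDirectConnectUser", "otherExternalUser", "serviceProvider",
}

def included_guest_types(policy: dict) -> set:
    """Guest types listed under conditions.users.includeGuestsOrExternalUsers."""
    users = (policy.get("conditions") or {}).get("users") or {}
    guests = users.get("includeGuestsOrExternalUsers") or {}
    raw = guests.get("guestOrExternalUserTypes") or ""
    return {t.strip() for t in raw.split(",") if t.strip()}

def policy_enforces_guest_mfa(policy: dict) -> bool:
    """Enabled (report-only does not count), all guest types, all cloud apps,
    and a grant control that requires MFA. Exclusions are not evaluated."""
    apps = (policy.get("conditions") or {}).get("applications") or {}
    grant = policy.get("grantControls") or {}
    return (
        policy.get("state") == "enabled"
        and ALL_GUEST_TYPES <= included_guest_types(policy)
        and "All" in (apps.get("includeApplications") or [])
        and "mfa" in (grant.get("builtInControls") or [])
    )

def tenant_passes(policies: list) -> bool:
    """The check passes when at least one policy meets every condition."""
    return any(policy_enforces_guest_mfa(p) for p in policies)

def sample_policy(name: str, state: str, guest_types, apps=("All",)) -> dict:
    """Build a constructed policy in the Graph shape for the samples below."""
    return {
        "displayName": name, "state": state,
        "conditions": {
            "users": {"includeGuestsOrExternalUsers": {
                "guestOrExternalUserTypes": ",".join(sorted(guest_types)),
                "externalTenants": {"membershipKind": "all"}}},
            "applications": {"includeApplications": list(apps)}},
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    }

# Constructed samples: a report-only pilot, a partial-coverage policy, a compliant one.
REPORT_ONLY = sample_policy("Guest MFA pilot", "enabledForReportingButNotEnforced", ALL_GUEST_TYPES)
PARTIAL = sample_policy("B2B guest MFA", "enabled", ["b2bCollaborationGuest"])
COMPLIANT = sample_policy("Guest MFA", "enabled", ALL_GUEST_TYPES)
```

Feeding real policies from a Graph export into tenant_passes reproduces the pass/fail logic of the check without exclusions or authentication strengths, which a complete evaluator would also need to consider.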

Resource Type

NotDefined

Related To

  • entra_policy_guest_users_access_restrictions
  • entra_policy_guest_invite_only_for_admin_roles
  • entra_dynamic_group_for_guests_created