External User Types

External User Types for CA Policies in Azure AD

Previously, conditional access policies created in Azure AD were limited to external users as a whole. But that is not the case now. With the new preview feature, you can specify external user types instead of settling with the ‘All guest or external users‘ option. This amazing preview feature lets you apply conditional access policies to external user types in Azure AD, added through various collaboration methods. For a CA policy, the ‘Users or workload identities’ section under the ‘Assignments’ blade encompasses this new preview feature. 

Specify External User Types in Conditional Access 

The ‘All’ is expanded to ‘Select’ now! Here’s a comparison that shows the Azure AD conditional access page before and after the preview feature. 

BEFORE: 

Experience before the preview feature

NOW: 

Experience after the preview feature

Thus, organizations can enforce multiple Conditional Access policies by either including or excluding specific external user types. 

What are the Newly Added External User Types? 

When you create a conditional access policy in Azure AD, you can apply it to the following types of external users. 

  • B2B collaboration guest users 
  • B2B collaboration member users 
  • B2B direct connect users 
  • Local guest users 
  • Service provider users 
  • Other external users 

Let’s have a brief look at them. 

B2B Collaboration Guest Users 

  • Has an external Azure AD account in your organization. 
  • Has guest-level permissions with UserType as ‘Guests’ 
  • These are guest users who are added to the Azure AD directory using invitations or self-service sign up. 

B2B Collaboration Member Users 

To convert UserType from Guest to Member, Select the user from the list > Edit User Properties > Select ‘Member’ from the UserType dropdown. 

  • Has an external Azure AD account in your organization. 
  • Has member-level permissions with UserType as ‘Member’ 
  • These users mostly belong to organizations that manage multiple tenants. 

B2B Direct Connect Users 

Local Guest Users 

So, who might be these local guest users? These users are designated with UserType ‘Guests’ at the time of creation by setting up internal credentials. 

Service Provider Users 

These users are those who serve as cloud service providers for your organization. 

Other External Users 

These are users that don’t fall into the above-mentioned categories. They don’t authenticate internally via Azure AD and don’t hold UserType of Member

Control Access for External Azure AD Organizations 

The new preview feature for external Azure AD organizations further allows the user to either choose all or specific external Azure AD organizations for the selected external user types. 

Specify External Azure AD Organizations

For applying the policy to a specific external Azure AD organization, you have to add them by entering their Tenant ID or domain name. 

User Experience 

To make the point clear, we will try out the preview feature with an example. 

  • First, let’s create a conditional access policy. I have named it ‘Azure AD B2B Member Users Block’ as my concern is to block access by B2B collaboration member users. 
  • Under the Assignments section, select only ‘B2B collaboration member users’ 
  • For instance, I have included only Office apps for ‘Cloud apps or actions’ and the ‘Access controls’ is set to Block access. 
  • I have a user (Alex) from another tenant who is an external user with UserType ‘Member’. 
  • According to the policy I created, Alex’s access must be blocked and external users of any other type must be able to access the resource. 
Conditional Access Policy created for B2B collaboration member users

Now, I try sending an invitation for an Excel file from the home tenant to Alex. When he tries to access the resource, the following error appears. 

Experience for the selected B2B collaboration member

But, when the same invitation is sent to another user say, a B2B collaboration guest, they are prompted to access the resource immediately. 

Experience for other external user types

This is how you can utilize the new preview feature within the Azure AD conditional access policy. 

I hope this blog will guide you through the concepts of applying conditional access control to external user types. Feel free to reach us in the comments for any assistance. 

Leave a Reply

Your email address will not be published. Required fields are marked *

External User Types for CA Policies in Azure AD

time to read: 3 min
Follow us!