Tutorial: Require MFA for B2B guest users in your cloud apps


Let’s say your company uses SaaS software (like Teams, Salesforce, Office 365) that leverages Azure AD as its (cloud) identity provider, and your corporate users are collaborating with external users.

We all know that a password as a single layer of defense isn’t sufficient anymore, so companies are actively investing in implementing MFA (Multi-Factor Authentication) for corporate access.

This tutorial provides a step-by-step guide to enforcing MFA for a specific group of (risky) users: external guest users (B2B). The solution leverages the Conditional Access feature of Azure Active Directory.

Overview

  1. The guest user is invited by an admin of Company A;
  2. He/she signs in with his/her own identity;
  3. He/she is required to complete an MFA challenge, whose policies are defined by Company A;
  4. He/she sets up MFA with Company A and is allowed to access the application.

Prerequisites

  • An Azure AD tenant (of course)
  • Global Admin privileges
  • Azure AD Premium P1 or P2 license(s). (You can use a trial to test!)
  • A valid external email address

Create the test guest (B2B) user

Note: you can skip this step if you already have a test B2B account.

  • Sign in to the Azure Portal using a global admin account.
  • Navigate to the Azure AD blade, then to All users > + New guest user.
  • At User name, fill in the email address of the external user. Optionally provide a personal message, then hit Invite to send the invitation email.

Create a Conditional Access policy

  • In the Azure AD blade, navigate to Conditional Access.
  • Click + New policy.
  • In the Name textbox, fill in a name, e.g. Require MFA for B2B users.
  • Click Users and groups, select Select users and groups > All guest users (preview), and finally click Done.
  • Switch to Cloud apps and customize the scope of applications on which you would like to enforce MFA.
    • For example: click Select apps and select Microsoft Teams.
    • Click Done.
  • Optionally, configure the settings on the Conditions panel to limit the policy to specific conditions. We’ll skip this one for now.
  • Switch to Grant (under Access controls), select Grant access and click Require multi-factor authentication.
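The same policy expressed as an added Microsoft Graph PowerShell example (not code from the original post): it creates the policy in report-only mode first, so you can review its effect in the sign-in logs before switching it to enforced. It assumes the Microsoft.Graph PowerShell SDK is installed, that the signed-in admin can consent to the listed scopes, and that the Teams service principal in the tenant is named "Microsoft Teams".

```powershell
# Added example, not part of the original post.
# Assumes: Install-Module Microsoft.Graph has been run and the admin can consent to these scopes.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Application.Read.All"

# Resolve the Microsoft Teams application ID from its service principal instead of
# hard-coding a GUID; includeApplications expects the appId (assumed display name).
$teams = Get-MgServicePrincipal -Filter "displayName eq 'Microsoft Teams'" | Select-Object -First 1
if (-not $teams) { throw "Microsoft Teams service principal not found in this tenant." }

$policy = @{
    displayName   = "Require MFA for B2B users"
    # Report-only: evaluated and written to the sign-in logs, but not enforced.
    # Change to "enabled" once the report-only results look right.
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users          = @{
            # Equivalent of "All guest users" in the portal.
            includeUsers = @("GuestsOrExternalUsers")
        }
        applications   = @{
            includeApplications = @($teams.AppId)
        }
        clientAppTypes = @("all")
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
Write-Output "Created policy $($created.Id) in state $($created.State)"

# Read the policy back and check that scope and grant control are what you intended.
Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id |
    Select-Object DisplayName, State,
        @{ n = 'Users'; e = { $_.Conditions.Users.IncludeUsers -join ',' } },
        @{ n = 'Apps';  e = { $_.Conditions.Applications.IncludeApplications -join ',' } },
        @{ n = 'Grant'; e = { $_.GrantControls.BuiltInControls -join ',' } }
```

Leave the policy in report-only mode until the sign-in logs show only the guest sign-ins you expect being flagged, then set state to "enabled".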

Test your policy

  • Go ahead and use your test guest user account to access the application you included in the CA (Conditional Access) policy scope.
  • The guest user should be prompted to provide an additional authentication method, for example the Azure Authenticator app.
  • That’s it! 😉

By the way….

Did you know you can protect remote access (using Conditional Access) to your on-premises applications when you hook them up to Azure AD Application Proxy?

It’s really cool, easy to implement and eliminates the need to open inbound firewall ports. Check it out on the following website. I will write a blog post on this subject soon.

https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/application-proxy

Liked this tutorial? Please leave a comment!

Sources

You can read the following article for more information about Azure AD CA:

https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/overview

2 comments

  1. Hi, we have successfully implemented this policy and it works well for users with an existing AAD identity and MS account. However, we are having trouble with OTP users combined with MFA. We have some accounts that are working, however some OTP users never get the option to register MFA info. We have tried registering a phone number for the user manually and forced re-registration, but this never seems to work. Please advise 🙂

    1. Thanks for your comment 🙂
      I’ve tried to reproduce your issue, but each B2B OTP-based user seems to be prompted for additional phone verification. Also, each login attempt seems to require completing second-step authentication.
      What happens when the particular user doesn’t get the prompt to register MFA? Is he able to log in to cloud applications? It will depend on the Conditional Access policy you’ve configured.
