Prevent Unauthorized Azure Tenant Access by External Users
Microsoft Entra
Jan 12, 2024 2:00 PM


by HubSite 365 about Merill Fernando


Master Microsoft Entra's Block CA Policy to Secure External User Access!

Key insights


Understand Conditional Access to prevent unauthorized Azure access: The video presented by Merill Fernando highlights the importance of a Block Conditional Access policy for safeguarding Azure resources. It demonstrates creating a Conditional Access policy that targets the Windows Azure Management API, protecting access through both the Azure portal and PowerShell.

  • Blocking External Users: The policy aims to prevent external users from accessing resources they shouldn't by applying a Block Conditional Access policy.
  • Detailed Demonstrations: Throughout the video, demonstrations show how to view an external user's access and then how to create and apply a block conditional access policy.
  • Focus on Azure Management: The policy focuses specifically on the Windows Azure Management API, crucial for managing access from administrative tools.

Recommendations for Multifactor Authentication (MFA): It's advised to require MFA for users accessing privileged resources via Azure tools. This measure enhances security by adding an additional authentication step to prevent unauthorized access.

  • Excluding Specific Accounts: Certain accounts, like emergency access and service accounts, should be excluded from conditional access policies to avoid lockouts and enable necessary programmatic access.
  • Policy Deployment Options: Organizations can deploy their conditional access policies manually or utilize predefined Conditional Access templates.
  • Creating and Enabling Policies: After creating a new conditional access policy in the Microsoft Entra admin center, its effects can be initially observed in report-only mode before fully enabling it.

Understanding Conditional Access in Microsoft Entra

Conditional Access policies serve as an essential tool in the Microsoft Entra suite to enhance organizational security practices. By requiring multifactor authentication for privileged Azure service access, these policies protect against unauthorized changes to subscription configurations, service settings, and billing information. Excluding necessary accounts like break-glass and service accounts ensures that automated processes continue to function while maintaining strict access control. Organizations have a choice in policy deployment, with the flexibility to either manually set up policies or use Microsoft-provided templates. Tracking the effects of new policies in report-only mode allows for careful assessment and adjustment before full implementation. Overall, Conditional Access is a pivotal part of a robust security posture within the Azure ecosystem.


Are External users getting privileged access to your Azure tenant? Mastering Microsoft Entra Conditional Access policies is essential for security. This video provides a thorough guide on implementing robust access control.

Merill Fernando dives into the BLOCK conditional access policy and its crucial role. He demonstrates how to apply this policy to restrict unauthorized user access to critical resources effectively.

The video starts by evaluating what external users can access by default. It then guides viewers through creating a targeted Conditional Access policy. This policy targets the Windows Azure Management API to secure both portal and PowerShell access.

Merill Fernando's tutorial includes a step-by-step demonstration on Azure Portal access setup. It illustrates how external user access can be viewed and managed. This clarity in presentation helps viewers understand the real-world applications of conditional access policies.

Subsequent segments of the video showcase PowerShell access by external users. The effectiveness of conditional access policies is highlighted when external access is successfully blocked, demonstrating the policy's immediacy and efficiency.

The video concludes with examples of a blocked external user, providing evidence of the policy's effectiveness. Through these demonstrations, viewers can understand the importance of proper access control within Azure services.

  • 00:00 Block CA Policy Overview
  • 02:03 Demo: Azure Portal - External user access
  • 03:47 Demo: PowerShell - External user access
  • 04:48 Demo: Create Block CA Policy
  • 07:33 Demo: PowerShell - External user blocked
  • 08:28 Demo: Azure Portal - External user blocked

Merill Fernando emphasizes common conditional access policies like requiring MFA for Azure management. These policies increase security for sensitive administrative tasks within the Azure portal, Azure PowerShell, and Azure CLI.

Users should be aware of the necessity to protect resources capable of altering configurations and subscription settings. For this purpose, Microsoft recommends multifactor authentication (MFA) to tightly control access.

Exceptions are critical to conditional access policy success. Fernando suggests excluding emergency access accounts to prevent lockouts and service accounts that can't perform MFA, ensuring seamless backend operations.

Organizations are guided on deploying conditional access policies, either manually or using available templates. Step-by-step instructions are provided for setting up a policy mandating MFA for users accessing the Windows Azure Service Management API suite.

Merill Fernando advises on the preliminary use of report-only mode for new policies. This allows organizations to verify their setup before full implementation, ensuring no unintended blocks are created.

For users interested in further implementation strategies, the video points to conditional access templates and the use of report-only mode. This detailed approach ensures that IT personnel can confidently implement and manage access policies within their Azure environment.
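The Block policy described above, as an added Microsoft Graph PowerShell example (not code from the video or from this page): it targets guests and external users signing in to the Windows Azure Service Management API, excludes placeholder emergency access accounts, and is created in report-only mode first. Assumed: the Microsoft.Graph module is installed, the signed-in account may manage Conditional Access, and the well-known app ID for the Windows Azure Service Management API, which you should confirm in your own tenant.

```powershell
# Added example, not from the video or HubSite 365. Creates the Block CA policy
# for guests/external users against the Windows Azure Service Management API
# using Microsoft Graph PowerShell, starting in report-only mode.
# Assumptions: Microsoft.Graph module installed; permission to manage
# Conditional Access; $breakGlassIds replaced with your own account object IDs.

Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Application.Read.All"

# Well-known app ID of the Windows Azure Service Management API (covers the
# Azure portal, Azure PowerShell and Azure CLI). Confirm it in your tenant.
$azureMgmtAppId = "797f4846-ba00-4fd7-ba43-dac1f8f63013"

# PLACEHOLDER: object IDs of your emergency access (break-glass) accounts.
# Service accounts that cannot satisfy the policy would be excluded the same way.
$breakGlassIds = @("00000000-0000-0000-0000-000000000000")

$policy = @{
    displayName = "Block guests and external users from Azure management"
    # Report-only first: sign-ins are evaluated and logged, nothing is blocked yet
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        clientAppTypes = @("all")
        applications   = @{ includeApplications = @($azureMgmtAppId) }
        users          = @{
            # Every guest/external user type from any external tenant
            includeGuestsOrExternalUsers = @{
                guestOrExternalUserTypes = "b2bCollaborationGuest,b2bCollaborationMember,internalGuest,otherExternalUser"
                externalTenants          = @{
                    "@odata.type" = "#microsoft.graph.conditionalAccessAllExternalTenants"
                    membershipKind = "all"
                }
            }
            excludeUsers = $breakGlassIds
        }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object Id, DisplayName, State

# After reviewing report-only results in the sign-in logs (the "Report-only"
# tab of each sign-in shows what this policy would have done), enforce it:
# Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id `
#     -BodyParameter @{ state = "enabled" }
```

Check the report-only outcomes for a few guest sign-ins before switching the state to enabled, so that a mis-scoped exclusion list does not lock out an account you depend on.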

Read the full article: Are External users getting privileged access to your Azure tenant?


People also ask

Is it possible for outside users to have access to resources in Azure?

Yes, it is possible for outside users to access resources in Azure. This capability is provided through Azure's B2B (business-to-business) collaboration feature, which allows users from outside the Azure Active Directory (Azure AD) tenant to be invited to access resources within the tenant.

What is the difference between guest and external users in Azure?

Guest and external users in Azure generally refer to the same category of users. These are individuals who are not employees, contractors, or onsite agents for the organization owning the tenant but who require access to certain internal resources. In Azure AD, you can invite users from other Azure AD tenants (external organizations) or even users with consumer email accounts (like Gmail, Yahoo, etc.), which are recognized as guest users and are given access permissions to resources within your tenant.

How do I invite an external user to my Azure tenant?

To invite an external user to your Azure tenant, you need administrative privileges in Azure AD. You can send an invitation through the Azure portal by entering the external user's email address and assigning an appropriate role or access level to them. Once invited, the user will receive an email containing a link to accept the invitation. Upon accepting, they will be prompted to create an account or log in with their existing Microsoft credentials, after which they can access the designated resources.

What is an external user in Azure?

An external user in Azure is someone who is not a member of your organization's Azure AD tenant but needs to access certain resources in your environment. This typically includes partners, suppliers, or customers. They are added to your directory as guest users and are limited in terms of privileges and access compared to members, but these limitations can be configured by Azure AD tenant administrators.
