Configuring MFA for External Users and Blocking Legacy Authentication in Microsoft Entra External ID
I'm trying to enable Multi-Factor Authentication (MFA) for external users in my Microsoft Entra External ID tenant (free tier) using Conditional Access policies. I've followed the documentation to create a policy for this, which requires me to disable security defaults. However, I want to ensure my internal accounts (especially admin accounts) remain protected from legacy authentication methods.
The documentation:
- https://learn.microsoft.com/en-us/entra/external-id/customers/concept-multifactor-authentication-customers
- https://learn.microsoft.com/en-us/entra/external-id/customers/how-to-multifactor-authentication-customers
The message I see while creating a Conditional Access policy:
To re-enable this protection, I'm trying to create a separate Conditional Access policy to block legacy authentication. Unfortunately, the "Client apps" condition, which is necessary for this policy, is grayed out and displays "Not available" in the policy creation form.
The document on creating a policy to block legacy authentication: https://learn.microsoft.com/en-us/entra/identity/conditional-access/policy-block-legacy-authentication#create-a-conditional-access-policy
The policy creation form:
My questions are:
- Why is the "Client apps" condition unavailable? Is this feature limited to a higher-tier subscription like P1/P2?
- If this feature is not available in the free tier, does this mean I cannot block legacy authentication while also configuring MFA for external users?
- Why aren't the default security protections enforcing MFA on my external users, even though they're enabled for all users?
- Am I approaching this correctly, or is there a different method to achieve both goals in a free-tier tenant?
Note: I have created multiple other Conditional Access policies with no issues.
I created a Stack Overflow question as well: https://stackoverflow.com/questions/79728813/configuring-mfa-for-external-users-and-blocking-legacy-authentication-in-microso