Background
I wanted to document some research related to updating the Guest condition features of CAOptics.
– Feedback is appreciated if you happen to find any differences in the reported behavior!
Research
- If you update any existing guest policy via the GUI, that policy will from then on be stored in the beta ¹ endpoint
- (If you have automations that rely on the v1.0 endpoint, that policy won't show up there anymore after it has been updated via the GUI)
- Regardless of whether the policy is v1.0 or beta, the GUI will show you the new policy settings
- Looking at policy enforcement, the parity between the old and new policy conditions appears to be as follows:

Old policy | Maps to new policy |
---|---|
"includeUsers": ["GuestsOrExternalUsers"] | "guestOrExternalUserTypes": "internalGuest,b2bCollaborationGuest,b2bCollaborationMember" |
¹ Even though updated policies are available from the beta endpoint only (at the time of the test), this post does not speculate on whether the organization is thereby opting in to preview features. Historically, information and settings appearing on the beta endpoint have been a good indicator of something being a preview feature, but it does not explicitly mean that the organization is opting in to a preview of new features.
Test setup
- Delete all policies in the burner/honeypot tenant
- Create a guest policy with the GA conditions via the v1.0 endpoint. To my best knowledge, this type of new policy created outside of the beta endpoint is equivalent to any pre-existing guest policy with the "includeUsers": [ "GuestsOrExternalUsers"]... setting.
- Create a guest policy with the preview conditions via the beta endpoint
- Sign in to the resource tenant (https://portal.azure.com/signin/index/@m.dewi.red) with each of the test users (the tenantIdentifier test cases):

Type | User |
---|---|
internalGuest (user from the test tenant) | acira.moraes@m.dewi.red |
b2bCollaborationMember (user from another tenant) | shantic@thx.dewi.red |
b2bCollaborationGuest (user from another tenant) | jose@thx.dewi.red |
- Query the results (assuming you are exporting sign-in logs to Log Analytics):

```kusto
let homeTenant = "48f55450-183a-45d6-a9ce-68f3cbc68947";
SigninLogs
| where TimeGenerated > now() - 20m
// A user whose home tenant differs from the resource tenant is a B2B collaboration user
| extend isB2BCollaUser = iff(HomeTenantId == homeTenant, false, true)
| mv-expand ConditionalAccessPolicies
| where ConditionalAccessPolicies.displayName has "guest"
| where ResultType == 0
| distinct UserPrincipalName,
    tostring(ConditionalAccessPolicies.displayName),
    tostring(ConditionalAccessPolicies.result),
    AppDisplayName,
    tostring(strcat('type:', UserType, ': B2BCollab:', isB2BCollaUser))
```
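The mapping reported in the Research section (the legacy `GuestsOrExternalUsers` token expanding to the three new guest types) and the classification the query above performs (UserType plus a HomeTenantId comparison) can be checked offline against exported policy JSON. The following is an added example, not code from the post or from CAOptics: it normalises the guest condition of a policy in either the v1.0 or the beta shape into a set of guest types, classifies constructed sign-in records the same way the KQL does, and reports which policies would put each sign-in in scope. Assumptions are labelled in the comments: the (UserType, cross-tenant) to guest-type mapping is inferred from the test-user table, `externalTenants` scoping is ignored (the test policy uses `membershipKind: "all"`), the foreign tenant id is a placeholder, and the third, narrower policy is constructed only to show that parity is not automatic.

```javascript
// Added example (not code from the post or from CAOptics): normalise the guest-user
// condition of an Azure AD Conditional Access policy, whether it uses the old v1.0
// shape ("includeUsers": ["GuestsOrExternalUsers"]) or the new beta shape
// ("includeGuestsOrExternalUsers": { "guestOrExternalUserTypes": "..." }), and
// work out which guest sign-ins each policy would put in scope.

// Expansion of the legacy token, taken from the mapping reported in the post.
const LEGACY_GUEST_TYPES = ["internalGuest", "b2bCollaborationGuest", "b2bCollaborationMember"];

// Split the comma-separated guestOrExternalUserTypes string into a clean list.
function parseGuestTypes(block) {
  if (!block || typeof block.guestOrExternalUserTypes !== "string") return [];
  return block.guestOrExternalUserTypes.split(",").map((t) => t.trim()).filter(Boolean);
}

// Set of guest/external user types the policy's user condition includes.
// Assumption/simplification: externalTenants scoping is ignored, i.e. the policy is
// treated as if membershipKind were "all", which is what the post's test policy uses.
function guestTypesInScope(policy) {
  const users = (policy.conditions && policy.conditions.users) || {};
  const types = new Set();
  if ((users.includeUsers || []).includes("GuestsOrExternalUsers")) {
    LEGACY_GUEST_TYPES.forEach((t) => types.add(t));
  }
  parseGuestTypes(users.includeGuestsOrExternalUsers).forEach((t) => types.add(t));
  parseGuestTypes(users.excludeGuestsOrExternalUsers).forEach((t) => types.delete(t));
  return types;
}

// True when two policies include exactly the same guest/external user types.
function sameGuestScope(a, b) {
  const sa = guestTypesInScope(a);
  const sb = guestTypesInScope(b);
  return sa.size === sb.size && [...sa].every((t) => sb.has(t));
}

// Classify a sign-in record the way the post's KQL does: UserType from the log plus
// whether HomeTenantId differs from the resource tenant. The mapping of
// (UserType, cross-tenant) to the three guest types is an assumption that is
// consistent with the post's test-user table.
function classifySignIn(record, homeTenantId) {
  const crossTenant = record.HomeTenantId !== homeTenantId;
  if (record.UserType === "Guest") return crossTenant ? "b2bCollaborationGuest" : "internalGuest";
  if (record.UserType === "Member") return crossTenant ? "b2bCollaborationMember" : "internalMember";
  return "unknown";
}

// Display names of enabled policies whose guest condition covers the sign-in.
function policiesCovering(policies, record, homeTenantId) {
  const type = classifySignIn(record, homeTenantId);
  return policies
    .filter((p) => p.state === "enabled" && guestTypesInScope(p).has(type))
    .map((p) => p.displayName);
}

// --- Constructed sample data (tenant id and UPNs from the post; the foreign tenant id is a placeholder) ---
const HOME_TENANT = "48f55450-183a-45d6-a9ce-68f3cbc68947";
const OTHER_TENANT = "00000000-0000-0000-0000-000000000000"; // placeholder for the thx.dewi.red tenant

const OLD_POLICY = {
  displayName: "Guest users - old policy type",
  state: "enabled",
  conditions: { users: { includeUsers: ["GuestsOrExternalUsers"], excludeUsers: [] } },
};
const NEW_POLICY = {
  displayName: "Guest users - new policy type",
  state: "enabled",
  conditions: {
    users: {
      includeUsers: [],
      excludeGuestsOrExternalUsers: null,
      includeGuestsOrExternalUsers: {
        guestOrExternalUserTypes: "internalGuest,b2bCollaborationGuest,b2bCollaborationMember",
        externalTenants: { "@odata.type": "#microsoft.graph.conditionalAccessAllExternalTenants", membershipKind: "all" },
      },
    },
  },
};
// Narrower beta policy, constructed here only to show that parity is not automatic.
const B2B_ONLY_POLICY = {
  displayName: "B2B guests only (constructed)",
  state: "enabled",
  conditions: { users: { includeGuestsOrExternalUsers: { guestOrExternalUserTypes: "b2bCollaborationGuest" } } },
};
const POLICIES = [OLD_POLICY, NEW_POLICY, B2B_ONLY_POLICY];

// Constructed sign-in records shaped like the SigninLogs columns the KQL uses.
const SIGN_INS = [
  { UserPrincipalName: "acira.moraes@m.dewi.red", UserType: "Guest", HomeTenantId: HOME_TENANT },
  { UserPrincipalName: "shantic@thx.dewi.red", UserType: "Member", HomeTenantId: OTHER_TENANT },
  { UserPrincipalName: "jose@thx.dewi.red", UserType: "Guest", HomeTenantId: OTHER_TENANT },
  { UserPrincipalName: "member@m.dewi.red", UserType: "Member", HomeTenantId: HOME_TENANT }, // constructed regular member
];

for (const s of SIGN_INS) {
  console.log(s.UserPrincipalName, classifySignIn(s, HOME_TENANT), policiesCovering(POLICIES, s, HOME_TENANT));
}
console.log("old/new guest scope parity:", sameGuestScope(OLD_POLICY, NEW_POLICY));
```

Run it with `node` on a file containing the block; feeding it a real export (`GET /beta/identity/conditionalAccess/policies`) in place of the constructed policies gives a quick parity check between the pre-migration and post-migration guest conditions before any automation that depends on the v1.0 shape is trusted again.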
Policies
```json
[
  {
    "displayName": "Guest users - old policy type",
    "state": "enabled",
    "sessionControls": null,
    "conditions": {
      "userRiskLevels": [],
      "signInRiskLevels": [],
      "clientAppTypes": [
        "all"
      ],
      "servicePrincipalRiskLevels": [],
      "platforms": null,
      "devices": null,
      "clientApplications": null,
      "applications": {
        "includeApplications": [
          "All"
        ],
        "excludeApplications": [],
        "includeUserActions": [],
        "includeAuthenticationContextClassReferences": []
      },
      "users": {
        "includeUsers": [
          "GuestsOrExternalUsers"
        ],
        "excludeUsers": [],
        "includeGroups": [],
        "excludeGroups": [],
        "includeRoles": [],
        "excludeRoles": []
      },
      "locations": {
        "includeLocations": [
          "All"
        ],
        "excludeLocations": []
      }
    },
    "grantControls": {
      "operator": "OR",
      "builtInControls": [
        "mfa"
      ],
      "customAuthenticationFactors": [],
      "termsOfUse": []
    }
  },
  {
    "displayName": "Guest users - new policy type",
    "state": "enabled",
    "sessionControls": null,
    "conditions": {
      "userRiskLevels": [],
      "signInRiskLevels": [],
      "clientAppTypes": [
        "all"
      ],
      "servicePrincipalRiskLevels": [],
      "platforms": null,
      "times": null,
      "deviceStates": null,
      "devices": null,
      "clientApplications": null,
      "applications": {
        "includeApplications": [
          "All"
        ],
        "excludeApplications": [],
        "includeUserActions": [],
        "includeAuthenticationContextClassReferences": []
      },
      "users": {
        "includeUsers": [],
        "excludeUsers": [],
        "includeGroups": [],
        "excludeGroups": [],
        "includeRoles": [],
        "excludeRoles": [],
        "excludeGuestsOrExternalUsers": null,
        "includeGuestsOrExternalUsers": {
          "guestOrExternalUserTypes": "internalGuest,b2bCollaborationGuest,b2bCollaborationMember",
          "externalTenants": {
            "@odata.type": "#microsoft.graph.conditionalAccessAllExternalTenants",
            "membershipKind": "all"
          }
        }
      },
      "locations": {
        "includeLocations": [
          "All"
        ],
        "excludeLocations": []
      }
    },
    "grantControls": {
      "operator": "OR",
      "builtInControls": [
        "mfa"
      ],
      "customAuthenticationFactors": [],
      "termsOfUse": [],
      "authenticationStrength@odata.context": "https://graph.microsoft.com/beta/$metadata#identity/conditionalAccess/policies('d68ecd62-e89c-4b69-82f3-aca18cba22a3')/grantControls/authenticationStrength/$entity",
      "authenticationStrength": null
    }
  }
]
```
Post title: “Research for CAOptics – Azure AD Conditional Access – Investigating Guest user conditions parity between new and old policies”