Multi-factor authentication (MFA) for external (guest) users can be enforced by creating an assigned or dynamic group that contains those users, and then targeting that group with a new Conditional Access policy.


In Azure Active Directory – Groups

  • Create a new security group, name it, and set Membership type to Assigned
  • Add the desired external users to the group

Under Conditional Access – Policies

  • Create a new Conditional Access policy
  • Assignments
    • Users and groups: include the new group you created
    • Cloud apps: select the desired apps
    • Conditions – Locations: Any location
  • Access controls
    • Grant – Require multi-factor authentication
  • Set Enable policy to On and select Create. Consider starting in Report-only mode and checking the sign-in logs to confirm that only the intended guest users are affected before switching the policy to On.

Note: Adding users to an assigned group is a manual step. It can be automated with a dynamic group, whose membership rule adds every external user to the group automatically.

How to create a dynamic group in the cloud and assign MFA to external users through the policy

Dynamic groups and Conditional Access both require an Azure AD Premium P1 license.

  • Create a dynamic security group, for example Dynamic_Group
  • Use the membership rule (user.userType -eq "Guest") to include all external users (in the rule builder: property userType, operator Equals, value Guest)
  • The group is populated automatically with all guest users; target it in the Conditional Access policy in the same way as the assigned group above
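The two procedures above (the dynamic guest group and the Conditional Access policy that requires MFA for it) can be scripted with the Microsoft Graph PowerShell SDK. The following is an added example, not code from the original page or from Microsoft; the group and policy names and the $appId placeholder are assumptions to be replaced with your tenant's values.

```powershell
# Added example (not from the original page): creates the dynamic guest group
# and the Conditional Access policy described above with the Microsoft Graph
# PowerShell SDK (Install-Module Microsoft.Graph). Names and $appId are assumed.
Connect-MgGraph -Scopes "Group.ReadWrite.All", "Policy.ReadWrite.ConditionalAccess"

# 1. Dynamic security group that picks up every guest user automatically.
#    The rule is what the portal's "userType Equals Guest" builder produces.
$group = New-MgGroup -DisplayName "Dynamic_Group" `
    -MailNickname "DynamicGuestGroup" -MailEnabled:$false -SecurityEnabled:$true `
    -GroupTypes @("DynamicMembership") `
    -MembershipRule '(user.userType -eq "Guest")' `
    -MembershipRuleProcessingState "On"

# 2. Conditional Access policy: include the group, the chosen apps and any
#    location; the grant control requires MFA. It is created in report-only
#    mode so the sign-in logs can confirm it targets only the intended users.
$appId = "00000000-0000-0000-0000-000000000000"   # assumed placeholder: an app ID, or "All"

$policy = @{
    displayName   = "Require MFA for external users"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users          = @{ includeGroups = @($group.Id) }
        applications   = @{ includeApplications = @($appId) }
        locations      = @{ includeLocations = @("All") }
        clientAppTypes = @("all")
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
Write-Host "Created policy $($created.Id) in report-only mode"

# 3. After validating the report-only results, enforce the policy:
# Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id -State "enabled"
```

Dynamic membership is evaluated asynchronously, so new guests appear in the group (and become subject to the policy) a few minutes after they are invited, not immediately.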

To reset a guest user's registered MFA methods, run the following PowerShell command. Reset-MsolStrongAuthenticationMethodByUpn belongs to the MSOnline module, which Microsoft has deprecated in favor of Microsoft Graph PowerShell; a Connect-MsolService sign-in is required first, and the UPN is the guest's full #EXT# form with no spaces.

Connect-MsolService
Reset-MsolStrongAuthenticationMethodByUpn -UserPrincipalName gsamoogle_gmail.com#EXT#@WoodGroveAzureAD.onmicrosoft.com
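Because the MSOnline module is deprecated, the same reset can be done with the Microsoft Graph PowerShell SDK (Microsoft.Graph.Identity.SignIns cmdlets). The following is an added example, not code from the original page or from Microsoft: it enumerates the guest's registered methods and removes the phone and Microsoft Authenticator registrations, which forces re-registration at the next MFA prompt. The $userId value is an assumption; the user's object ID is used instead of the #EXT# UPN because the # and @ characters in guest UPNs are awkward to URL-encode in Graph requests.

```powershell
# Added example (not from the original page): Microsoft Graph equivalent of the
# MSOnline MFA reset. $userId is an assumed placeholder for the guest's object ID
# (for example from: (Get-MgUser -Filter "userType eq 'Guest'").Id).
Connect-MgGraph -Scopes "UserAuthenticationMethod.ReadWrite.All"

$userId = "11111111-1111-1111-1111-111111111111"   # assumed: replace with the guest's object ID

foreach ($m in Get-MgUserAuthenticationMethod -UserId $userId) {
    # The SDK returns a generic method object; the concrete type is in @odata.type
    $type = $m.AdditionalProperties['@odata.type']
    switch ($type) {
        '#microsoft.graph.phoneAuthenticationMethod' {
            Remove-MgUserAuthenticationPhoneMethod -UserId $userId -PhoneAuthenticationMethodId $m.Id
            Write-Host "Removed phone method $($m.Id)"
        }
        '#microsoft.graph.microsoftAuthenticatorAuthenticationMethod' {
            Remove-MgUserAuthenticationMicrosoftAuthenticatorMethod -UserId $userId -MicrosoftAuthenticatorAuthenticationMethodId $m.Id
            Write-Host "Removed Microsoft Authenticator method $($m.Id)"
        }
        default {
            # The password method cannot be removed; other types are left untouched here
            Write-Host "Skipping $type ($($m.Id))"
        }
    }
}
```

Removing a guest's methods only clears the registrations in your tenant; the next sign-in that hits the MFA policy above will prompt the guest to register again.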

Reference: https://docs.microsoft.com/en-us/azure/active-directory/active-directory-b2b-mfa-instructions