Azure Active Directory Risky Sign-In Policy Blocks Guest Access to Office 365 Tenants

A New Policy Can Block Guests from Teams and SharePoint Online

Teams and SharePoint Online are the largest generator of Azure Active Directory guest user accounts within Office 365 tenants. Teams creates guest accounts to include external people in team membership while SharePoint Online uses guest accounts to control sharing, including access to documents owned by a site belonging to an Office 365 group (one that isn’t team-enabled).

Typically, everything goes smoothly, and guests have unimpeded access to their assigned resources in the host tenant. However, if the host tenant enables an Azure Active Directory risky sign-in policy, guests who have previously successfully connected to the tenant can be blocked if at-risk events exist for their account. If invoked, the block occurs when the guest tries to access resources in the host tenant (Figure 1).

Account Blocked by an AAD Sign-In Policy
Figure 1: Account Blocked by an AAD Sign-In Policy (source: Microsoft)

Solution in Home Tenant

Being blocked can come as a shock when no apparent reason for the problem exists and the account holder doesn’t know how to resolve the issue. No action exists that the account holder can take. Unless the host tenant is willing to exclude the account from their risky sign-in policy or increase the policy’s tolerance for risk, the problem must be resolved by an administrator in their home tenant.

The root cause is that the user’s account is deemed risky for some reason. Perhaps a suspicion exists that the account is compromised; maybe sign-ins to the account have been from unusual places. For whatever reason, Azure Active Directory has accumulated evidence that a problem might exist with the account. When the guest tries to access resources in a host tenant, the risk profile of their account is considered before access is granted. If the account’s risk profile exceeds the threshold set in the host tenant’s risky sign-in policy, access is blocked.

Azure Active Directory Risky Sign-In Report

To unblock access, the risk profile of the guest’s account must be reduced in their home tenant. The Azure Active Directory risky sign-in report lists the accounts that have problems. This is due to be replaced soon by the Risky Users (users flagged for risk) report (Figure 2).

Azure Active Directory Risky Users Report
Figure 2: Azure Active Directory Risky Users Report

To unblock a user, select them from the list and click Dismiss user risk. Azure Active Directory then initiates a process to reset the account’s risk profile, which might take several minutes to complete. Following the reset, the user should be able to sign-into other tenants as a guest.


Azure Active Directory is critical to Office 365. Learn more about Azure Active Directory in Chapter 3 of the Office 365 for IT Pros eBook.

Advertisements

2 Replies to “Azure Active Directory Risky Sign-In Policy Blocks Guest Access to Office 365 Tenants”

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.