🎯 Purpose
✅ Require all guest and external users accessing your tenant to complete multi‑factor authentication (MFA).
➡️ Ensures that all users coming from outside your organisation authenticate securely before accessing any resource.
👥 Who is affected
✅ Users:
All external/guest identity types:
Internal guest
B2B collaboration guest
B2B collaboration member
B2B direct connect user
Other external users
Service providers
🚫 Exclusions: One group (typically break‑glass or trusted partner accounts)
➡️ All external identities must complete MFA unless specifically excluded.
☁️ What access is protected
✅ Applications: All cloud applications
✅ Client types: Browser, mobile, desktop, modern auth, legacy auth (if enabled)
➡️ Any access to any Microsoft cloud resource by an external user requires MFA.
🔐 How MFA is enforced
✅ MFA is required for every sign‑in by a guest/external user
✅ Enforced using Conditional Access built‑in MFA control
❌ No Authentication Strength applied (standard MFA only)
➡️ Password‑only sign‑ins from external users are blocked.
ℹ️ Note
This policy covers only external identities.
Internal member users are not included because includeUsers is intentionally empty, and the includeGuestsOrExternalUsers block is used instead.
⚙️ What this policy does NOT enforce
🚫 Device compliance
🚫 Location restrictions
🚫 Platform restrictions
🚫 User risk
🚫 Sign‑in risk
🚫 Device filters
🚫 Session controls
➡️ MFA is enforced for external users everywhere, on every device, with no conditional exceptions.
🟢 Policy status
✅ Enabled
➡️ Actively enforcing MFA for all external/guest users.
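As an added example (not part of this policy page or of any Microsoft artefact), the following Python lint checks an exported Conditional Access policy, in the Microsoft Graph JSON shape, against every property described above: empty includeUsers, all six guest types, one excluded group, all cloud apps, built-in MFA with no authentication strength, no narrowing conditions, and state enabled. The sample policy and its excluded-group GUID are constructed placeholders.

```python
# Added example: lint an exported Entra Conditional Access policy (Graph JSON) against this page.
REQUIRED_GUEST_TYPES = {
    "internalGuest", "b2bCollaborationGuest", "b2bCollaborationMember",
    "b2bDirectConnectUser", "otherExternalUser", "serviceProvider",
}
# Constructed sample of the described policy; the excluded group GUID is a placeholder.
EXTERNAL_MFA_POLICY = {
    "state": "enabled",
    "conditions": {
        "applications": {"includeApplications": ["All"]},
        "clientAppTypes": ["browser", "mobileAppsAndDesktopClients", "exchangeActiveSync", "other"],
        "users": {
            "includeUsers": [],  # intentionally empty: internal members are out of scope
            "excludeGroups": ["00000000-0000-0000-0000-000000000001"],  # placeholder GUID
            "includeGuestsOrExternalUsers": {
                "guestOrExternalUserTypes": ",".join(sorted(REQUIRED_GUEST_TYPES)),
                "externalTenants": {"membershipKind": "all"}},
        },
        "locations": None, "platforms": None, "devices": None,
        "userRiskLevels": [], "signInRiskLevels": [],
    },
    "grantControls": {"operator": "OR", "builtInControls": ["mfa"], "authenticationStrength": None},
    "sessionControls": None,
}

def lint_external_mfa_policy(policy):
    """Return deviations from the described policy; an empty list means it conforms."""
    findings = []
    cond = policy.get("conditions") or {}
    users = cond.get("users") or {}
    grant = policy.get("grantControls") or {}
    if policy.get("state") != "enabled":
        findings.append("state is not 'enabled': report-only or disabled does not enforce MFA")
    if users.get("includeUsers"):
        findings.append("includeUsers must be empty: internal members are out of scope")
    types = (users.get("includeGuestsOrExternalUsers") or {}).get("guestOrExternalUserTypes") or ""
    if missing := REQUIRED_GUEST_TYPES - {t.strip() for t in types.split(",") if t.strip()}:
        findings.append("guest types not covered: " + ", ".join(sorted(missing)))
    if len(users.get("excludeGroups") or []) != 1:
        findings.append("expected exactly one excluded group (break-glass or trusted partners)")
    if (cond.get("applications") or {}).get("includeApplications") != ["All"]:
        findings.append("includeApplications must be ['All'] so every cloud app is covered")
    if "mfa" not in (grant.get("builtInControls") or []):
        findings.append("grantControls must require the built-in 'mfa' control")
    if grant.get("authenticationStrength"):
        findings.append("authenticationStrength is set; the page describes standard MFA only")
    narrowing = ("locations", "platforms", "devices", "userRiskLevels", "signInRiskLevels")
    if any(cond.get(k) for k in narrowing) or policy.get("sessionControls"):
        findings.append("unexpected conditions or session controls narrow the policy")
    return findings
```

Feed it the JSON returned by GET /identity/conditionalAccess/policies/{id} to confirm a deployed policy still matches this description after tenant changes.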
📘 Security Alignment
✅ Supports Microsoft identity protection best practices
➡️ Ensures external users cannot access your tenant without MFA
ℹ️ Complements Essential Eight uplift by strengthening authentication for all non‑internal identities.
📘 Practical Interpretation (Executive‑Friendly)
This Conditional Access policy ensures that:
✅ Every guest or external identity
✅ Accessing any Microsoft cloud application in your tenant
✅ Must authenticate using multi‑factor authentication
This prevents unauthenticated or weakly authenticated external access and forms a key part of a secure external collaboration boundary.