Unnie Ayilliath

Microsoft 365 | Azure | Identity Solutions

Block guest/external users from internal Enterprise Azure applications


You want to create an internal application for your organization which is accessible to all internal users. Now you decide to host the application in Azure and you use the native Azure way of protecting the app by enabling the App service authentication and configuring Azure AD authentication like below:

Screen Shot 2018-04-22 at 11.19.42.png

Now this will make sure that all users accessing the app has to be an authenticated user and should be present in your organization’s Azure AD. But this is not good enough if your organization have external sharing and external users or guest users are present in your Azure AD (Guest users are users who are from a different Azure AD or a Microsoft accounts (live id) who are present in your Azure AD). These guest users will also be able to login to your internal Azure apps unless they are not blocked. You can see below the guest user will be displayed in Azure AD.

Screen Shot 2018-04-22 at 11.49.21.png


Fortunately, Azure AD provides enough features through which we can add an authorization to the apps without writing any code.

PS: You need to have minimum Azure AD Premium P1 license or above to use this no code solution.

Step 1: Create an Azure AD Security Group

  1. Navigate to portal.azure.com
  2. Create an Azure AD group called “Internal Users Only” or any name you like.
  3. Now you need to add all internal users to this group.creategroup
  4. The easy way is Azure AD Dynamic group membership. This will allow users to be automatically added to the group based on some dynamic criteria. For our scenario, the criteria are User Type equals Member. For dynamic group membership, you need to have at least Azure AD Premium P1 licenses. More info about dynamic membership here.dynamicmembershiprule
  5. If dynamic groups cannot be created then assigned group needs to be created and the membership needs to be maintained manually.

Step 2: Configure Authorization or User Assignment for the Azure AD App

  1. Navigate to portal.azure.com
  2. Select Azure Active Directory and then select Enterprise Applications.
  3. From the list of registered apps select the app which was used to authenticate the app service.
  4. Now click on Properties and change User assignment required? to Yes. This means that users who can access this app need to be assigned to this Azure AD app.Screen Shot 2018-04-22 at 12.15.05.png
  5. Now click on Users & Groups from the left-hand panel of the app. Click Add user. Now select the group “All internal users only” from the list. Note that at least Azure AD Premium P1 license is required for adding groups to an Azure AD app.3

Now only users in the “All internal users only” group will be able to access the internal application. All guest users will get an unauthorized page from Azure AD after login.

Published by

2 responses to “Block guest/external users from internal Enterprise Azure applications”

  1. You may wish to revise this blog. It would appear assigning a group to an AAD App is an AAD P1 licensed feature:

    1. @Ryan Thanks for pointing out, it is corrected 🙂

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

Website Powered by WordPress.com.

%d bloggers like this: