Forum Discussion
All users receive "Your organization needs more information to keep your account secure" when logging on
- Feb 11, 2020
Thank you for the hint.
Finally solved by:
Azure Active Directory > Properties
Manage security defaults
set Enable security defaults to No
I think the response marked as best is not the right solution.
I guess I won't be the only one to have that scenario:
With a Microsoft 365 plan, you get
- Microsoft Entra (previously named Azure Active Directory)
- SharePoint
And you just want to simply share documents from your SharePoint with external users of your organization and to simply use a one-time password (OTP) passcode sent through e-mail.
You do not want your external users to be asked to create a Microsoft Account, to be linked to Microsoft services, to have to install Microsoft Authenticator, or to be in your Microsoft Entra Directory.
You also do not want to set your SharePoint Sharing Settings to "Anyone" (it is very bad to enable that option).
A lot of websites and people say to just add Conditional Access Policies to exclude external users from MFA,
BUT you also do not want to use Conditional Access Policies because you need Azure AD Premium (Entra Premium?).
Then some people suggest removing the Security Defaults, but that is not the answer to the issue, it is just a workaround.
Then I finally found / understood how this mess works:
https://identity-man.eu/2022/01/11/securing-sharepoint-online-guest-users-with-the-azure-ad-b2b-experience/
I really recommend reading that blog page; it will clarify the situation about how to have a simple file sharing system with an OTP code, without Conditional Access Policies, while keeping the default "Security Defaults" setting, which enables MFA for all users in your Entra Directory (Azure AD).
Just in case the blog goes down, I will sum up the situation here:
The answer is, do not use Azure B2B Integration with SharePoint. It seems to be enabled by default on any new Microsoft 365 plan.
Hence all the policies set in your Microsoft Entra (I really do not like that name; AAD was so much better, I do not understand why they changed it, but anyway) are set by "Security Defaults".
It is really badly documented, or at least really confusing, on Microsoft Learn/Docs. They barely mention it (to push you to use Conditional Access Policies?).
You need to disable the following settings: EnableAzureADB2BIntegration
Set-SPOTenant -EnableAzureADB2BIntegration $false
By using this command, external user sharing will use SharePoint B2B instead of Azure B2B for SharePoint.
You will see that every time someone from your organization (depending on how you set up your SharePoint policies, of course) shares a doc from SharePoint with an external user, you will not see the e-mail of that external user in your Microsoft Entra.
If you want to see the SharePoint B2B Directory (= all SharePoint users, internal + external), it is very weird; I do not get why Microsoft does not improve the UI/UX.
To access it, you need to go to that link (manually, as I do not find a menu to access it - it is still a SharePoint Classic page (facepalm)):
https://YOUR_SHAREPOINT_NAME.sharepoint.com/sites/Shared/_layouts/15/people.aspx?MembershipGroupId=0
It is very important to put 0 for the MembershipGroupId.
Then you will be able to see (clean up, update, ...) all internal/external users who are in your SharePoint B2B.
Hope it will help anyone who is facing that issue.
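The steps from the post above (check the current state, refuse to continue if sharing is set to "Anyone", switch from Azure AD B2B to SharePoint B2B, then verify), as an added PowerShell example that is not from the original post or from Microsoft. It assumes the SharePoint Online Management Shell module (Microsoft.Online.SharePoint.PowerShell) and, for the last optional check, the Microsoft.Graph module are installed, that you hold the SharePoint Administrator role, and that `YOUR_SHAREPOINT_NAME` is replaced with your own tenant name (placeholder, as in the post).

```powershell
# Added example: not the original poster's or Microsoft's code.
# Assumes the SharePoint Online Management Shell module is installed and that the
# account used holds the SharePoint Administrator role.
$TenantName = 'YOUR_SHAREPOINT_NAME'   # placeholder tenant name, replace before running

# 1. Connect to the tenant admin site (the "-admin" URL, not a normal site collection).
Connect-SPOService -Url "https://$TenantName-admin.sharepoint.com"

# 2. Record the current state first, so the change can be reverted if needed.
$before = Get-SPOTenant | Select-Object EnableAzureADB2BIntegration, SharingCapability
Write-Host "Before: EnableAzureADB2BIntegration=$($before.EnableAzureADB2BIntegration) SharingCapability=$($before.SharingCapability)"

# 3. Stop if external sharing is set to "Anyone" (ExternalUserAndGuestSharing):
#    anonymous links skip the e-mail OTP flow entirely, which is the option the post warns against.
if ($before.SharingCapability -eq 'ExternalUserAndGuestSharing') {
    throw "SharingCapability is 'Anyone'. Tighten it first, e.g.: Set-SPOTenant -SharingCapability ExternalUserSharingOnly"
}

# 4. Switch external sharing from Azure AD B2B to SharePoint B2B (the step from the post).
if ($before.EnableAzureADB2BIntegration) {
    Set-SPOTenant -EnableAzureADB2BIntegration $false
}

# 5. Re-read the tenant settings and verify the change actually applied.
$after = Get-SPOTenant
if ($after.EnableAzureADB2BIntegration) {
    throw 'EnableAzureADB2BIntegration is still $true; the change did not apply.'
}
Write-Host "After: EnableAzureADB2BIntegration=$($after.EnableAzureADB2BIntegration)"

# 6. Optional: confirm Security Defaults are still enforced in Entra, i.e. tenant-wide MFA
#    was not weakened to make guest sharing work. Assumes the Microsoft.Graph module
#    and an account allowed to consent to the Policy.Read.All scope.
Connect-MgGraph -Scopes 'Policy.Read.All'
$sd = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy
Write-Host "Security Defaults enabled: $($sd.IsEnabled)"
```

Run it once from an admin workstation; the "Before" line is worth keeping in your change log, because the same command with `$true` reverts the tenant to Azure AD B2B integration if the SharePoint B2B behaviour turns out not to suit you.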
That is some good information! Considering this question was all about Security Defaults, i.e. NOT having Entra P1 or P2 licensing, with Security Defaults you are essentially forced to require MFA for all users without exception. This includes Guest users. Your suggestion is great, as it will work with Security Defaults in place, by taking SharePoint out of the equation. For those with P1 or P2, you would not do this, as you can control who is or is not prompted using CA policies.
There are two things I find people miss when it comes to MFA / SSPR:
1. As in the screenshot, the number of methods required to reset a password is important because the registration for MFA is tied to this (combined registration is a forced setting). If this is set to '2', your users in scope for SSPR will be prompted continually for a second method, because it is required for password reset. This is where you can register an Email, which is not supported for MFA, but is supported as a method for password reset - again slightly confusing, easily misunderstood until you read the docs. Generally you want SSPR set to all in which case I recommend keeping the number of methods set to '1', otherwise it gets confusing for users.
2. It's okay to have SSPR enabled for all with security defaults, as long as you disable 'Registration' which is two down on the menu from where you enable it. Set it to 'No'. Users will not be prompted for SSPR, but will be prompted for MFA registration.
NOTE: This has all changed recently for Entra Premium, with the move to the Security => Authentication Methods blade. You need to migrate from the current configurations to the new methods, then you benefit from some new methods like 'Temporary Access Pass'. The new methods include a 'Registration Campaign' where you can control the prompts that occur during login, and the number of days it can be skipped.
Here's a step by step walkthrough for the migration:
https://learn.microsoft.com/en-us/entra/identity/authentication/how-to-authentication-methods-manage
Good luck!