Forum Discussion
All users receive "Your organization needs more information to keep your account secure" when logging on
- Feb 11, 2020
Thank you for the hint.
Finally solved by:
Azure Active Directory > Properties
Manage security defaults
set Enable security defaults to No
I think the best response marked is not the right solution.
I guess I won't be the only one to have that scenario:
With a Microsoft 365 plan, you get
- Microsoft Entra (previously named Azure Active Directory)
- SharePoint
And you just want to simply share documents from your SharePoint with external users outside your organization and to simply use a one-time passcode (OTP) sent through e-mail.
You do not want your external users to be requested to create a Microsoft Account, to be linked to Microsoft services, to be required to install Microsoft Authenticator, or to be in your Microsoft Entra Directory.
You also do not want to set your SharePoint Sharing Settings to "Anyone" (very bad to enable that option).
A lot of websites and people say, just add a Conditional Access policy to exclude external users from MFA.
BUT you also do not want to use Conditional Access policies because you need Azure AD Premium (Entra Premium?).
Then some people suggest removing the Security Defaults, but that is not the answer to the issue, it is just a workaround.
Then I finally found / understood how this mess works:
https://identity-man.eu/2022/01/11/securing-sharepoint-online-guest-users-with-the-azure-ad-b2b-experience/
I really recommend reading that blog page; it will clarify the situation about how to have a simple file sharing system with an OTP code without having Conditional Access policies, while keeping the default "Security Defaults" setting, which enables MFA for all users in your Entra Directory (Azure AD).
Just in case the blog goes down, I will sum up the situation here:
The answer is, do not use Azure B2B Integration with SharePoint. It seems to be enabled by default on any new Microsoft 365 plan.
Hence all the policies set in your Microsoft Entra (I really do not like that name, AAD was so much better, I do not understand why they changed it, but anyway) are set by "Security Defaults".
It is really badly documented, or at least really confusing, on Microsoft Learn/docs. They barely mention it (to push you to use Conditional Access policies?).
You need to disable the following setting: EnableAzureADB2BIntegration
Set-SPOTenant -EnableAzureADB2BIntegration $false
By using this command, external user sharing will use SharePoint B2B instead of Azure B2B for SharePoint
Every time someone from your organization (based on how you set up your SharePoint policies, of course) shares a doc from SharePoint with an external user, you will not see the e-mail of that external user in your Microsoft Entra.
If you want to see the SharePoint B2B Directory (= all SharePoint users (internal + external users)), it is very weird; I do not get why Microsoft does not improve the UI/UX.
To access it, you need to go to that link (manually, as I do not find a menu to access it; it is still a SharePoint Classic page (facepalm)):
https://YOUR_SHAREPOINT_NAME.sharepoint.com/sites/Shared/_layouts/15/people.aspx?MembershipGroupId=0
It is very important to put 0 for the MembershipGroupId.
Then you will be able to see (clean up, update, ...) all internal/external users who are in your SharePoint B2B
Hope it will help anyone who is facing that issue
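As an added example (not code from the post or from the linked blog), the following PowerShell script uses the SharePoint Online Management Shell to audit the tenant-wide sharing level and the EnableAzureADB2BIntegration setting described above, and only switches the integration off when asked. It assumes the Microsoft.Online.SharePoint.PowerShell module is installed, that the caller holds the SharePoint Administrator role, and uses a placeholder tenant name.

```powershell
# Added example, not from the original post: audit a SharePoint Online tenant's
# external-sharing posture and optionally switch external sharing from the
# Azure AD B2B integration back to SharePoint-native external users (e-mail OTP).
# Assumes the SharePoint Online Management Shell module and the SharePoint
# Administrator role; $TenantName is a placeholder (e.g. contoso).
param(
    [Parameter(Mandatory)] [string] $TenantName,
    [switch] $DisableB2BIntegration    # apply the change; default is report-only
)

Import-Module Microsoft.Online.SharePoint.PowerShell -ErrorAction Stop
Connect-SPOService -Url "https://$TenantName-admin.sharepoint.com"

$tenant = Get-SPOTenant

# 1. Tenant-wide sharing level. 'ExternalUserAndGuestSharing' is the value
#    behind the "Anyone" option the post advises against (anonymous links).
if ($tenant.SharingCapability -eq 'ExternalUserAndGuestSharing') {
    Write-Warning "Tenant sharing level is 'Anyone': anonymous links are allowed."
} else {
    Write-Host "Tenant sharing level: $($tenant.SharingCapability)"
}

# 2. External-user flow. With the Azure AD B2B integration on, each external
#    recipient becomes a guest object in Entra ID and therefore falls under the
#    MFA registration requirement imposed by Security Defaults.
Write-Host "EnableAzureADB2BIntegration: $($tenant.EnableAzureADB2BIntegration)"

if ($DisableB2BIntegration -and $tenant.EnableAzureADB2BIntegration) {
    # Switch to SharePoint B2B (no guest object in Entra ID), then re-read
    # the tenant to confirm the change actually took effect.
    Set-SPOTenant -EnableAzureADB2BIntegration $false
    $after = Get-SPOTenant
    if ($after.EnableAzureADB2BIntegration) {
        Write-Error "Setting did not change; check your role and retry."
    } else {
        Write-Host "Azure AD B2B integration disabled; external sharing now uses SharePoint B2B."
    }
}

Disconnect-SPOService
```

Run it without the switch first to see the current posture; the setting only changes tenant-wide when -DisableB2BIntegration is supplied.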
That is some good information! Considering this question was all about Security Defaults, i.e. NOT having Entra P1 or P2 licensing, with Security Defaults you are essentially forced to require MFA for all users without exception. This includes Guest users. Your suggestion is great as it will work with Security Defaults in place, by taking SharePoint out of the equation. For those with P1 or P2, you would not do this, as you can control who is or is not prompted using CA policies.
There are two things I find people miss when it comes to MFA / SSPR:
1. As in the screenshot, the number of methods required to reset a password is important because the registration for MFA is tied to this (combined registration is a forced setting). If this is set to '2', your users in scope for SSPR will be prompted continually for a second method, because it is required for password reset. This is where you can register an Email, which is not supported for MFA, but is supported as a method for password reset - again slightly confusing, easily misunderstood until you read the docs. Generally you want SSPR set to all in which case I recommend keeping the number of methods set to '1', otherwise it gets confusing for users.
2. It's okay to have SSPR enabled for all with security defaults, as long as you disable 'Registration' which is two down on the menu from where you enable it. Set it to 'No'. Users will not be prompted for SSPR, but will be prompted for MFA registration.
NOTE: This has all changed recently for Entra Premium, with the move to the Security => Authentication Methods blade. You need to migrate from the current configurations to the new methods, then you benefit from some new methods like 'Temporary Access Pass'. The new methods include a 'Registration Campaign' where you can control the prompts that occur during login, and the number of days it can be skipped.
Here's a step-by-step walk-through for the migration:
https://learn.microsoft.com/en-us/entra/identity/authentication/how-to-authentication-methods-manage
Good luck!
- techlogik7, Nov 06, 2023, Brass Contributor
We have this same issue. We use CA, no defaults are configurable. Out of nowhere users are getting hit with
"Your organization requires you to set up the following methods of proving who you are. Additional authentication is required to complete this sign-in." Then you go to a redirect/Azure and around in circles it goes and finally back to this message, just a loop over and over, and you can't do anything. MFA is supposed to be the first thing Azure checks if enabled. We do have CAs for hybrid joined/Intune compliant devices... but how do you set up MFA if you can't even get the page to show to download the MS app or enter a phone number? This is another issue I have a support ticket open on. We can't modify the default authentication methods or disable the MS Auth app; it just gives an error, and 3 days later no support response, just "send us info"... dead in the water. Cluster and mess as usual with MS and this entire CAs, Auth apps, Intune dumpster fire.... Rant over. Any ideas, let us know. Only way to get a user in is turn off MFA, they sign in, then set up MFA methods, then put them in the groups to enforce CAs/Intune policies. Giant mess. And let's not get into the 18 hrs it takes for a CA rule change to go into effect. Literally spending weeks on end making single changes to troubleshoot issues and getting nowhere fast. MS support is useless.
- Colin123, Jan 23, 2024, Copper Contributor
I had the same issue, using Intune to sign up a new user on a new PC. Got the AADSTS50192 message.
Then tried to log in on an existing Windows laptop via a browser, same issue. After scratching my head for a while I figured it must be to do with the user needing to log in with MFA but having no security info set up, so they cannot log in with MFA.
1) Logged in as an Administrator to "Microsoft 365 Admin Center"
2) Selected *"Identity" under "Admin Centers" to Access "Microsoft Entra Admin Center"
3) "Microsoft Entra Admin Center" select "Users" > "All Users"
4) Select the relevant user
5) Under the user screen select "Authentication Methods", enter an authentication method,
6) When complete press the save icon. The user should now be prompted for additional data when logging in, as there will be an authentication method available when logging in.
Suggestions to Microsoft
1) * Rename "Identity" to "Microsoft Entra Admin Center" in "Microsoft 365 Admin Center"
2) ** In "Microsoft 365 Admin Center", add method to enter user authentication method when setting up a user, setting up a user without it is pretty useless.