Forum Discussion
Enable MFA for external identities in MS Entra
Hi all,
I am planning to enable MFA for guest accounts and external identities using Conditional Access in MS Entra. I am, however, wondering how I can select which authentication methods they can use, or what the default behaviour would be.
Currently, I am still using legacy MFA for internal users. I will migrate MFA to MS Entra later this year; however, I am not sure how this works when enabling MFA for external users.
As I do use legacy MFA, my setting in "Authentication methods > Policies" has MS Authenticator set to NO.
Now, do I need to switch MS Authenticator to YES if I want guests to use that app? And if I enable it, how do I assign it to external identities only? I do not see that kind of option there at all... I can assign it to all, for example, but I am not yet ready to migrate internal users as well...
Would be happy to get some clarification on this.
Thank you
- micheleariis (Steel Contributor)
sumo83: Hi, you could enable Microsoft Authenticator without mandating immediate use.
In Authentication methods > Policies, you can enable Microsoft Authenticator as an available method for your organization. This makes the method available to all users, but does not force anyone to use it until it is specifically required. Then you could use Conditional Access to create a policy that requires MFA, but without specifying that it must be Microsoft Authenticator.
In this case, users can use Microsoft Authenticator if they choose to do so, or another available MFA method, such as SMS or email. Once you have enabled Microsoft Authenticator as an available method, you can create a Conditional Access policy to require MFA under specific circumstances, such as access from risky locations or devices, but without forcing the use of Microsoft Authenticator. Users will be able to choose an MFA method from those enabled (e.g., SMS or Authenticator, if both are enabled).
Enabling Microsoft Authenticator as an available method but without configuring mandatory MFA on Conditional Access will offer a smooth transition.
Internal and external users will be able to configure Microsoft Authenticator, but will not be required to use it until you have completed the MFA transition for everyone.
- sumo83 (Iron Contributor)
Hi micheleariis
I should have mentioned that before: I do have a Conditional Access policy that requires all users to use MFA when accessing cloud apps. I am, however, not sure what the impact of enabling Authentication methods in MFA will be for internal users, as there is this "migration" in place, and all the guides I've read say that when you enable an authentication method in MS Entra, you should disable that method in the legacy MFA portal....
However, I do not want to migrate internal users for now... and I just want to enable MFA for guest/external users...
- micheleariis (Steel Contributor)
sumo83: Can't you make 2 separate Conditional Access rules? One for external users and one for internal users?
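Worked example, added here and not part of any post in the thread: the two steps the replies describe (make Microsoft Authenticator an available method in the Authentication methods policy, then scope an MFA requirement to guests and external users with their own Conditional Access policy, separate from the internal-user policy) expressed with the Microsoft Graph PowerShell SDK. It assumes the Microsoft.Graph module is installed and an account holding the Conditional Access Administrator and Authentication Policy Administrator roles; the policy display name is made up, and the policy is created in report-only mode so its effect can be reviewed in the sign-in logs before enforcement.

```powershell
# Added example (not from the thread): Microsoft Graph PowerShell, run interactively
# by an administrator. Requires: Install-Module Microsoft.Graph
Connect-MgGraph -Scopes "Policy.ReadWrite.AuthenticationMethod",
                        "Policy.ReadWrite.ConditionalAccess",
                        "Application.Read.All"

# Step 1: enable Microsoft Authenticator as an *available* method for all users.
# Enabling it here only makes the method selectable; nothing requires its use until a
# Conditional Access policy (or a registration campaign) does.
$authenticatorConfig = @{
    "@odata.type"  = "#microsoft.graph.microsoftAuthenticatorAuthenticationMethodConfiguration"
    state          = "enabled"
    includeTargets = @(
        @{
            targetType         = "group"
            id                 = "all_users"   # special value: every user in the tenant
            authenticationMode = "any"         # allow both push and passwordless sign-in
        }
    )
}
Update-MgPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration `
    -AuthenticationMethodConfigurationId "MicrosoftAuthenticator" `
    -BodyParameter $authenticatorConfig

# Step 2: a Conditional Access policy that targets only guest and external users and
# requires MFA, leaving the existing internal-user policy untouched.
$guestMfaPolicy = @{
    displayName = "CA - Require MFA for guests and external users"   # hypothetical name
    state       = "enabledForReportingButNotEnforced"                # report-only; set "enabled" later
    conditions  = @{
        clientAppTypes = @("all")
        applications   = @{ includeApplications = @("All") }
        users          = @{
            # All external user kinds, from every external tenant.
            includeGuestsOrExternalUsers = @{
                guestOrExternalUserTypes = "internalGuest,b2bCollaborationGuest,b2bCollaborationMember,b2bDirectConnectUser,otherExternalUser,serviceProvider"
                externalTenants          = @{
                    "@odata.type"  = "#microsoft.graph.conditionalAccessAllExternalTenants"
                    membershipKind = "all"
                }
            }
        }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")   # any enabled method satisfies the control
    }
}
$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $guestMfaPolicy

# Confirm what was created before changing its state to "enabled".
Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id |
    Select-Object Id, DisplayName, State
```

Two caveats a practitioner would check before enforcing: the grant control above is the generic "mfa" requirement, so guests get to pick any method the Authentication methods policy has enabled for them (that is the behaviour micheleariis describes); and an existing policy assigned to "All users" already includes guest accounts, so a guest-only policy overlaps with it unless guests are excluded from the all-users policy. Report-only mode makes that overlap visible in the sign-in logs before anything is blocked.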