CEL_RK
Brass Contributor
Sep 05, 2024

Entra External ID (External Tenant) employee login question

Hello,

We are creating an app for our customers.  We have created an External ID Tenant for our customers to live in.  We have set everything up and things are working as expected for the customers.


I am struggling with the right settings for our employees to log in and manage/administrate inside the application.  They currently have to MFA in twice when logging into this app using the same page that our customers use to log in.  I have added these users as guests in the External ID tenant so that they can use the same credentials as our Work-Force tenant.  This works, but as I said, they MFA in twice.  Once for our Work-Force tenant, and once for the External ID tenant.  

I do have a conditional access policy set up to force MFA on anyone who has admin access to the External ID tenant, but when logging into our application, you have to MFA in EVERY time.  When logging into Azure, it's very different.  It seems to cache that I'm logged in, and/or cache that I've previously passed MFA and doesn't require it again.


I have multiple questions:

  • How can I stop having 2 MFA prompts every time an employee/admin logs into our application and keep things secure?  I assume I could disable MFA on external guest accounts to get rid of one MFA prompt.  My concern is that there is a way to directly log into the External ID tenant and bypass our Work-Force tenant which requires the MFA.
  • Is there a way to disable MFA from my Work-Force tenant when logging into the app registered in the External ID tenant?
  • Why is the app not operating like Azure Authentication?  Shouldn't it keep my session open just like Azure does unless I log out or time out?  Why does it not remember that I've previously satisfied MFA from my location?
    • Is this something a developer needs to look at?

I'm open to other suggestions as well to accomplish this.  We are trying to avoid our tech support staff and other admins from having to MFA in twice when they access the admin section of this application.

  • CEL_RK
    Brass Contributor

    So I do it so quickly I didn't even notice it.  The first MFA was actually passwordless authentication, then it gets to the app in the external ID tenant and requires MFA.

    Also, originally the developers were passing prompt=login.  They changed it to prompt=none and then just removed it completely.  It is now working similarly to how the Azure website works.  Users now do not need to MFA in so much, they stay authenticated until they log out (or I assume, clear their cache).


    This brings up another issue.  How can we sign users out after a period of time?  The developers had something set, but if the user already closed the tab, there is nothing that chooses the account they need to log out of.
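An added illustration, not the poster's or their developers' code, of the two points raised in this thread: how the `prompt` parameter changes the authorization request that is sent to the External ID tenant, and how a sign-out request can name the account so Entra does not have to ask which one to sign out. Tenant, client id and redirect URIs are placeholders, the ciamlogin.com authority form is an assumption about the poster's tenant, and it assumes the app is configured to issue the `login_hint` optional claim in its ID token.

```javascript
// Added example, not the poster's or Microsoft's code. Tenant, client id and
// redirect URIs are placeholders; the ciamlogin.com authority is an assumption.
const AUTHORITY = "https://contoso.ciamlogin.com/contoso.onmicrosoft.com";

// Authorization request. `prompt` is deliberately optional: leaving it out lets
// Entra reuse an existing session (the behaviour the reply ended up with),
// "login" forces a fresh interactive sign-in on every visit (so MFA is asked
// for again), and "none" forbids any UI and returns login_required when no
// session exists, which only makes sense for a silent background request.
function buildAuthorizeUrl({ clientId, redirectUri, scopes, prompt, loginHint }) {
  const url = new URL(`${AUTHORITY}/oauth2/v2.0/authorize`);
  url.searchParams.set("client_id", clientId);
  url.searchParams.set("response_type", "code");
  url.searchParams.set("redirect_uri", redirectUri);
  url.searchParams.set("scope", scopes.join(" "));
  if (prompt) url.searchParams.set("prompt", prompt);
  if (loginHint) url.searchParams.set("login_hint", loginHint);
  return url.toString();
}

// Read one claim from the app's own ID token payload (base64url JSON).
// This is only to pick a hint; it is NOT signature validation of the token.
function idTokenClaim(idToken, claim) {
  const payload = idToken.split(".")[1];
  const json = Buffer.from(payload, "base64url").toString("utf8");
  return JSON.parse(json)[claim];
}

// Sign-out request. With no hint, Entra must ask "which account?" when the
// browser no longer carries the app's state (the closed-tab case above).
// Passing logout_hint (the ID token's login_hint claim) or, failing that,
// id_token_hint lets it end the right session without that page.
function buildLogoutUrl({ postLogoutRedirectUri, idToken }) {
  const url = new URL(`${AUTHORITY}/oauth2/v2.0/logout`);
  url.searchParams.set("post_logout_redirect_uri", postLogoutRedirectUri);
  const hint = idToken ? idTokenClaim(idToken, "login_hint") : undefined;
  if (hint) url.searchParams.set("logout_hint", hint);
  else if (idToken) url.searchParams.set("id_token_hint", idToken);
  return url.toString();
}

// Constructed, unsigned sample token used only to exercise the helpers.
const SAMPLE_ID_TOKEN = [
  "e30",
  Buffer.from(JSON.stringify({ login_hint: "O.CiAA.sample-hint" })).toString("base64url"),
  "sig",
].join(".");
```

Omitting `prompt` is what lets a previously satisfied MFA be reused for the session; if a fresh MFA is wanted only for the admin area, that is a separate, explicit request rather than the default for every sign-in.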
