Forum Discussion

jdbst56
Brass Contributor
Oct 11, 2024

Phishing resistant MFA options for Entra ID Guest users

What are the phishing-resistant MFA options for Entra ID B2B guest users who authenticate from an IDP that is not configured for inbound cross-tenant trust? From our testing, there does not appear to be any way to use FIDO2/passwordless/certificate-based authentication with the guest account on the resource tenant. The following links appear to indicate that this is not supported.

Overview of custom authentication strengths and advanced options for FIDO2 security keys and certificate-based authentication in Microsoft Entra ID - Microsoft Entra ID | Microsoft Learn

Microsoft Entra passwordless sign-in - Microsoft Entra ID | Microsoft Learn

When we enable MFA requirements in a conditional access policy for Guest users, the only option that seems to work is MS Authenticator, which the user can enroll for on our tenant. Would switching the account from a B2B guest to an internal Guest allow something like CBA to function, or is the only real option to enable cross-tenant trust and force the user to enable MFA on the account in their home IDP?
