Forum Discussion
kenwc
Jun 18, 2025 · Copper Contributor
Guest users in tenant enforcing phishing resistant MFA
If a tenant uses a third-party MFA, i.e. Okta or similar, and users are guests in another tenant via B2B trust, and the tenant accepting guest accounts is enforcing MS phishing-resistant MFA ...
TomerN
Jul 14, 2025 · Copper Contributor
No, guests using Okta MFA will not satisfy a phishing-resistant MFA requirement as enforced by Microsoft.
What can you do? (From what I can understand)
Option 1: Adjust Conditional Access for guests
- Create an exception in the Conditional Access policy for guest users.
- For example, allow guest access without enforcing phishing-resistant MFA or enforce regular MFA only.
Option 2: Require guests to perform MFA in your tenant
- Configure Enforce MFA registration for guests and require them to register Microsoft MFA (or FIDO2) in your tenant.
- This way, when they access resources, they perform phishing-resistant MFA in your tenant context.
Option 3: Federate guests through Entra ID with explicit phishing-resistant claims
- Only feasible if the external identity provider can pass "phishing-resistant" signals via federated SAML or OIDC, which most cannot today.
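Option 1 from the reply above, sketched as an added example (not part of the original post): two Conditional Access policies created in report-only mode with the Microsoft Graph PowerShell SDK, one requiring the built-in phishing-resistant strength for everyone except guests, one requiring the built-in regular MFA strength for guests. The display names are placeholders, and the guest types selected are an assumption about which external users you want covered.

```powershell
# Added example. Requires the Microsoft.Graph module and a role that can manage
# Conditional Access. Both policies are report-only so the effect on guest
# sign-ins can be checked in the sign-in logs before anything is enforced.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All'

# Selector for B2B collaboration users from any external tenant (assumed scope).
$guests = @{
    guestOrExternalUserTypes = 'b2bCollaborationGuest,b2bCollaborationMember'
    externalTenants          = @{
        '@odata.type'  = '#microsoft.graph.conditionalAccessAllExternalTenants'
        membershipKind = 'all'
    }
}

# Built-in authentication strength policy IDs.
$mfaStrength       = '00000000-0000-0000-0000-000000000002'  # Multifactor authentication
$phishingResistant = '00000000-0000-0000-0000-000000000004'  # Phishing-resistant MFA

# Policy A: phishing-resistant MFA for all users, with guests excluded.
$membersPolicy = @{
    displayName   = 'EXAMPLE - Phishing-resistant MFA (guests excluded)'
    state         = 'enabledForReportingButNotEnforced'
    conditions    = @{
        clientAppTypes = @('all')
        applications   = @{ includeApplications = @('All') }
        users          = @{ includeUsers = @('All'); excludeGuestsOrExternalUsers = $guests }
    }
    grantControls = @{ operator = 'OR'; authenticationStrength = @{ id = $phishingResistant } }
}

# Policy B: regular MFA strength for the guests excluded from policy A,
# so the exception does not leave them with no MFA requirement at all.
$guestPolicy = @{
    displayName   = 'EXAMPLE - MFA for guests'
    state         = 'enabledForReportingButNotEnforced'
    conditions    = @{
        clientAppTypes = @('all')
        applications   = @{ includeApplications = @('All') }
        users          = @{ includeGuestsOrExternalUsers = $guests }
    }
    grantControls = @{ operator = 'OR'; authenticationStrength = @{ id = $mfaStrength } }
}

New-MgIdentityConditionalAccessPolicy -BodyParameter $membersPolicy
New-MgIdentityConditionalAccessPolicy -BodyParameter $guestPolicy
```

Using the same `$guests` selector for the exclusion in policy A and the inclusion in policy B keeps the two scopes complementary, so no guest type falls between them.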