Forum Discussion
kenwc (Copper Contributor)
Jun 18, 2025
Guest users in tenant enforcing phishing resistant MFA
If a tenant uses a third-party MFA, i.e. Okta or similar, and users are guests in another tenant via B2B trust, and the tenant accepting guest accounts is enforcing MS phishing-resistant MFA ...
Will the tenant recognise "Okta"-authenticated guests as phishing resistant?
Or will guest accounts need a Conditional Access policy applied to allow the guest users access to the tenant enforcing MS phishing-resistant MFA?
1 Reply
- TomerN (Copper Contributor)
No, guests using Okta MFA will not satisfy a phishing-resistant MFA requirement as enforced by Microsoft.
What can you do? (From what I can understand)
Option 1: Adjust Conditional Access for guests
- Create an exception in the Conditional Access policy for guest users.
- For example, allow guest access without enforcing phishing-resistant MFA or enforce regular MFA only.
Option 2: Require guests to perform MFA in your tenant
- Configure Enforce MFA registration for guests and require them to register Microsoft MFA (or FIDO2) in your tenant.
- This way, when they access resources, they perform phishing-resistant MFA in your tenant context.
Option 3: Federate guests through Entra ID with explicit phishing-resistant claims
- Only feasible if the external identity provider can pass "phishing-resistant" signals via federated SAML or OIDC, which most cannot today.
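
Option 1 from the reply above, sketched as two Conditional Access policies created with the Microsoft Graph PowerShell SDK. This is an added example, not part of the original thread and not Microsoft's own code; the display names and the helper `New-StrengthPolicy` are hypothetical, and both policies are created in report-only mode.

```powershell
# Added example. Assumes the Microsoft.Graph PowerShell SDK is installed and the
# signed-in admin can consent to the scope below.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess'

# Built-in authentication strength IDs. Confirm them in your tenant with
# Get-MgPolicyAuthenticationStrengthPolicy before relying on them.
$MfaStrengthId    = '00000000-0000-0000-0000-000000000002'  # Multifactor authentication
$PhishResistantId = '00000000-0000-0000-0000-000000000004'  # Phishing-resistant MFA

# B2B collaboration guests and members from any external tenant.
$GuestScope = @{
    guestOrExternalUserTypes = 'b2bCollaborationGuest,b2bCollaborationMember'
    externalTenants          = @{
        '@odata.type'  = '#microsoft.graph.conditionalAccessAllExternalTenants'
        membershipKind = 'all'
    }
}

# Hypothetical helper: one policy = one user scope + one authentication strength.
function New-StrengthPolicy {
    param([string]$Name, [hashtable]$Users, [string]$StrengthId)
    $body = @{
        displayName   = $Name
        # Report-only: sign-in logs show what would be blocked, nothing is enforced.
        state         = 'enabledForReportingButNotEnforced'
        conditions    = @{
            clientAppTypes = @('all')
            applications   = @{ includeApplications = @('All') }
            users          = $Users
        }
        grantControls = @{
            operator               = 'OR'
            builtInControls        = @()
            authenticationStrength = @{ id = $StrengthId }
        }
    }
    New-MgIdentityConditionalAccessPolicy -BodyParameter $body
}

# Policy A: everyone except B2B guests must use phishing-resistant MFA.
New-StrengthPolicy -Name 'EXAMPLE - Phishing-resistant MFA (guests excluded)' `
    -Users @{ includeUsers = @('All'); excludeGuestsOrExternalUsers = $GuestScope } `
    -StrengthId $PhishResistantId

# Policy B: B2B guests still have to satisfy regular MFA, so the exception in
# policy A does not leave them with no MFA requirement at all.
New-StrengthPolicy -Name 'EXAMPLE - MFA for B2B guests' `
    -Users @{ includeGuestsOrExternalUsers = $GuestScope } `
    -StrengthId $MfaStrengthId
```

Review the report-only results in the sign-in logs for both member and guest sign-ins before switching either policy's `state` to `enabled`.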