Forum Discussion

veryConfused's avatar
veryConfused
Copper Contributor
Dec 15, 2021
Solved

Issue with two MFA . Disabling one MFA based on rules

Question is regarding authentication(s) in Azure AD for this set-up. To comply with security requirements customer has enabled MFA for their tenant and we have enabled MFA for our service hosted in o...
Azure Active Directory (AAD)
Identity Management
  • BilalelHadd's avatar
    BilalelHadd
    Dec 16, 2021

    Hi veryConfused,

    So If I understand your question correctly, and If I'm not, please correct me.
    You have User A in Tenant A and Tenant B (I assume as a guest user)? If this is the case, then it's correct that you need to configure Azure MFA twice. The reason for this is straightforward; your (authentication) methods are configured per tenant. This means, if you have configured your Authenticator in Tenant A, it won't be synchronized to Tenant B since this is a Unique user per tenant.

    If you receive an invite for another environment in the future, and they have configured Azure MFA as required, you should again configure MFA for this particular tenant.

    I hope this isn't veryConfused ;-). And if you still need some help, please let me know. 

BilalelHadd's avatar
BilalelHadd
Iron Contributor
Dec 16, 2021

Hi veryConfused,

So If I understand your question correctly, and If I'm not, please correct me.
You have User A in Tenant A and Tenant B (I assume as a guest user)? If this is the case, then it's correct that you need to configure Azure MFA twice. The reason for this is straightforward; your (authentication) methods are configured per tenant. This means, if you have configured your Authenticator in Tenant A, it won't be synchronized to Tenant B since this is a Unique user per tenant.

If you receive an invite for another environment in the future, and they have configured Azure MFA as required, you should again configure MFA for this particular tenant.

I hope this isn't veryConfused ;-). And if you still need some help, please let me know. 

  • veryConfused's avatar
    veryConfused
    Copper Contributor
    Dec 16, 2021
    yes , you understood the issue correctly. So I am more looking to what other alternatives I have? Can I do some kind of rules that will validate if users are coming from previous tenant and will disable MFA for my second tenant? or any other way?
    • BilalelHadd's avatar
      BilalelHadd
      Iron Contributor
      Dec 16, 2021
      You have some possibilities with Conditional Access, like including or excluding some guests users, but I wouldn't recommend you configure this. Like you stated yourself, "To comply with security requirements customer has enabled MFA for their tenant and we have enabled MFA for our service hosted in our subscription."

      ChristianJBergstrom, Indeed I was aware of this, but same here. Not many details yet. Keep me posted 😉

Resources