Forum Discussion
MFA and Guest Access
As it stands right now, if I include guest users in my MFA requirements (via Conditional Access), they are required to set up MFA for our tenant specifically, in addition to the MFA they have for their own tenant. What I was expecting to have happen when I added a guest was that our MFA requirement made sure that they had MFA enabled on their account, not that it would have a separate MFA policy unique to our tenant. Is there a way to tweak this? If they've already proved their identity with two forms of authentication, why should they need to prove it again with a third? But I definitely want to make sure that guest users have MFA somewhere along the authentication chain, which presumably means that I can't remove them from the CA policy.
6 Replies
- shahlakhan
Microsoft
Cross tenant access setting can help you trust MFA & device claims from other AD organizations -
https://docs.microsoft.com/en-us/azure/active-directory/external-identities/cross-tenant-access-overview
https://docs.microsoft.com/en-us/azure/active-directory/external-identities/cross-tenant-access-settings-b2b-collaboration
- BrandenE2024
Copper Contributor
- It's how it works currently. And there are changes coming in this space, so stay tuned.
- JonasBack
Iron Contributor
VasilMichev Wow - we're just starting a project activating MFA for 10,000+ Guests and we suspect it will be chaos since the guests are not really supported by us but use our apps. But if you tell us change is coming here and we should wait - please tell us a liiiitle bit more? 😉
- I'm sure you will hear a lot about it at Ignite next month 🙂
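
Added example (not part of the thread, not Microsoft's own code): the inbound trust setting from the cross-tenant access answer above, applied to a single named partner tenant through Microsoft Graph, so the existing Conditional Access policy can keep requiring MFA for guests while accepting the MFA claim from their home tenant. Assumptions: the Microsoft Graph PowerShell SDK is installed, the signed-in admin can consent to `Policy.ReadWrite.CrossTenantAccess`, and `$PartnerTenantId` is a placeholder.

```powershell
# Assumption: placeholder value; replace with the partner organization's tenant ID.
$PartnerTenantId = '00000000-0000-0000-0000-000000000000'
$Base = 'https://graph.microsoft.com/v1.0/policies/crossTenantAccessPolicy'

Connect-MgGraph -Scopes 'Policy.ReadWrite.CrossTenantAccess'

# 1. Record the tenant-wide default before changing anything. Turning trust on
#    here would accept MFA claims from every external Microsoft Entra tenant,
#    so this example leaves the default alone and scopes trust to one partner.
$default = Invoke-MgGraphRequest -Method GET -Uri "$Base/default"
"Default inbound isMfaAccepted: $($default.inboundTrust.isMfaAccepted)"

# 2. Trust only the MFA claim. Device claims stay untrusted unless the partner's
#    device compliance has been reviewed separately.
$body = @{
    inboundTrust = @{
        isMfaAccepted                       = $true
        isCompliantDeviceAccepted           = $false
        isHybridAzureADJoinedDeviceAccepted = $false
    }
}

# 3. Update the partner entry if it exists, otherwise create it.
#    (First page of results only; follow '@odata.nextLink' if you have many partners.)
$partners = (Invoke-MgGraphRequest -Method GET -Uri "$Base/partners").value
$existing = $partners | Where-Object { $_.tenantId -eq $PartnerTenantId }

if ($existing) {
    Invoke-MgGraphRequest -Method PATCH -Uri "$Base/partners/$PartnerTenantId" `
        -Body ($body | ConvertTo-Json -Depth 5) -ContentType 'application/json'
} else {
    $body.tenantId = $PartnerTenantId
    Invoke-MgGraphRequest -Method POST -Uri "$Base/partners" `
        -Body ($body | ConvertTo-Json -Depth 5) -ContentType 'application/json'
}

# 4. Read the setting back so the change is confirmed and can be logged.
$partner = Invoke-MgGraphRequest -Method GET -Uri "$Base/partners/$PartnerTenantId"
$partner.inboundTrust | ConvertTo-Json
```

Guests from tenants without a partner entry fall back to the default setting, so with the default left untrusted they still register MFA in your tenant.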