Guest MFA - require register phone as well as authenticator app


Hi all

So I am aware of cross-tenant MFA settings and we are testing this feature, but it does not help in all scenarios e.g. guest has AAD but doesn't have MFA enforced in their home tenant.

So Guests are forced to register for MFA in our tenant using a conditional access policy. This uses the authenticator app by default, unless they click the text 'I want to set up a different method' at the bottom (which no one notices).

Now using the app for Guests is problematic. Frequently they change phones and forget to move their authenticator app over, resulting in loss of access. When that happens, they have no way of getting back in since the app is their only authentication method. They don't have the number of our helpdesk since they are external, so don't know how to call support and get their authentication methods reset. So they basically get locked out forever and just give up trying to access content shared with them.

So I would like to do one of the following:

  • Force them to add a phone number upon first registration
  • Change phone number to default, before app registration
  • Or better still - use email as a fall back, since we already have their external email address they could just be sent a one-time code.

I think the last option is the best, since SMS is not exactly secure. There is an option 'email one-time passcode for guests', however this only applies to Guests who don't have an AAD or MS account. It would be great if this option also applied to AAD guests who lost their app.

Does anyone know a way around this situation? We can't ask guests to go in via myapps, switch tenants, and add a method, that's just not going to happen.

Thanks

Hal

2 Replies
Hi @halsc,

As far as my knowledge goes, there isn't such a possibility that you can configure a (default) authentication method order for a user. Instead, the user itself should do this.

However, when we talk about forcing an authentication method, there are some possibilities.
You can pre-populate authentication methods for a (guest) user. Many blogs on the internet show you how to configure this. If you wish to do it without scripts, you can manually add the authentication method when creating/inviting a guest account under the authentication methods section when selecting the user.

I hope this helps!

If you require 2 methods in SSPR, it will force the user to register both Authenticator and Phone number for SMS. That's how it works for normal users at least and I think this would apply to Azure AD Guest users too. However, that causes all users to be forced to register two methods, which might not be what you want.

I also think Microsoft lack some features here. You should be able to ask/encourage them to register more methods but maybe not force them.
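
An added example, not code from any poster in this thread: a Microsoft Graph PowerShell sketch of the "pre-populate authentication methods" approach from the first reply. It lists guests whose only registered second factor is the Authenticator app, then adds a fallback phone method for those with a known number. The `$fallbackPhones` mapping, the addresses and numbers in it, and the `$apply` switch are assumptions made up for illustration.

```powershell
# Requires the Microsoft.Graph module and an admin able to consent to these scopes.
Connect-MgGraph -Scopes 'User.Read.All', 'UserAuthenticationMethod.ReadWrite.All'

$appType   = '#microsoft.graph.microsoftAuthenticatorAuthenticationMethod'
$phoneType = '#microsoft.graph.phoneAuthenticationMethod'

# Hypothetical mapping: guest mail address -> fallback mobile number (constructed values).
$fallbackPhones = @{
    'guest.one@partner.example' = '+1 5555550100'
}
$apply = $false   # leave $false for a report-only run; set $true to write the phone methods

function Get-GuestsWithAppOnly {
    # Guests that registered the Authenticator app but have no phone method to fall back on.
    Get-MgUser -Filter "userType eq 'Guest'" -All -Property Id, Mail |
        ForEach-Object {
            $types = @(Get-MgUserAuthenticationMethod -UserId $_.Id |
                ForEach-Object { $_.AdditionalProperties['@odata.type'] })
            if ($types -contains $appType -and $types -notcontains $phoneType) {
                [pscustomobject]@{ Id = $_.Id; Mail = $_.Mail; Methods = $types -join ', ' }
            }
        }
}

$atRisk = @(Get-GuestsWithAppOnly)
$atRisk | Format-Table Mail, Methods -AutoSize   # the lockout-risk report

foreach ($guest in $atRisk) {
    # Mail can be empty on some guest objects; skip anyone without a known number.
    if (-not $guest.Mail -or -not $fallbackPhones.ContainsKey($guest.Mail)) { continue }
    $number = $fallbackPhones[$guest.Mail]
    if ($apply) {
        # Graph expects the format "+<country code> <number>".
        New-MgUserAuthenticationPhoneMethod -UserId $guest.Id `
            -PhoneNumber $number -PhoneType 'mobile' | Out-Null
        Write-Host "Added mobile fallback for $($guest.Mail)"
    }
    else {
        Write-Host "Would add mobile fallback for $($guest.Mail)"
    }
}
```

Whether SMS or voice can then be used for sign-in still depends on the tenant's authentication methods policy, and the original poster's concern about SMS applies to any number added this way.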