Guest User gets MFA registration in my tenant, while having MFA in own tenant?

%3CLINGO-SUB%20id%3D%22lingo-sub-1850021%22%20slang%3D%22en-US%22%3EGuest%20User%20gets%20MFA%20registration%20in%20my%20tenant%2C%20while%20having%20MFA%20in%20own%20tenant%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1850021%22%20slang%3D%22en-US%22%3E%3CP%3EI'm%20an%20IT%20Pro%2C%20so%20trying%20new%20stuff%20all%20the%20time.%20Possibly%20turned%20something%20on%20that%20shouldn't.%20%3A)%3C%2Fimg%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EHere%20is%20my%20problem%2C%20or%20something%20that%20surprised%20me%3A%3C%2FP%3E%3CP%3EMy%20own%20tenant%20has%20security%20defaults%20enabled%2C%20so%20MFA%20is%20required%20(I%20guess).%20That's%20good.%20I%20like%20that%20my%20tenant%20is%20secure.%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EWhen%20I%20invite%20guest%20users%2C%20it%20is%20no%20surprise%20they%20also%20are%20required%20to%20setup%20MFA%20if%20they%20don't%20have%20this%20in%20their%20own%20tenant.%20The%20most%20strict%20tenant%20wins.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ENow%20I%20invite%20a%20guest%20user%2C%20which%20I%20know%20has%20MFA%20setup%20in%20his%20own%20tenant.%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EOn%20accepting%20the%20invitation%20(by%20entering%20the%20emailaddress%20where%20he%20was%20invited)%2C%20not%20only%20does%20he%20get%20a%20message%20telling%20him%20that%20MFA%20is%20required%20in%20my%20tenant.%20He%20is%20also%20redirected%20to%20a%20MFA%20setup%20page%2C%20asking%20him%20to%20install%20Microsoft%20Authenticator%20(which%20he%20already%20has)%20and%20scan%20the%20QR%20code%2C%20after%20which%20he%20has%20to%20accounts%20configured%20in%20the%20Microsoft%20Authenticator.%20One%20for%20his%20own%20tenant%20and%20one%20with%20his%20%23ext%20guest%20address%20in%20my%20tenant.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20would%20expect%20that%20authenticating%20with%20his%20own%20Azure%20AD%20credentials%20would%20also%20mean%20using%20his%20own%20MFA%20and%20should%20just%20mean%20that%20he%20should%20be%20push%20one%20%22ok%2C%20let's%20go%22%20button%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThe%20user%20is%20Azure%20AD%20joined%20on%20his%20computer.%20Going%20to%20e.g.%20office.com%20doesn't%20have%20a%20sign%20in%20step.%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ECould%20be%20my%20configuration%3F%20Or%20misinterpretation%20of%20MFA%3F%20If%20this%20is%20by%20design%20I'm%20disappointed.%20This%20means%20user%20training%20and%20this%20is%20to%20complicated%20for%20my%20users.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-1850021%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EAzure%20AD%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1850074%22%20slang%3D%22en-US%22%3ERe%3A%20Guest%20User%20gets%20MFA%20registration%20in%20my%20tenant%2C%20while%20having%20MFA%20in%20own%20tenant%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1850074%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F3205%22%20target%3D%22_blank%22%3E%40Michiel%20van%20den%20Broek%3C%2FA%3E%26nbsp%3BI%20mean%20I'm%20disappointed%20that%20it's%20not%20a%20%22guide%20your%20user%20ones%20in%20setting%20up%20MFA%20in%20their%20own%20tenant%20and%20don't%20worry%20about%20it%20when%20they%20enter%20a%20guest%20tenant%22.%20If%20my%20user%20gets%20a%20MFA%20setup%20everytime%20he%20is%20invited%20in%20another%20tenant%2C%20then%20he%20is%20not%20enjoying%20collaborating%20and%20will%20return%20to%20simply%20sending%20files%20with%20email.%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1850151%22%20slang%3D%22en-US%22%3ERe%3A%20Guest%20User%20gets%20MFA%20registration%20in%20my%20tenant%2C%20while%20having%20MFA%20in%20own%20tenant%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1850151%22%20slang%3D%22en-US%22%3E%3CP%3EAfaik%20it's%20by%20design%2C%20the%20reasoning%20being%20that%20the%20%22resource%22%20tenant%20can%20have%20specific%20requirements%20with%20regards%20to%20MFA%2C%20with%20no%20guarantee%20they%20will%20be%20satisfied%20within%20the%20%22home%22%20tenant.%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E
Frequent Contributor

I'm an IT Pro, so trying new stuff all the time. Possibly turned something on that shouldn't. :)

 

Here is my problem, or something that surprised me:

My own tenant has security defaults enabled, so MFA is required (I guess). That's good. I like that my tenant is secure. 

 

When I invite guest users, it is no surprise they also are required to setup MFA if they don't have this in their own tenant. The most strict tenant wins.

 

Now I invite a guest user, which I know has MFA setup in his own tenant. 

 

On accepting the invitation (by entering the emailaddress where he was invited), not only does he get a message telling him that MFA is required in my tenant. He is also redirected to a MFA setup page, asking him to install Microsoft Authenticator (which he already has) and scan the QR code, after which he has two accounts configured in the Microsoft Authenticator. One for his own tenant and one with his #ext guest address in my tenant.

 

I would expect that authenticating with his own Azure AD credentials would also mean using his own MFA and should just mean that he should be push one "ok, let's go" button?

 

The user is Azure AD joined on his computer. Going to e.g. office.com doesn't have a sign in step. 

 

Could be my configuration? Or misinterpretation of MFA? If this is by design I'm disappointed. This means user training and this is to complicated for my users.

3 Replies

@Michiel van den Broek I mean I'm disappointed that it's not a "guide your user ones in setting up MFA in their own tenant and don't worry about it when they enter a guest tenant". If my user gets a MFA setup everytime he is invited in another tenant, then he is not enjoying collaborating and will return to simply sending files with email. 

Afaik it's by design, the reasoning being that the "resource" tenant can have specific requirements with regards to MFA, with no guarantee they will be satisfied within the "home" tenant. 

@Vasil Michev Thank you!

 

I thought about this reason. But why is it different from e.g. MAM/MDM where you require a minimum of security setting (updated, pin set, no jailbreak, etc.) before accessing your files. So, if the user doesn't have a pin code, you require him to set a pincode to unlock his device. And if he has a pincode but it's 4 digits and you require 6 digits then the user has to change his pin. It's not like he's getting a second pincode.

 

Same for MFA. If the user has allready installed Microsoft Authenticator with this Azure AD account, then don't give him a second setup. Just use the setup that belongs to his "home" account. 

 

1 username, 1 password, 1 MFA. That's already complicated enough to understand.