MFA and B2B - Trusting Partner MFA


We would like to use Conditional Access to enforce MFA on Guest users but trust the MFA configuration in the source company. It was mentioned in this MFA and Azure B2b by Sarat Subramaniam that Microsoft is "looking into enabling the resource tenant to trust certain partner organizations' MFA" which looks like exactly what we want.

Does anyone have any idea on progress?

Specifically, we have a partner company with ADFS/Azure and On-Premise MFA (supportsMFA is true in MSOL Domain Federation Settings) and want to use their ADFS based MFA. When we require MFA, users are prompted for Azure MFA setup.

Thanks for any info you have!

Shane

2 Replies
Do we have any updates for this?

Agree @Shane Wright, this would improve the end-user experience by re-using their existing MFA profile in their home tenant and not requiring them to re-establish it. However, it probably needs to present a claim of some sort so that the resource tenant can use its own MFA settings if the end-user's home tenant does not have MFA enabled via a condition set in conditional access.

Does anyone know if there have been more recent developments on a feature such as this?