Issue with two MFA . Disabling one MFA based on rules

New Contributor

Question is regarding authentication(s) in Azure AD for this set-up. To comply with security requirements customer has enabled MFA for their tenant and we have enabled MFA for our service hosted in our subscription in our tenant which means that the end users(customers) currently need to configure MFA 2 times, one time for their subscription and one time for our subscription and this has negative impact on  end users as they need to configure and log-in twice. Currently we are replication identities from customer's AAD to our AAD . 

What options do I have other than disabling one MFA? Is there a way that I can disable one of the MFA based on certain rules? What else?

(PS: Dont ask why we are doing this replication from one subscription to other , it will be a long story)

6 Replies
best response confirmed by veryConfused (New Contributor)

Hi @veryConfused,

So If I understand your question correctly, and If I'm not, please correct me.
You have User A in Tenant A and Tenant B (I assume as a guest user)? If this is the case, then it's correct that you need to configure Azure MFA twice. The reason for this is straightforward; your (authentication) methods are configured per tenant. This means, if you have configured your Authenticator in Tenant A, it won't be synchronized to Tenant B since this is a Unique user per tenant.

If you receive an invite for another environment in the future, and they have configured Azure MFA as required, you should again configure MFA for this particular tenant.

I hope this isn't @veryConfused ;-). And if you still need some help, please let me know. 

Agree this is confusing as I don't really get the description ;) What does it mean with "replication identities"? What and when does the MFA prompt at the locations?

For the record I know the Azure team is working on some sort of enhanced experience when it comes to the MFA claim and "satisfy" for host/resource tenant B2B scenarios. But no details I'm afraid.
yes , you understood the issue correctly. So I am more looking to what other alternatives I have? Can I do some kind of rules that will validate if users are coming from previous tenant and will disable MFA for my second tenant? or any other way?
@ChristianJBergstrom, BilalHead has explained the issue more clearly in the answer. and I would like to know if MFA can be configured on case to case basis for tenant B. thats one of the way I am thinking, if that is possible?
You have some possibilities with Conditional Access, like including or excluding some guests users, but I wouldn't recommend you configure this. Like you stated yourself, "To comply with security requirements customer has enabled MFA for their tenant and we have enabled MFA for our service hosted in our subscription."

@ChristianJBergstrom, Indeed I was aware of this, but same here. Not many details yet. Keep me posted ;)