Issues with user accessing external tenant and not receiving MFA notifications

I have a user that has been invited to access some SharePoint content in an external O365 tenant. When this user attempts to access the external content he is prompted for MFA, which he is set up for in his home tenant; however, he does not receive any push notification in Microsoft Authenticator. He has tried alternative MFA options (only an OTP code is offered) and enters the OTP code from Microsoft Authenticator, but this is never accepted ("code is wrong"), so he cannot access the content in the external tenant.

We have Security Defaults enabled in our tenant and this user uses MFA flawlessly to access content in our tenant, i.e. push notifications work to the Microsoft Authenticator app and he does not have any issue logging in.

I have revoked his MFA sessions and forced him to re-register for MFA, i.e. setting up Microsoft Authenticator and other methods again, but this does not help and he is still blocked from accessing this external content.

The login to the external tenant is logged on our side as this:

User type: Guest
Cross tenant access type: B2B collaboration
Application: Office 365 SharePoint Online
Sign-in error code: 500121
Failure reason: Authentication failed during strong authentication request.
Additional Details: The user didn't complete the MFA prompt. They may have decided not to authenticate, timed out while doing other work, or has an issue with their authentication setup.

Searching for 500121, I have found other discussions with the same issue but no solution for it:

  1. https://techcommunity.microsoft.com/t5/sharepoint/mfa-error-external-user-accessing-sharepoint/m-p/3...

  2. https://techcommunity.microsoft.com/t5/microsoft-teams/teams-mfa-not-working-for-specific-user-as-gu...

Given that MFA works flawlessly on our side, is the issue the responsibility of the external tenant? I.e. it is they that are requiring MFA for guest users, therefore the issue lies with them somehow?

Any pearls of wisdom here... it's pretty frustrating.

EDIT: another user in our tenant has now been sent the link to the external SharePoint content and this user is able to access it without any issue. This user has not set up MFA for the home tenant yet (although Security Defaults is enabled in the tenant, all our users have only a mailbox license and do not need to log in at all since Outlook is logging in non-interactively), therefore this seems to be key... it seems like the MFA requirement is not being requested by the external tenant, since this user can access the content without being prompted for it at all...

The plot thickens...
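Editor's note with an added example (this is not code from the original poster or from Microsoft, and nothing in the thread confirms it is the cause here). The log excerpt above says "User type: Guest" and "Cross tenant access type: B2B collaboration", which means the sign-in was evaluated against the external (resource) tenant's policies. In B2B collaboration the resource tenant does not trust a home tenant's MFA claim unless its inbound cross-tenant access settings say so; otherwise the guest object in the resource tenant carries its own MFA registration, and a push or TOTP method registered only in the home tenant is not the one being challenged. The script below, run from the home tenant with the Microsoft Graph PowerShell SDK, pulls the user's 500121 failures and labels each one with the tenant that raised the challenge, then lists what the user has registered at home. Assumptions: the Microsoft.Graph.Beta.Reports and Microsoft.Graph.Identity.SignIns modules are installed, the signed-in admin holds the listed scopes, and `$Upn` is a placeholder you fill in.

```powershell
# Added example, not part of the original thread. Triage a 500121 "strong authentication"
# failure for one user from the HOME tenant's sign-in logs and show which tenant actually
# raised the MFA challenge. Assumes Microsoft.Graph.Beta.Reports and
# Microsoft.Graph.Identity.SignIns are installed and the admin holds the scopes below.
param(
    [Parameter(Mandatory)] [string] $Upn,   # placeholder: the affected user's UPN
    [int] $Days = 7
)

Connect-MgGraph -Scopes 'AuditLog.Read.All', 'Directory.Read.All', 'UserAuthenticationMethod.Read.All' -NoWelcome
$homeTenantId = (Get-MgContext).TenantId

# 1. Every 500121 failure for this user in the window. The beta signIn resource exposes
#    UserType, CrossTenantAccessType, ResourceTenantId and MfaDetail; v1.0 does not.
$since  = (Get-Date).ToUniversalTime().AddDays(-$Days).ToString('yyyy-MM-ddTHH:mm:ssZ')
$filter = "userPrincipalName eq '$Upn' and status/errorCode eq 500121 and createdDateTime ge $since"
$failures = Get-MgBetaAuditLogSignIn -Filter $filter -All

$failures | ForEach-Object {
    # If ResourceTenantId is not our own tenant, the MFA requirement that fired belongs to
    # the external tenant. The guest object there has its own MFA registration: either that
    # tenant trusts our MFA through its inbound cross-tenant access settings, or the user
    # has to register methods there as a guest.
    $challengedBy = if ($_.ResourceTenantId -eq $homeTenantId) {
        'home tenant'
    } else {
        "resource tenant $($_.ResourceTenantId)"
    }
    [pscustomobject]@{
        When         = $_.CreatedDateTime
        App          = $_.AppDisplayName
        UserType     = $_.UserType
        AccessType   = $_.CrossTenantAccessType
        MfaMethod    = $_.MfaDetail.AuthMethod   # empty when no home method was exercised
        MfaDetail    = $_.MfaDetail.AuthDetail
        ChallengedBy = $challengedBy
        Reason       = $_.Status.FailureReason
    }
} | Format-Table -AutoSize

# 2. What the user has registered in OUR tenant. These are the methods home-tenant prompts
#    use; they say nothing about the guest registration held by the external tenant.
Get-MgUserAuthenticationMethod -UserId $Upn |
    ForEach-Object { $_.AdditionalProperties['@odata.type'] -replace '#microsoft.graph.', '' } |
    Sort-Object -Unique
```

If every failure row shows ChallengedBy as the external tenant and an empty MfaMethod, the push that never arrived was requested by the resource tenant, and the fix sits on that side: either the resource tenant enables MFA trust for your tenant in its inbound cross-tenant access settings, or the user completes MFA registration as a guest in that tenant (which is also why a TOTP code from the home-tenant Authenticator entry would be rejected there).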

3 Replies

@jimmyhurr

Did you get any resolution to this? I am having a user with the same issue.

Did you get any further with this? I'm having a similar issue: external SharePoint asking for 'approve sign in request' to their Authenticator app, but no notification is received. I look in Azure and can see a failure for the user in 'sign-in logs' stating 'The user didn't complete the MFA prompt'. The only thing I could see was that the 'onmicrosoft' fallback account name is referenced in the request, not the user's default account name. 'Internal' MFA & Authenticator requests work fine.

Just thinking it may be because of the MFA device registered with the external tenant. Trying to get them to revoke/re-register/delete MFA for the user in their Azure...