Weird issue with MFA for Guest Users

We have implemented MFA for external Guest Users in Entra ID. It is working fine for every external user so far. However, there are two users from the same external company who cannot get into our environment since the implementation. Both of them receive the following error when trying to log in:


AADSTS500082: SAML assertion is not present in the token.


When I check their Sign-In Logs, I see this "error":

User needs to perform multi-factor authentication. There could be multiple things requiring multi-factor, e.g. Conditional Access policies, per-user enforcement, requested by client, among others.


They also told me that they are not prompted with MFA. Their company does not have MFA configured. However, they are using MFA with other external environments just fine.


I tried revoking their MFA settings and their sessions. We also tried different browsers, private browser sessions and deleting cookies. Nothing has worked so far.


Does anyone have any idea what could cause these issues?

3 Replies

Hello @Random_User9801,


Thank you for creating this post about the AADSTS500082 error you encounter. I am a contributor with knowledge of Entra ID.


The sign-in process with SAML looks something like this:

An employee logs in using a URL leading to the Microsoft sign-in page.

The UPN and credential are provided, so the identity provider verifies the employee's identity using authentication details (e.g., username, password, PIN, device, or biometric data).

Now comes the MFA; in this case it is stopping the authentication flow, so the error is observed.


Usually, if SAML is mentioned, Single Sign-On (SSO) is also in the mix. I can suggest checking the application's SSO settings. What you can do is test the application from Enterprise applications > Find the app > Manage (left panel) > Test this application

Should this work, the application's SSO is working, so check the MFA settings, especially Security Defaults, per-user MFA, and the applied Conditional Access Policies which affect the sign-in.


If the issue persists and is causing impact on production, you are always able to open a service request using
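The reply above suggests checking which MFA-related controls (Security Defaults, per-user MFA, Conditional Access) are acting on the guest's sign-in. The following Microsoft Graph PowerShell snippet is an added example, not code from the original thread or from Microsoft, that pulls the recent failed sign-ins for one guest account and lists the error code, the failure reason and the Conditional Access policies that were applied to each attempt. The mail address `guest@contoso.com` and the tenant are placeholders; the script assumes the Microsoft.Graph PowerShell SDK is installed and that the signed-in admin can read the sign-in log.

```powershell
# Added example (not from the original thread): list a guest user's failed sign-ins
# together with the Conditional Access policies Entra ID applied to each attempt.
# Assumptions: Microsoft.Graph SDK installed; 'guest@contoso.com' is a placeholder.
Import-Module Microsoft.Graph.Users
Import-Module Microsoft.Graph.Reports

Connect-MgGraph -Scopes "User.Read.All", "AuditLog.Read.All", "Directory.Read.All"

$guestMail = "guest@contoso.com"   # placeholder: the affected external user's e-mail

# Guest objects carry a UPN of the form user_contoso.com#EXT#@<tenant>.onmicrosoft.com,
# which is awkward to put in an OData filter, so look the account up by mail and
# filter the sign-in log on its object ID instead.
$guest = Get-MgUser -Filter "mail eq '$guestMail'" -Property Id,UserPrincipalName,UserType
if (-not $guest) { throw "No user found with mail $guestMail" }
Write-Host "Checking $($guest.UserPrincipalName) (userType = $($guest.UserType))"

$signIns = Get-MgAuditLogSignIn -Filter "userId eq '$($guest.Id)'" -Top 50

foreach ($s in $signIns) {
    # Status.ErrorCode 0 is a successful sign-in; 500082 is the AADSTS500082
    # reported in the original post. Keep every non-zero code so nothing is hidden.
    if ($s.Status.ErrorCode -ne 0) {
        [pscustomobject]@{
            Time      = $s.CreatedDateTime
            App       = $s.AppDisplayName
            ErrorCode = $s.Status.ErrorCode
            Reason    = $s.Status.FailureReason
            CAStatus  = $s.ConditionalAccessStatus        # success / failure / notApplied
            AuthReq   = $s.AuthenticationRequirement      # singleFactorAuthentication / multiFactorAuthentication
            Policies  = ($s.AppliedConditionalAccessPolicies |
                         ForEach-Object { "$($_.DisplayName)=$($_.Result)" }) -join '; '
        }
    }
}
```

Run it once per affected guest. A row whose `AuthReq` is `multiFactorAuthentication` while `Policies` shows every policy as `notApplied` points at per-user MFA or Security Defaults rather than Conditional Access; a policy with result `failure` names the Conditional Access policy that demanded MFA and was not satisfied.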
Hello @ehalmiTke,

Thank you for your response.

As mentioned, those are external guest users which were invited into our environment. They are just trying to access Teams and/or SharePoint.

We are not their identity provider nor do we have SSO implemented for them.

They are not receiving an MFA prompt when trying to enter our environment; they just get greeted with the SAML error.

I am a bit confused, since I can't see the connection between the error and the missing MFA prompt for an external user.

You can use Fiddler to investigate what is happening. My suggestion is provided because the error indicates SAML, hence SSO is happening on the backend. To use Fiddler, check the following Learn article -