SOLVED

Problem with multi-factor authentication with multiple organizations

I'm using Teams with two different organizations, but a single O365 account.

With my home organization, I have multi-factor authentication that has options to call/text my cell phone, call my home phone, call my office phone, or use Microsoft Authenticator, and I can successfully pick the 2nd factor for wherever I am (in office, home, or on the road with my mobile). Everything is great!

I also work with a second organization who also uses Teams, and they added me to their team with my home organization O365 account, but they also require multi-factor authentication. So when I first logged in, I specified my home organization email and password and then I was prompted to set up MFA. I was on the road at the time, so I specified my mobile for the 2nd factor, and everything seemed to be fine, I could log in to both organizations' Teams sites and work.

The problem however showed up later: when I was back in the office, I tried logging into our partner organization again, and this time, it said it had sent a code to my mobile (we can't bring our mobiles into the building where I work), but I had no options to use any of my other MFA options, it could only use my cell phone as the 2nd factor. OK, so run out to my car to get the code and run back in to find out that the validity period had expired, tried again several times and finally got in. Went to the account settings where the option to change multi-factor authentication settings was, and Teams sent me to my home organization MFA setup page, where all of my MFA options were already provisioned (office phone, home, mobile, MS Auth). I changed the default to office phone, but when I logged out of our partner organization and tried to log in again, the 2nd factor was still my cell phone and no other options were available.

The admin at the partner organization says he has no options available to him to change my settings, and my home organization admin has confirmed that as far as he can tell, everything is set up properly. Does anyone out there have any clue to how I can get the MFA settings for the 2nd organization to respect my home organization O365 MFA options, or if there's a way to get to a settings page for the 2nd organization specifically (again, even when I am logged into the partner organization's Teams site, the account settings options always send me back to my home organization's options, but the problem is that my preferences don't seem to be propagated back to the partner org)?

4 Replies
MFA settings are defined in the tenant that you are logging into, regardless of where the account come from as far as I know.

So if your MFA is wrong when logging in as a guest or not using the correct verification method you need to contact the admin for that tenant.

I do know that you can turn off email verification for MFA so if I have read your problem correctly that may have been done by the admin of the tenant you are trying to log into as a guest. The tenants I have access to they have turned off or it has already defaulted to not be able to use email as the factor.
I am having the same problem, except that I was trying to switch to a new phone. I was able to add my home organization to the new phone but the partner organization's sign-in is still only on the old phone. Like the OP, I use my home organization's account to sign on to both. I have been forced to carry around my old phone at work all day in order to be able to sign in to the partner org's page. This is a hassle. I've scoured the web site and tried clicking everywhere I can find, and I haven't found any help online about this.

Hi, try this resolution https://stackoverflow.com/questions/63079154/how-does-a-guest-user-reset-their-ms-authenticator-mfa-...

Adding these so you can verify your settings.

https://aka.ms/mfasetup
https://myaccount.microsoft.com
https://account.activedirectory.windowsazure.com/r#/profile

Btw, if no luck, reach out to the guest org's admin to have them enable your account for re-registering MFA.

Found this on the topic, you should vote on it to stay updated when status changes: B2B Scenario - the B2B Guest User should use the MFA or their autheticating tenant – Azure Product F...

best response confirmed by ChristianJBergstrom (MVP)
Solution

Adding to this old topic as we now have a Trust MFA check box in the Cross-tenant access settings in Azure AD. In preview but works great.

https://docs.microsoft.com/en-us/azure/active-directory/external-identities/cross-tenant-access-over...
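
For the partner organization's admin, the trust setting mentioned in the accepted answer can be reasoned about as data. The following is an added example (not part of the thread and not Microsoft's code) that decides whether MFA done in a guest's home tenant is accepted and, if not, builds a change scoped to that one tenant. Property names follow Microsoft Graph's `crossTenantAccessPolicy` resource; the tenant ID and policy contents are constructed, and treating an unset partner value as inheriting the default is an assumption.

```python
GRAPH = "https://graph.microsoft.com/v1.0/policies/crossTenantAccessPolicy"

# Constructed sample data shaped like Graph's crossTenantAccessPolicy objects.
HOME_TENANT = "11111111-1111-1111-1111-111111111111"  # placeholder GUID
DEFAULT_CFG = {"inboundTrust": {"isMfaAccepted": False,
                                "isCompliantDeviceAccepted": False,
                                "isHybridAzureADJoinedDeviceAccepted": False}}
PARTNERS = [{"tenantId": HOME_TENANT, "inboundTrust": None}]  # nothing set


def find_partner(partners, tenant_id):
    """Return the partner configuration for tenant_id, or None."""
    for p in partners:
        if p.get("tenantId", "").lower() == tenant_id.lower():
            return p
    return None


def effective_mfa_trust(default_cfg, partners, tenant_id):
    """Return (trusted, source): is home-tenant MFA accepted for this guest?"""
    partner = find_partner(partners, tenant_id)
    trust = (partner or {}).get("inboundTrust")
    if trust and trust.get("isMfaAccepted") is not None:
        return bool(trust["isMfaAccepted"]), "partner"
    # Assumption: an unset partner value falls back to the tenant default.
    trust = default_cfg.get("inboundTrust") or {}
    return bool(trust.get("isMfaAccepted")), "default"


def plan_trust_change(default_cfg, partners, tenant_id):
    """Return the Graph request that enables MFA trust for one partner tenant,
    or None if it is already trusted. The default policy is left untouched."""
    trusted, _ = effective_mfa_trust(default_cfg, partners, tenant_id)
    if trusted:
        return None
    partner = find_partner(partners, tenant_id)
    if partner is None:
        return {"method": "POST", "url": f"{GRAPH}/partners",
                "body": {"tenantId": tenant_id,
                         "inboundTrust": {"isMfaAccepted": True}}}
    # Keep any device-trust flags already set on the partner entry.
    merged = {**(partner.get("inboundTrust") or {}), "isMfaAccepted": True}
    return {"method": "PATCH", "url": f"{GRAPH}/partners/{tenant_id}",
            "body": {"inboundTrust": merged}}


if __name__ == "__main__":
    import json
    print(effective_mfa_trust(DEFAULT_CFG, PARTNERS, HOME_TENANT))
    print(json.dumps(plan_trust_change(DEFAULT_CFG, PARTNERS, HOME_TENANT), indent=2))
```

With trust off, the partner tenant requires its own MFA registration for the guest, which matches the behaviour described in the original question.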
