Azure AD: Cross Tenant access requires multiple MFA registration?


It is a requirement for Microsoft Partners to enable MFA for all users in the organization, but as far as multi-tenant Azure AD MFA is concerned, organizations can choose to enable/disable MFA for guests and single users.

Mostly, organizations select MFA to be enabled for the whole Azure AD tenant while setting it up, which can later be enabled/disabled for individuals.

Let's focus on "Why can a guest's home tenant not send some kind of attestation that MFA is in place on the home user account?"

One of the users in the community responds to the above question as follows:

“We have lots of our customers in our tenant as guests for Teams channels because we invite the customer primary contact(s) into a channel that has their support engineers present. When we switched on conditional access to enforce MFA on all users, the guests got prompted to set up MFA even though they already have MFA on their home account.

For the time being I've added an exclusion on our conditional access policy to exclude guests and the dashboard is still saying we're 100% compliant after a few days, but what I'm reading here is that potentially these guest accounts are going to become useless unless all the guests wrestle with adding MFA on every instance they're a guest (which is totally mad).

We're not creating another tenant and shoving all our CSP stuff in there; it just adds so much friction and if anything reduces security, because right now when someone joins or leaves our organization their Azure AD account sets up and cuts off their access to everything. If we begin having separate accounts in another tenant for CSP, you can bet someone is going to forget to cut that off when someone leaves and access carries on until someone notices.

We are 100% on board with MFA being required, and I understand requiring MFA on a guest that doesn't reside in another Azure AD tenant (like a random @gmail.com user should be made to set up MFA), but where the user originates from Azure AD and has MFA on their home account, can it be that hard for MSFT to pass some kind of trusted flag across to the guest login that skips MFA if the home account has it?”

MY TAKE:

I understand requiring MFA on a guest that doesn't reside in another Azure AD tenant (like a random @gmail.com user should be made to set up MFA), but where the user originates from Azure AD and has MFA on their home account, can it be that hard for MSFT to pass some kind of trusted flag across to the guest login that skips MFA if the home account has it? In the same thread another user shared a suggestion for this feature to be made available, but the link may have expired or the feature may no longer be under consideration.
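As an added example, not the poster's own configuration: the conditional access workaround the post describes (exclude guests from the MFA policy) shown beside the Azure AD cross-tenant access inbound trust setting, which lets the resource tenant accept the MFA claim issued by a guest's home tenant and is the "trusted flag" the post asks about. It uses the Microsoft Graph PowerShell SDK; the policy names and the partner tenant id are placeholders.

```powershell
# Added example (not from the original post). Requires the Microsoft.Graph
# PowerShell SDK and an account with the two policy scopes below.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.ReadWrite.CrossTenantAccess"

# Shared skeleton: require MFA for every user on every app. Created in
# report-only mode so sign-in logs can be reviewed before enforcement.
function New-MfaPolicyBody([string]$Name, [bool]$ExcludeGuests) {
    $users = @{ includeUsers = @("All") }
    if ($ExcludeGuests) { $users.excludeUsers = @("GuestsOrExternalUsers") }
    @{
        displayName   = $Name                                   # placeholder name
        state         = "enabledForReportingButNotEnforced"
        conditions    = @{
            users        = $users
            applications = @{ includeApplications = @("All") }
        }
        grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
    }
}

# 1. The workaround from the thread. Weak: guests, including consumer-mail
#    guests with no home-tenant MFA, are never asked for MFA in this tenant,
#    yet the compliance dashboard still reports 100% because they are out of scope.
$weak = New-MfaPolicyBody -Name "Require MFA (guests excluded)" -ExcludeGuests $true
New-MgIdentityConditionalAccessPolicy -BodyParameter $weak

# 2. Preferred: keep guests in scope, and for a known partner tenant accept the
#    MFA claim their home Azure AD tenant places in the token. Guests from that
#    tenant satisfy the "mfa" grant control without re-registering here; guests
#    from untrusted tenants or consumer accounts still do MFA in this tenant.
$fixed = New-MfaPolicyBody -Name "Require MFA (all users incl. guests)" -ExcludeGuests $false
New-MgIdentityConditionalAccessPolicy -BodyParameter $fixed

$partnerTenantId = "00000000-0000-0000-0000-000000000000"   # placeholder, not a real id
New-MgPolicyCrossTenantAccessPolicyPartner -TenantId $partnerTenantId `
    -InboundTrust @{ IsMfaAccepted = $true }

# Verify what is now trusted from that partner before enforcing the policy.
Get-MgPolicyCrossTenantAccessPolicyPartner `
    -CrossTenantAccessPolicyConfigurationPartnerTenantId $partnerTenantId |
    Select-Object -ExpandProperty InboundTrust
```

Setting inbound trust on the default configuration instead of per partner would accept MFA claims from every Azure AD tenant, so scope it to tenants whose MFA posture you actually trust.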
