Mar 14 2022 06:01 AM - edited Mar 14 2022 06:03 AM
Hi all
So I am aware of cross-tenant MFA settings and we are testing this feature, but it does not help in all scenarios, e.g. a guest has AAD but doesn't have MFA enforced in their home tenant.
So Guests are forced to register for MFA in our tenant using a conditional access policy. This uses the authenticator app by default, unless they click the text 'I want to set up a different method' at the bottom (which no one notices).
Now using the app for Guests is problematic. Frequently they change phones and forget to move their authenticator app over, resulting in loss of access. When that happens, they have no way of getting back in since the app is their only authentication method. They don't have the number of our helpdesk since they are external, so they don't know how to call support and get their authentication methods reset. So they basically get locked out forever and just give up trying to access content shared with them.
So I would like to do one of the following:
I think the last option is the best, since SMS is not exactly secure. There is an option 'email one-time passcode for guests', however this only applies to Guests who don't have an AAD or MS account. It would be great if this option also applied to AAD guests who lost their app.
Does anyone know a way around this situation? We can't ask guests to go in via myapps, switch tenants, and add a method, that's just not going to happen.
Thanks
Hal
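As an added example (not from the original post or from Microsoft), a PowerShell script that finds the guests the post describes, i.e. those whose only registered MFA method is the Authenticator app, so the helpdesk can get a second method added before the phone is lost. It assumes the Microsoft Graph PowerShell SDK is installed; the output path is a placeholder.

```powershell
# Added example (not from the original thread): find guest users whose only registered
# MFA method is the Microsoft Authenticator app, i.e. the guests most likely to be
# locked out after a phone change, so the helpdesk can reach out before that happens.
# Assumes the Microsoft.Graph PowerShell SDK is installed and the admin consents to
# User.Read.All and UserAuthenticationMethod.Read.All. The output path is a placeholder.

Connect-MgGraph -Scopes 'User.Read.All', 'UserAuthenticationMethod.Read.All'

# Methods that still work after the phone is lost or replaced.
$fallbackMethods = @(
    '#microsoft.graph.phoneAuthenticationMethod',   # SMS / voice (weak, but recoverable)
    '#microsoft.graph.emailAuthenticationMethod',   # e-mail used for SSPR / OTP
    '#microsoft.graph.fido2AuthenticationMethod'    # security key
)
$authenticator = '#microsoft.graph.microsoftAuthenticatorAuthenticationMethod'

$guests = Get-MgUser -Filter "userType eq 'Guest'" -All `
    -Property Id, DisplayName, UserPrincipalName, Mail

$atRisk = foreach ($guest in $guests) {
    try {
        # Each method object carries its concrete type in '@odata.type'.
        $types = (Get-MgUserAuthenticationMethod -UserId $guest.Id).AdditionalProperties |
                 ForEach-Object { $_['@odata.type'] }
    } catch {
        Write-Warning "Could not read methods for $($guest.UserPrincipalName): $_"
        continue
    }

    $hasApp      = $types -contains $authenticator
    $hasFallback = @($types | Where-Object { $_ -in $fallbackMethods }).Count -gt 0

    if ($hasApp -and -not $hasFallback) {
        [pscustomobject]@{
            DisplayName       = $guest.DisplayName
            UserPrincipalName = $guest.UserPrincipalName
            Mail              = $guest.Mail
            RegisteredMethods = ($types -replace '#microsoft.graph.', '') -join ';'
        }
    }
}

# Hand the list to the helpdesk so these guests get a second method registered
# before they lose the phone, instead of after.
$atRisk | Export-Csv -Path 'C:\PLACEHOLDER\guests-single-method.csv' -NoTypeInformation
$atRisk | Format-Table -AutoSize
```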