B2B User Identity Protection Status
B2B (Guest) users should show up in the "Risky Users" report if they are being blocked from your AAD tenant. I had a case where the B2B user failed to enroll in MFA within the grace period, then failed enough of their logins that Identity Protection flagged them as "High Risk", but there is nothing to indicate that in any query or report that the tenant admin has access to view. All we could find was a message that they needed to enroll in MFA, which we reset about 10 times before support checked diagnostics on the backend and found the issue.
I understand that exposing information from a user's home organisation to us could be problematic, but when a B2B federated guest tries to access one of our systems and is blocked due to user risk we should have *some* ability to see that this has happened.
We recently had a case where several guests whose home organisations didn't block access by "risky" users were blocked by our CA policies. They reported they could log in fine to their home organisation systems but were blocked from our systems, and the only indication available to us of what happened was the login record in our tenancy saying
Conditional access: Success
Failure reason: Other
Sign-in error code: 530032
and nothing in the AAD console under “Risky sign-ins”, “Risk detections”, or “Risky users”. This made determining the cause of their access being blocked extremely frustrating.
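To surface the pattern the comment above describes from exported sign-in logs, here is an added example (not part of the original post or of any Microsoft tooling) that flags guest sign-ins recorded as Conditional Access "success" with failure reason "Other" and error code 530032; it assumes records shaped like Microsoft Graph signIn objects, and the field names, tenant names and UPNs are constructed for illustration.

```python
import json

# Constructed sample records shaped like Microsoft Graph /auditLogs/signIns
# objects (field names are an assumption; values are made up for this example).
SAMPLE_SIGNINS = json.loads("""[
 {"userPrincipalName": "alice_contoso.com#EXT#@fabrikam.onmicrosoft.com",
  "userType": "guest", "conditionalAccessStatus": "success",
  "status": {"errorCode": 530032, "failureReason": "Other"},
  "riskLevelDuringSignIn": "none", "resourceDisplayName": "SharePoint Online"},
 {"userPrincipalName": "bob@fabrikam.com", "userType": "member",
  "conditionalAccessStatus": "success",
  "status": {"errorCode": 0, "failureReason": "Other"},
  "riskLevelDuringSignIn": "none", "resourceDisplayName": "Office 365"},
 {"userPrincipalName": "carol_tailspin.com#EXT#@fabrikam.onmicrosoft.com",
  "userType": "guest", "conditionalAccessStatus": "failure",
  "status": {"errorCode": 53003, "failureReason": "Blocked by Conditional Access"},
  "riskLevelDuringSignIn": "none", "resourceDisplayName": "Teams"}
]""")

# Sign-in error code quoted in the comment above for the risk-based block.
RISK_BLOCK_ERROR_CODE = 530032


def is_silent_guest_risk_block(rec):
    """True for the pattern described above: a guest sign-in that the
    sign-in log records as CA 'success' with failure reason 'Other' and
    error code 530032, while the tenant's own risk views show nothing."""
    status = rec.get("status", {})
    return (rec.get("userType", "").lower() == "guest"
            and status.get("errorCode") == RISK_BLOCK_ERROR_CODE
            and status.get("failureReason", "").lower() == "other"
            and rec.get("conditionalAccessStatus", "").lower() == "success")


def find_silent_guest_risk_blocks(records):
    """Return (upn, resource, riskLevelDuringSignIn) for each matching record,
    so an admin can see which guests hit the pattern and that the tenant-side
    risk level stays empty even though the sign-in was blocked."""
    return [(r["userPrincipalName"], r.get("resourceDisplayName", ""),
             r.get("riskLevelDuringSignIn", "none"))
            for r in records if is_silent_guest_risk_block(r)]


if __name__ == "__main__":
    for upn, res, risk in find_silent_guest_risk_blocks(SAMPLE_SIGNINS):
        print(f"guest {upn} blocked from {res} (530032); tenant-side risk: {risk}")
```

Run the same filter over a real export (for example the JSON returned by the Graph signIns endpoint) to get a list of affected guests without waiting for a support diagnostic.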