B2B User Identity Protection Status
B2B (Guest) users should show up in the "Risky Users" report if they are being blocked from your AAD tenant. I had a case where the B2B user failed to enroll in MFA within the grace period, then failed enough of their logins that Identity Protection flagged them as "High Risk", but there is nothing to indicate that in any query or report that the tenant admin has access to view. All we could find was a message that they needed to enroll in MFA, which we reset about 10 times before support checked diagnostics on the backend and found the issue.
This is something we are investigating.
I understand that exposing information from a user's home organisation to us could be problematic, but when a B2B federated guest tries to access one of our systems and is blocked due to user risk we should have *some* ability to see that this has happened.
We recently had a case where several guests whose home organisations didn't block access by "risky" users were blocked by our CA policies. They reported they could log in fine to their home organisation systems but were blocked from our systems, and the only indication available to us of what happened was the login record in our tenancy saying
Conditional access: Success
Failure reason: Other
Sign-in error code: 530032
and nothing in the AAD console under “Risky sign-ins”, “Risk detections”, or “Risky users”. This made determining the cause of their access being blocked extremely frustrating.
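One way to surface the pattern this comment describes from an export of the resource tenant's sign-in logs (added example, not the commenter's code or a Microsoft tool): flag guest sign-ins that end in error 530032 while the local risk fields show nothing. The field names follow the Microsoft Graph signIn schema but are an assumption here, as is the sample data.

```python
"""Triage helper for guest sign-ins blocked with error 530032 while the resource
tenant's own risk views show nothing. Field names (status.errorCode, userType,
conditionalAccessStatus, riskState) are assumed from the Graph signIn schema;
adjust them to match your actual export."""
from collections import defaultdict

BLOCKED_ERROR_CODE = 530032  # sign-in error code quoted in the thread above

# Constructed sample records, not real tenant data.
SAMPLE_SIGNINS = [
    {"userPrincipalName": "alice_partner.example#EXT#@contoso.example", "userType": "guest",
     "conditionalAccessStatus": "success", "riskState": "none",
     "status": {"errorCode": BLOCKED_ERROR_CODE, "failureReason": "Other"}},
    {"userPrincipalName": "alice_partner.example#EXT#@contoso.example", "userType": "guest",
     "conditionalAccessStatus": "success", "riskState": "none",
     "status": {"errorCode": BLOCKED_ERROR_CODE, "failureReason": "Other"}},
    {"userPrincipalName": "bob@contoso.example", "userType": "member",  # member: would be visible
     "conditionalAccessStatus": "success", "riskState": "atRisk",
     "status": {"errorCode": BLOCKED_ERROR_CODE, "failureReason": "Other"}},
    {"userPrincipalName": "carol_partner.example#EXT#@contoso.example", "userType": "guest",
     "conditionalAccessStatus": "success", "riskState": "atRisk",  # risk visible locally
     "status": {"errorCode": BLOCKED_ERROR_CODE, "failureReason": "Other"}},
    {"userPrincipalName": "dave_partner.example#EXT#@contoso.example", "userType": "guest",
     "conditionalAccessStatus": "success", "riskState": "none",
     "status": {"errorCode": 0, "failureReason": "Other"}},  # successful sign-in
]


def hidden_risk_blocks(signins):
    """Return {upn: count} of guest sign-ins with error 530032 and no risk visible
    in the resource tenant. Members and guests with a visible riskState are skipped,
    since they already appear in the Risky users / Risky sign-ins views."""
    hits = defaultdict(int)
    for entry in signins:
        status = entry.get("status") or {}
        if status.get("errorCode") != BLOCKED_ERROR_CODE:
            continue
        if entry.get("userType") != "guest":
            continue
        if entry.get("riskState") not in (None, "none"):
            continue
        hits[entry["userPrincipalName"]] += 1
    return dict(hits)


if __name__ == "__main__":
    for upn, count in hidden_risk_blocks(SAMPLE_SIGNINS).items():
        print(f"{upn}: {count} sign-in(s) blocked with 530032 and no local risk shown")
```

Feed it the JSON array from a Graph `auditLogs/signIns` export or a Log Analytics query result to get a list of guests worth raising with their home tenant or with support.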
Currently, resource tenants with a User Risk Policy in place will face the problem that guest users with a risk that doesn't meet the risk policy will get blocked from accessing the resource tenant. As the risk for guest users can neither be seen nor changed, the only way to allow access to resources is to exclude them from the policy. It would be beneficial for admins of resource tenants to be able to reevaluate the risk for guest users on their tenant, instead of letting them bypass it and ignoring all future risk events for the user.