B2B Scenario - the B2B Guest User should use the MFA of their authenticating tenant
In a B2B scenario, I share information on ODfB or SPO with external users from another tenant and require MFA to access this information.
The B2B user would need to enroll into the MFA for my tenant, even though he is already set up to use MFA in his tenant. This would result in multiple Authenticator accounts for the same original Azure Account.
I would expect the Service hosting Azure AD to accept the MFA of the user's home tenant.
We’re working on features to make this experience better. Thanks for the feedback!
Bryce Roney commented
Agreed, being able to enforce MFA for B2B guests but allow that to come from the host tenancy would be much more seamless.
Please consider a way to forward this claim between B2B tenant guest authentications. The "MFA requirement satisfied by claim in the token" authentication requirement for meeting MFA works great if you authenticate to your HOME realm tenant. After enforcing MFA via conditional access in the GUEST tenant, the claim is not sent in the federated authentication between HOME realm tenant and the GUEST tenant. This means B2B guest users must MFA twice with two different technologies if the HOME tenant is federated to a separate IDP.
Steve Drzaszcz commented
Better guidance over how Guests are handled would be nice. Many of the docs on the MS site do not specifically point out that Guests/B2B are a totally separate ball game (things like MFA doesn't apply unless targeted appropriately).
Requiring MFA for guests should NOT require an Azure AD Premium license; pay-to-play security for the basics just seems wrong.
Alex Carlock commented
I was very surprised and confused by this behavior when we started requiring MFA for all accounts (including guests). I'm worried it'll confuse our guests as we roll this out.
Nathan Sanders commented
Yes please! Urgently need!
Scott Pettit commented
I wish to add my support for this - with MFA requirements jumping between tenants with Teams and ODfB/SharePoint links it's totally unworkable for users to have to figure out adding lots of MFA accounts in Authenticator.
Where Microsoft controls Azure AD I think it's reasonable Microsoft should be able to pass some kind of attestation that MFA took place on the home tenant.
I understand this wouldn't necessarily be supported where a non-Microsoft home authentication occurred (like Google auth etc.), but perhaps organisations could make their own decision on whether to trust non-Microsoft MFA attestations.
Agree completely!! It's impossible to have dozens of MFAs on the authenticator app for the same account. It makes no sense.
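The thread asks for exactly the capability that Azure AD (now Microsoft Entra ID) later shipped as cross-tenant access settings: an inbound trust setting that lets a guest's MFA claim from their home Azure AD tenant satisfy this tenant's MFA Conditional Access grant control, so the guest is not forced to enroll a second Authenticator account. The following is an added example, not from the thread or from Microsoft; it audits the current default inbound trust and then enables MFA trust for one named partner tenant only. It assumes the Microsoft Graph PowerShell SDK (Microsoft.Graph.Identity.SignIns module); the cmdlet and parameter names follow that SDK's conventions and should be checked against the installed module version. The tenant ID is a placeholder.

```powershell
# Added example (not from the thread): inspect and set cross-tenant access inbound
# trust so that MFA performed in a guest's home tenant satisfies this tenant's
# MFA requirement. Assumes the Microsoft.Graph PowerShell SDK is installed.
Connect-MgGraph -Scopes "Policy.Read.All", "Policy.ReadWrite.CrossTenantAccess"

# 1. Audit: what does the tenant-wide default inbound trust look like today?
#    All three flags default to false, which is why guests are re-prompted for MFA.
$default = Get-MgPolicyCrossTenantAccessPolicyDefault
$default.InboundTrust |
    Format-List IsMfaAccepted, IsCompliantDeviceAccepted, IsHybridAzureAdJoinedDeviceAccepted

# 2. Scope the trust narrowly: accept MFA claims from one partner tenant rather than
#    from every Azure AD tenant. Trusting MFA means accepting that tenant's MFA
#    strength as equivalent to your own, so limit it to partners you have vetted.
$partnerTenantId = "00000000-0000-0000-0000-000000000000"   # placeholder: partner tenant ID

$trust = @{
    IsMfaAccepted                     = $true    # accept the home tenant's MFA claim
    IsCompliantDeviceAccepted         = $false   # leave device-based trust off
    IsHybridAzureAdJoinedDeviceAccepted = $false
}

$existing = Get-MgPolicyCrossTenantAccessPolicyPartner `
    -CrossTenantAccessPolicyConfigurationPartnerTenantId $partnerTenantId `
    -ErrorAction SilentlyContinue

if ($null -eq $existing) {
    # No partner-specific configuration yet: create one with the inbound trust set.
    New-MgPolicyCrossTenantAccessPolicyPartner -TenantId $partnerTenantId -InboundTrust $trust
} else {
    # Partner configuration exists: update only the inbound trust block.
    Update-MgPolicyCrossTenantAccessPolicyPartner `
        -CrossTenantAccessPolicyConfigurationPartnerTenantId $partnerTenantId `
        -InboundTrust $trust
}

# 3. Verify the change took effect.
(Get-MgPolicyCrossTenantAccessPolicyPartner `
    -CrossTenantAccessPolicyConfigurationPartnerTenantId $partnerTenantId).InboundTrust |
    Format-List IsMfaAccepted
```

After this, a guest from the partner tenant who completed MFA at home should show "MFA requirement satisfied by claim in the token" in this tenant's sign-in log authentication details instead of an interactive MFA prompt. This only covers home tenants that are themselves Azure AD; a home tenant federated to a third-party IdP (the case raised above) still needs that IdP's MFA claim to be honored by the home tenant first, and non-Microsoft identity providers such as Google are not covered by inbound trust at all.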