How can we improve Azure Active Directory?

← Azure Active Directory

B2B Scenario - the B2B Guest User should use the MFA or their autheticating tenant

In a B2B scenario, I share information on ODfB or SPO with external users from another tenant and require MFA ot access this information.
The B2B user would need to enroll into the MFA for my tenant, even though he already is setup to use MFA in his tenant. This would result in multiple Authenticator accounts for the same orignal Azure Account.
I would expect the Service hosting Azure AD to accept the MFA of the users home tenant.

87 votes
Sign in
(thinking…)
Sign in with: Microsoft
Forgot password?
Create a password
Signed in as (Sign out)
Close
Close

We’ll send you updates on this idea

Franck shared this idea  ·   ·  Flag idea as inappropriate…  ·  Admin →

9 comments

Sign in
(thinking…)
Sign in with: Microsoft
Forgot password?
Create a password
Signed in as (Sign out)
Close
Close
Submitting...
An error occurred while saving the comment
  • Mateusz commented  ·   ·  Flag as inappropriate

    I am really confused how this is working on Azure - displaying company A logo on login screen and requiring MFA methods from company B. Took me a while to find this out. Hope you can enroll this improvement really soon. Thats a bad user experience and causing lots of troubles

  • Bryce Roney commented  ·   ·  Flag as inappropriate

    Agreed, being able to enforce MFA for B2B guests but allow that to come from the host tenancy would be much more seamless.

  • Chad commented  ·   ·  Flag as inappropriate

    Please consider a way to forward this claim between B2B tenant guest authentications. The "MFA requirement satisfied by claim in the token" authentication requirement for meeting MFA works great if you authenticate to your HOME realm tenant. After enforcing MFA via conditional access in the GUEST tenant, the claim is not sent in the federated authentication between HOME realm tenant and the GUEST tenant. This means B2B guest users must MFA twice with two different technologies if the HOME tenant is federated to a separate IDP.

  • Steve Drzaszcz commented  ·   ·  Flag as inappropriate

    Better guidance over how Guests are handled would be nice. Many of the docs on MS site do not specifically point out Guests/B2B are a totally seperate ball game (things like MFA doesnt apply unless targeted appropriately)

    Requiring MFA for guests should NOT require a Azure AD Premium license; pay to play security for the basics just seems wrong.

  • Alex Carlock commented  ·   ·  Flag as inappropriate

    I was very surprised and confused by this behavior when we stated requiring MFA for all accounts (including guests). I'm worried it'll confuse our guests as we roll this out.

  • Scott Pettit commented  ·   ·  Flag as inappropriate

    I wish to add my support for this - with MFA requirements jumping between tenants with Teams and ODfB/SharePoint links it's totally unworkable for users to have to figure out adding lots of MFA accounts in Authenticator.

    Where Microsoft controls Azure AD I think it's reasonable Microsoft should be able to pass some kind of attestation that MFA took place on the home tenant.

    I understand this wouldn't necessarily be supported where a non Microsoft home authentication occurred (like Google auth etc), but perhaps organisations could make their own decision on whether to trust non-Microsoft MFA attestations.

  • Paolo commented  ·   ·  Flag as inappropriate

    Agree completly!! it's impossible to have dozens of MFAs on the authenticator app for the same account. it makes no sense.

Azure Active Directory: B2B

Categories

Feedback and Knowledge Base

(thinking…)
Hosted by UserVoice