B2B Scenario - the B2B Guest User should use the MFA of their authenticating tenant
In a B2B scenario, I share information on ODfB or SPO with external users from another tenant and require MFA to access this information.
The B2B user would need to enroll into the MFA for my tenant, even though he is already set up to use MFA in his tenant. This would result in multiple Authenticator accounts for the same original Azure Account.
I would expect the Service hosting Azure AD to accept the MFA of the users home tenant.
We’re working on features to make this experience better. Thanks for the feedback!
Steve Drzaszcz commented
Better guidance over how Guests are handled would be nice. Many of the docs on MS site do not specifically point out Guests/B2B are a totally separate ball game (things like MFA doesn't apply unless targeted appropriately).
Requiring MFA for guests should NOT require an Azure AD Premium license; pay to play security for the basics just seems wrong.
Alex Carlock commented
I was very surprised and confused by this behavior when we started requiring MFA for all accounts (including guests). I'm worried it'll confuse our guests as we roll this out.
Nathan Sanders commented
Yes please! Urgently need!
Scott Pettit commented
I wish to add my support for this - with MFA requirements jumping between tenants with Teams and ODfB/SharePoint links it's totally unworkable for users to have to figure out adding lots of MFA accounts in Authenticator.
Where Microsoft controls Azure AD I think it's reasonable Microsoft should be able to pass some kind of attestation that MFA took place on the home tenant.
I understand this wouldn't necessarily be supported where a non-Microsoft home authentication occurred (like Google auth etc), but perhaps organisations could make their own decision on whether to trust non-Microsoft MFA attestations.
Agree completely!! It's impossible to have dozens of MFAs on the authenticator app for the same account. It makes no sense.