B2B Scenario - the B2B Guest User should use the MFA of their authenticating tenant
In a B2B scenario, I share information on ODfB or SPO with external users from another tenant and require MFA to access this information.
The B2B user would need to enroll into the MFA for my tenant, even though he is already set up to use MFA in his tenant. This would result in multiple Authenticator accounts for the same original Azure Account.
I would expect the Service hosting Azure AD to accept the MFA of the users home tenant.
We’re working on features to make this experience better. Thanks for the feedback!
Chris Visscher commented
To be able to use Azure Active Directory to authenticate securely, a company's IT department needs to have the ability to enforce MFA for all (Cloud) applications that are being used by its users. This means ALL Cloud Apps, not just the ones that are registered in its own Tenant.
In Conditional Access there is a control stating "Control user access based on all or specific cloud apps or actions". Setting this to All Cloud Apps does not actually apply to all cloud apps, it just applies to the Enterprise Apps registered in one's Tenant. Cloud Apps used in remote Tenants (where the user is B2B invited to as a Guest user) do not fall in this category, nor can they be included in any way at the moment.
The only sure, logical, and proper way of guaranteeing that users are forced to authenticate with MFA when using Cloud Apps in another AAD Tenant is to make the user go through the MFA process inside its own Tenant. Unfortunately, Microsoft currently does not (yet) support that.
As also already mentioned, going through one's own Tenant MFA process would make this a much clearer and more straightforward experience for the End User. On top, it would save on (indirect) AAD Premium license cost in every remote Tenant used by an organization, since they would not have to get an additional license to support MFA for Guest users in those remote Tenants. (This last part might not be a great incentive for Microsoft to change anything though).
In the AAD sign-ins log in one's own Tenant, the sign-ins to B2B provided / remote Tenant hosted Cloud Apps are visible including the remote App ID, so it would already be useful if Conditional Access would allow configuring specific (remote) App IDs to be included in an "MFA enforced" policy to allow better control as a first step to solve this problem.
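As an added illustration of the first step proposed in the comment above (this script is not part of the original thread and is not a Microsoft tool): a home-tenant admin can already mine the exported sign-in log for sign-ins by their own users into apps hosted in other tenants, see which of those completed with only single-factor authentication, and collect the remote App IDs per resource tenant as a candidate target list. The record shape follows the Microsoft Graph signIn resource; the field names relied on, the tenant and app IDs, and the records themselves are constructed assumptions for this example and should be checked against a real export.

```python
"""Triage exported Azure AD sign-in records from the home tenant: find sign-ins
by our own users into apps hosted in other tenants (B2B guest access) and
report those that completed with single-factor authentication only.
"""
import json
from collections import defaultdict

# Assumed home tenant ID (constructed for this example).
HOME_TENANT = "11111111-1111-1111-1111-111111111111"

# Constructed sample records shaped after the Microsoft Graph signIn resource.
# The fields used (homeTenantId, resourceTenantId, appId,
# authenticationRequirement, status.errorCode) are assumed to be present in
# the export; verify them against your own export before trusting the output.
SAMPLE_SIGNINS = json.loads("""
[
  {"userPrincipalName": "alice@contoso.example",
   "homeTenantId": "11111111-1111-1111-1111-111111111111",
   "resourceTenantId": "22222222-2222-2222-2222-222222222222",
   "appId": "aaaaaaaa-0000-0000-0000-000000000001",
   "appDisplayName": "Partner SharePoint",
   "authenticationRequirement": "singleFactorAuthentication",
   "status": {"errorCode": 0}},
  {"userPrincipalName": "alice@contoso.example",
   "homeTenantId": "11111111-1111-1111-1111-111111111111",
   "resourceTenantId": "11111111-1111-1111-1111-111111111111",
   "appId": "00000003-0000-0ff1-ce00-000000000000",
   "appDisplayName": "Office 365 SharePoint Online",
   "authenticationRequirement": "multiFactorAuthentication",
   "status": {"errorCode": 0}},
  {"userPrincipalName": "bob@contoso.example",
   "homeTenantId": "11111111-1111-1111-1111-111111111111",
   "resourceTenantId": "33333333-3333-3333-3333-333333333333",
   "appId": "cccccccc-0000-0000-0000-000000000003",
   "appDisplayName": "Supplier Portal",
   "authenticationRequirement": "multiFactorAuthentication",
   "status": {"errorCode": 0}},
  {"userPrincipalName": "bob@contoso.example",
   "homeTenantId": "11111111-1111-1111-1111-111111111111",
   "resourceTenantId": "22222222-2222-2222-2222-222222222222",
   "appId": "aaaaaaaa-0000-0000-0000-000000000001",
   "appDisplayName": "Partner SharePoint",
   "authenticationRequirement": "singleFactorAuthentication",
   "status": {"errorCode": 50076}},
  {"userPrincipalName": "carol@partner.example",
   "homeTenantId": "44444444-4444-4444-4444-444444444444",
   "resourceTenantId": "11111111-1111-1111-1111-111111111111",
   "appId": "00000003-0000-0ff1-ce00-000000000000",
   "appDisplayName": "Office 365 SharePoint Online",
   "authenticationRequirement": "singleFactorAuthentication",
   "status": {"errorCode": 0}},
  {"userPrincipalName": "bob@contoso.example",
   "homeTenantId": "11111111-1111-1111-1111-111111111111",
   "resourceTenantId": "22222222-2222-2222-2222-222222222222",
   "appId": "aaaaaaaa-0000-0000-0000-000000000001",
   "appDisplayName": "Partner SharePoint",
   "authenticationRequirement": "singleFactorAuthentication",
   "status": {"errorCode": 0}}
]
""")


def is_outbound_cross_tenant(rec, home_tenant):
    """True when one of OUR users signed in to an app hosted in ANOTHER tenant.
    Inbound guests (homeTenantId != home_tenant) are deliberately not reported
    here; the remote tenant's own policies apply to those."""
    return (rec.get("homeTenantId") == home_tenant
            and rec.get("resourceTenantId") not in (None, home_tenant))


def completed(rec):
    """A non-zero errorCode means the sign-in did not complete, so no access."""
    return rec.get("status", {}).get("errorCode", 0) == 0


def mfa_satisfied(rec):
    return rec.get("authenticationRequirement") == "multiFactorAuthentication"


def cross_tenant_report(records, home_tenant):
    """Return (unprotected, remote_apps).

    unprotected: list of (upn, resourceTenantId, appId) for completed
                 cross-tenant sign-ins that only required a single factor.
    remote_apps: dict resourceTenantId -> set of appIds seen (attempted or
                 completed); a candidate target list for an MFA policy.
    """
    unprotected = []
    remote_apps = defaultdict(set)
    for rec in records:
        if not is_outbound_cross_tenant(rec, home_tenant):
            continue
        remote_apps[rec["resourceTenantId"]].add(rec["appId"])
        if completed(rec) and not mfa_satisfied(rec):
            unprotected.append((rec["userPrincipalName"],
                                rec["resourceTenantId"], rec["appId"]))
    return unprotected, dict(remote_apps)


if __name__ == "__main__":
    weak, apps = cross_tenant_report(SAMPLE_SIGNINS, HOME_TENANT)
    for upn, tenant, app in weak:
        print(f"NO-MFA  {upn} -> tenant {tenant} app {app}")
    for tenant, ids in apps.items():
        print(f"remote tenant {tenant}: apps {sorted(ids)}")
```

The script keys on `authenticationRequirement` rather than on the presence of an MFA claim in the token, because that field is what the sign-in log export exposes; a real export may also carry `conditionalAccessStatus` and per-policy results, which can be used to confirm that the remote tenant's policy, not the home tenant's, was the one demanding the second factor.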
Georgi Panayotov commented
We absolutely need that for a SaaS application. It is quite confusing for users to create multiple accounts in Authenticator. Moreover I’ve experienced lots of MFA requests (i.e. it doesn’t persist successful authentication) when I enable it on the child tenant.
+1 on this. Really need seamless guest access across tenants. I've also found that it tries to authenticate with the user's home tenant first, errors out and never works until you click re-register MFA on the tenant where the guest user was added.
MFA is enforced with CA on both tenants.
I am really confused how this is working on Azure - displaying company A logo on the login screen and requiring MFA methods from company B. Took me a while to find this out. Hope you can roll out this improvement really soon. That's a bad user experience and is causing lots of trouble.
Yes please... we need this!!
Bryce Roney commented
Agreed, being able to enforce MFA for B2B guests but allow that to come from the host tenancy would be much more seamless.
Please consider a way to forward this claim between B2B tenant guest authentications. The "MFA requirement satisfied by claim in the token" authentication requirement for meeting MFA works great if you authenticate to your HOME realm tenant. After enforcing MFA via conditional access in the GUEST tenant, the claim is not sent in the federated authentication between HOME realm tenant and the GUEST tenant. This means B2B guest users must MFA twice with two different technologies if the HOME tenant is federated to a separate IDP.
Steve Drzaszcz commented
Better guidance over how Guests are handled would be nice. Many of the docs on the MS site do not specifically point out that Guests/B2B are a totally separate ball game (things like MFA doesn't apply unless targeted appropriately).
Requiring MFA for guests should NOT require an Azure AD Premium license; pay-to-play security for the basics just seems wrong.
Alex Carlock commented
I was very surprised and confused by this behavior when we started requiring MFA for all accounts (including guests). I'm worried it'll confuse our guests as we roll this out.
Nathan Sanders commented
Yes please! Urgently need!
Scott Pettit commented
I wish to add my support for this - with MFA requirements jumping between tenants with Teams and ODfB/SharePoint links it's totally unworkable for users to have to figure out adding lots of MFA accounts in Authenticator.
Where Microsoft controls Azure AD I think it's reasonable Microsoft should be able to pass some kind of attestation that MFA took place on the home tenant.
I understand this wouldn't necessarily be supported where a non Microsoft home authentication occurred (like Google auth etc), but perhaps organisations could make their own decision on whether to trust non-Microsoft MFA attestations.
Agree completely!! It's impossible to have dozens of MFAs on the Authenticator app for the same account. It makes no sense.