Chris Visscher commented
To be able to use Azure Active Directory to authenticate securely, a company's IT department needs to have the ability to enforce MFA for all (Cloud) applications that are being used by its users. This means ALL Cloud Apps, not just the ones that are registered in its own Tenant.
In Conditional Access there is a control stating "Control user access based on all or specific cloud apps or actions". Setting this to All Cloud Apps does not actually apply to all cloud apps, it just applies to the Enterprise Apps registered in one's Tenant. Cloud Apps used in remote Tenants (where the user is B2B invited to as a Guest user) do not fall in this category, nor can they be included in any way at the moment.
The only sure, logical, and proper way of guaranteeing that users are forced to authenticate with MFA when using Cloud Apps in another AAD Tenant is to make the user go through the MFA process inside their own Tenant. Unfortunately, Microsoft currently does not (yet) support that.
As also already mentioned, going through one's own Tenant MFA process would make this a much more clear and straightforward experience for the End User. On top, it would save on (indirect) AAD Premium license cost in every remote Tenant used by an organization since they would not have to get an additional license to support MFA for Guest users in those remote Tenants. (This last part might not be a great incentive for Microsoft to change anything though).
In the AAD sign-ins log in one's own Tenant, the sign-ins to B2B provided / remote Tenant hosted Cloud Apps are visible, including the remote App ID, so it would already be useful if Conditional Access would allow configuring specific (remote) App IDs to be included in an "MFA enforced" policy to allow better control as a first step to solve this problem.
1,064 votes · 140 comments · Azure Active Directory » User Creation, Deletion, and Profile Management
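The check the post describes, reading remote App IDs out of the home-tenant sign-in log and spotting guest sign-ins to other tenants that completed without MFA, as an added example that is not part of the thread or of any Microsoft tooling. Field names follow the Microsoft Graph signIn schema; the log records and the tenant and app identifiers are constructed placeholders, not real GUIDs.

```python
"""Find B2B guest sign-ins to apps hosted in other tenants that completed
without MFA. Added example, not code from the thread or from Microsoft.
Field names follow the Microsoft Graph signIn resource; tenant and app
identifiers below are constructed placeholders, not real GUIDs."""
import json
from collections import defaultdict

HOME_TENANT = "tenant-home"  # constructed placeholder for our own tenant ID

# Constructed sample sign-in log export, one JSON record per line.
SAMPLE_SIGNINS = """\
{"userPrincipalName": "alice@home.example", "appId": "app-intranet", "homeTenantId": "tenant-home", "resourceTenantId": "tenant-home", "authenticationRequirement": "singleFactorAuthentication"}
{"userPrincipalName": "alice@home.example", "appId": "app-partner-portal", "homeTenantId": "tenant-home", "resourceTenantId": "tenant-fabrikam", "authenticationRequirement": "singleFactorAuthentication"}
{"userPrincipalName": "bob@home.example", "appId": "app-partner-portal", "homeTenantId": "tenant-home", "resourceTenantId": "tenant-fabrikam", "authenticationRequirement": "multiFactorAuthentication"}
{"userPrincipalName": "carol@home.example", "appId": "app-supplier-erp", "homeTenantId": "tenant-home", "resourceTenantId": "tenant-woodgrove", "authenticationRequirement": "singleFactorAuthentication"}
"""

def parse_signins(jsonl: str) -> list[dict]:
    """Parse a JSON-lines export into records, skipping blank lines."""
    return [json.loads(line) for line in jsonl.splitlines() if line.strip()]

def is_remote_tenant_signin(rec: dict, home_tenant: str) -> bool:
    """True when our user signed in to a resource hosted in another tenant,
    i.e. the B2B guest case that home-tenant Conditional Access cannot reach."""
    resource_tenant = rec.get("resourceTenantId")
    return bool(resource_tenant) and resource_tenant != home_tenant

def lacks_mfa(rec: dict) -> bool:
    """True unless the sign-in required multi-factor authentication."""
    return rec.get("authenticationRequirement") != "multiFactorAuthentication"

def find_unprotected_remote_signins(jsonl: str, home_tenant: str) -> list[tuple[str, str, str]]:
    """Return (user, remote tenant, remote app ID) for every single-factor
    sign-in to an app in another tenant."""
    return [
        (rec["userPrincipalName"], rec["resourceTenantId"], rec["appId"])
        for rec in parse_signins(jsonl)
        if is_remote_tenant_signin(rec, home_tenant) and lacks_mfa(rec)
    ]

def remote_app_inventory(jsonl: str, home_tenant: str) -> dict[str, set[str]]:
    """Map each remote tenant to the app IDs our users reach there: the list
    an admin would feed into an "include these remote App IDs" policy."""
    inventory: dict[str, set[str]] = defaultdict(set)
    for rec in parse_signins(jsonl):
        if is_remote_tenant_signin(rec, home_tenant):
            inventory[rec["resourceTenantId"]].add(rec["appId"])
    return dict(inventory)

if __name__ == "__main__":
    for user, tenant, app in find_unprotected_remote_signins(SAMPLE_SIGNINS, HOME_TENANT):
        print(f"no MFA: {user} -> app {app} in tenant {tenant}")
```

Sign-ins to the home tenant itself are deliberately skipped, since those are already covered by the tenant's own Conditional Access policies.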
Admin: Thanks for letting us know this is important to you. This is something we are considering, but there is no timeline yet. We would love to hear more about the specific scenarios that this is needed for, so keep providing info.
Currently, we are not aware of any plans from Windows Server for this capability. We'll continue to work with Windows Server to revisit this in the near future.