Hero Banner

Multi-Factor Authentication (MFA)

Learn and ask questions on how to implement MFA

Visitor 1

Baseline policy enforces Teams Guests to register using the mobile app

Hi All,


I have a real world scenario that is being detrimentally affected by the Baseline policies 'sledgehammer to crack a nut' approach, and would appreciate some suggestions on how to resolve.


We use Teams as a mechanism to run projects jointly with customers, and invite customer stakeholders as guests into the associated Teams in our tenant. With the 'End User Protection' Baseline policy, all users, even guests are required to register for MFA access, and can only select the Azure Authenticator Mobile app as authentication method.


I appreciate that this is the most secure method of pushing MFA prompts, however it is impractical to enforce customer guests accounts to install an app on their phone and register their guest account against the app for the sole purpose of 'potentially' having to receive an MFA prompt. It would be much less onerous and intrusive if we could at least have an option for them to register for SMS/phone call (we can even pre-fill their auth details) - I appreciate this is less secure, but really the security breach footprint of a guest account access to a single team is neglible at best. Keep in mind also that some customer stakeholders do not have corporate mobile devices, and are unwilling to install 3rd party MFA apps on their personal devices.


A potential workaround is to use the customers tenant for authoring the Team and invite ourselves as guests into their tenant, however this is exceedlingly impractical as we are being charged with the project management and need to retain the content.


The blanket MFA rules being enforced are really hurting the productivity of your partners.