
Multi-Factor Authentication (MFA)

Learn and ask questions on how to implement MFA

JANA6
Visitor 1

Enforcing 2 mfa methods for guest accounts

Hi everyone,

I am trying to configure external MFA for guest accounts in my Azure environment, but we are a bit worried about the number of problems we are going to get if we enable it for every guest account, because the MFA application doesn't work, or someone loses his phone, or something else.

So first we want to enable SSPR for guest accounts, so that they will register 2 types of methods. If the user's authenticator app doesn't work anymore, then they will get a text message to log in to our tenant. But after some research and some testing, SSPR doesn't work for guest accounts. So right now we have a problem, because the ICT-Servicedesk will be very busy if the guest users' MFA doesn't work. They will call us for support. This is something we don't want, because too many people are involved in this flow.

Right now I see two options for us. The first option is to give the servicedesk employees an admin account to re-register the MFA for guest users. This will be a risk, because some employees don't have the knowledge to work with Azure AD yet and they will have almost full access to our Azure AD. The second/better option we have is to let guest users register 2 MFA methods at the beginning. I have done some research around the internet, but I didn't find a solution yet.

So my questions to you guys are:

  1. Is there a possibility to let guest users register 2 MFA methods at the start without the use of SSPR?
  2. Is there a better solution for the servicedesk to update guest users' MFA settings without making an admin account for all the employees?


1 ACCEPTED SOLUTION
mlamberty
Level 2 Contributor

@JANA6 

I have 2 suggestions to resolve your concerns:

1. You can give the helpdesk users a limited admin role such as User Administrator or Authentication Administrator.

2. Guest users can choose to use email instead of phone or the Authenticator App as the MFA method; this would remove the problem of lost or stolen devices.

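As an added example that is not part of this thread (not the poster's or Microsoft's code): since two methods cannot be enforced at registration, the servicedesk can instead audit guests proactively. This PowerShell script uses the Microsoft Graph PowerShell SDK to list guest users with fewer than two MFA-capable registered methods; it assumes the Microsoft.Graph.Reports module is installed and the signed-in account holds a role that can consent to AuditLog.Read.All.

```powershell
# Added example: find guest users who have fewer than two MFA-capable methods
# registered, so the servicedesk can follow up before the guest is locked out.
# Assumes: Microsoft.Graph.Reports installed; AuditLog.Read.All consented.
param(
    [int]$MinimumMethods = 2,
    [string]$CsvPath = ".\guests-below-threshold.csv"   # output location (assumed)
)

Connect-MgGraph -Scopes "AuditLog.Read.All"

# The registration report covers every user in the tenant; keep guests only.
$guests = Get-MgReportAuthenticationMethodUserRegistrationDetail -All |
    Where-Object { $_.UserType -eq 'guest' }

$report = foreach ($u in $guests) {
    # 'email' is usable for SSPR only, not for MFA, so it is not counted here.
    $mfaMethods = @($u.MethodsRegistered | Where-Object { $_ -ne 'email' })
    if ($mfaMethods.Count -lt $MinimumMethods) {
        [pscustomobject]@{
            UserPrincipalName = $u.UserPrincipalName
            MethodCount       = $mfaMethods.Count
            Methods           = ($mfaMethods -join ';')
            IsMfaRegistered   = $u.IsMfaRegistered
        }
    }
}

# Console view for the servicedesk and a CSV for ticketing/follow-up.
$report | Sort-Object MethodCount, UserPrincipalName | Format-Table -AutoSize
$report | Export-Csv -Path $CsvPath -NoTypeInformation
Write-Host ("{0} of {1} guest users have fewer than {2} MFA-capable methods." -f `
    @($report).Count, @($guests).Count, $MinimumMethods)
```

Run it from an account holding a read-only reporting role rather than a Global Administrator account, and pair it with the limited helpdesk role suggested above so the follow-up stays least-privilege.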

2 REPLIES

JanoschUlmer
Microsoft

@JANA6 : Well, SSPR does not apply to guest users, since you don't control their password, thus self-service password reset is not applicable. I would recommend opening a request with the Technical Presales & Deployment Services team (see my signature below) so a consultant can check and research whether there is any way to enforce two authentication methods for guest users. I don't think this is possible, though, but it's better to double check.


Kind regards, Janosch
Receive consultations via Technical Presales and Deployment Services team