
Multi-Factor Authentication (MFA)

Learn and ask questions on how to implement MFA

Jinseng
Level 5 Contributor

Guest accounts require MFA?

I understand that ALL accounts in a tenant require MFA, but I want to confirm that guest accounts will require it too. I enabled the Baseline Admin and End User policies in my test tenant (we'll call it TestTenant.com). I added a user (Alex) from my production tenant (call it ProdTenant.com) to a MS Teams Team in TestTenant.com. That created a guest account in TestTenant.com. Alex @ ProdTenant.com has MFA enabled and enforced in ProdTenant.com. Now when I try to access the Team in TestTenant.com using Alex @ ProdTenant.com, I'm getting a message that I have 14 days to enable MFA. But the really strange thing is that the logos on the screen are all for ProdTenant.com where MFA is already configured.

Has anyone else tested Guest access to a tenant with the policies enabled? Are you seeing similar behavior?

If this is expected behavior, it'll make it extremely unpleasant/impossible for customers to interact with us (joining our Teams, sharing OneDrive documents with them, granting access to SharePoint sites, etc.).

54 REPLIES
shakhov
Level 1 Contributor

We use two CSP tenants to host our web applications in Azure, one Azure subscription in the first tenant and two subscriptions in the second. I have an admin account in one tenant, which is also enrolled as a guest admin in the second tenant. After enabling baseline policies to require MFA for admins in both tenants my experience as a developer is completely pathetic.

When using Visual Studio, Azure Storage Explorer, Azure Artifacts, PowerShell and other tools I have to log in up to 3 times to access all Azure subscriptions in our tenants.

For example, I am deploying an ARM template using Visual Studio 2017.

Before enabling baseline policy:

1) Click add account in Deploy to resource group dialog

2) Enter admin login

3) Enter admin password

4) Enter code from MFA from main tenant of the admin account

5) Deploy to any of the 3 Azure subscriptions

After enabling baseline policy:

1) Click add account in Deploy to resource group dialog

2) Enter admin login

3) Enter admin password

4) Enter code from MFA from main tenant of the admin account

5) Enter admin login

6) Enter admin password

7) Enter code from MFA from guest tenant of the admin account

8) Enter admin login

9) Enter admin password

10) Enter code from MFA from guest tenant of the admin account

11) Deploy to any of the 3 Azure subscriptions

What makes things worse is that there is no indication of which tenant I am logging in to right now on the login screen (see attached image). Each tenant has a different MFA and you need to guess which one to use. After trial and error I have figured out that at first it requires main tenant credentials, then guest tenant two times (for each subscription in the tenant, I suppose).

Another issue is that for some reason Visual Studio forgets the account much sooner now, and I have to go through this painful process at least every week. Azure Storage Explorer fails to remember credentials at all; I have to log in 3 times after each restart of the application.

JanoschUlmer
Microsoft

Why do you use two separate tenants? As a Direct CSP you can also use the Azure Partner Shared Services, which also allows you to provision multiple subscriptions in the same tenant.

And while it is certainly advisable to enable MFA for admin roles everywhere possible, MFA is only mandatory in the tenant you as CSP partner are using for Partner Center & end customer management, not in all tenants you as a company own and where your services are running.

Using e.g. Azure Partner Shared Services would automatically allow you to use your Partner delegated admin credentials with no need to work with guest accounts, which solves certain issues you are seeing.

When you are adding your account as a guest to a tenant which also requires MFA, there will always be multiple MFA prompts: one time for authenticating in your home tenant, and when accessing the other tenant MFA will again be required for the guest account; since this other tenant can not use the MFA registration info from your home tenant, it is a completely separate MFA process. If you would work with delegated admin credentials, there would be only one prompt when authenticating in your home tenant; when accessing the 2nd tenant no additional MFA prompt would be triggered.

Finally you could also choose to use the push notification in your token app instead of entering the code; this way you don't have to guess which of the accounts is used.

Kind regards,
Janosch
Get consultations from Technical Presales & Deployment services team via https://aka.ms/technicalservices
shakhov
Level 1 Contributor

Thank you for your reply, it makes sense.

We have to use separate tenants because they are from different countries and were purchased from different top level CSP partners by two separate companies.

We decided to remove the guest admin account and use separate accounts in each tenant. This way all development tools work as expected.

fguardone
Level 2 Contributor

What happens if we use the MFA functionality that comes with AAD P1 and not the baseline policies? Do we comply with the requirement despite not requiring guest users to authenticate with MFA?

Xiyuan
Visitor 1

The first one is specific to guest users. According to the document, guest users must also have MFA enabled.

  • what if a customer who collaborate with us, e.g. using MS teams created under partner tenant
  • but the guest
    • doesn’t have any business, company issued, mobile device
    • doesn’t want to use personal mobile device for any business-related activity
  • the Azure AD end-user baseline policy only allows free MFA based on mobile authenticator app

In this scenario, how can the guest collaborate with us? Are you suggesting we terminate modern collaboration, and use email and phone only?

The second one is specific to internal staff. Like the guest user scenario above,

  • the user/staff
    • doesn’t have any business, company issued, mobile device
    • doesn’t want to use personal mobile device for any business-related activity
  • doesn’t want to use any personal accounts for any business-related activity
    • this itself is generally even recommended in various spaces, where keep personal stuff personal.

In this scenario, how can the user/staff even register for MFA?

Please note that this is a real world scenario and we do have existing customers who can't enable MFA even in their own tenant because of the reasons outlined above.

JanoschUlmer
Microsoft

@Xiyuan : Thank you for providing those examples. The solutions available will not solve all the issues in our scenario.

Alternative 2nd factor authentication solutions that could be used:

 - Virtual Android device running on a workstation PC where MS Authenticator app is used (Not user friendly for collaboration, but maybe for some internal users). Microsoft offers such an emulated device as part of Visual Studio, but there are 3rd party solutions which might be easier to deploy.

 - Phone, SMS, OATH hardware tokens: these all require that you obtain Azure AD Premium Plan 1; baseline policies can not be used if you need these authentication options. For guest users there is a 1:5 licensing rule: for each paid AAD license 5 guest users can use those features. OATH hardware tokens are certainly not suitable for guest users, but maybe an alternative option for the internal users.

 - 3rd party MFA services and their authentication methods when using e.g. custom controls: this also requires AAD Premium Plan 1 like above, and of course a 3rd party MFA service.

So, if none of the above solutions work there are few remaining options. As a last resort you could evaluate splitting tenants and e.g. moving production to another tenant not subject to the MFA requirements. This has further implications though and is certainly a complex project.

Kind regards,
Janosch
Get consultations from Technical Presales & Deployment services team via https://aka.ms/technicalservices
HammerofPompey
Level 3 Contributor

Thank you for confirming that the MFA requirement for guests is ridiculous!

Will just have to migrate away from Teams and OneDrive - and tell clients:

"No, I don't use the licences I get as part of my partner fee as they do not allow me to work in the way I recommend you work"

JonW
Level 4 Contributor


@HammerofPompey wrote:

Thank you for confirming that the MFA requirement for guests is ridiculous!

Will just have to migrate away from Teams and OneDrive - and tell clients:

"No, I don't use the licences I get as part of my partner fee as they do not allow me to work in the way I recommend you work"


If we had it to do over again, we would have two organizations. One for the partner stuff, where admins have an account. And a second, separate tenant, for our corporate accounts (like sales).

Then these rules for the partner tenant would not be affecting our corporate accounts. It would be super annoying because I like phone sign-in and it's only supported for one directory. But then fewer people have to deal with the security requirements in the partner tenant.

brianjensen
Visitor 1

I understand that using the Baseline policies will require MFA across all users, but if we are using Azure AD premium and not the baseline policies, will we be in compliance if we exclude Guest users from the MFA requirement or is the requirement not just for licensed users/employees, but for guest users to use MFA as well?

JonW
Level 4 Contributor

Requirements as written say that all user accounts must have MFA enabled. I'm not a fan of this language as it includes Guest accounts, which have a user in the Partner's Azure Active Directory.

https://docs.microsoft.com/en-us/partner-center/partner-security-requirements

Should everyone in the world have MFA enabled? Yes

Does everyone have it enabled now? Nope

Is there a better way to get everyone in the world to enable MFA? Yes!

Hey Microsoft, have every user created in O365 come with MFA enabled, and don't allow anyone to create user accounts that do not have MFA enabled. Then require it for all users in the CSP partner tenant :).

If that strategy doesn't sit well with you, figure out why and then re-evaluate the position you are putting partners in.

Thanks!

-jon

idwilliams
Moderator

Yes, this is the expected behavior. The reason behind this is that the End user protection baseline policy covers all users including guest and service accounts. It is a change in experience, which might cause confusion initially but overall it will improve the security posture for users accessing resources provided through your tenant.

JimDuncan
Level 1 Contributor

The only accounts that should require MFA are those pictured below.

[Attached image: Annotation 2019-08-29 195619.png]

idwilliams
Moderator

Please note that the program guide for the Cloud Solution Provider program does not make any distinction between the various types of accounts (e.g. admin, non-admin, guest, service, etc.). All accounts are required to have MFA enforced. There are multiple reasons behind this, and several of those reasons have been discussed through this thread. Given the highly privileged nature of being a partner and the numerous methods by which credentials can be compromised, all accounts are subject to these requirements.

KyleCarter
Level 1 Contributor

I'm currently trying to set up a new Surface Hub 2S in our tenancy.

The Surface Hub support have confirmed that the room user account that the Surface Hub uses can't have MFA, as it will require MFA every time the device is rebooted or used.

We aren't allowed to use conditional access to exclude this device from requiring MFA when used from our office. How on earth are we supposed to be able to demo these units if we can't even get them going in our own tenancy?

JanoschUlmer
Microsoft

@KyleCarter : Currently you have only two options from a technical perspective: either use a different tenant to demo the devices, or exclude the account from MFA requirements (even though this is not compliant).

Do you use Azure AD Security Defaults or custom CA policies?

Kind regards,
Janosch
Get consultations from Technical Presales & Deployment services team via https://aka.ms/technicalservices
KyleCarter
Level 1 Contributor

We now use Azure AD Security Defaults.
We were using custom conditional access policies, but due to this tenancy being our Microsoft partner tenancy it wasn't meeting the partner requirements.

The enforcement of these lockdowns has effectively halted our Surface Hub deployment. We will probably build a new tenancy, but then we will be missing a lot of the feature set of the device, at a guess.

The funny thing is we just went through this with our Joan meeting room signage (getjoan.com) and were told by Microsoft they need to change their auth method, but it appears their own products have a similar issue.
JimDuncan
Level 1 Contributor

Thank you for the clarification, Isaiah.

If we (a Partner) were to

     a) have all our customers remove any existing delegated administration rights we have, and

     b) never ask for or be granted delegated administration rights by any customer, and

     c) therefore never access customer tenants using our own accounts,

does that remove the requirement to have MFA enabled on our tenant?

JanoschUlmer
Microsoft

I think I have answered this question also on the Partner Yammer, but for completeness and for others in this forum:

It does not change anything; the contractual requirements make no distinction whether delegated admin (DAP) is set or not.

This would also not reduce the overall risk imo: not having DAP right now does not mean an attacker would not find a way to get a customer to accept a new relationship invite with DAP that he received from his trusted business partner.

Also, not having DAP at all means that you can not create a support request on behalf of the customer, certainly not an acceptable scenario long term.

The only way not to implement MFA is to offboard this tenant from CSP, so not doing any business as CSP or as Advisor with this tenant.

Kind regards,
Janosch
Get consultations from Technical Presales & Deployment services team via https://aka.ms/technicalservices
kevensantos
Level 1 Contributor

Hi Isaiah Williams

We enabled the Baseline Admin and End User policies in test, but guest accounts don't request a token,

only users in Partner Center.

Did I do something wrong?

Thanks.

Keven.

idwilliams
Moderator

I would like to add some clarity here: if a guest user is added to a partner tenant they will have to authenticate using MFA. However, if the home tenant for that user is not a partner tenant and they do not have MFA enforced, then they will not be prompted for MFA when accessing resources normally. That only happens when they are accessing resources for the partner that are dependent on the guest user. As an example, partner A adds user@company.com as a guest user to their tenant, and then provides them permissions over an Azure subscription. Then MFA will be required when user@company.com switches from any tenant to the partner's so they can access resources in the Azure subscription associated with the partner's Azure AD tenant.

@kevensantos you have not done anything wrong. Currently this is the expected behavior. The baseline policies will continue to evolve over time. Part of this evolution will change the behavior you are encountering today.

HammerofPompey
Level 3 Contributor

"I would like to add some clarity here if a guest user is added to a partner tenant they will have to authenticate using MFA."

So removing Skype for Business and replacing it with Teams will require sales prospects to implement MFA. Ridiculous!

Please explain the risk of an unlicensed guest accessing the tenant and/or partner portal. How is that any different depending on whether they are authenticated via an invite or an invite and MFA? There is only an issue if there is a risk of privilege escalation, in which case it makes zero difference whether authentication uses MFA or not: guests are either in or not; breaking out is either an issue or not.

This policy makes no business sense.