
Multi-Factor Authentication (MFA)

Learn and ask questions on how to implement MFA

Jinseng
Level 5 Contributor

Guest accounts require MFA?

I understand that ALL accounts in a tenant require MFA, but I want to confirm that guest accounts will require it too.  I enabled the Baseline Admin and End User policies in my test tenant (we'll call it TestTenant.com).  I added a user (Alex) from my production tenant (call it ProdTenant.com) to a MS Teams Team in TestTenant.com.  That created a guest account in TestTenant.com.  Alex @ ProdTenant.com has MFA enabled and enforced in ProdTenant.com.  Now when I try to access the Team in TestTenant.com using Alex @ ProdTenant.com, I'm getting a message that I have 14 days to enable MFA.  But the really strange thing is that the logos on the screen are all for ProdTenant.com, where MFA is already configured.

Has anyone else tested Guest access to a tenant with the policies enabled?  Are you seeing similar behavior?

If this is expected behavior, it'll make it extremely unpleasant/impossible for customers to interact with us (joining our teams, sharing OneDrive documents with them, granting access to SharePoint sites, etc.).

matgus
Level 1 Contributor

@idwilliams Can you please clarify a bit more?
If I understand your comment, a Guest will NOT need MFA when invited to a Team, OneDrive, or SharePoint to get access to documents or other information?

Only if that Guest needs to access "things" from the portal or Azure resources will MFA registration be required, even if the Guest does not have this requirement in his own tenant?
I will need this very clear and precise to understand all implications of enabling MFA for all users in our tenant. Give us plenty of examples :-)!

Thanks

Mats

HammerofPompey
Level 3 Contributor

Not how I read it.  To me, it says if the guest has their own tenant, where MFA is not turned on, then MFA is not enforced on their home tenant, just as a guest on a partner portal.

JanoschUlmer
Microsoft

OK, an example:

contoso.com is the CSP tenant where MFA is enforced.

adventureworks.com is a separate customer tenant where no MFA is enforced.

If user@adventureworks.com is invited as a guest to contoso.com, they will need to go through MFA for accessing Teams, SharePoint, Azure Portal etc. in contoso.com.

If user@adventureworks.com is accessing Teams, SharePoint, Azure Portal on adventureworks.com, there will be no MFA for this user (= normal access to resources).

So the general message is that guest users are impacted - they need to have MFA, but only for accessing resources in the Partner tenant. They will not be impacted in their home tenant.

Kind regards,
Janosch
Get consultations from Technical Presales & Deployment services team via https://aka.ms/technicalservices
matgus
Level 1 Contributor

OK, thanks.

But what about external guests that do not have a tenant account (i.e. a Microsoft account) when invited to a document in OneDrive or Teams?

/Mats

JanoschUlmer
Microsoft

Same procedure if the sharing was done for authenticated users that have a Microsoft account - so they also have to register for MFA, similar to an Azure AD B2B guest user.

Of course, if the document was shared anonymously with a sharing link, no MFA will be triggered for those users since they are not authenticated.

Kind regards,
Janosch
Get consultations from Technical Presales & Deployment services team via https://aka.ms/technicalservices
HammerofPompey
Level 3 Contributor

This is mad - as Skype for Business is replaced by Teams, MFA will be required for ad hoc conversations!  Sheer madness!

ziesemer
Level 4 Contributor

@idwilliams - Can you please confirm what is the "expected behavior" of using the baseline policy, vs. what is the contractual requirement here?  I.e., if a partner requires MFA for all users excluding guests, is this within or outside of the required compliance?

Jinseng
Level 5 Contributor

Wow, that's very disappointing.  I know that our sales people will have a problem with this.  When they share something to a prospect using OneDrive, people will have to have a phone and enable MFA before they can view the document.  That'll be disruptive to the sales process.

simonharvey
Level 3 Contributor

@Jinseng wrote:

Wow, that's very disappointing.  I know that our sales people will have a problem with this.  When they share something to a prospect using OneDrive, people will have to have a phone and enable MFA before they can view the document.  That'll be disruptive to the sales process.

It's not "disruptive" to the sales process - it's completely idiotic. If someone trying to send me some sales literature required me to sign up and then enable MFA just to interact with them, then using OneDrive/SharePoint etc. to collaborate with external parties is dead in the water.

HammerofPompey
Level 3 Contributor

In many ways even worse.  With Skype for Business being replaced by Teams we will need to force third party companies to register MFA, even if they have policies against installing apps on phones etc, just to have an online conversation.

So let's examine from first principles.  What risk does an invited, unlicenced guest pose to taking over my tenant/accessing the partner portal, whether MFA is implemented or not?

If there is a risk, then it is, in fact, irrelevant whether the guest has been validated by MFA as they are invited in - they are semi-trusted, even a "prospect" rather than a client.  If there is a hack that gives privilege escalation, then it is irrelevant once they are in.

If there is such a risk of a hack, then no access is safe.  If there is not, MFA is irrelevant.

Jinseng
Level 5 Contributor

@simonharvey I agree with you.  I spoke with our VP of sales, and he flat out said this is unacceptable.

I'm worried about employees starting to use Shadow IT to communicate with outside users because of this.  If that happens, it makes us totally re-think using MSFT products (Teams, SharePoint, OneDrive).  As partners, if we don't use the products for the entire Customer lifecycle (from Prospect to project delivery), how can we show confidence in the products and sell them for Microsoft?

It also worries me that the baseline policies don't allow for SMS or phone call second factor.  I understand that the app may be more secure, but forcing prospects to complete an MFA setup AND forcing them to download an app to do it is terrible.  What if they don't have a compatible smart phone, or they have personal or corporate policies against using mobile phones for work?  Now we can't communicate with them.

This is clearly not well thought out.  The policy needs to be changed to exclude guest accounts.

I agree with everything @JonW said above.

@idwilliams I hope you're seeing this feedback.  Is Microsoft going to enforce this for everyone at MSFT and all people that Microsoft interacts with?  I think this is a good opportunity to "drink your own champagne" 🙂

HammerofPompey
Level 3 Contributor

Good post - sums up the idiocy of the current policy nicely.  That said - why does a simple email user with NO admin rights need MFA if strong passwords are enforced?  Whilst I agree it is good practice, it is a policy that is way over the top....

JonW
Level 4 Contributor

@Jinseng wrote:

It also worries me that the baseline policies don't allow for SMS or phone call second factor.  I understand that the app may be more secure, but forcing prospects to complete an MFA setup AND forcing them to download an app to do it is terrible.  What if they don't have a compatible smart phone, or they have personal or corporate policies against using mobile phones for work?  Now we can't communicate with them.

You're being forced to use AADP1 or AADP2, which costs extra to have those features. Honestly though, why anyone would choose a solution that does not provide PUSH notifications is beyond me. I set up the Microsoft Authenticator immediately because push notification is way better than typing in a code.