
Multi-Factor Authentication (MFA)

Learn and ask questions on how to implement MFA

Level 4 Contributor

Guest accounts require MFA?

I understand that ALL accounts in a tenant require MFA, but I want to confirm that guest accounts will require it too. I enabled the Baseline Admin and End User policies in my test tenant (we'll call it TestTenant.com). I added a user (Alex) from my production tenant (call it ProdTenant.com) to a MS Teams Team in TestTenant.com. That created a guest account in TestTenant.com. Alex @ ProdTenant.com has MFA enabled and enforced in ProdTenant.com. Now when I try to access the Team in TestTenant.com using Alex @ ProdTenant.com, I'm getting a message that I have 14 days to enable MFA. But the really strange thing is that the logos on the screen are all for ProdTenant.com, where MFA is already configured.

 

Has anyone else tested Guest access to a tenant with the policies enabled?  Are you seeing similar behavior?

 

If this is expected behavior, it'll make it extremely unpleasant/impossible for customers to interact with us (joining our Teams, sharing OneDrive documents with them, granting access to SharePoint sites, etc.).

Microsoft

Re: Guest accounts require MFA?

Yes, this is the expected behavior. The reason behind this is that the End User protection baseline policy covers all users, including guest and service accounts. It is a change in experience, which might cause confusion initially, but overall it will improve the security posture for users accessing resources provided through your tenant.

 


Isaiah Williams
Cloud Technology Strategist | US – One Commercial Partner
Level 4 Contributor

Re: Guest accounts require MFA?

Wow, that's very disappointing. I know that our sales people will have a problem with this. When they share something to a prospect using OneDrive, people will have to have a phone and enable MFA before they can view the document. That'll be disruptive to the sales process.

Visitor 1

Re: Guest accounts require MFA?

I understand that using the Baseline policies will require MFA across all users, but if we are using Azure AD premium and not the baseline policies, will we be in compliance if we exclude Guest users from the MFA requirement or is the requirement not just for licensed users/employees, but for guest users to use MFA as well?

Level 3 Contributor

Re: Guest accounts require MFA?

Requirements as written say that all user accounts must have MFA enabled. I'm not a fan of this language, as it includes Guest accounts which have a user in the Partner's Azure Active Directory.

 

https://docs.microsoft.com/en-us/partner-center/partner-security-requirements

 

Should everyone in the world have MFA enabled? Yes

Does everyone have it enabled now? Nope

Is there a better way to get everyone in the world to enable MFA? Yes!

 

Hey Microsoft, have every user created in O365 come with MFA enabled, and don't allow anyone to create user accounts that do not have MFA enabled. Then require it for all users in the CSP partner tenant :)

 

If that strategy doesn't sit well with you, figure out why and then re-evaluate the position you are putting partners in.

 

Thanks!

-jon

Level 3 Contributor

Re: Guest accounts require MFA?

@Jinseng wrote:

Wow, that's very disappointing. I know that our sales people will have a problem with this. When they share something to a prospect using OneDrive, people will have to have a phone and enable MFA before they can view the document. That'll be disruptive to the sales process.

It's not "disruptive" to the sales process - it's completely idiotic. If someone trying to send me some sales literature required me to sign up and then enable MFA just to interact with them, then using OneDrive/SharePoint etc. to collaborate with external parties is dead in the water.

Level 4 Contributor

Re: Guest accounts require MFA?

@simonharvey I agree with you. I spoke with our VP of sales, and he flat out said this is unacceptable.

 

I'm worried about employees starting to use Shadow IT to communicate with outside users because of this. If that happens, it makes us totally re-think using MSFT products (Teams, SharePoint, OneDrive). As partners, if we don't use the products for the entire customer lifecycle (from prospect to project delivery), how can we show confidence in the products and sell them for Microsoft?

 

It also worries me that the baseline policies don't allow for SMS or phone call second factor. I understand that the app may be more secure, but forcing prospects to complete an MFA setup AND forcing them to download an app to do it is terrible. What if they don't have a compatible smart phone, or they have personal or corporate policies against using mobile phones for work? Now we can't communicate with them.

 

This is clearly not well thought out. The policy needs to be changed to exclude guest accounts.

 

I agree with everything @JonW said above.

 

@idwilliams I hope you're seeing this feedback. Is Microsoft going to enforce this for everyone at MSFT and all people that Microsoft interacts with? I think this is a good opportunity to "drink your own champagne" :-)

Level 3 Contributor

Re: Guest accounts require MFA?

It also worries me that the baseline policies don't allow for SMS or phone call second factor. I understand that the app may be more secure, but forcing prospects to complete an MFA setup AND forcing them to download an app to do it is terrible. What if they don't have a compatible smart phone, or they have personal or corporate policies against using mobile phones for work? Now we can't communicate with them.

You're being forced to use AADP1 or AADP2, which costs extra to have those features. Honestly though, why anyone would choose a solution that does not provide PUSH notifications is beyond me. I set up the Microsoft Authenticator immediately because push notification is way better than typing in a code.

Level 2 Contributor

Re: Guest accounts require MFA?

@idwilliams - Can you please confirm what is the "expected behavior" of using the baseline policy, vs. what is the contractual requirement here? I.e., if a partner requires MFA for all users excluding guests, is this within or outside of the required compliance?

Level 1 Contributor

Re: Guest accounts require MFA?

Hi Isaiah Williams

 

We enabled the Baseline Admin and End User policies in test, but guest accounts don't request a token,

Only users in partner center.

 

Did I do something wrong?

 

thanks.

 

Keven.

Microsoft

Re: Guest accounts require MFA?

I would like to add some clarity here: if a guest user is added to a partner tenant, they will have to authenticate using MFA. However, if the home tenant for that user is not a partner tenant and they do not have MFA enforced, then they will not be prompted for MFA when accessing resources normally. That only happens when they are accessing resources for the partner that are dependent on the guest user. As an example, partner A adds user@company.com as a guest user to their tenant, and then provides them permissions over an Azure subscription. Then MFA will be required when user@company.com changes from any tenant to the partner's so they can access resources in the Azure subscription associated with the partner's Azure AD tenant.

 

@kevensantos you have not done anything wrong. Currently this is the expected behavior. The baseline policies will continue to evolve over time. Part of this evolution will change the behavior you are encountering today. 


Isaiah Williams
Cloud Technology Strategist | US – One Commercial Partner
Level 1 Contributor

Re: Guest accounts require MFA?

@idwilliams Can you please clarify a bit more?
If I understand your comment, a Guest will NOT need MFA when invited to a Team, OneDrive, or SharePoint to get access to documents or other information?

Only if that Guest needs to access "things" from the portal or Azure resources will MFA registration be required, even if the Guest does not have this requirement in their own tenant?
I will need this very clear and precise to understand all implications of enabling MFA for all users in our tenant. Give us plenty of examples :-)!

 

Thanks

Mats

Microsoft

Re: Guest accounts require MFA?

OK, an example:

 

contoso.com is the CSP tenant where MFA is enforced.

adventureworks.com is a separate customer tenant where no MFA is enforced.

 

If user@adventureworks.com is invited as a guest to contoso.com, they will need to go through MFA for accessing Teams, SharePoint, Azure Portal, etc. in contoso.com.

If user@adventureworks.com is accessing Teams, SharePoint, Azure Portal on adventureworks.com, there will be no MFA for this user (= normal access to resources).

 

So the general message is that guest users are impacted - they need to have MFA, but only for accessing resources in the Partner tenant. They will not be impacted in their home tenant.
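The reply above describes the effect of the policy (guests are challenged for MFA in the partner tenant, never in their home tenant), and earlier posts ask what the same requirement looks like when it is built with Azure AD Premium P1 Conditional Access instead of the baseline policies. The following is an added example, not code from the thread or from Microsoft: it creates an equivalent Conditional Access policy with the Microsoft Graph PowerShell SDK and then audits the tenant for MFA policies that carve guests out. The policy name and the break-glass group ID are assumptions; the script needs the Microsoft.Graph module, a P1 licence and the Conditional Access scopes shown.

```powershell
# Added example (not from the thread). Requires Azure AD Premium P1 and the
# Microsoft.Graph PowerShell SDK; the display name and group ID below are assumptions.
Import-Module Microsoft.Graph.Identity.SignIns

Connect-MgGraph -Scopes "Policy.Read.All", "Policy.ReadWrite.ConditionalAccess"

# Hypothetical object ID of an emergency-access (break-glass) group. It is excluded
# so that a broken MFA registration flow cannot lock every admin out of the tenant.
$breakGlassGroupId = "00000000-0000-0000-0000-000000000000"

$policy = @{
    displayName = "Require MFA for all users including guests"   # assumed name
    # Start in report-only mode: the sign-in log then shows who would have been
    # challenged (including B2B guests) before anyone is actually blocked.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        applications   = @{ includeApplications = @("All") }
        users          = @{
            includeUsers  = @("All")            # "All" covers members, guests and external users
            excludeGroups = @($breakGlassGroupId)
        }
        clientAppTypes = @("all")
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created policy '{0}' ({1}) in state {2}" -f $created.DisplayName, $created.Id, $created.State

# Audit: list every enabled policy that requires MFA and report whether it carves
# guests out. A carve-out is either the "GuestsOrExternalUsers" sentinel in
# excludeUsers (older schema) or a populated excludeGuestsOrExternalUsers block.
Get-MgIdentityConditionalAccessPolicy -All |
    Where-Object { $_.State -eq "enabled" -and $_.GrantControls.BuiltInControls -contains "mfa" } |
    ForEach-Object {
        $u = $_.Conditions.Users
        $guestsExcluded = ($u.ExcludeUsers -contains "GuestsOrExternalUsers") -or
                          [bool]$u.ExcludeGuestsOrExternalUsers.GuestOrExternalUserTypes
        [pscustomobject]@{
            Policy         = $_.DisplayName
            IncludeUsers   = ($u.IncludeUsers -join ",")
            GuestsExcluded = $guestsExcluded
        }
    } | Format-Table -AutoSize
```

The policy is scoped to the resource tenant only, which is exactly the behaviour the reply describes: a guest from adventureworks.com is challenged when signing in to contoso.com resources and is untouched at home. Leave the policy in report-only mode until the audit rows and the sign-in log agree with what you expect, then switch state to "enabled".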

Level 1 Contributor

Re: Guest accounts require MFA?

ok thanks

but what about external guests that do not have a tenant account (ie Microsoft account) when invited to a document in OneDrive or Teams?

 

/Mats

Microsoft

Re: Guest accounts require MFA?

Same procedure if the sharing was done for authenticated users that have a Microsoft account - so they also have to register for MFA, similar to an Azure AD B2B guest user.

 

Of course, if document was shared anonymously with a sharing link no MFA will be triggered for those users since they are not authenticated.

Visitor 1

internal and guest user MFA registration without corporate issued mobile issue

The first one is specific around the guest user. According to the document, the guest user must also have MFA enabled.

  • what if a customer who collaborates with us, e.g. using MS Teams created under the partner tenant
  • but the guest
    • doesn't have any business, company-issued mobile device
    • doesn't want to use a personal mobile device for any business-related activity
  • the Azure AD end-user baseline policy only allows free MFA based on the mobile authenticator app

in this scenario, how can guest collaborate with us? Are you suggesting we terminate modern collaboration, and use email and phone only?

 

The second one is specific around internal staff; like the guest user scenario above,

  • the user/staff
    • doesn't have any business, company-issued mobile device
    • doesn't want to use a personal mobile device for any business-related activity
  • doesn't want to use any personal accounts for any business-related activity
    • this itself is generally even recommended in various spaces, where you keep personal stuff personal.

in this scenario, how can user/staff even register MFA?

 

Please note that this is a real-world scenario and we do have existing customers who can't enable MFA even in their own tenant because of the reasons outlined above.

Microsoft

Re: internal and guest user MFA registration without corporate issued mobile issue

@Xiyuan: Thank you for providing those examples. The solutions available will not solve all the issues in our scenario.

Alternative 2nd factor authentication solutions that could be used:

 - Virtual Android device running on a workstation PC where the MS Authenticator app is used (not user-friendly for collaboration, but maybe for some internal users). Microsoft offers such an emulated device as part of Visual Studio, but there are 3rd-party solutions which might be easier to deploy.

 - Phone, SMS, OATH hardware tokens - these all require that you obtain Azure AD Premium Plan 1; baseline policies cannot be used if you need these authentication options. For guest users there is a 1:5 licensing rule: for each paid AAD license, 5 guest users can use those features. OATH hardware tokens are certainly not suitable for guest users, but maybe an alternative option for the internal users.

 - 3rd-party MFA services and their authentication methods when using e.g. custom controls - this also requires AAD Premium Plan 1 like above, and of course a 3rd-party MFA service.

 

So, if none of the above solutions work, there are few remaining options. As a last resort you could evaluate splitting tenants and e.g. move production to another tenant not subject to the MFA requirements. This has further implications though and is certainly a complex project.

Level 2 Contributor

Re: Guest accounts require MFA?

What happens if we use the MFA functionality that comes with AAD P1 and not the baseline policies? Do we comply with the requirement despite not requiring guest users to authenticate with MFA?

Level 2 Contributor

Re: Guest accounts require MFA?

In many ways even worse. With Skype for Business being replaced by Teams, we will need to force third-party companies to register MFA, even if they have policies against installing apps on phones etc., just to have an online conversation.

So let's examine from first principles. What risk does an invited, unlicensed guest pose to taking over my tenant/accessing the partner portal, whether MFA is implemented or not?

If there is a risk, then it is, in fact, irrelevant whether the guest has been validated by MFA as they are invited in - they are semi-trusted, even a "prospect" rather than a client. If there is a hack that gives privilege escalation, then it is irrelevant once they are in.

If there is such a risk of a hack, then no access is safe. If there is not, MFA is irrelevant.

Level 2 Contributor

Re: Guest accounts require MFA?

Good post - sums up the idiocy of the current policy nicely. That said, why does a simple email user with NO admin rights need MFA if strong passwords are enforced? Whilst I agree it is good practice, it is a policy that is way over the top....

Level 2 Contributor

Re: Guest accounts require MFA?

"I would like to add some clarity here if a guest user is added to a partner tenant they will have to authenticate using MFA."

So removing Skype for Business and replacing it with Teams will require sales prospects to implement MFA. Ridiculous!

Please explain the risk of an unlicensed guest accessing the tenant and/or partner portal. How is that any different depending on whether they are authenticated via an invite or invite and MFA? There is only an issue if there is a risk of privilege escalation, in which case it makes zero difference whether authentication uses MFA or not; guests are either in or not; breaking out is either an issue or not.

This policy makes no business sense

Level 2 Contributor

Re: Guest accounts require MFA?

Not how I read it. To me, it says if the guest has their own tenant, where MFA is not turned on, then MFA is not enforced on their home tenant, just as a guest on a partner portal.

Level 2 Contributor

Re: Guest accounts require MFA?

This is mad - as Skype for Business is replaced by Teams, MFA will be required for ad hoc conversations! Sheer madness!

Level 2 Contributor

Re: internal and guest user MFA registration without corporate issued mobile issue

Thank you for confirming that the MFA requirement for guests is ridiculous!

Will just have to migrate away from Teams and OneDrive - and tell clients:

"No, I don't use the licences I get as part of my partner fee, as they do not allow me to work in the way I recommend you work."