Hero Banner

Multi-Factor Authentication (MFA)

Learn and ask questions on how to implement MFA

Reply
Level 5 Contributor

Guest accounts require MFA?

I understand that ALL accounts in a tenant require MFA, but I want to confirm that guest accounts will reqire it too.  I enabled the Baseline Admin and End User policies in my test tenant (we'll call it TestTenant.com).  I added a user (Alex) from my production tenant (all it ProdTenant.com) to a MS Teams Team in TestTenant.com.  That created a guest account in TestTenant.com.  Alex @ ProdTenant.com has MFA enabled and enforced in ProdTenant.com.  Now when I try to access the Team in TestTenant.com using  Alex @ ProdTenant.com, I'm getting a message that I have 14 days to enable MFA.  But the really strange thing is that the logos on the screen are all for ProdTenant.com where MFA is already configured.

 

Has anyone else tested Guest access to a tenant with the policies enabled?  Are you seeing similar behavior?

 

If this is expected behavior, it'll make it extremly unplesant/impossible for customers to interact with us (Joinin our teams, sharing OneDrive documents with them, granting access to SharePoint sites, etc.).

54 REPLIES 54
Level 1 Contributor

An admin or employee at Company A invites a guest user to use a cloud or on-premises application that is configured to require MFA for access. The guest user signs in with their own work, school, or social identity.

Visitor 1

Hi,

 

I have guest access to another company's Teams site.  I recently changed MFA apps and don't know how to resync the new app to work with the other company's Teams site.  BTW, I have already gotten my new app on my new phone working with our company and that works fine.

 

Thanks

Tan

Microsoft

@takhtar : You will likely to re-register for MFA. You can ask the admin of the other company to reset your MFA registration information. 

Also going to https://myapps.microsoft.com/othercompanytenant.onmicrosoft.com would work - in their click on your user badge and choose "Profile" - this should allow you to register you MFA info for this other company. You need to be able to use the old MFA app though to get to there - if this is not available only option is that admin does a reset.

Kind regards,
Janosch
Visitor 1

I have to ask, why can a guest's home tenant not send some kind of attestation that MFA is in place on the home user account?

 

We have lots of our customers in our tenant as guests for Teams channels because we invite the customer primary contact(s) into a channel that has their support engineers present. When we switched on conditional access to enforce MFA on all users the guests got prompted to setup MFA even though they already have MFA on their home account.

 

For the time being I've added an exclusion on our conditional access policy to exclude guests and the dashboard is still saying we're 100% compliant after a few days, but what I'm reading here is that potentially these guest accounts are going to become useless unless all the guests wrestle with adding MFA on every instance they're a guest (which is totally mad).

 

We're not creating another tenant and shoving all our CSP stuff in there, it just adds so much friction and if anything reduces security because right now when someone joins or leaves our organisation their Azure AD account sets up and cuts off their access to everything. If we begin having separate accounts in another tenant for CSP you can bet someone is going to forget to cut that off when someone leaves and access carries on until someone notices.

 

We are 100% on board with MFA being required, and I understand requiring MFA on a guest that doesn't reside in another Azure AD tenant (like a random @gmail.com user should be made to setup MFA), but where the user originates from Azure AD and has MFA on their home account, can it be that hard for MSFT to pass some kind of trusted flag across to the guest login that skips MFA if the home account has it?

Microsoft

I think this is good suggestion, unfortunately I do not know of any plans to do that (and you are correct that technically this might be possible). 

Just checked on uervoice, for a similar idea only two votes are added: https://feedback.azure.com/forums/169401-azure-active-directory/suggestions/37590304-b2b-scenario-the-b2b-guest-user-should-use-the-m

So please vote! 🙂

 

I can understand your concern reg. the additional admin effort on having two tenants, I don't agree though that it would lower security. For an on-/offboarding scenario there should be a good, formal process set up anyway that covers all the aspects - from account deletion in all separate systems to removing physical access and device/data deletion & retention, it would be easy to add the deletion of the other account in this process as additional step. And in AzureAD there are also some service integrated to help with the access reviews that can make this easier, and Automation can be used to automate deletion in multiple environments. 

 

The main concern I personally have with a single tenant - think about an admin that should only care about internal production, e.g. somebody that has permissions to change group membership in the tenant. This admin could elevate his permissions to become admin in all customer tenants when he puts himself in the Admin Agents group. Might not apply to your scenario, but this is the reason I'm thining of mostly when talking about this.

Kind regards,
Janosch
Visitor 1

We've been working with two tenants for some time and have been told by our PDM and distribution partner that we need to consolidate down to a single tenant so that we can properly take advantage of incentives and back-end rebates. Are you saying that we should stick with two tenants and that we can still get all of the other back-end pieces correctly?

Microsoft

@hughc70 : I do not see why having two tenants would prevent you from receiving incentives and rebates.

Only if you would have to distinct MPN organizations in two tenants, this might become a problem - maybe the contacts you have spoken with refer to this?

 

Two tenants in regards to this discussion means, that you have one tenant where Partner Center is used for MPN management. There you create a location in the MPN organizational structure, the 2nd tenant which you use for CSP is linked to the MPN org via this location ID. This way all CSP revenue is reported back to your MPN org, and in the incentive management in the "MPN tenant" you will see that you can manage incentives for respective location also. 

So it is still one MPN organization.

 

Global Partners that have CSP business in different regions need to have such a setup, and they can also get rebates and incentives.

Kind regards,
Janosch
Level 1 Contributor

hold on. im not clear.

do we have to enable MFA for all user accounts for OUR CLIENTS? meaning every company we work with has to enable mfa for all users.

OR

do we have to enable MFA on for all users in OUR partner admin account that has access to all the clients.

 

Microsoft

No, all user accounts in the tenant you use as Partner for CSP business, not mandatory in end customer tenants.

See also https://docs.microsoft.com/en-us/partner-center/partner-security-requirements-faq#are-my-customers-subject-to-the-partner-security-requirements

 

Are my customers subject to the partner security requirements?

No, it is not required that you enforce MFA for each user in your customer's Azure AD tenants. However, it is recommended that you work with each customer to determine how best to protect their users.

Kind regards,
Janosch
Visitor 3

I was suprised to learn months ago that also non-admin users are required to enable MFA. But I understand and accept the security risk explained in this thread.

For guests I cannot follow that security risk. Is the risk that I send critical informations or credentials or MFA tokens to a guest and the guest is not the guest but an hacker/intruder? Why the hell should I anyway do this to a regular guest? 

Finally Office 365 is with teams a perfect colaboration tool and coworkers understand and accept to be onboarded as a guest. It works and it prooves to our customers that Office 365 is a great tool. Now we are forced to go one step back. 

My practical experience:

  • Baseline Policy is deprecated, ignore them.
  • Enable modern authentication for the tenant with power shell (do this without MFA) otherwise Outlook will not work any more.  
  • We started to enforce MFA by enabling Security Defaults in Azure AD (Properties). I did a test with my own guest account and at least the process to enable MFA for a non tenant (a plain microsoft user) guest works fine, they are treated however by the Authenticator as a business user which is clearly stated in the instructions. 

But lets see if I will be alone in my next teams meeting with my business partners.

 

My wish and my questions: 

1) I have to try: Can you please do one step after the other and do not enforce guests to use MFA for the time being (maybe in one year MFA is much more accepted?)? Enforce a guest policies instead which will avoid or adress the guest risks whatever that might be (RED BIG LETTERS when a guest writes in a team channel?)

2) Can you give instructions of how to divorce our tenant from the partner world to continue our business and setup another tenant for the partner world with one dummy license do maintain the customers.

 

Microsoft

I can understand the feedback about guest users, I had the same discussion internally - however, guest users now can get some access to Partner Center and generally they may be a venue for an attacker to get information (--> social attacks) or to "infiltrate" a tenant (e.g. phishing email from "trusted" guest).  So the decision was made not to allow any exclusions.

 

Reg. your ask:

 - Well, those decisions were made several layers above me, so I have little influence on this. However, it is currently not planned to enforce MFA for guest users, unless they access Partner Center. This does not mean they are excluded from the policy - it just means that if you don't enable MFA for guest users there will not be technical problems in the forseeable future. Still the Partner agreements demad this and it is recommended. See also https://docs.microsoft.com/en-us/partner-center/partner-security-requirements-mandating-mfa

 - Splitting tenants: This is difficult, two options:

1. Move CSP Business to new tenant - create new tenant, do the enrollment as CSP again for this new tenant, reinvite all customers, then - if you are Direct CSP - reprovision all licenses for existing customers. Finally contact support and ask to offboard the old tenant from CSP. Final result will be that old tenant is used for production and MPN Management in Partner Center, and the other tenant is for CSP management. Dummy licenses are not required, a tenant can be created for free. For Indirect Resellers this is more easy since the licenses do not need to be replaced for all customers.

2. Move production to new tenant - create new tenant, talk to a 3rd party about how to move data & configuration between tenants. Migration between tenants is not really documented by Microsoft, nor does Microsoft deliver any tools for doing this. Depending on how you use the cloud services this might be a lot of work.

I personally recommend Option 1, if any. But it really depends.

Kind regards,
Janosch
Level 2 Contributor

We are considering splitting our tenant because of these requirements and honestly the confusion about what is and is not required (if you look you will find documentation edited as late as 11/11/19 stating only accounts that access the customer portal are required to have MFA.)

 

I would really like to do option 1 but i've got about 300 customers on our account. What i'm not sure of is how do I know if we are a direct or indirect reseller? If we sell through Synnex for example is that indirect? Also if we select option one does that affect/change our partner ID and partner of record ID? (does the POR even matter anymore for CSP? Seems it was mostly used for customer self pay for the kickback). 

 

Right now is the ideal time for us to make this decision because we have very few production resources in O365 but are literally in the middle of prepping to move all our email to 365 and to start using teams. If option 2 proves to be more feasible/easier I would rather do it now than after all my users are migrated. OTOH I would rather keep the current tenant as our production tenant since any decent other variations of our name for production use are gone and a decent one still exists for that side of the business.

 

I don't like having to split the tenant but management won't approve of the MFA for all especially when it affects customers/prospects. It unfortunately means its a separate thing to manage and we have to be vigilant about manually disabling a second set of accounts since we can't tie it to our AD and disable via SSO like we currently do. MFA won't help here since most of our techs have to use their personal devices for MFA as it is.

Microsoft

@CM42 

the confusion about what is and is not required (if you look you will find documentation edited as late as 11/11/19 stating only accounts that access the customer portal are required to have MFA.)

There is a difference between what is required from an agreement perspective (all account need to have MFA) and what is technically enforced (Delegated customer management since Nov. 11, Partner Center access in H1 2020...). So even though it is technically not enforced for every scenario this does not change the overall requirements.

 

If we sell through Synnex for example is that indirect? 

Yes, that is indirect.

 

Also if we select option one does that affect/change our partner ID

A new, additional Partner ID will be created when going for Option 1 (Split of CSP to a new tenant), I can not tell if Synnex would need to update their records though since the MPN ID for the organization would stay the same. 

I have summarized steps for Option 1 here: https://www.microsoftpartnercommunity.com/t5/Multi-Factor-Authentication-MFA/Requirements-clarification-please/m-p/15516/highlight/true#M734

 

and partner of record ID? (does the POR even matter anymore for CSP? Seems it was mostly used for customer self pay for the kickback). 

If you have CSP relationships with all of your customers, POR does not matter. You are correct that is used for customer which buy via other channels. If in Partner Center you see customers with a relation type of "Advisor", those are the ones which are using Partner of Record. When you split of the CSP business to a new tenant, you should also update existiong POR to the new Partner ID you create when going through this process, otherwise those customer will still be shown as managed customers in the old tenant, and thus the MFA requirements would still apply.

 

 

Overall, in your scenario I would recommend going for option 2, because of the work when migrating 300 customer relationships to a new tenant. The .onmicrosoft.com domain name is invisible most of the times for the users, only in the Sharepoint & OneDrive URL this can be seen - maybe you find some suitable naming convention/tenant name for this. 

Kind regards,
Janosch
Level 2 Contributor

Well we also have a whole bunch of licenses in that tenant that we are using in production that i'm not sure we can get moved? They are a mix of licenses we earn as a partner and ones we bought from our vendor (also under CSP) and a Azure VM we use for dev. I've spoken to the managed services managers and they seem ok with reassigning all 300 accounts if its as simple as sending out a blanket delegation request and then following up with those that have not accepted after a few days. One question that did come up and I believe the answer is yes is can a customer have delegated admin access under 2 different tenants? Once we are done with adding them under the new tenant does asking Microsoft to remove the old tenant from CSP disconnect all of those customers? Also I think you said we can still manage the partner relationship from the original (I guess parent?) account? I'm pretty sure this is happening just which way is the best is the question now. There are some certification (nist, etc) reasons behind it now also.

Microsoft

Partner Internal use right licenses can not be moved to another tenant, you can activate a new token  you get  during next renewal in a different tenant though.

CSP licenses can be reassigned (actually those are provisioned again in the new tenant and suspended/cancelled in the old one by the CSP partner that sold them).

Azure subscription can also be moved to a different tenant, though the Azure VM itself probably has no dependency on the tenant anyway. 

 

Yes, customer can have reseller relationships and delegated access with multiple Partner tenants. Reseller relationship and delegated access are two different things - you can send the CSP invite with or without delegated access, the customer can remove delegated access permissions without impacting the reseller relationship.

 

Once we are done with adding them under the new tenant does asking Microsoft to remove the old tenant from CSP disconnect all of those customers?

If you are indirect you should discuss this with the CSP provider you are working with - usually they can update their records and map the sold licenses to the new CSP account/Partner ID, then you can remove the reseller relationship on your end: https://docs.microsoft.com/en-us/partner-center/remove-a-relationship 

If you are direct, you can remove the reseller relationship after you have suspended all the licenses in the old CSP account.

 

Also I think you said we can still manage the partner relationship from the original (I guess parent?) account?

As long as you did not remove the reseller relationship, yes. There is no "parent" CSP account though - when you split out the CSP to a new tenant there is just an old CSP enrollment and a new CSP enrollment, both are even. Only in this scenario you likely have Partner Center for MPN management still in the old tenant, so from an MPN org perspective the old tenant is the MPN "parent" and the new CSP tenant is  linked to a location ID in the MPN org structure. 

 

 

Kind regards,
Janosch
Level 2 Contributor

Thanks this information has been very helpful. It would be nice if my Microsoft Partner team/reps would reach out ocassionally like they used to years ago. I'm not even sure who they are anymore and who I can address additional questions to.

Microsoft

Only a few Patners have dedicated account teams, I guess only around ~1%. So if you haven't been contacted, it might be just due to the fact there is nobody assigned.

 

As Partner with Action Pack, Silver or Gold level you can raise a technical advisory request via askpts@microsoft.com to get technical guidance, also on CSP topics.

For any programmatic question on MPN and CSP, the Partner Center Dashboard includes a support option.

 

For Partners that have Premier (aka Unified support) or ASfP support, there is dedicated services/technical account manager.

Kind regards,
Janosch
Visitor 1

Hi,

 

we are using our accounts in our tenant with delegated admin rights for our customers.

for this I clearly accept that we have to use MFA.

We use the accounts name@contoso.com for this.

 

But... as we have several more licenses than users in the company, we also have our relatives as users in this tenant. Their users are like mom@myfamily.com, dad@hisfamily.com, son@... you get the idea. These are simple user accounts for using a mailbox, outlook, word and the like, they have no admin rights whatsoever and are not involved in our business at all.
Do they also have to use MFA? 

Microsoft

@Rohling As stated before, every user account. Because an attack can & will spread lateral, so an affected non-admin user will be a venue for an attacker to gain more permissions - e.g. attacker sends internal phishing emails from one of those compromised internal accounts to other users in this tenant etc...

Clearly stated in the FAQs: https://docs.microsoft.com/en-us/partner-center/partner-security-requirements-faq#what-are-the-key-actions-i-need-to-take-to-meet-the-requirements 

 

In my opinion having non-business user in a tenant that is used for business purposes - like the mentioned relatives - is a clear no-go. Not just because of MFA requirements, it is just good business & recommended security practice.  And since those non-business users would need to get their own licenses anyway (usage of internal use rights licenses from Partner Agreement is not allowed for non-employees -  you can check the MPN agreement on this yourself), building a seperate tenant from them would be the recommended option.

Kind regards,
Janosch
Level 1 Contributor

As I understand it, yes. EVERY user in the 'parnter admin' tenant requires the use of MFA, regardless of their actual access rights.

For example, we use a number of service mailboxes (admin@, support@) - all of these now require MFA enabled even though they're just shared mailboxes with no as admin rights whatsoever.