
Multi-Factor Authentication (MFA)

Learn and ask questions on how to implement MFA

duncanjanderson
Level 1 Contributor

Staff member receiving an MFA challenge when accessing an external Teams as a Guest user.

Hello,

I believe I have some idea of what is going on, but I'd like confirmation and guidance on how to proceed.

  • UserA has an account on our tenancy; we enforce MFA and they have registered authentication methods.
  • UserA is invited to an external Teams site, which they try to access from the drop-down menu in the top right of the Teams app.
  • As soon as they do this, they are presented with an MFA challenge, which carries our company branding.
  • The Authenticator app does not receive the notification, and the code within the app does not work. Outside of this situation UserA is able to perform MFA with these methods fine.

My guess is that the external company is enforcing MFA on guest accounts. What I don't quite understand is why our company branding is appearing on the authentication, and why UserA apparently has registered authentication methods with them (they claim that they haven't).

How exactly can they configure MFA for this external company, if this is indeed the issue?

Many thanks

1 ACCEPTED SOLUTION
JanoschUlmer
Microsoft

It is expected that if in the resource tenant (external site) MFA is configured for external users, the external user will need to go through another MFA registration in this resource tenant. So the admin of the external/resource tenant should reset the MFA registration status for the guest user so that users can do the MFA registration with their own app again. In the Authenticator app you can also see that for MFA registration in external tenants the user name appears with an "EXT#" user name ("user@sourcetenant.com#EXT#@resourcetenant.com").

Your logo is displayed because authentication is still happening in the home tenant. Authorization is happening in the resource tenant, but this is handled through your own Azure AD.

Kind regards,
Janosch
Get consultations from the Technical Presales & Deployment services team via https://aka.ms/technicalservices


duncanjanderson
Level 1 Contributor

Thank you Janosch.

Typically, to register authentication methods our staff are directed to the aka.ms/mfasetup shortened URL. Is there a similar way that they can do this for an external tenancy? I ask as I am unclear where they can register.

If her MFA is reset for the external tenancy, would she be prompted to register when she next tries to access the external Teams site?

Best regards

Duncan

JanoschUlmer
Microsoft

You can direct the users to myapps.microsoft.com/resourcetenant.onmicrosoft.com; then they need to go to their profile information, and from there they reach the MFA registration.

If the resource tenant admin resets the registration info (https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-userdevicesettings#manage-user-authentication-options), they will be automatically asked the next time they access this info (and then they might be able to see what options they used before, because this will not delete the old registration info).

Kind regards,
Janosch
Get consultations from the Technical Presales & Deployment services team via https://aka.ms/technicalservices
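The two answers above describe the same admin task from the resource tenant's side: find the guest object (which lives under its "#EXT#" user name there), see which second-factor methods the guest has registered in that tenant, and reset them so the guest is prompted to register again at the next challenge. The following script is an added example written for this thread; it is not code from the thread or from Microsoft. It assumes the Microsoft.Graph PowerShell SDK is installed and is run by an admin of the resource tenant; the guest UPN it takes is a placeholder, and deleting the registered methods through Graph is used here as the scripted counterpart of the portal reset linked in the answer.

```powershell
<#
  Added example (not from the thread). Run in the RESOURCE tenant, i.e. the tenant that owns
  the external Teams site. Reports the guest's registered authentication methods there and,
  with -Reset, removes the Authenticator app and phone methods so the guest registers again.
  Assumes the Microsoft.Graph PowerShell SDK; the UPN passed in is a placeholder value.
#>
#Requires -Modules Microsoft.Graph.Users, Microsoft.Graph.Identity.SignIns

param(
    # The guest's home-tenant UPN, e.g. usera@sourcetenant.com (placeholder)
    [Parameter(Mandatory)] [string] $GuestHomeUpn,
    # Without -Reset the script only reports; with it the second-factor methods are deleted
    [switch] $Reset
)

# Least-privilege scopes: read user objects, read/write their authentication methods
Connect-MgGraph -Scopes 'User.Read.All', 'UserAuthenticationMethod.ReadWrite.All' | Out-Null

# In the resource tenant a B2B guest is stored under an "#EXT#" UPN in which the '@' of the
# home UPN becomes '_', e.g. usera_sourcetenant.com#EXT#@resourcetenant.onmicrosoft.com
$extPrefix = ($GuestHomeUpn -replace '@', '_') + '#EXT#@'
$guest = Get-MgUser -Filter "userType eq 'Guest'" -All -Property Id, UserPrincipalName, Mail |
         Where-Object { $_.UserPrincipalName -like "$extPrefix*" -or $_.Mail -eq $GuestHomeUpn } |
         Select-Object -First 1
if (-not $guest) { throw "No guest object found for $GuestHomeUpn in this tenant." }
Write-Host "Guest object: $($guest.UserPrincipalName) ($($guest.Id))"

# Each method object carries its concrete type in @odata.type; list type and id
$methods = Get-MgUserAuthenticationMethod -UserId $guest.Id
foreach ($m in $methods) {
    $type = $m.AdditionalProperties['@odata.type'] -replace '^#microsoft\.graph\.', ''
    Write-Host ('  {0,-45} {1}' -f $type, $m.Id)
}

if (-not $Reset) { return }

# Remove only the second-factor methods registered in THIS tenant. The password method and the
# registrations in the guest's home tenant are untouched; the guest is asked to register again
# at the next MFA challenge issued for this tenant.
foreach ($m in $methods) {
    switch ($m.AdditionalProperties['@odata.type']) {
        '#microsoft.graph.microsoftAuthenticatorAuthenticationMethod' {
            Remove-MgUserAuthenticationMicrosoftAuthenticatorMethod -UserId $guest.Id `
                -MicrosoftAuthenticatorAuthenticationMethodId $m.Id
            Write-Host "  removed Authenticator app registration $($m.Id)"
        }
        '#microsoft.graph.phoneAuthenticationMethod' {
            Remove-MgUserAuthenticationPhoneMethod -UserId $guest.Id -PhoneAuthenticationMethodId $m.Id
            Write-Host "  removed phone method $($m.Id)"
        }
    }
}
```

Run it first without `-Reset` to confirm the script matched the right guest object and to see what is registered; the stale entry in the user's own Authenticator app is not removed by this, so the user deletes that "#EXT#" account from the app themselves before registering again. The split Janosch describes is why the methods live in two places: the home tenant authenticates the user (hence the home branding), while the resource tenant enforces its own MFA and keeps its own registration record for the guest object.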