Force Main Tenant MFA for our Main Tenant Users imported into our B2C Tenant

Buddy Newcomb 0 Reputation points
2023-06-12T16:05:48.1533333+00:00

We have a unique situation we are working through. We have two tenants. Our main Azure Tenant and a B2C tenant. In the B2C tenant, we host an application that both our main tenant users and our customers in our B2C tenant use. Our customers have a conditional access policy applied to them that forces them to complete MFA with our B2C tenant when logging in.

For our main tenant users, we have imported them into our B2C tenant so they can access the app. We have our main tenant set up as an identity provider in the B2C tenant so when our main tenant users attempt to log in to the app, they are authenticated against our main tenant. All this is working well.

The problem arises with our main tenant users and MFA. We want our main tenant users to complete MFA for the main tenant when logging in to the app. I have tried the following:

  • Modifying the trust settings in the main tenant to not "Trust multifactor from Azure AD tenants" specifically for our guest tenant.
  • Set up a conditional access policy in the main tenant, but because the app is not in the main tenant, I am not able to apply the policy to the app.
  • Set up a conditional access policy and applied it to the app registration in the main tenant that the B2C tenant uses to authenticate our main tenant users for the app.

It looks like what I want to do is possible if we purchase an Azure AD Premium license for our B2C tenant but we would like to avoid doing this if at all possible. Thank you in advance.

Microsoft Security | Microsoft Entra | Microsoft Entra ID
Microsoft Security | Microsoft Graph
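To make the first bullet in the question concrete, here is an added example (not from the thread or from Microsoft) that reads and tightens the inbound MFA trust setting for one specific partner tenant in the main tenant's cross-tenant access policy through Microsoft Graph. The tenant ID is a placeholder, and it assumes the Microsoft.Graph PowerShell SDK and an admin account in the main tenant.

```powershell
# Added example, not code from the thread. Reads and tightens the inbound MFA
# trust for one partner tenant in the main tenant's cross-tenant access policy.
# Placeholder: replace with the B2C tenant's real tenant ID.
$B2CTenantId = '00000000-0000-0000-0000-000000000000'

# Sign in to the MAIN tenant with a role allowed to edit cross-tenant access.
Connect-MgGraph -Scopes 'Policy.ReadWrite.CrossTenantAccess'

$base       = 'https://graph.microsoft.com/v1.0/policies/crossTenantAccessPolicy'
$partnerUri = "$base/partners/$B2CTenantId"

# Read the partner-specific setting. A 404 means no partner entry exists yet,
# so the tenant-wide default from $base/default applies to this tenant.
try {
    $partner = Invoke-MgGraphRequest -Method GET -Uri $partnerUri
    "Current isMfaAccepted for $B2CTenantId`: $($partner.inboundTrust.isMfaAccepted)"
} catch {
    Write-Host "No partner-specific entry for $B2CTenantId; one will be created."
    $partner = $null
}

# Weak setting: inboundTrust.isMfaAccepted = $true means the main tenant accepts
# an MFA claim issued by the partner tenant and skips its own MFA challenge.
# Corrected setting: $false, so the main tenant evaluates its own MFA
# requirement for this partner's users instead of trusting the partner's claim.
$body = @{ inboundTrust = @{ isMfaAccepted = $false } }

if ($null -eq $partner) {
    $body.tenantId = $B2CTenantId
    Invoke-MgGraphRequest -Method POST -Uri "$base/partners" `
        -Body $body -ContentType 'application/json'
} else {
    Invoke-MgGraphRequest -Method PATCH -Uri $partnerUri `
        -Body $body -ContentType 'application/json'
}

# Re-read to confirm the change is in place.
(Invoke-MgGraphRequest -Method GET -Uri $partnerUri).inboundTrust
```

Note that this setting only governs which MFA claims the main tenant accepts from that partner's users when they access main-tenant resources; as the question describes, it does not by itself add an MFA challenge to an app that lives in the B2C tenant.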

2 answers

  1. Shweta Mathur 30,301 Reputation points Microsoft Employee Moderator
    2023-06-13T08:32:35.5033333+00:00

    Hi @Buddy Newcomb ,

    Thanks for reaching out.

    I understood that you want to enforce MFA for both Azure AD users and B2C consumers accessing your application registered in the Azure AD B2C tenant.

    To enforce MFA for Azure AD users, you can apply a conditional access policy to the B2C application registered in your Azure AD tenant. This policy will handle the authentication of Azure AD users and enforce MFA for them.

    For B2C consumers, you can apply another conditional access policy to the application registered in your B2C tenant to enforce MFA specifically for B2C users.

    If you are facing any issues when applying the conditional access policy to your B2C application in Azure AD tenant, please provide more details about the specific issues or errors you are encountering.

    If my understanding is not correct, then please let me know so I can help you further.

    Hope this will help.

    Thanks,

    Shweta


    Please remember to "Accept Answer" if answer helped you.


  2. casper 0 Reputation points
    2024-08-27T08:16:12.3466667+00:00

    Hope you got this fixed already.

    MFA for the B2C application is set in the user flow, not in conditional access.

    MFA for the B2C tenant is set in the conditional access rules.

