SharePoint Online - Guest - Multi-Factor Authentication

Anonymous
2019-09-23T19:14:44+00:00

Hi

We have invited a guest user and want to apply the MFA policy, which we did. However, when they (the guest) go to set up MFA, the only option seems to be the mobile app. (See screenshot below.)

We understand MFA (SMS, phone) is included in the AAD Office 365 Apps: Multi-Factor Authentication (phone & SMS)

For our guest users we set up the following:

A Guest User MFA group, no policy attached.

Enabled Baseline policy: End user protection

Guest user has an email address and phone number.

This question was migrated from the Microsoft Support Community.

Answer accepted by question author
  1. Anonymous
    2019-10-01T08:14:13+00:00

    Hi Robert,

    Sorry for the late reply.

    I searched a lot to find a way to get the external users to sign in with options other than the Mobile app, but it seems like the only way to do this would be to create a Conditional Access Policy for SharePoint Online as mentioned in this article. This will require an Azure AD Premium license.

    A standalone Office 365 license does not allow managing customized Conditional Access policies, as it requires an Azure AD Premium license.

    According to this article, for Azure AD Free or standalone Office 365 licenses - Use pre-created Conditional Access baseline protection policies to require multi-factor authentication for your users and administrators.

    Regards,

    Neha

    1 person found this answer helpful.
Answer accepted by question author
  1. Anonymous
    2019-09-24T06:00:12+00:00

    Hi Robert-C-Work,

    Thanks for posting in our forum.

    When enabling Baseline policy: End user protection to enforce multi-factor authentication, it requires all users to register for MFA using the Authenticator App. This is expected behavior according to the support article.

    For detailed information, please see Baseline policy: End user protection (preview).

    I tested further on my end and created a new Conditional Access Policy for SharePoint Online as mentioned in this article (see under the heading Create a Conditional Access Policy for SharePoint Online), and I was able to see both options, Authentication Phone and Mobile app, when I tried accessing the shared site as a guest user.

    If you wish, you can consider applying a new policy for SharePoint Online.

    Thanks,

    Neha

    1 person found this answer helpful.

8 additional answers

  1. Anonymous
    2019-09-25T11:43:53+00:00

    Neha:

    Thank you. Just so I am clear, with the AAD that comes standard with O365, it does not allow for any other option, other than the Authenticator App for registration/MFA, for external users - correct?

    We use MFA for internal users and they have the option of the Authenticator App, SMS, etc.

    If we want to provide external users with more options, then we need to upgrade/purchase another level of Azure AD - correct?

    Robert

  2. Anonymous
    2019-09-25T06:23:02+00:00

    Hi Robert,

    I understand the MFA option, i.e. phone & SMS, is available in your AAD license, but please note, if we enable End user protection to enforce multi-factor authentication, it will require the Authenticator App for registration. This is the behavior when Baseline policy: End user protection is enforced. Thanks for understanding.

    For internal users, you can set up MFA from the admin center, and once you enable your organization with 2-step verification (aka multi-factor authentication), the users have to set it up to use their account and they'll get the option to use Mobile app or Authentication phone.

    Alternatively, you can test the method mentioned in this article to add guest users to the directory.

    Regards,

    Neha

  3. Anonymous
    2019-09-24T12:26:15+00:00

    Neha:

    Thank you for the reply, but we are unable to follow the instructions as:

    In step #2 of the procedure given in the link below it says: “If you do not see this Membership type, it may be that you do not have AzureAD Premium licenses in your subscription.”

    We do not have an AzureAD Premium license, so we can’t use this procedure to enable MFA for guest users.

    We understood we could do this with the subscription we have, Office 365 App, based on the documentation/information from the Microsoft site:

    We understand MFA (SMS, phone) is included on the AAD: Office 365 Apps: Multi-Factor Authentication (phone & SMS). Based on this link:

    https://azure.microsoft.com/en-ca/pricing/details/active-directory/

    Robert
