Azure external guest users stuck in MFA loop

Axyrium 51 Reputation points
2023-09-13T21:17:35.0966667+00:00

Scenario:
Internal user shares a SharePoint file with an external guest user that is already in our directory.

User gets the link and when authenticating is then prompted to set up MFA ('Your organization needs more information').

They click on 'Next' and successfully set up their MFA method of choice. They click next to continue and are taken back to the 'Your organization needs more information' screen. Clicking next takes them to a web page that says "You have successfully set up your security info. Click 'Done' to continue signing in". However, clicking 'Done' (there is no other option) takes them right back to the 'Your organization needs more information' screen.

Azure shows that the users have successfully registered their MFA device. I've tried re-requiring MFA and revoking MFA sessions, but this doesn't fix the issue. I have tried different MFA options including MS Authenticator. This is happening on both real guest accounts and test guest accounts that I've created.

We are using Azure security defaults; we don't have any conditional access policies.

Why is this happening?

Microsoft Entra ID

Accepted answer
  1. 2023-09-14T21:29:43.3933333+00:00

    Hello @Axyrium , in order to fix the "Your organization needs more information" message infinite prompt try disabling Azure AD Security Defaults and then revoking 2FA sessions, re-requiring 2FA registration for the affected users, and finally re-enabling Security Defaults.

    If the issue persists, please collect a network trace in the browser and send us the exported HAR file to azcommunity@microsoft.com with Subject Attn: Alfredo Revilla.

    Let us know if you need additional assistance. If the answer was helpful, please accept it and rate it so that others facing a similar issue can easily find a solution.


1 additional answer

  1. 2023-10-19T23:33:51.8633333+00:00

    Hello @Axyrium and thanks for sharing your solution. Since accepting your own answer is not supported I'm reposting your solution here so that you can accept and rate it. It will ensure that others facing a similar issue can easily find a solution.

    It turned out that we had both security defaults AND Multifactor Authentication Registration Policy (MARP) enabled, which should not be possible to have both enabled at the same time. (Multifactor Authentication Registration Policy is under Azure/Security/Identity Protection). You can't enable Security Defaults if MARP is enabled, but for some reason you can enable MARP if Security Defaults is enabled. Clearly a bug that MS should fix. Because we are using Security Defaults, I disabled Multifactor Authentication Registration Policy and it resolved the issue.

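The two answers above boil down to a tenant-state question (is Security Defaults on, and is the Identity Protection MFA registration policy also on?) and a per-user question (does Entra think the guest has finished registering?). The script below is an added example, not part of the thread or anything Microsoft posted, that gathers that evidence with the Microsoft Graph PowerShell SDK before anyone starts toggling settings. It assumes the `Microsoft.Graph` module is installed and that the signed-in admin can consent to the listed read scopes. There is no Graph cmdlet I can point to for the Identity Protection MFA registration policy itself, so that half of the check stays a portal step, as the thread describes it.

```powershell
# Added example: audit the state the thread describes. Assumes the Microsoft.Graph
# PowerShell SDK and an admin who can consent to these delegated scopes.
Connect-MgGraph -Scopes "Policy.Read.All", "AuditLog.Read.All", `
                        "UserAuthenticationMethod.Read.All", "User.Read.All"

# 1. Tenant half: is Security Defaults enforced? (The Identity Protection
#    "Multifactor authentication registration policy" has to be checked in the
#    portal under Identity Protection; the thread's fix was turning it off
#    because Security Defaults was the intended control.)
$secDefaults = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy
Write-Host "Security Defaults enabled: $($secDefaults.IsEnabled)"
if ($secDefaults.IsEnabled) {
    Write-Host "Check Identity Protection > MFA registration policy; both enabled reproduces the loop in this thread."
}

# 2. User half: registration state of every guest as Entra reports it.
#    Compare this with what the guest sees; in the thread the guest was
#    registered here yet still looped at sign-in, pointing at policy, not the user.
function Get-GuestMfaRegistration {
    Get-MgReportAuthenticationMethodUserRegistrationDetail -All |
        Where-Object { $_.UserType -eq 'guest' } |
        ForEach-Object {
            [pscustomobject]@{
                UPN           = $_.UserPrincipalName
                MfaRegistered = $_.IsMfaRegistered
                MfaCapable    = $_.IsMfaCapable
                Methods       = ($_.MethodsRegistered -join ',')
            }
        }
}

# 3. Per-user detail for one affected guest: which methods exist, then revoke
#    the sign-in sessions as the accepted answer suggests. Re-requiring
#    registration is done in the portal (Users > Authentication methods).
function Show-GuestAuthMethods {
    param([Parameter(Mandatory)][string]$UserId)   # object id or UPN
    Get-MgUserAuthenticationMethod -UserId $UserId |
        Select-Object Id, @{ Name = 'Type'; Expression = { $_.AdditionalProperties['@odata.type'] } }
}

function Revoke-GuestSessions {
    param([Parameter(Mandatory)][string]$UserId)
    # Invalidates refresh tokens so the next sign-in re-evaluates policy.
    Revoke-MgUserSignInSession -UserId $UserId | Out-Null
}

# Usage:
Get-GuestMfaRegistration | Format-Table -AutoSize
# Show-GuestAuthMethods -UserId 'guest_example.com#EXT#@contoso.onmicrosoft.com'   # placeholder UPN
# Revoke-GuestSessions   -UserId 'guest_example.com#EXT#@contoso.onmicrosoft.com'
```

Run step 1 and 2 first and keep the output; if the guest shows `MfaRegistered = True` with a method listed and still loops, the cause is on the policy side, which is exactly the situation the reposted solution describes.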
