Microsoft Entra External ID no wizard for external guests

Alvin Strandberg 5 Reputation points
2024-05-30T14:23:38.9133333+00:00

Hello,

I am setting up Entra External ID with an external tenant. Self-sign up is disabled, but invitation through the application is enabled. When someone comes from an identity provider such as Microsoft Entra ID, I want to enforce MFA (Multi-Factor Authentication) when they return to my application.

I have enabled conditional access to require MFA, but whenever users log in, they encounter the following error message: "Could not log you in. An additional verification method is required to access this website or app." (Translated from Google Translate).

There is no MFA wizard shown for the users—they just get blocked and can't proceed further.

Here are some additional details:

  • Conditional Access policies are configured to require MFA for all external users.
  • The error message appears immediately upon login, with no prompt for additional verification.
  • This issue occurs for all users coming from external identity providers.
  • EDIT: I have disabled the sign-up flow only login flow is enabled and this is with the B2B invitation from Graph API.
  • EDIT: This is my config:
    "AzureAd": {
    "Instance": "https://login.microsoftonline.com/",

"Domain": "[Enter the domain of your tenant, e.g. contoso.onmicrosoft.com]",

"ClientId": "bc...2c",

"TenantId": "7f...bb",

"CallbackPath": "/signin-oidc" },

I do not use the "Authority"

Has anyone else experienced this issue, or does anyone have insights on how to resolve it? Any help would be greatly appreciated.

Thank you!

Microsoft Authenticator
Microsoft Authenticator
A Microsoft app for iOS and Android devices that enables authentication with two-factor verification, phone sign-in, and code generation.
5,856 questions
Microsoft Entra External ID
Microsoft Entra External ID
A modern identity solution for securing access to customer, citizen and partner-facing apps and services. It is the converged platform of Azure AD External Identities B2B and B2C. Replaces Azure Active Directory External Identities.
2,715 questions
{count} vote