Exempt guest users from MFA registration

Yordan Yordanov 466 Reputation points
2020-05-08T18:03:09.447+00:00

Is it possible to exclude guest users invited into the tenant from the MFA registration policy? According to this documentation:

"Microsoft accounts that have been granted guest access to your Azure AD tenant, such as those from Hotmail.com, Outlook.com, or other personal email addresses, are not able to use Azure AD SSPR. They need to reset their password by using the information found in the When you can't sign in to your Microsoft account article."

This means that guest users should not be prompted to register for MFA/SSPR since they can't benefit from this functionality in the resource tenant. Is this something that has not been taken into consideration?

Microsoft Entra ID

Accepted answer
  1. AmanpreetSingh-MSFT 56,506 Reputation points
    2020-05-11T11:53:06.883+00:00

    @Yordan Yordanov Users with Hotmail.com, Outlook.com, or other personal email addresses can use Azure MFA even if they don't want to use SSPR.

    For example, if guest users with a Microsoft Account (MSA) want to access their sign-ins using the Security-Info endpoint, they have to register for MFA. They won't be able to use SSPR on that portal to change their passwords, but they can leverage Azure MFA to access other features on that portal.

    Another case where we might need MFA but not SSPR would be in the case of a Risky Sign-in by a malicious user. Similarly, there may be other scenarios where MFA registration for guests with an MSA can help.


    1 person found this answer helpful.

1 additional answer

  1. Yordan Yordanov 466 Reputation points
    2020-05-11T08:51:20.937+00:00

    Hello, sorry for the wrong link. Unfortunately, I can't find the correct one anymore. It doesn't show up in search engines either; I don't know why. However, the issue is nevertheless applicable. And it is for a standard Azure AD tenant; I'll correct this.
