question

0 Votes
knopper asked CS-1643 published

Exempt guest users from MFA registration

Is it possible to exclude guest users invited into the tenant from the MFA registration policy? According to this documentation:

"Microsoft accounts that have been granted guest access to your Azure AD tenant, such as those from Hotmail.com, Outlook.com, or other personal email addresses, are not able to use Azure AD SSPR. They need to reset their password by using the information found in the When you can't sign in to your Microsoft account article."

This means that guest users should not be prompted to register for MFA/SSPR since they can't benefit from this functionality in the resource tenant. Is this something that has not been taken into consideration?

azure-ad-multi-factor-authentication azure-ad-sspr

@knopper Could you please update the documentation link in your question with the correct URL? Also, the question is under the azure-ad-b2c tag; could you please confirm whether you are talking about a B2C tenant or a standard Azure AD tenant?


0 Votes

Hi,

I am trying to achieve the same goal here (allow guests to be excluded from enforced MFA registration).

Did you have any luck? I could make an "all MFA users" group and apply the policy just to that, but I'd rather not do it that way if possible.

Thanks!

0 Votes
1 Vote
amanpreetsingh-msft answered

@knopper Users with Hotmail.com, Outlook.com, or other personal email addresses can use Azure MFA even if they don't want to use SSPR.

For example, if guest users with a Microsoft Account (MSA) want to access their sign-ins using the Security-Info endpoint, they have to register for MFA. They won't be able to use SSPR on that portal to change their passwords, but they can leverage Azure MFA to access other features on that portal.

Another case where we might need MFA but not SSPR would be in the case of a Risky Sign-in by a malicious user. Similarly, there may be other scenarios where MFA registration for guests with MSA can help.


Please do not forget to "Accept the answer" wherever the information provided helps you to help others in the community.


0 Votes
knopper answered

Hello, sorry for the wrong link. Unfortunately, I can't find the correct one anymore. It doesn't show up in search engines either; I don't know why. However, the issue is nevertheless applicable. And it is for a standard Azure AD tenant; I'll correct this.
