Exempt guest users from MFA registration

Question

Is it possible to exclude guest users invited into the tenant from the MFA registration policy? According to this documentation:

"Microsoft accounts that have been granted guest access to your Azure AD tenant, such as those from Hotmail.com, Outlook.com, or other personal email addresses, are not able to use Azure AD SSPR. They need to reset their password by using the information found in the When you can't sign in to your Microsoft account article."

This means that guest users should not be prompted to register for MFA/SSPR since they can't benefit from this functionality in the resource tenant. Is this something that has not been taken into consideration?

Answer 1

@Yordan Yordanov Users with Hotmail.com, Outlook.com, or other personal email addresses can use Azure MFA even if they don't want to use SSPR.

For example, if guest users with Microsoft Account (MSA) want to access their sign-ins using Security-Info endpoint, they have to register for MFA. They won't be able to use SSPR on that portal to change their passwords but they can leverage Azure MFA to access other features on that portal.

Another case where we might need MFA but not SSPR would be in case of Risky Sign-in by a malicious user. Similarly there may be other scenarios where MFA registration for guests with MSA can help.

-----------------------------------------------------------------------------------------------------------

Please do not forget to "Accept the answer" wherever the information provided helps you to help others in the community.

Answer 2

Hello, sorry for the wrong link. Unfortunately, I can't find the correct one anymore. It doesn't show up in search engines too, don't know why. However, the issue is nevertheless applicable. And it is for standard Azure AD tenant, I'll correct this.