External Guest user Sign-in with Require Multifactor authentication Policy

Dao, Ngan 20 Reputation points
2026-02-17T13:25:37.5933333+00:00

We are running an Entra Workforce tenant that invites external guests from multiple identity types for B2B collaboration. Our inbound cross-tenant access settings are configured to trust MFA from Microsoft Entra tenants. We have encountered a significant gap in how Conditional Access authentication strength policies interact with external identities.

Our guest population includes:

  • Users from other Microsoft Entra tenants with MFA registered in their home tenant
  • Users from Microsoft Entra tenants where MFA has NOT been set up in the home tenant
  • Users with personal Microsoft accounts (MSA)
  • Users with no Microsoft account (email OTP / one-time passcode)

Observed behavior with 'Require multifactor authentication' Conditional Access Policy:

  • Entra corporate users with MFA: sign-in works correctly
  • Entra corporate users WITHOUT MFA in home tenant: blocked with 'An authentication policy cannot be fulfilled'
  • Personal MSA users: sign-in works with password + email OTP
  • Email OTP users: sign-in works with email OTP + SMS OTP

We understand from the documentation that authentication strength is only supported for Entra-to-Entra B2B flows and so the only workable policy for mixed guest populations is 'Require multifactor authentication', which Microsoft has indicated may eventually be deprecated in favor of authentication strength. If that deprecation happens, we would lose MFA enforcement for personal MSA and email OTP guests entirely.

Our questions:

  1. Is there a supported configuration that allows 'Require authentication strength' to work across ALL external identity types (Entra, MSA, email OTP)?
  2. Is there a way for "Require multifactor authentication" to work for corporate Microsoft accounts that don't yet have MFA set up? Since on this page: https://learn.microsoft.com/en-us/entra/identity/authentication/concept-authentication-strength-external-users there is an indication that external guests can have text message as a second factor. Meanwhile in our case, after password input, the user is blocked without any other options to sign in.

Thank you for your advice!

Microsoft Security | Microsoft Entra | Microsoft Entra ID

1 answer

  1. Shubham Sharma 10,725 Reputation points Microsoft External Staff Moderator
    2026-02-18T01:57:36.7733333+00:00

    Hey Ngan,

    It sounds like you're navigating some complex scenarios with external guest user sign-ins and Conditional Access policies in your Microsoft Entra tenant. Let's dive into your questions!

    1. Is there a supported configuration that allows 'Require authentication strength' to work across ALL external identity types (Entra, MSA, email OTP)? Currently, authentication strength policies primarily support Entra-to-Entra B2B flows. There's no supported configuration that allows for 'Require authentication strength' to uniformly apply to all external identity types. The current feasible alternative for mixed guest populations is to stick with the 'Require multifactor authentication' policy. However, it's understood that this may be deprecated in the future, which could impact how personal MSA and email OTP guests authenticate.
    2. Is there a way for "Require multifactor authentication" to work for corporate Microsoft accounts that don't yet have MFA set up? Based on the documentation, the conditional access policy for 'Require multifactor authentication' will indeed block users who don't have MFA enabled on their home tenant. While the documentation suggests that text message can be used as a second factor, it seems that in your case, it may not be working due to the lack of MFA configuration in the home tenant of those corporate accounts. This could lead to users being blocked without alternative authentication options.

    Here are some steps you might consider:

    • For the users without MFA in their home tenant, check their MFA settings directly in their tenant.
    • Make sure that you have correctly set up your Conditional Access policies as outlined in the detailed documentation.

    Follow-up Questions:

    • Are all the external users experiencing blocks related to the same home tenant configuration, or is it isolated to certain tenants?
    • Have you tested the MFA login process for guest users from their home tenants to see what exact options they are presented with?
    • Are you open to reviewing your current Conditional Access policy settings for potential adjustments?

    I hope this helps clarify things! If you have further details or need more assistance, feel free to reach out.

    Let me know how it goes!

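The configuration the thread talks around (inbound trust of home-tenant MFA plus a Conditional Access policy that uses the 'Require multifactor authentication' grant control for every external identity type) can be expressed with the Microsoft Graph PowerShell SDK. The block below is an added example, not code from the question or the answer. It assumes the Microsoft.Graph module is installed, that the signed-in admin can consent to the scopes listed, and that `<break-glass-object-id>` is replaced with the object ID of an emergency-access account; the sign-in log filter in the last step is an assumption to verify against the Graph `signIns` filter documentation for your tenant.

```powershell
# Added example (not from the thread). Assumes the Microsoft.Graph PowerShell SDK is installed
# and the signed-in admin can consent to these scopes. Run against a test tenant first: the
# Conditional Access policy is created in report-only mode so nobody is locked out while you
# validate it against the guest population.
Connect-MgGraph -Scopes "Policy.ReadWrite.CrossTenantAccess",
                        "Policy.ReadWrite.ConditionalAccess",
                        "AuditLog.Read.All"

# 1. Inbound cross-tenant access default: accept the MFA claim issued by a guest's home
#    Entra tenant. Guests whose home tenant has no MFA method registered cannot satisfy an
#    MFA requirement through this trust; they still need a method the resource tenant accepts.
Update-MgPolicyCrossTenantAccessPolicyDefault -InboundTrust @{
    isMfaAccepted = $true
}

# 2. Conditional Access policy using the 'mfa' built-in grant control for all external user
#    types from any external tenant. This is the 'Require multifactor authentication' control
#    discussed in the thread; an authentication strength grant would apply only to
#    Entra-to-Entra B2B guests, so it is deliberately not used here.
$policy = @{
    displayName = "Guests - require MFA (all external identity types)"
    state       = "enabledForReportingButNotEnforced"   # switch to "enabled" after review
    conditions  = @{
        clientAppTypes = @("all")
        applications   = @{ includeApplications = @("All") }
        users          = @{
            includeGuestsOrExternalUsers = @{
                guestOrExternalUserTypes = "b2bCollaborationGuest,b2bCollaborationMember,internalGuest,otherExternalUser"
                externalTenants = @{
                    "@odata.type"  = "#microsoft.graph.conditionalAccessAllExternalTenants"
                    membershipKind = "all"
                }
            }
            # Exclude an emergency-access account so a misconfigured policy can be undone.
            # <break-glass-object-id> is a placeholder; substitute your own account's object ID.
            excludeUsers = @("<break-glass-object-id>")
        }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
}
$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object Id, DisplayName, State

# 3. Before enforcing, review how guest sign-ins evaluated against the policy. The filter on
#    conditionalAccessStatus is assumed to be supported by the signIns endpoint; adjust if
#    your tenant rejects it. Status.FailureReason is where the
#    'An authentication policy cannot be fulfilled' text from the question shows up.
Get-MgAuditLogSignIn -Top 50 -Filter "conditionalAccessStatus eq 'failure'" |
    Where-Object { $_.UserType -eq 'guest' } |
    Select-Object CreatedDateTime, UserPrincipalName, HomeTenantId,
        @{ n = 'CA';     e = { $_.ConditionalAccessStatus } },
        @{ n = 'Error';  e = { $_.Status.ErrorCode } },
        @{ n = 'Detail'; e = { $_.Status.FailureReason } }
```

Leave the policy in report-only mode until the sign-in review shows each guest type from the question (Entra with MFA, Entra without MFA, MSA, email OTP) evaluating the way you expect; only then change `state` to `enabled`.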
