How does MFA work for B2B users?

Sravan Akkaram 21 Reputation points
2022-01-13T19:37:44.73+00:00

Users are MFA-enabled in the home tenant, from which they would be invited to collaborate and work in the guest tenant, and the guest tenant doesn't configure any MFA policies for these users.

When such users log in to the Azure Portal, would they be prompted for the home tenant's MFA to access the guest tenant, or is there any chance that they can directly access the guest tenant without any MFA prompt from the home tenant?

If yes, please let me know how they would be able to log in so that I can work on enforcing MFA for those users in the guest tenant.


Accepted answer
  1. Marilee Turscak-MSFT 36,821 Reputation points Microsoft Employee
    2022-01-13T22:58:47.36+00:00

    Hi @Sravan Akkaram ,

    Yes, the user will receive an MFA prompt from the home tenant. If MFA is then enforced on the guest tenant, they'll have two separate MFA prompts - one from the home tenant and one from the guest tenant. They are two separate MFA registrations.

    The inviting organization is always ultimately responsible for multi-factor authentication, and there isn't a way right now to "trust" the multi-factor authentication from the other tenant. This is documented in the FAQ and there are detailed discussions around this topic in the partner forum and on GitHub.

    The ability to trust MFA from the home tenant has been requested for a while, and if you would like to bubble this up with the product team you can make a request in the newly revised Ideas forum. I will also surface this back to their attention.

    Let me know if this helps at all.


1 additional answer

  1. Marilee Turscak-MSFT 36,821 Reputation points Microsoft Employee
    2022-02-14T19:52:26.67+00:00

    Update:

    I wanted to follow up on this thread and mention that Microsoft just rolled out "Cross Tenant Access Settings" for M365/Azure B2B. This means:

    1) External guest users will no longer be double-prompted for multi-factor authentication for their home tenant and the destination tenant.
    2) You can restrict which organizations your employees can authenticate against (previously this required a network proxy solution).


    Collaborate More Securely With New Cross-Tenant Access Settings

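Added example (not part of the thread and not Microsoft's code): a simplified model of the prompts discussed in the two answers, showing how the guest tenant's inbound MFA trust in Cross Tenant Access Settings decides whether a guest gets one prompt or two. It assumes policy data shaped like the Microsoft Graph `crossTenantAccessPolicy` objects, with `inboundTrust.isMfaAccepted` per partner and a default that partners inherit when their `inboundTrust` is null; the tenant IDs are placeholders and the function names are hypothetical.

```python
# Constructed sample, shaped like the Microsoft Graph objects under
# /policies/crossTenantAccessPolicy (default + partners). Tenant IDs are placeholders.
DEFAULT = {"inboundTrust": {"isMfaAccepted": False}}
PARTNERS = [
    {"tenantId": "11111111-1111-1111-1111-111111111111",
     "inboundTrust": {"isMfaAccepted": True}},
    {"tenantId": "22222222-2222-2222-2222-222222222222",
     "inboundTrust": None},  # null: inherits the default configuration
]


def mfa_trusted(home_tenant_id, partners=PARTNERS, default=DEFAULT):
    """Does the guest (resource) tenant accept MFA claims from this home tenant?"""
    partner = next((p for p in partners if p["tenantId"] == home_tenant_id), {})
    trust = partner.get("inboundTrust") or default.get("inboundTrust") or {}
    return bool(trust.get("isMfaAccepted"))


def mfa_prompts(home_tenant_id, guest_tenant_requires_mfa,
                partners=PARTNERS, default=DEFAULT):
    """Simplified model of the thread's scenario: the user's home tenant
    enforces MFA, so that prompt always happens. The guest tenant adds its
    own prompt only if it requires MFA and does not trust the home tenant's."""
    prompts = ["home"]
    if guest_tenant_requires_mfa and not mfa_trusted(home_tenant_id, partners, default):
        prompts.append("guest")
    return prompts


def untrusted_partners(partners=PARTNERS, default=DEFAULT):
    """Partner tenants whose home-tenant MFA is not accepted by the guest tenant."""
    return [p["tenantId"] for p in partners
            if not mfa_trusted(p["tenantId"], partners, default)]


if __name__ == "__main__":
    for p in PARTNERS:
        print(p["tenantId"], mfa_prompts(p["tenantId"], True))
```

Run against an export of your own tenant's settings, `untrusted_partners` lists the organizations whose guests would still be challenged twice once the guest tenant requires MFA.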