Disabling MFA method - Guest accounts

Christoffer Liberg 21 Reputation points
2022-02-11T13:35:20.377+00:00

Hi,

In my organisation we currently support the Authenticator app, hardware security key and SMS as MFA methods. We enforce MFA using a conditional access policy for all users.

We have decided to disable support for SMS in favor of the other two methods. Guest accounts came up during this discussion and we are not able to answer the question of how our guest accounts are affected by this.

I've tried to read up on this, and from what I've gathered:

  • a guest account is authenticating in their home tenant meaning that a change in our tenant won't affect the users as long as the user has used any MFA method when authenticating
  • if the guest account has not used MFA it has to be set up after the authentication when landing at our tenant.

Is this correct?


1 answer

  1. Bruno Lopes 21 Reputation points
    2022-02-11T18:31:52.33+00:00
    • a guest account is authenticating in their home tenant meaning that a change in our tenant won't affect the users as long as the user has used any MFA method when authenticating

    External users are invited to sign in to your Azure AD organization using their own credentials. So you are correct.

    • if the guest account has not used MFA it has to be set up after the authentication when landing at our tenant.

    You can use conditional access to ensure that all guest users must use MFA to authenticate on your tenant.
