Azure AD guest invite seems to accept user without the first-time consent process?

Question

Azure AD guest invite seems to accept user without the first-time consent process?

Anonymous

My application invites external users as guest to our tenant. I have test this with a couple of external users and it works fine. Once the user clicks on the invite link, they are prompted to the Accept/Cancel window. Through that process they are also able to add the guest account to their Authenticator App via Scan QR. However, for our main client once we send the invite link, the Accept/Cancel window does not come up. Rather, it appears it just accepts user and redirects to our App. Hence, the guest user does not have a chance to add the guest AD account to their Authenticator App. Do you know what is the issue and how it can be resolved? I have checked for ways to manually add the Guest AD Account to the authenticator app with no luck. The password of the original account does not work with the Guest AD Account and also I did not find a way on how the QR Scan code can be generated.

Answer accepted by question author

0 additional answers

Your answer

Answer 1

Alfredo Revilla - Upwork Top Talent | IAM SWE SWA 27,526 Moderator

Hello @Anonymous , Accept/Cancel prompt should always appear unless the invitation has previously been accepted. Depending on the MFA configuration for your tenant some users may be required to enroll or not. The simplest way to enforce it is to Enabling security defaults. Another option, a more robust one, is to create a Conditional Access Policy that requires all external and guest users to do MFA.

Let us know if this answer was helpful to you or if you need additional assistance. If it was helpful, please remember to accept it so that others in the community with similar questions can more easily find a solution.

Anonymous

2022-05-20T01:00:23.52+00:00

Thanks Alfred. I also was surprised that why the Accept/Cancel prompt did not appear as the external user should consent to the privacy terms in our company. The only explanation came to my mind was that he was somehow already in our system. I have asked our Global Admins to reset MFA on the client's account as this seemed the only practical way to resolve it. I did not find any solution enabling a manual addition of the guest account to the authenticator app. Anyway, once we reset MFA for our user, on the next Sign In, he had the chance to set up MFA on his phone. I am wondering if someone resets his phone or remove the guest account from the authenticator app, then how they can re-add the account. It seems only resetting MFA through the Admins is the solution which it does not look very friendly.
Alfredo Revilla - Upwork Top Talent | IAM SWE SWA 27,526 Reputation points Moderator

2022-05-20T03:39:22.327+00:00

You're welcome @Anonymous ! Users can register a 2nd authentication app and also (enabled by default) SMS and email sign-in methods in Security Info. Now if none of those options are available to the user then it makes sense for an admin to be the only one allowed to reset their MFA settings.
Alfredo Revilla - Upwork Top Talent | IAM SWE SWA 27,526 Reputation points Moderator

2022-06-02T16:52:15.647+00:00

Hello @Anonymous , do you need additional assistance? If the answer was helpful, please remember to accept it so that others in the community with similar questions can more easily find a solution.

Share via

Azure AD guest invite seems to accept user without the first-time consent process?

0 additional answers

Your answer