Guests with Global Admin can not login to Azure Portal with Security Defaults Enabled, endless loop "Help us protect your account" after MFA completed

askpatrickw 26

Guests with Global Admin can not login to Azure Portal tenants with Security Defaults Enabled. We see an endless loop "Help us protect your account" after MFA is completed via Microsoft Authenticator app successfully.

Guests who are not Global Admin can login to Azure Portal.

Since the MFA has completed, this "privileged access" should be allowed shouldn't it?

Till Rebenich 1 Reputation point

2022-08-02T07:53:58.05+00:00

We're seeing the exact same problem, any news on that?
Sandeep G-MSFT 14,486 Reputation points Microsoft Employee

2022-08-02T12:21:50.537+00:00

@askpatrickw

Can you check and confirm if you have configured any "cross-tenant access settings" under Azure active directory >> External Identities?
If you have configured it, please share the screenshot of the settings which are configured
askpatrickw 26 Reputation points

2022-08-02T18:44:29.227+00:00

Thanks for your assistance.

Unfortunately, the one person who can still login, has insufficient permissions to see the cross tenant access settings.

What would be the best next step?
Till Rebenich 1 Reputation point

2022-08-03T06:19:10.443+00:00

I can provide a screenshot from our tenant if that helps:

It seems that the source of the problem is conditional access in combination with trust settings on that page. Unfortunately, both features are only available on AD Premium and cannot be changed.

So the only solution we have identified so far is to completely disable Security Defaults (Azure AD > Properties > Manage Security Defaults), which is not ideal. MFA and guest accounts are a common scenario in our business. We consider these features standards and are not going to purchase AD Premium just to enable them.
Sandeep G-MSFT 14,486 Reputation points Microsoft Employee

2022-08-03T10:03:01.767+00:00

@Till Rebenich

Thank you for sharing the screenshots. I wanted to see if you have added any organizations under external identities.
Can you share the screen shot of the page which you access from Azure active directory >> External Identities >> Cross-tenant access settings >> Organizational settings

Go to the above location and capture a screenshot.

Note: This has to be checked on the resource tenant where you have added the guest user.
Till Rebenich 1 Reputation point

2022-08-03T10:46:06.673+00:00

The Organizational Settings pane is blank; we have not configured any organizations there. Is this a requirement? And why did it work without those settings before August?
askpatrickw 26 Reputation points

2022-08-04T00:07:12.05+00:00

@Sandeep G-MSFT same situation here.

Cross-Tenant Access Settings are set to defaults.
No Organizations added.
askpatrickw 26 Reputation points

2022-08-05T19:45:43.443+00:00

@Sandeep G-MSFT any next steps for us to try?
Sandeep G-MSFT 14,486 Reputation points Microsoft Employee

2022-08-08T03:48:01.357+00:00

@askpatrickw

I will have to work with our product team to check this change in behavior. I will work with them and will post an answer once I get the solution for this change.
askpatrickw 26 Reputation points

2022-08-09T02:52:40.86+00:00

Setting the backup phone number for that tenant was indeed the fix.
Sandeep G-MSFT 14,486 Reputation points Microsoft Employee

2022-08-10T04:39:06.353+00:00

@askpatrickw

I wanted to inform you that I had taken this issue to our product team, and they are already aware of this issue. They are currently working on this to fix this issue at backend.
Below is the summary of issue,

• Guest users who are global admins are now required to register 2MFA methods
• When redirected to the registration page the users are immediately redirected back to the login page
• The login page sends them back to the registration page and this continues in a loop

For now, you can use the workaround, which is mentioned below,
For guest global admin users, we can use require re-register MFA feature to force guest users to reregister their MFA methods which will take them out of this infinite loop.

How to perform require re-register MFA for guest global users
https://learn.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-userdevicesettings

Our engineering team is still investigating the issue to fix this ASAP.

Accepted answer

jtcr 76 Reputation points

2022-08-05T19:02:20.08+00:00

@askpatrickw @Sandeep G-MSFT @Till Rebenich

I am also experiencing this issue across a couple tenants. Not specifically for guests, but for tenants that do have security defaults enabled.

I believe this is due to the change notated here: https://learn.microsoft.com/en-us/azure/active-directory/fundamentals/concept-fundamentals-security-defaults#authentication-methods

The only thing that has worked has been to manually add the cell phone number as an Authentication Method. Either through Azure AD or within the particular users Security Info at My Sign-Ins.

I hope this helps. I tried to force re-registration and all that, but wasn't able to resolve it without the manual add.

Hopefully Microsoft can implement a fix soon.
Please sign in to rate this answer.
askpatrickw 26 Reputation points

2022-08-05T19:44:51.947+00:00

Thank you for post, but this is not the answer.

Security Defaults enforces MFA.
In your answer, you are demonstrating one way to configure MFA.

In our scenario, MFA succeeds with the Authenticator app, but we're still not able to access the Tenant.

jtcr 76 Reputation points

2022-08-05T20:24:41.23+00:00

Yes - That was my experience as well. MFA succeeded with the Authenticator App, but then I was hit with the "Help us protect your account"

The only way I could then access the tenant was after I added the additional authentication method.

kiwi_cam 1 Reputation point

2022-08-09T02:19:40.14+00:00

For anyone else struggling to add a phone method, here's what I did:

Go to https://mysignins.microsoft.com/security-info

Sign in with the account you’re using – at this point we’re authenticating to its “home” tenant

Hit the network looking icon, top right. It’s actually ”Organizations”

Select the Tenant you’re attempting to access

Mash “Skip for now” until you can access your MFA settings – I had to do this twice. You will likely have to complete MFA verification

Add a Phone number as a backup authentication method

askpatrickw 26 Reputation points

2022-08-09T02:53:11.22+00:00

Setting the backup phone number for that tenant was indeed the fix.
Sign in to comment

1 additional answer

Sandeep G-MSFT 14,486 Reputation points Microsoft Employee

2022-08-11T06:29:58.877+00:00

@askpatrickw

We have got a solution for this now.
A code bug in the recent deployment at backend caused communication errors between two services that caused guest Global Admins to fail during additional auth method registration.

Impacted people were all global admin users who din't have phone method MFA registered. Our product team tried to add a additional requirement in security defaults, which requires atleast one phone method to be registered as MFA for all global admins.

There was some issue that happen during this code change at backend.
Currently our PG team has rolled back the changes and everything is back to normal for now.

Please confirm if your issue is also resolved.

Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
Please sign in to rate this answer.
askpatrickw 26 Reputation points

2022-08-14T06:05:14.733+00:00

Hi @Sandeep G-MSFT , I'm glad we were able to help the team identify and fix the issue. I can't accept this answer (as well as the other workaround) as I can't test it. But I'm sure you and the team fixed.

Thanks again for you help!
Sign in to comment