Azure external user in 2FA loop when trying to access SharePoint

Axyrium
2023-09-13T21:09:09.1666667+00:00

When a SharePoint site is shared with an external user who already has an active 'guest account', they click on the link and are then required to set up 2FA ('Your organization needs more information') before accessing the site, but get stuck in a loop.

They get redirected to set up the 2FA, which is successful. However, when clicking 'Done' to continue signing in, it takes them back to the 'Your organization needs more information' prompt and back into setting up 2FA. Clicking 'Next' takes them to a screen which says that MFA is already set up and to click 'Done' to continue signing in. However, clicking 'Done' (there is no other option) takes them right back to the 'Your organization needs more information' screen.

Azure shows that their 2FA device registered successfully. I have tried revoking 2FA sessions and requiring 2FA re-registration, but that doesn't fix it.

We are using Azure security defaults, so there are no conditional access policies configured. Sign-in logs show sign-in status as 'interrupted', authentication as 'succeeded' and Result detail = 'redirected to external provider for MFA' (the provider was set up using MS Authenticator, but it fails in the same way using alternative 2FA methods).

Users can skip the MFA requirement by selecting 'ask later', but some users only have a few days left before setting up MFA is required. This is happening for multiple external accounts, both real accounts and test accounts that I have created.

Why is this happening?

SharePoint
Microsoft Entra ID

2 answers
  1. 2023-09-14T21:20:49.2966667+00:00

    Hello @Axyrium , in order to fix the "Your organization needs more information" message infinite prompt try disabling Azure AD Security Defaults and then revoking 2FA sessions, re-requiring 2FA registration for the affected users, and finally re-enabling Security Defaults.

    If the issue persists, please collect a network trace in the browser and send us the exported HAR file to azcommunity@microsoft.com with Subject: Attn: Alfredo Revilla.

    Let us know if you need additional assistance. If the answer was helpful, please accept it and rate it so that others facing a similar issue can easily find a solution.


  2. Axyrium
    2023-10-16T16:43:36.5866667+00:00

    Hi Alfredo,

    It turned out that we had both security defaults AND Multifactor Authentication Registration Policy (MARP) enabled, which should not be possible to have both enabled at the same time. (Multifactor Authentication Registration Policy is under Azure/Security/Identity Protection).

    You can't enable Security Defaults if MARP is enabled, but for some reason you can enable MARP if Security Defaults is enabled. Clearly a bug that MS should fix.

    Because we are using Security Defaults, I disabled Multifactor Authentication Registration Policy and it resolved the issue.

    Thank you
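A read-only triage script for the situation described in this thread, added here as an example and not code from the poster or from Microsoft. It assumes the Microsoft Graph PowerShell SDK is installed, that the account running it can consent to the listed read scopes, and that the guest's UPN is supplied as a parameter (the `user_example.com#EXT#@contoso.onmicrosoft.com` form in the comment is a placeholder). It reports the tenant-level settings that can conflict (Security Defaults, Conditional Access), the guest's registered methods, and the recent interrupted sign-ins; the Identity Protection MFA registration policy that turned out to be the cause is not exposed by these cmdlets, so the script only reminds you to check it in the portal.

```powershell
# Added example: triage a guest stuck in the "Your organization needs more information" loop.
# Requires the Microsoft.Graph PowerShell SDK (Install-Module Microsoft.Graph).
# $GuestUpn is a placeholder; guest UPNs look like "user_example.com#EXT#@contoso.onmicrosoft.com".
param(
    [Parameter(Mandatory = $true)]
    [string]$GuestUpn
)

# Read-only scopes only: nothing below changes tenant state.
Connect-MgGraph -Scopes "Policy.Read.All", "User.Read.All",
                        "UserAuthenticationMethod.Read.All", "AuditLog.Read.All" | Out-Null

# 1. Is Security Defaults enforced? The poster's tenant had it enabled.
$sd = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy
Write-Host "Security Defaults enabled: $($sd.IsEnabled)"

# 2. Conditional Access policies. These are mutually exclusive with Security Defaults,
#    so any entry here alongside IsEnabled = True is a policy-layer conflict worth noting.
$ca = @(Get-MgIdentityConditionalAccessPolicy)
Write-Host "Conditional Access policies: $($ca.Count)"
foreach ($p in $ca) { Write-Host "  - $($p.DisplayName) [$($p.State)]" }

# 3. The guest object: confirm it really is a guest and that the invitation was accepted.
#    A filter is used rather than -UserId because guest UPNs contain '#'.
$user = Get-MgUser -Filter "userPrincipalName eq '$GuestUpn'" `
                   -Property Id, UserPrincipalName, UserType, ExternalUserState
if (-not $user) { throw "No user found for $GuestUpn" }
Write-Host "User: $($user.UserPrincipalName) type=$($user.UserType) state=$($user.ExternalUserState)"

# 4. Registered authentication methods. In the thread, Authenticator showed as registered
#    here even though sign-in kept demanding registration.
$methods = Get-MgUserAuthenticationMethod -UserId $user.Id
foreach ($m in $methods) {
    Write-Host "  method: $($m.AdditionalProperties['@odata.type'])"
}

# 5. Recent sign-ins for the guest: a run of 'interrupted' entries with the same
#    error code and detail is the signature of the loop described above.
$signins = Get-MgAuditLogSignIn -Filter "userId eq '$($user.Id)'" -Top 25
$signins | Select-Object CreatedDateTime, AppDisplayName,
    @{ n = 'ErrorCode'; e = { $_.Status.ErrorCode } },
    @{ n = 'Detail';    e = { $_.Status.AdditionalDetails } } |
    Format-Table -AutoSize

# 6. The Identity Protection MFA registration policy is not readable through these
#    cmdlets. If Security Defaults is on, it must be confirmed as disabled in the portal.
if ($sd.IsEnabled) {
    Write-Warning ("Security Defaults is on. Check Protection > Identity Protection > " +
                   "Multifactor authentication registration policy in the Entra portal " +
                   "and make sure it is disabled; both enabled together caused this loop.")
}
```

Run it as `.\Triage-GuestMfaLoop.ps1 -GuestUpn '<guest UPN>'` from a session that can consent to the read scopes. Because everything here is read-only, it is safe to run before trying the disable/revoke/re-enable sequence from the first answer, and again afterwards to confirm the interrupted sign-ins have stopped.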