A mission-critical app registers only a single Tenant ID, and all users (paid and volunteer) must be under that tenant (I work in a nonprofit organisation).
A new board directive requires us to maintain existing Conditional Access for staff and change to enforce MFA for volunteers. We cannot afford to license volunteers with AAD premium to enable MFA under conditional access.
Security Defaults can enable MFA on free tier accounts but cannot be enabled while Conditional Access is in place for any users.
The simplest option is to accept the security provided by Security Defaults and apply them to all users. However, that has been rejected.
I only have limited access so I cannot test.
My thought is to use a new directory with Security Defaults and invite users from the original directory who are secured by Conditional Access:
1. Start by creating a new directory
2. Enable Security Defaults on the new directory
3. Add all Volunteers to the new directory
4. Invite all Staff from the original directory
5. Delete all non-staff from the original directory
Then we have two directories: the original is a subset with Staff secured by existing conditional access, and the new is a superset with Volunteers secured by MFA under Security Defaults and as guests Staff (secured by conditional access in the original directory).
If we register the Tenant ID of the new directory with the app, then we meet all criteria albeit with an ugly split in the management for the admin, but at least under a single tenancy.
Can anyone suggest a better method, either via B2C or another method? Is there a flaw with my plan?
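The steps 2 to 4 above, scripted as an added example (this is not code from the original post, and the poster says they cannot test it). It assumes the Microsoft Graph PowerShell SDK, an admin account in the NEW directory, and two constructed CSV files (`volunteers.csv` with DisplayName, MailNickname and Upn columns; `staff.csv` with a Mail column exported from the original directory). Step 1 (creating the directory) is done in the portal and is not scripted here. The check before enabling Security Defaults exists because, as the post notes, Security Defaults cannot be enabled while any Conditional Access policy is present.

```powershell
# Added example, not part of the original post. Assumes Microsoft Graph PowerShell SDK
# and that you are signed in to the NEW directory (the one that will hold the app's Tenant ID).
Connect-MgGraph -Scopes "Policy.Read.All","Policy.ReadWrite.ConditionalAccess","User.ReadWrite.All","User.Invite.All"

# Step 2: Security Defaults cannot coexist with Conditional Access policies, so confirm none exist
# in the new directory before enabling them.
$caPolicies = Get-MgIdentityConditionalAccessPolicy
if ($caPolicies.Count -gt 0) {
    throw "Cannot enable Security Defaults: Conditional Access policies exist: $($caPolicies.DisplayName -join ', ')"
}
Update-MgPolicyIdentitySecurityDefaultEnforcementPolicy -IsEnabled:$true
$sd = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy
if (-not $sd.IsEnabled) { throw "Security Defaults did not enable" }
Write-Host "Security Defaults enabled in new directory"

# Step 3: create the Volunteer accounts as members of the new directory.
# volunteers.csv is a constructed input file with columns: DisplayName, MailNickname, Upn
$volunteers = Import-Csv -Path .\volunteers.csv
foreach ($v in $volunteers) {
    $profile = @{
        ForceChangePasswordNextSignIn = $true
        Password                      = [System.Guid]::NewGuid().ToString()   # throwaway initial password
    }
    New-MgUser -DisplayName $v.DisplayName -MailNickname $v.MailNickname `
        -UserPrincipalName $v.Upn -AccountEnabled:$true -PasswordProfile $profile | Out-Null
    Write-Host "Created volunteer $($v.Upn)"
}

# Step 4: invite Staff from the original directory as guests. They keep authenticating in the
# original directory, where the existing Conditional Access policies apply.
# staff.csv is a constructed input file with a single column: Mail
$staff = Import-Csv -Path .\staff.csv
foreach ($s in $staff) {
    $inv = New-MgInvitation -InvitedUserEmailAddress $s.Mail `
        -InviteRedirectUrl "https://myapps.microsoft.com" -SendInvitationMessage:$true
    Write-Host ("Invited {0}: {1}" -f $s.Mail, $inv.Status)
}

# Final check: every guest and member in the new directory, so the admin can confirm the split
Get-MgUser -All -Property DisplayName,UserPrincipalName,UserType |
    Select-Object DisplayName, UserPrincipalName, UserType |
    Sort-Object UserType, UserPrincipalName
```

One check worth doing before committing to this design: Security Defaults apply to every account that signs in to the new directory, guests included, so Staff may be prompted to register MFA a second time in the new directory unless cross-tenant access settings are configured to trust MFA claims from the original directory. Run a single invited Staff account through the app's sign-in before migrating everyone.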