Azure AD tenant guests not prompted to register for MFA during invitation acceptance.

Question

I have an Azure AD tenant, using an Azure AD Free license. The tenant has Security Defaults enabled and has been in that state from the initial creation of the tenant. All users in the tenant, other than the tenant creator, are Guests.

The invitees come from different sources. Some are from a separate AD tenant within the same subscription, others are from external Microsoft accounts that are outside of my control.

During the registration process, some users are prompted to configure MFA authentication methods; others are not.

There appears to be a connection between the source tenant of the invitee and whether the MFA prompts occur. Invitees from the AD tenant within the same subscription are prompted. The invitees from unknown sources are not.

Based on my reading of the documentation regarding MFA and Security Defaults, I believe everyone should be required to register MFA in some supported form within 14 days of the initial sign-in. My experience so far has not borne this out.

Is this a misunderstanding or Security Defaults, or a misconfiguration? How does one ensure that all users within an tenant use MFA within the Azure AD Free license?

Answer 1

If you are using a new tenant, it can sometimes take a while for these settings to kick in. Usually it's instant but I have observed rare cases where it takes a week or two.

Since you are using the free version with security defaults enabled, you only use a subset of the MFA features and the users can only authenticate using the Authenticator app.

This may require a support case to further diagnose, so I have included the support information in a private comment.

Answer 2

Thank you for the response.

The tenant in question is many months old and a subset of the tenant members are being prompted.

My experience with this Q&A forums is exceptionally limited, where would I find the private comment that you referenced?