question

0 Votes
SravanAkkaram-3221 asked MarileeTurscak-MSFT answered

How the MFA works for B2B Users?

Users are MFA enabled in the Home Tenant, from which they are invited to collaborate in a Guest Tenant, and the Guest Tenant doesn't configure any MFA policies for these users.

When such users log in to the Azure Portal, would they be prompted for MFA by the Home Tenant before accessing the Guest Tenant, or is there any chance that they can directly access the Guest Tenant without any MFA prompt from the Home Tenant?

If yes, please let me know how they would be able to log in, so that I can work on enforcing MFA for those users in the Guest Tenant.

azure-ad-b2b

0 Votes
MarileeTurscak-MSFT answered MarileeTurscak-MSFT commented

Hi @SravanAkkaram-3221,


Yes, the user will receive an MFA prompt from the home tenant. If MFA is then enforced on the guest tenant, they'll have two separate MFA prompts - one from the home tenant and one from the guest tenant. They are two separate MFA registrations.

The inviting organization is always ultimately responsible for multi-factor authentication, and there isn't a way right now to "trust" the multi-factor authentication from the other tenant. This is documented in the FAQ, and there are detailed discussions around this topic in the partner forum and on GitHub.

The ability to trust MFA from the home tenant has been requested for a while, and if you would like to bubble this up with the product team you can make a request in the newly revised Ideas forum. I will also surface this back to their attention.

Let me know if this helps at all.


Thanks @MarileeTurscak-MSFT for the confirmation.

It would be great if you could also clarify the points below, based on your answers.


Earlier, the ability to trust MFA from the Home Tenant was confirmed by Microsoft, but now the recommendation is to enforce MFA in the inviting Tenant since we can't trust the MFA of the Home Tenant. So does this mean the Home Tenant MFA can be bypassed for users who access the Guest Tenant, or is it just to further enhance the security posture of the users?

I need to understand this, as most of our clients still trust that the Home Tenant MFA will be prompted for invited users, because users always log in to the Azure portal, satisfy the MFA of the Home Tenant, and then switch to the Guest Tenant directory. Is there any way that they can directly log in to the Guest Tenant directory so that the MFA of the Home Tenant would be bypassed? If so, then I hope it should be considered a security issue?



0 Votes

@MarileeTurscak-MSFT Awaiting your response on understanding this.

0 Votes

The MFA won't be bypassed. The user will just receive two separate MFA prompts (one for the home tenant and one for the guest tenant).

1 Vote
0 Votes
MarileeTurscak-MSFT answered

Update:

I wanted to follow up on this thread and mention that Microsoft just rolled out "Cross Tenant Access Settings" for M365/Azure B2B. This means:

1) External guest users will no longer be double-prompted for multi-factor authentication by their home tenant and the destination tenant.
2) You can restrict which organizations your employees can authenticate against (previously this required a network proxy solution).


Collaborate More Securely With New Cross-Tenant Access Settings



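The cross-tenant access settings mentioned in the update are configured by the inviting (resource) tenant, which decides whose home-tenant MFA claim it accepts. As an added example, not from this thread or from Microsoft's documentation, this Microsoft Graph PowerShell script trusts the MFA claim for one named partner tenant while leaving the tenant-wide default untrusted; `<PARTNER-TENANT-ID>` is a placeholder for the home tenant of the invited users.

```powershell
# Added example: accept home-tenant MFA claims from one partner tenant only.
# Uses the Microsoft.Graph.Identity.SignIns module and needs the
# Policy.ReadWrite.CrossTenantAccess permission.
# <PARTNER-TENANT-ID> is a placeholder for the guests' home tenant ID.

Connect-MgGraph -Scopes "Policy.ReadWrite.CrossTenantAccess"

$partnerTenantId = "<PARTNER-TENANT-ID>"

# 1. Keep the tenant-wide default at "do not trust": guests from any other
#    tenant still have to satisfy this tenant's own MFA requirement.
Update-MgPolicyCrossTenantAccessPolicyDefault -InboundTrust @{
    IsMfaAccepted                       = $false
    IsCompliantDeviceAccepted           = $false
    IsHybridAzureADJoinedDeviceAccepted = $false
}

# 2. Create or update the partner-specific configuration and accept the MFA
#    claim from that home tenant, so its guests are not double-prompted.
$trustMfa = @{ IsMfaAccepted = $true }
$existing = Get-MgPolicyCrossTenantAccessPolicyPartner `
    -CrossTenantAccessPolicyConfigurationPartnerTenantId $partnerTenantId `
    -ErrorAction SilentlyContinue

if (-not $existing) {
    New-MgPolicyCrossTenantAccessPolicyPartner -TenantId $partnerTenantId -InboundTrust $trustMfa
} else {
    Update-MgPolicyCrossTenantAccessPolicyPartner `
        -CrossTenantAccessPolicyConfigurationPartnerTenantId $partnerTenantId `
        -InboundTrust $trustMfa
}

# 3. Verify which inbound claims are now accepted from the partner tenant.
(Get-MgPolicyCrossTenantAccessPolicyPartner `
    -CrossTenantAccessPolicyConfigurationPartnerTenantId $partnerTenantId).InboundTrust | Format-List
```

Trusting the claim only removes the second prompt: a Conditional Access policy in the inviting tenant that requires MFA for guests still applies, and is satisfied by the home tenant's MFA.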