1
votes

I manage my Azure Active Directory - MyProjectAAD. I've added external users as guest from another Azure Active Directory - MyCompanyAAD

When [email protected] wants to log in to the app that is registered in MyCompanyAAD, two-factor authentication is enforced. Note: the user is redirected to a custom Enterprise Sign On page and a custom second authentication page.

However, when the same user wants to log in to the app that is registered in MyProjectAAD, where he is a guest, two-factor authentication is not enforced, and I want to enforce it. The user is only redirected to the same custom Enterprise Sign On page as in the previous case, but not to a second-factor authentication page.

How do I enable two factor authentication for guest users in my Azure Active Directory?


1 Answer

0
votes

You can use Azure Conditional access to achieve that.

NOTE: This feature needs AAD Premium to create your own policies for your scenario.

1. Create a Dynamic Access Group of "External User" accounts

  • Login to AzureAD Portal, and navigate to Azure Active Directory -> Users and Groups -> All groups and click on New Group

  • Give your group a friendly name, description, and select Membership type of Dynamic User. If you do not see this Membership type, it may be that you do not have AzureAD Premium licenses in your subscription. (See licensing requirements below)

  • Select Add dynamic query, and create a Simple Rule in which you add users where userType Equals Guest

  • Click Add query -> Create in order to make the dynamic group

NOTE: It will take some time for the group to populate.

2. Create a Conditional Access Policy for the specific Enterprise App.

  • Login to AzureAD Portal, and navigate to Enterprise applications -> Select the specific app -> Conditional access to show all Conditional access policies, and then click on New Policy

  • On the New blade, in the name text box, type a friendly name for the policy

  • On the Users and Groups blade, select Include -> Select users and group -> Select

  • Search for the External Users group you created in the previous step and select that group

  • On the Conditions blade, select Locations. Select Yes for Configure. Include Any Location.

  • Apply these by selecting the Done buttons

  • On the Grant blade, select Grant Access and Require Multi-Factor Authentication. Click Select to apply the Grant restrictions.

  • Finally, toggle the Enable policy button to On, and then Create the policy

Here is a blog post written by Kevin Kirkpatrick; you can refer to it to enforce Multi-Factor Authentication for External Users on a specific app.
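The same two steps scripted with Microsoft Graph PowerShell, as an added example that is not part of the answer above. The group name, the policy name and the `<APP-CLIENT-ID>` placeholder are assumptions you must replace; the script also starts the policy in report-only mode so the sign-in logs can be checked before it is enforced.

```powershell
# Added example (not from the answer): dynamic guest group + Conditional Access policy
# via Microsoft Graph PowerShell. Requires the Microsoft.Graph module and an
# AAD Premium licence in the tenant (MyProjectAAD), as the answer notes.
Import-Module Microsoft.Graph.Groups
Import-Module Microsoft.Graph.Identity.SignIns

# Admin consent for these scopes is required in the tenant.
Connect-MgGraph -Scopes "Group.ReadWrite.All", "Policy.ReadWrite.ConditionalAccess", "Application.Read.All"

# Step 1: dynamic security group of guest accounts. The membership rule is the
# one the portal builds from the "userType Equals Guest" simple rule.
$group = New-MgGroup -DisplayName "External Users" `
    -Description "All B2B guest accounts (dynamic membership)" `
    -MailEnabled:$false -MailNickname "externalusers" -SecurityEnabled:$true `
    -GroupTypes @("DynamicMembership") `
    -MembershipRule '(user.userType -eq "Guest")' `
    -MembershipRuleProcessingState "On"
# Membership is evaluated asynchronously; the policy below only takes effect
# for a guest once the group has populated.

# Step 2: Conditional Access policy scoped to that group and one enterprise app.
# <APP-CLIENT-ID> is a placeholder for the app's application (client) ID.
$params = @{
    displayName = "Require MFA for guests on MyProjectApp"
    # Report-only first; switch to "enabled" once the sign-in logs look right.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users        = @{ includeGroups = @($group.Id) }
        applications = @{ includeApplications = @("<APP-CLIENT-ID>") }
        locations    = @{ includeLocations = @("All") }   # "Any location" in the portal
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")                        # Require multi-factor authentication
    }
}
$policy = New-MgIdentityConditionalAccessPolicy -BodyParameter $params

# Verify the policy before enforcing it.
Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $policy.Id |
    Select-Object DisplayName, State
```

To enforce the policy after reviewing report-only results, update its `state` to `"enabled"` with `Update-MgIdentityConditionalAccessPolicy`.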