1
votes

I have AAD with a custom enterprise sign-on page and multi-factor authentication enabled. When logging in to any of the applications registered in this AAD, MFA is enforced. Now, I want to enforce MFA even when somebody adds accounts from this AAD as guests to some external AAD.

However, when I create a new AAD and add guest users from the previous AAD (with MFA enabled), MFA is not enforced. For example, I create VSTS connected to this newly created AAD, log in with my company account (which is a guest here), I go to our custom ESO, but I'm logged in without MFA.

Now, where is the problem? In the parent AAD or in the newly created AAD?


1 Answer

1
votes

The best way to ensure that the guest users require MFA is to create a group policy for conditional access and check the box "Require MFA" for all members of that group.

Please see if this blog post helps. It outlines in detail how to enable/require MFA for external users.

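As an added illustration of the answer above (not code from the original answer or from Microsoft), this is what such a Conditional Access policy looks like when created in the tenant the guest signs in to, using the Microsoft.Graph PowerShell module; the emergency-access object ID is a placeholder and the module/admin consent are assumed.

```powershell
# Added example: Conditional Access policy in the RESOURCE tenant (the new AAD
# where the company account is a guest) that requires MFA for every guest or
# external user on every application.
# Assumes the Microsoft.Graph module is installed and the signed-in admin can
# consent to the scope below.

Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

# Placeholder: object ID of the emergency-access (break-glass) account that
# must never be locked out by this policy.
$breakGlassId = "<OBJECT-ID-OF-EMERGENCY-ACCESS-ACCOUNT>"

$policy = @{
    displayName = "Require MFA for guest and external users"
    # Start in report-only mode: the sign-in log then shows which guest
    # sign-ins WOULD have been challenged, without locking anyone out.
    # Change to "enabled" once the report-only results look right.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        clientAppTypes = @("all")
        applications   = @{ includeApplications = @("All") }
        users          = @{
            includeUsers = @("GuestsOrExternalUsers")
            excludeUsers = @($breakGlassId)
        }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy

# Check: read the policy back and confirm it targets guests and grants on MFA
# before switching it from report-only to enabled.
Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id |
    Select-Object DisplayName, State,
        @{ n = 'IncludeUsers'; e = { $_.Conditions.Users.IncludeUsers -join ',' } },
        @{ n = 'Grant';        e = { $_.GrantControls.BuiltInControls -join ',' } }
```

The policy has to live in the tenant the guest signs in to, because a resource tenant does not by default trust MFA claims from the guest's home tenant; the guest is challenged there and registers a method in that tenant on first sign-in.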