azure-docs
ExternalAzureAD user not being sent to primary tenant for MFA
"During authentication, Azure AD will check a user's credentials for a claim that the user has completed MFA. If not, an MFA challenge will be initiated in the user's home tenant" (My Emphasis)
I don't think this part is accurate. In the situation where the External Access policy is set to Inbound Access > Defaults > Trust MFA: Disabled, and an external user is not overridden under a more specific Organization entry, what I am seeing right now is that the user is prompted for "Your Organization requires ...".

ExtUser@ExternalAzureADOrg has MFA set up within ExternalAzureADOrg, and has MFA'd into the Teams client for the @ExternalAzureADOrg tenant there.

In User@PrimaryTenant Teams > Invite external User > enter ExtUser@ExternalAzureADOrg > ExtUser receives invite > ExtUser accepts invite.

Then when ExtUser tries to access the Team, it only validated Single-Factor from @ExternalAzureADOrg, but CA Policies try to force registration, so the ExtUser's sign-in is interrupted and they are prompted with "More Information Required".

But once the user hits the next/continue/register button, they are attempted to register for MFA in the PrimaryTenant under their #EXT# user, but this is denied in every configuration I could find.
Based on the documentation, the user should be sent to their home tenant/ExtAzureADOrg tenant to get MFA, but it seems like since this is not allowed under default it is resulting in a non-specific error message preventing them from registering for any MFA in the "PrimaryTenant" with the Teams they are invited to access.

The registration shows the ExternalAzureADOrg tenant, where I already have MFA registered.

On hitting "Next", it redirects me through a few pages - AzureAD ProofUp, MySecurityInfo, and then eventually to the "Register for Microsoft Authenticator" - but now I am within the "PrimaryTenant", confirmed by the logo shown in the top-left.

And it attempts to register the MFA Method on the #EXT# user within the "PrimaryTenant".

Separately, I had a lot of problems with this over the past week of troubleshooting, but I finally found I could enable the Trust MFA options and get it to pass the MFA Claims over with it.

I still have some other customer tenants sharing MFA Claims even as they are not explicitly configured to, even in the "Default" or Org-Specific External Access policies, but I guess that is somehow grandfathered in.

This highlighted area "If not, an MFA challenge will be initiated in the user's home tenant" seems like it has two things that I don't see as correct:

A) It does not send MFA Challenges back to the user's Home tenant - above called "ExternalAzureADOrg" - (or it is silently attempting to and failing to get the claim it wants without giving me an error that I can find), and

B) It is possibly falling back to trying to force MFA Registration in the "Resource Tenant" - which above I have been calling the "PrimaryTenant" - because CA Policies are requiring MFA and there is not yet an MFA Claim available for it.

Again, I had difficulty with part B) completing successfully before last week - though, while writing this up, I cannot replicate it now with my test tenants - it is just letting me register for varieties of Authenticator App, where before it was throwing an error that it could not access the forms for registering for MS Auth, and only worked if I used Admin rights and manually added a Phone-Number Auth method on the #EXT# user through the Azure AD Portal. After which I could still not register for any MFA Methods within the "Home"/PrimaryTenant tenant.
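As an added example (not code from the issue, the linked docs article, or Microsoft), the following PowerShell uses the Microsoft Graph PowerShell SDK to audit the inbound Trust MFA setting described above at both the Default and per-Organization level, to set it for one partner tenant, and to pull the resource tenant's recent sign-in records for the external user so you can see whether the partner's MFA claim was actually accepted. The partner tenant ID and UPN are placeholders standing in for "ExternalAzureADOrg" and "ExtUser"; the cmdlet and property names are those of the Microsoft.Graph.Identity.SignIns and Microsoft.Graph.Reports modules, and filtering the sign-in log by userPrincipalName is an assumption about how the external user appears in the resource tenant's logs.

```powershell
# Added example, not from the issue or the linked docs article.
# Requires the Microsoft Graph PowerShell SDK (Microsoft.Graph.Identity.SignIns, Microsoft.Graph.Reports).
# Placeholders: the tenant ID and UPN below stand for "ExternalAzureADOrg" / "ExtUser" in the post.
$PartnerTenantId = '00000000-0000-0000-0000-000000000000'
$ExternalUserUpn = 'ExtUser@ExternalAzureADOrg.example'

# Policy.ReadWrite.CrossTenantAccess is only exercised by Set-InboundMfaTrust; drop it for a read-only audit.
Connect-MgGraph -Scopes 'Policy.Read.All', 'Policy.ReadWrite.CrossTenantAccess', 'AuditLog.Read.All' -NoWelcome

function Get-InboundMfaTrustReport {
    # The Default inbound trust applies to every external org that has no partner entry of its own.
    $default    = Get-MgPolicyCrossTenantAccessPolicyDefault
    $defaultMfa = [bool]$default.InboundTrust.IsMfaAccepted

    [pscustomobject]@{ Scope = 'Default'; TenantId = '-'; TrustMfa = $defaultMfa; Source = 'default' }

    # A partner entry whose IsMfaAccepted is $null carries no override and inherits the Default.
    foreach ($partner in Get-MgPolicyCrossTenantAccessPolicyPartner -All) {
        $explicit = $partner.InboundTrust.IsMfaAccepted
        $inherits = ($null -eq $explicit)
        $trustMfa = if ($inherits) { $defaultMfa } else { [bool]$explicit }
        $source   = if ($inherits) { 'inherited' } else { 'explicit' }
        [pscustomobject]@{
            Scope    = 'Organization'
            TenantId = $partner.TenantId
            TrustMfa = $trustMfa
            Source   = $source
        }
    }
}

function Set-InboundMfaTrust {
    param(
        [Parameter(Mandatory)] [string] $TenantId,
        [bool] $AcceptMfa = $true
    )
    # Accept (or stop accepting) the partner tenant's MFA claim for inbound access, creating the
    # Organization entry if the partner is still covered only by the Default.
    $body = @{ inboundTrust = @{ isMfaAccepted = $AcceptMfa } }
    $existing = Get-MgPolicyCrossTenantAccessPolicyPartner `
        -CrossTenantAccessPolicyConfigurationPartnerTenantId $TenantId -ErrorAction SilentlyContinue
    if ($existing) {
        Update-MgPolicyCrossTenantAccessPolicyPartner `
            -CrossTenantAccessPolicyConfigurationPartnerTenantId $TenantId -BodyParameter $body
    } else {
        $body['tenantId'] = $TenantId
        New-MgPolicyCrossTenantAccessPolicyPartner -BodyParameter $body
    }
}

function Get-ExternalSignInSummary {
    param([Parameter(Mandatory)] [string] $Upn, [int] $Top = 25)
    # Resource-tenant view of the external user's recent sign-ins: which cross-tenant path was used
    # (b2bCollaboration vs b2bDirectConnect), whether the request ended up requiring MFA, and how CA
    # evaluated it. The UPN filter is an assumption about how the external user is logged here.
    Get-MgAuditLogSignIn -Filter "userPrincipalName eq '$Upn'" -Top $Top |
        Select-Object CreatedDateTime, HomeTenantId, CrossTenantAccessType,
                      AuthenticationRequirement, ConditionalAccessStatus,
                      @{ Name = 'ErrorCode'; Expression = { $_.Status.ErrorCode } }
}

Get-InboundMfaTrustReport | Format-Table -AutoSize
Get-ExternalSignInSummary -Upn $ExternalUserUpn | Format-Table -AutoSize
# Set-InboundMfaTrust -TenantId $PartnerTenantId   # the Trust MFA change the post reports as making the claim pass
```

In the report, a partner row whose TrustMfa is False with Source 'inherited' is the configuration the post describes: the partner's MFA claim is not accepted, so a Conditional Access policy in the resource tenant that requires MFA has to be satisfied locally instead. The sign-in summary lets you confirm that from the resource tenant's side before and after flipping the setting, rather than inferring it from the interrupted registration flow.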
Document Details
⚠ Do not edit this section. It is required for learn.microsoft.com ➟ GitHub issue linking.
- ID: 310a93ba-3200-57c9-dfc3-b2d93b4ccd96
- Version Independent ID: 23308221-2551-4bcf-8077-d9c2317c5170
- Content: Configure B2B direct connect cross-tenant access - Azure AD - Microsoft Entra
- Content Source: articles/active-directory/external-identities/cross-tenant-access-settings-b2b-direct-connect.md
- Service: active-directory
- Sub-service: b2b
- GitHub Login: @msmimart
- Microsoft Alias: mimart
@PsychoData Thanks for your feedback! We will investigate and update as appropriate.
Hi @PsychoData Thank you for your feedback! I'd recommend working closer with our support team via an [Azure support request](https://docs.microsoft.com/en-us/azure/azure-portal/supportability/how-to-create-azure-support-request). Or you can leverage our Q&A forum by posting your issue there so our community and MVPs can further assist you in troubleshooting this issue or finding potential workarounds: the [Teams Q&A forum](https://docs.microsoft.com/en-us/answers/topics/46488/office-teams-windows-itpro.html) for technical questions about the configuration and administration of Microsoft Teams on Windows.
Thank you for your time and patience throughout this issue.