A really good question that I came across was whether enabling security defaults on a tenant will enforce MFA for external guest users.
Here is what the documentation for security defaults says it will do, among other things, when enabled:
Require all users to register for Azure AD Multi-Factor Authentication
All users in your tenant must register for multi-factor authentication (MFA) in the form of the Azure AD Multi-Factor Authentication. Users have 14 days to register for Azure AD Multi-Factor Authentication by using the Microsoft Authenticator app. After the 14 days have passed, the user can’t sign in until registration is completed. A user’s 14-day period begins after their first successful interactive sign-in after enabling security defaults.
The question is whether “all users” includes external guest users who have been invited into a tenant for collaboration on Microsoft Teams, say. This is important because Microsoft is starting to enforce security defaults on all tenants.
Interestingly, none of the documentation seems to call out specifically whether “all users” does in fact include external guest users. After some digging I came across this post:
All users should be changed to all “member” users · Issue #78194 · MicrosoftDocs/azure-docs (github.com)
which has a response from someone at Microsoft that says:
“Follow up from the product group… Security defaults should apply to guest users as well.”
So it does indeed appear that security defaults apply to external guest users, but I wanted to be sure.
I took a generic Gmail account I use and invited that user into a demo tenant that didn’t have security defaults enabled.
That user went through the expected process of connecting to the tenant, using the email code verification process, until they could access the tenant.
I also verified that they appeared in the Azure AD for that tenant.
So everything as expected so far.
Next, I invited that same user to a Microsoft Team inside that tenant, and they could access that Team using the normal email code authentication process. I tried this a few times to ensure they could access the Team without needing anything but the usual email code. So far, so good.
I then went in and enabled security defaults for the tenant.
After waiting a few minutes to let the policies kick in, I tried to log in to Microsoft Teams directly as the external guest user again, and after providing a login and getting an email code I was prompted to enable MFA for the user, as seen above.
Selecting Next will take you through the standard MFA registration process as you see above.
It is therefore the case that if you enable security defaults for a tenant, all users, INCLUDING any external guest users, will be REQUIRED to enable MFA to access resources inside that tenant.
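Since the documentation does not spell this out, an admin enabling security defaults will want to know up front which guests are about to hit the 14-day registration requirement. The following script is an added example, not code from the original post: it reads the security defaults policy state and joins the directory's guest objects against the authentication methods registration report. It assumes the Microsoft.Graph PowerShell SDK is installed and that the signed-in account can consent to the three read-only scopes listed; the `$filter` on `userType` in the registration report is assumed to be supported by your tenant's Graph endpoint.

```powershell
# Added example (not from the original post). Lists guest users in the tenant
# and whether each has registered MFA in THIS tenant, plus the security
# defaults state. Read-only scopes only; nothing is changed.
# Assumption: Microsoft.Graph SDK installed (Install-Module Microsoft.Graph).
Connect-MgGraph -Scopes "Policy.Read.All", "User.Read.All", "AuditLog.Read.All"

# 1. Current state of security defaults on the tenant.
$policy = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy
Write-Host "Security defaults enabled: $($policy.IsEnabled)"

# 2. Every guest object in the directory (the #EXT# accounts that B2B invitations create).
$guests = Get-MgUser -Filter "userType eq 'Guest'" -All `
    -Property Id, UserPrincipalName, Mail, CreatedDateTime

# 3. MFA registration state from the authentication methods report, keyed by user id.
#    Assumption: server-side filter on userType is accepted; remove -Filter if it is rejected.
$registration = @{}
Get-MgReportAuthenticationMethodUserRegistrationDetail -Filter "userType eq 'guest'" -All |
    ForEach-Object { $registration[$_.Id] = $_ }

# 4. Join directory objects with their registration record. A guest missing from
#    the report has not signed in recently enough to appear and is treated as unregistered.
$report = foreach ($g in $guests) {
    $r = $registration[$g.Id]
    [pscustomobject]@{
        Guest         = $g.UserPrincipalName
        Mail          = $g.Mail
        Invited       = $g.CreatedDateTime
        MfaRegistered = if ($r) { [bool]$r.IsMfaRegistered } else { $false }
        Methods       = if ($r) { ($r.MethodsRegistered -join ',') } else { '' }
    }
}

$report | Sort-Object MfaRegistered, Guest | Format-Table -AutoSize

# 5. With security defaults on, every unregistered guest gets the registration prompt
#    on their next interactive sign-in and is blocked 14 days after that first sign-in.
$pending = @($report | Where-Object { -not $_.MfaRegistered })
if ($policy.IsEnabled) {
    Write-Host "$($pending.Count) guest(s) will be prompted to register MFA at next sign-in."
} else {
    Write-Host "$($pending.Count) guest(s) would be prompted if security defaults were enabled."
}
```

The registration report reflects methods registered in the resource tenant, so a guest who already uses MFA in their home tenant still shows as unregistered here; that matches the behaviour observed above, where the guest was prompted to register despite the invitation having been accepted with only an email code.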
This is important because Microsoft will be enabling security defaults on ALL tenants, as detailed here:
Raising the Baseline Security of all organizations in the World
“Based on usage patterns, we’ll start with organizations that are a good fit for security defaults. Specifically, we will start with customers who aren’t using Conditional Access, haven’t used security defaults before, and aren’t actively using legacy authentication clients.
Global admins of eligible tenants will be notified through email and the Microsoft 365 Message Center. Then, starting in late June, they’ll receive [a] following prompt during sign-in”
Since it is now June 2022, this process has commenced. You can disable security defaults, even after they have been enabled, per the details in the above link.
Given that I couldn’t find a specific answer about external guest users being impacted by security defaults, hopefully this now provides a reference for others looking for the same information.
2 thoughts on “Enabling security defaults will enforce MFA on external users”
Hi Robert, we are starting to see external users being prompted to set up MFA before they can access a shared link. This is even if they are already set up for MFA in their tenant. MS Authenticator will create a separate #EXT# entry that they need to use to log in.
Yes, MS has changed the approach with security defaults and external users.