Recently we gave a customer access to a Team in our tenant; we conduct a lot of B2B collaboration.
As you know from my previous Guest account blog, this initially creates the individual in our tenant as an “Invited user” (Guest). Then, once they accept the invitation, and accept that Nero Blanco can read their public profile, their account becomes an “External Azure Active Directory” user.
For this customer, a number of users were able to access the Team in our organisation perfectly fine. However, for one of the guests, Azure would not let them set up MFA. They received the following:
“Your sign-in was blocked”
“We’ve detected something unusual about this sign-in. For example, you might be signing in from a new location, device, or app. Before you can continue, we need to verify your identity. Please contact your admin”
In our tenant we do mandate MFA for all accounts including Guests; however, this person did not get prompted to configure MFA as a guest in our tenant. They did have multiple MFA methods set up in their own tenant.
If we look at the Azure AD sign-in logs for the Nero Blanco tenant, it is asking for MFA; however, the user doesn’t get the option to register any MFA method for our tenant.
Sign-in error code: 53004
Failure reason: User needs to complete Multi-factor authentication registration process before accessing this content. User should register for multi-factor authentication.
In identity protection (within Security in AAD) there are no risky sign-ins, or risky users logged.
I must mention, at this juncture, that we have seen the guest try this in Internet Explorer, and that did actually resolve it; however, in this case it didn’t.
We then manually added their mobile phone number into their guest account in our tenant.
Sign-in error code: 50135
Failure reason: Password change is required due to account risk.
Whilst this did change the behaviour, it resulted in a never-ending loop of them being told their account is at risk: “Your account is at risk” – “To help you – and only you – get back into xxxxx, we need to verify your identity”.
They were then asked to change their password; they do not have a password in our tenant, nor would they have access to change it as a guest even if they did.
They did pass Conditional access at this juncture.
However, they eventually received the following error as well (Teams seems to wait quite a while before returning the error shown at the beginning of this post):
Sign-in error code: 50076
Failure reason: User did not pass the MFA challenge (non interactive).
There were no other errors in our tenant or the customer’s.
The Microsoft article quoted below gives us what is required to resolve it.
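Because guests never appear in the resource tenant’s risky users report (see the limitations quoted below), the sign-in log is the only place in our tenant where this loop is visible. The following is an added example, not from the original post, that pulls one guest’s recent sign-in failures with the Microsoft Graph PowerShell SDK and annotates the three error codes seen above. It assumes the Microsoft.Graph.Reports module and AuditLog.Read.All consent; the guest UPN is a placeholder.

```powershell
# Added example, not from the original post: list a guest's recent sign-in
# failures from the Azure AD sign-in logs and annotate the error codes that
# appear in this post. Assumes the Microsoft Graph PowerShell SDK
# (Microsoft.Graph.Reports module) with AuditLog.Read.All consent.
# The guest UPN below is a placeholder.
Connect-MgGraph -Scopes "AuditLog.Read.All" -NoWelcome

$guestUpn = "guest.user_contoso.com#EXT#@yourtenant.onmicrosoft.com"   # placeholder
$since    = (Get-Date).ToUniversalTime().AddDays(-7).ToString("yyyy-MM-ddTHH:mm:ssZ")

# Error codes seen in the post, with what each means for a B2B guest
$codes = @{
    53004 = "MFA registration required - the guest never got a registration prompt"
    50135 = "Password change required due to user risk - a guest has no password in the resource tenant"
    50076 = "MFA challenge not passed (non-interactive) - typically the client retrying after the block"
}

$filter  = "userPrincipalName eq '$guestUpn' and createdDateTime ge $since"
$signIns = Get-MgAuditLogSignIn -Filter $filter -All

$signIns |
    Where-Object { $_.Status.ErrorCode -ne 0 } |
    Select-Object CreatedDateTime, AppDisplayName, ConditionalAccessStatus,
        RiskLevelDuringSignIn, RiskState,
        @{ n = 'ErrorCode'; e = { $_.Status.ErrorCode } },
        @{ n = 'Meaning';   e = {
            if ($codes.ContainsKey($_.Status.ErrorCode)) { $codes[$_.Status.ErrorCode] }
            else { $_.Status.FailureReason } } } |
    Sort-Object CreatedDateTime -Descending |
    Format-Table -AutoSize
```

The RiskLevelDuringSignIn and RiskState columns are what tie the 50135 “password change” block back to the user risk policy: a guest whose sign-ins show a risk state but who never appears under Risky users is exactly the B2B case described below.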
Limitations of Identity Protection for B2B collaboration users
There are limitations in the implementation of Identity Protection for B2B collaboration users in the resource tenant due to their identity tenancy being in the home tenant. The main limitations are as follows:
1. If a guest user triggers the Identity Protection user risk policy to force password reset they will be blocked, due to the inability to reset passwords in the resource tenant.
2. Guest users do not appear in the risky users report due to the risk evaluation occurring in the home tenant.
3. Administrators cannot dismiss or remediate a risky B2B collaboration user in their resource tenant.
How do I prevent B2B collaboration users from being impacted by risk-based policies?
Excluding guest users from your risk-based policies will prevent guest users from being impacted or blocked due to their risk evaluation. To do this, create a group in Azure AD that contains all of your guest users. Then, add this group as an exclusion for your built-in Identity Protection user risk and sign-in risk policies, as well as any conditional access policies that use sign-in risk as a condition.
Once we excluded the guest user from the user risk policy, they were asked for their MFA details and could access the resource, in this case the customer’s Team.
Home > AAD Tenant > Security > Identity Protection | User risk policy > Users > Excluded
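The portal path above is how we made the change. As an added example that is not part of the original post, the same exclusion can be scripted with the Microsoft Graph PowerShell SDK: a dynamic group that always contains every guest, excluded from a user-risk policy. The built-in Identity Protection policy in the path above is edited only in the portal, so this example models the equivalent user-risk policy as a Conditional Access policy, which Graph can manage; it assumes Group.ReadWrite.All and Policy.ReadWrite.ConditionalAccess consent, and the group and policy names are the author’s own choices.

```powershell
# Added example, not from the original post: create a dynamic group of all guest
# accounts and exclude it from a risk-based Conditional Access policy. Assumes the
# Microsoft Graph PowerShell SDK with Group.ReadWrite.All and
# Policy.ReadWrite.ConditionalAccess consent. The built-in Identity Protection
# user risk policy is portal-only; this models the equivalent policy as
# Conditional Access, which Graph can create and manage.
Connect-MgGraph -Scopes "Group.ReadWrite.All", "Policy.ReadWrite.ConditionalAccess" -NoWelcome

# 1. Dynamic membership keeps the exclusion current as new guests are invited;
#    a static group would silently miss the next invited user.
$guests = New-MgGroup -DisplayName "All Guest Users (B2B)" `
    -MailEnabled:$false -MailNickname "allguestusers" -SecurityEnabled `
    -GroupTypes "DynamicMembership" `
    -MembershipRule '(user.userType -eq "Guest")' `
    -MembershipRuleProcessingState "On"

# 2. User-risk policy as Conditional Access: high user risk requires MFA plus a
#    password change for members, but guests are excluded because the resource
#    tenant cannot reset their password (the 50135 loop described in the post).
$policy = @{
    displayName = "Identity Protection - user risk (guests excluded)"
    state       = "enabledForReportingButNotEnforced"   # switch to "enabled" after reviewing report-only results
    conditions  = @{
        users          = @{ includeUsers = @("All"); excludeGroups = @($guests.Id) }
        applications   = @{ includeApplications = @("All") }
        userRiskLevels = @("high")
    }
    grantControls = @{
        operator        = "AND"
        builtInControls = @("mfa", "passwordChange")
    }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $policy

# 3. Verify: dynamic membership is evaluated asynchronously, so confirm the guest
#    actually landed in the group before relying on the exclusion.
Get-MgGroupMember -GroupId $guests.Id -All |
    ForEach-Object { $_.AdditionalProperties["userPrincipalName"] }
```

The same `excludeGroups` entry belongs on the sign-in risk policy and on any other Conditional Access policy that uses sign-in risk as a condition, as the quoted article says; the policy is created in report-only state so the effect on members can be checked in the sign-in logs before it is enforced.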