EXT-02: Require MFA for Guest Users
Overview
Guest accounts often have weaker security than internal accounts. Requiring MFA for guests ensures external collaborators meet the same authentication standards as your employees.
This control ensures guest and external users are covered by a Conditional Access (CA) policy that enforces MFA on every sign-in, and that cross-tenant trust settings do not allow guests to bypass your MFA requirement by presenting a claim from their home tenant.
TrueConfig can enforce this control with one click. It ensures a CA policy is in place that includes all users (which includes guests) and requires MFA. You can also configure this manually using the steps below.
Severity: Medium | Minimum Level: 1 | Mode: Advisory (one-click enable, auto-remediation allowed)
Prerequisites
Required Roles
- Global Administrator or Security Administrator - Can create and modify Conditional Access policies
- Conditional Access Administrator - Can manage CA policies
Required Licenses
- No specific license is required for this control itself. However, Conditional Access is an Entra ID P1 feature. You need Entra ID P1 (or a license bundle that includes it, such as Microsoft 365 Business Premium or E3/E5) to create or modify CA policies.
Time Estimate
- Review existing CA policies: 10 minutes
- Create or update CA policy: 15 minutes
- Verify trust settings: 10 minutes
Step-by-Step Instructions
Step 1: Confirm That Guests Are Included in Your MFA Policy
Guest users have the user type Guest in Entra ID. A CA policy targeting "All users" already covers guests. A policy targeting only "All members" does not.
- Navigate to Microsoft Entra admin center (https://entra.microsoft.com)
- Go to Protection → Conditional Access → Policies
- Open each policy that requires MFA
- Under Users → Include, confirm the scope is set to All users (not "All member users" or a specific group that excludes guests)
- If any MFA policy excludes guests, proceed to Step 2 to fix it
PowerShell audit
Connect-MgGraph -Scopes "Policy.Read.All"
# List CA policies that require MFA, with their user include scope
$policies = Get-MgIdentityConditionalAccessPolicy -All
foreach ($policy in $policies) {
    $includeUsers  = $policy.Conditions.Users.IncludeUsers
    $includeGroups = $policy.Conditions.Users.IncludeGroups
    # Newer policies scope guests through this object instead of IncludeUsers
    $includeGuests = $policy.Conditions.Users.IncludeGuestsOrExternalUsers.GuestOrExternalUserTypes
    $grantControls = $policy.GrantControls.BuiltInControls
    if ($grantControls -contains "mfa") {
        Write-Host "Policy: $($policy.DisplayName)"
        Write-Host "  Include users:  $($includeUsers -join ', ')"
        Write-Host "  Include groups: $($includeGroups -join ', ')"
        Write-Host "  Include guests: $includeGuests"
        Write-Host "  State: $($policy.State)"
        Write-Host ""
    }
}
A policy with IncludeUsers set to All covers guests. The legacy IncludeUsers value GuestsOrExternalUsers, or a populated IncludeGuestsOrExternalUsers object (the newer form, used by the Step 2 script), explicitly targets guests only. Either approach is acceptable.
Step 2: Create or Update a CA Policy to Include Guests
If no MFA policy covers guests, create one or update an existing policy.
Option A: Update an existing MFA policy
- Open the policy in Conditional Access → Policies
- Click Users
- Under Include, select All users
- Under Exclude, ensure guests are not listed
- Under Grant, confirm Require multifactor authentication is selected
- Set the policy to On
- Click Save
Option B: Create a dedicated guest MFA policy
- In Conditional Access → Policies, click + New policy
- Name: "Require MFA for Guest Users"
- Users → Include: Select All guest and external users
- Cloud apps → Include: All cloud apps
- Grant: Select Require multifactor authentication
- Session: Leave at defaults (do not configure sign-in frequency exceptions here)
- Set to On
- Click Create
PowerShell (create a new policy)
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess"
$params = @{
    displayName = "Require MFA for Guest Users"
    state       = "enabled"
    conditions  = @{
        users = @{
            includeGuestsOrExternalUsers = @{
                guestOrExternalUserTypes = "internalGuest,b2bCollaborationGuest,b2bCollaborationMember,b2bDirectConnectUser,otherExternalUser,serviceProvider"
                externalTenants = @{
                    membershipKind = "all"
                }
            }
        }
        applications = @{
            includeApplications = @("All")
        }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $params
Step 3: Ensure Guests Must Complete MFA on Every Sign-In
By default, Entra ID allows MFA claims to be satisfied once and reused across sessions (within the token lifetime). For guests, require MFA at every sign-in to prevent stale authentication sessions from being reused.
- In the guest MFA CA policy, click Session
- Enable Sign-in frequency
- Set the value to Every time (or use a short interval such as 1 hour for sensitive apps)
- Click Save
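The same session control can be set from Microsoft Graph PowerShell. The following is an added example and not part of the original EXT-02 text or of TrueConfig; it assumes the policy is the one named "Require MFA for Guest Users" from Step 2 and that the caller holds the Policy.ReadWrite.ConditionalAccess scope.

```powershell
# Added example (not from the original control text): set sign-in frequency to
# "Every time" on the guest MFA policy so the MFA claim is never reused.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess"

# Assumption: the policy is identified by the display name used in Step 2.
$policyName = "Require MFA for Guest Users"
$policy = Get-MgIdentityConditionalAccessPolicy -All |
    Where-Object { $_.DisplayName -eq $policyName }

if (-not $policy) {
    throw "No Conditional Access policy named '$policyName' was found."
}

# Only sessionControls is patched; conditions and grant controls stay as they are.
# If the policy already carries other session controls, include them in this body
# so they are kept. With frequencyInterval = everyTime, 'type' and 'value' are not set.
$params = @{
    sessionControls = @{
        signInFrequency = @{
            isEnabled          = $true
            frequencyInterval  = "everyTime"
            authenticationType = "primaryAndSecondaryAuthentication"
        }
    }
}

# Alternative for the "short interval" option mentioned in the step (1 hour):
#   signInFrequency = @{ isEnabled = $true; frequencyInterval = "timeBased";
#                        type = "hours"; value = 1;
#                        authenticationType = "primaryAndSecondaryAuthentication" }

Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $policy.Id -BodyParameter $params

# Read the policy back to confirm the change took effect.
$updated = Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $policy.Id
$updated.SessionControls.SignInFrequency |
    Format-List IsEnabled, FrequencyInterval, Type, Value, AuthenticationType
```

After running it, the read-back should show IsEnabled True and FrequencyInterval everyTime; a guest's next sign-in then triggers a fresh MFA evaluation rather than reusing the existing claim.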
Step 4: Verify That Trust Settings Do Not Exempt Guests from MFA
Cross-tenant trust settings can be configured to trust MFA claims from a guest's home tenant. If enabled, a guest who satisfied MFA at their home organization is not prompted again at yours. This bypasses your MFA control and must be reviewed.
- Navigate to Microsoft Entra admin center → External Identities → Cross-tenant access settings
- Open the Default settings tab
- Click Edit inbound defaults → Trust settings
- Review the Trust multifactor authentication from Microsoft Entra tenants setting
- If this is enabled in default settings, guests from any tenant may bypass your MFA
- For EXT-02 compliance, this should be disabled in default settings
- Click Save
- Also review any Organizational settings (partner-specific entries) for the same trust option
Note: Disabling MFA trust means guests will always be prompted for MFA at your tenant, even if they already completed it at home. This is the required behavior for EXT-02.
PowerShell audit for trust settings
Connect-MgGraph -Scopes "Policy.Read.All"
# Inbound trust lives on the InboundTrust property; IsMfaAccepted = True means
# MFA completed at the guest's home tenant satisfies your MFA requirement
$default = Get-MgPolicyCrossTenantAccessPolicyDefault
Write-Host "Trust MFA from external tenants (default):"
$default.InboundTrust | Format-List IsMfaAccepted, IsCompliantDeviceAccepted, IsHybridAzureADJoinedDeviceAccepted
# Also check partner-specific overrides (a null InboundTrust inherits the default)
$partners = Get-MgPolicyCrossTenantAccessPolicyPartner
foreach ($p in $partners) {
    Write-Host "Partner: $($p.TenantId)"
    $p.InboundTrust | Format-List IsMfaAccepted, IsCompliantDeviceAccepted, IsHybridAzureADJoinedDeviceAccepted
}
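Where the audit shows MFA trust enabled, the default and any partner override can be corrected from PowerShell as well. This is an added example, not part of the original EXT-02 text or TrueConfig's remediation; it assumes the Policy.ReadWrite.CrossTenantAccess scope and changes only the isMfaAccepted flag, leaving device-trust settings untouched.

```powershell
# Added example (not from the original control text): disable inbound MFA trust in
# the cross-tenant default settings and in any partner entry that explicitly enables it.
Connect-MgGraph -Scopes "Policy.ReadWrite.CrossTenantAccess"

$default = Get-MgPolicyCrossTenantAccessPolicyDefault
if ($default.InboundTrust.IsMfaAccepted -eq $true) {
    Write-Host "Default inbound trust accepts home-tenant MFA; disabling."
    # Only isMfaAccepted is changed; compliant/hybrid-joined device trust is left as configured.
    Update-MgPolicyCrossTenantAccessPolicyDefault -BodyParameter @{
        inboundTrust = @{ isMfaAccepted = $false }
    }
}
else {
    Write-Host "Default inbound trust does not accept external MFA (compliant)."
}

# Partner (organizational) entries override the default. A null InboundTrust means
# "inherit default", so only entries that explicitly set IsMfaAccepted = True need changing.
foreach ($partner in Get-MgPolicyCrossTenantAccessPolicyPartner) {
    if ($partner.InboundTrust -and $partner.InboundTrust.IsMfaAccepted -eq $true) {
        Write-Host "Partner $($partner.TenantId) trusts external MFA; disabling."
        Update-MgPolicyCrossTenantAccessPolicyPartner `
            -CrossTenantAccessPolicyConfigurationPartnerTenantId $partner.TenantId `
            -BodyParameter @{ inboundTrust = @{ isMfaAccepted = $false } }
    }
    else {
        Write-Host "Partner $($partner.TenantId): no MFA trust override."
    }
}
```

Re-run the audit above afterwards; every IsMfaAccepted value should read False or be empty (inheriting the now-disabled default).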
Verification Checklist
After configuring guest MFA:
- At least one CA policy requiring MFA includes all users or explicitly includes guests/external users
- The MFA policy is set to On (not report-only)
- Guests are not excluded from any MFA policy
- Sign-in frequency is configured to require MFA on every sign-in (or at a short interval)
- Cross-tenant trust settings (default) do not trust MFA from external tenants
- Partner-specific organizational settings have been reviewed for MFA trust overrides
- A test guest account can sign in and is successfully prompted for MFA
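The items in this checklist that are readable from Microsoft Graph can be evaluated in one pass. The script below is an added example, not part of the original EXT-02 text or of TrueConfig's check; it assumes the Policy.Read.All scope, treats an authentication-strength grant as satisfying the MFA requirement (which goes slightly beyond the page's "mfa" built-in control), and does not expand group-based exclusions. The final checklist item, a live test sign-in, still has to be done manually.

```powershell
# Added example (not from the original control text): read-only evaluation of the
# EXT-02 checklist items that Graph exposes. Prints a pass/fail table.
Connect-MgGraph -Scopes "Policy.Read.All"

# True when the policy is enabled, covers guests (All users, the legacy
# GuestsOrExternalUsers value, or the includeGuestsOrExternalUsers object), does not
# exclude guests, requires MFA (built-in control or an authentication strength),
# and targets all cloud apps. Group-based exclusions are not resolved here.
function Test-GuestMfaPolicy {
    param($Policy)
    $users = $Policy.Conditions.Users
    $includesGuests = ($users.IncludeUsers -contains "All") -or
                      ($users.IncludeUsers -contains "GuestsOrExternalUsers") -or
                      ($null -ne $users.IncludeGuestsOrExternalUsers.GuestOrExternalUserTypes)
    $excludesGuests = ($users.ExcludeUsers -contains "GuestsOrExternalUsers") -or
                      ($null -ne $users.ExcludeGuestsOrExternalUsers.GuestOrExternalUserTypes)
    $requiresMfa    = ($Policy.GrantControls.BuiltInControls -contains "mfa") -or
                      ($null -ne $Policy.GrantControls.AuthenticationStrength.Id)
    $allApps        = $Policy.Conditions.Applications.IncludeApplications -contains "All"
    return ($Policy.State -eq "enabled") -and $includesGuests -and (-not $excludesGuests) -and
           $requiresMfa -and $allApps
}

# True when the policy re-prompts on every sign-in or at a time-based interval.
function Test-SignInFrequency {
    param($Policy)
    $sif = $Policy.SessionControls.SignInFrequency
    return ($null -ne $sif) -and ($sif.IsEnabled -eq $true) -and
           ($sif.FrequencyInterval -in @("everyTime", "timeBased"))
}

$policies         = Get-MgIdentityConditionalAccessPolicy -All
$guestMfaPolicies = @($policies | Where-Object { Test-GuestMfaPolicy $_ })
$withFrequency    = @($guestMfaPolicies | Where-Object { Test-SignInFrequency $_ })
$default          = Get-MgPolicyCrossTenantAccessPolicyDefault
$trustingPartners = @(Get-MgPolicyCrossTenantAccessPolicyPartner |
                      Where-Object { $_.InboundTrust.IsMfaAccepted -eq $true })

$results = @(
    [pscustomobject]@{ Check = "Enabled MFA policy covers guests without excluding them"
                       Pass  = ($guestMfaPolicies.Count -gt 0)
                       Detail = ($guestMfaPolicies.DisplayName -join ", ") }
    [pscustomobject]@{ Check = "Guest MFA policy enforces sign-in frequency"
                       Pass  = ($withFrequency.Count -gt 0)
                       Detail = ($withFrequency.DisplayName -join ", ") }
    [pscustomobject]@{ Check = "Default cross-tenant settings do not trust external MFA"
                       Pass  = ($default.InboundTrust.IsMfaAccepted -ne $true)
                       Detail = "IsMfaAccepted=$($default.InboundTrust.IsMfaAccepted)" }
    [pscustomobject]@{ Check = "No partner override trusts external MFA"
                       Pass  = ($trustingPartners.Count -eq 0)
                       Detail = ($trustingPartners.TenantId -join ", ") }
)
$results | Format-Table -AutoSize -Wrap
```

Any row with Pass False points back to the corresponding step above (Step 1 or 2 for coverage, Step 3 for sign-in frequency, Step 4 for trust settings).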
Troubleshooting
Issue: Guest users are not prompted for MFA
Cause: The MFA CA policy may target only member users, or the guest is covered by an MFA trust exemption.
Solution:
- Open the CA policy and confirm the user scope includes "All users" or "All guest and external users"
- Check cross-tenant trust settings for the guest's home tenant
- Check sign-in logs for the guest: navigate to Entra ID → Monitoring → Sign-in logs, filter by user, and look at the CA evaluation details
Issue: Guest is blocked entirely, not prompted for MFA
Cause: A separate CA policy may block all guests, or the guest has no valid Entra ID account in your tenant.
Solution:
- Review all CA policies for blocks applied to guests
- Verify the guest account exists in Entra ID → Users (filter by user type = Guest)
- Check the sign-in log for the specific error code
Issue: Guest says MFA prompt does not appear on subsequent sign-ins
Cause: Sign-in frequency is not set, so Entra ID reuses the existing MFA claim.
Solution:
- In the CA policy, enable Sign-in frequency under Session and set it to Every time
- Ask the guest to sign out and sign back in to trigger a fresh evaluation
Issue: Cannot create a CA policy (option is greyed out)
Cause: The account does not hold the Conditional Access Administrator, Security Administrator, or Global Administrator role, or the tenant does not have Entra ID P1.
Solution:
- Confirm the role assignment in Entra ID → Roles and administrators
- Confirm the tenant license includes Entra ID P1
Related Resources
- Conditional Access: Require MFA for all users
- External Identities: B2B collaboration overview
- Cross-tenant access settings and trust
- Sign-in frequency controls
- Related Controls: EXT-03 (Restrict Guest Access to Allowlisted Domains), PA-04 (Require PIM for All Privileged Roles)
Last updated: January 2025