EXT-02: Require MFA for Guest Users

Overview

Guest accounts are governed by another organization's identity policies, which you cannot see or audit, so they often have weaker authentication than your own accounts. Requiring MFA for guests ensures external collaborators meet the same authentication standard as your employees when they reach your resources.

This control ensures guest and external users are covered by a Conditional Access (CA) policy that enforces MFA on every sign-in, and that cross-tenant trust settings do not allow guests to bypass your MFA requirement by presenting a claim from their home tenant.

TrueConfig can enforce this control with one click. It ensures a CA policy is in place that includes all users (which includes guests) and requires MFA. You can also configure this manually using the steps below.

Severity: Medium | Minimum Level: 1 | Mode: Advisory (one-click enable, auto-remediation allowed)

Prerequisites

Required Roles

  • Conditional Access Administrator - Least-privileged role that can create and modify Conditional Access policies
  • Security Administrator or Global Administrator - Can manage CA policies and can also edit the cross-tenant access settings reviewed in Step 4, which Conditional Access Administrator cannot

Required Licenses

  • Conditional Access is a Microsoft Entra ID P1 feature. You need Entra ID P1 (or a bundle that includes it, such as Microsoft 365 Business Premium, E3 or E5) to create or modify CA policies; without it the policy in Step 2 cannot be created.

Time Estimate

  • Review existing CA policies: 10 minutes
  • Create or update CA policy: 15 minutes
  • Verify trust settings: 10 minutes

Step-by-Step Instructions

Step 1: Confirm That Guests Are Included in Your MFA Policy

Guest users have the user type Guest in Entra ID. A CA policy whose Include scope is All users covers guests automatically. A policy that includes only specific users or groups of internal users, or that lists All guest and external users under Exclude, does not.

  1. Navigate to Microsoft Entra admin center (https://entra.microsoft.com)
  2. Go to Protection > Conditional Access > Policies
  3. Open each policy that requires MFA (either the Require multifactor authentication grant or a Require authentication strength grant)
  4. Under Users > Include, confirm the scope is All users, or that All guest and external users is selected
  5. Under Users > Exclude, confirm that no guest, no group containing guests, and not All guest and external users is listed
  6. If any MFA policy excludes guests, or no MFA policy includes them, proceed to Step 2 to fix it

PowerShell audit

Connect-MgGraph -Scopes "Policy.Read.All"

# List every policy that requires MFA, either as the built-in "mfa" control
# or through an authentication strength (which leaves BuiltInControls empty),
# and show its full user scope, including exclusions, which the portal view
# makes easy to overlook.
$policies = Get-MgIdentityConditionalAccessPolicy

foreach ($policy in $policies) {
    $users = $policy.Conditions.Users
    $requiresMfa = ($policy.GrantControls.BuiltInControls -contains "mfa") -or
                   ($null -ne $policy.GrantControls.AuthenticationStrength.Id)

    if ($requiresMfa) {
        Write-Host "Policy: $($policy.DisplayName)"
        Write-Host "  State: $($policy.State)"
        Write-Host "  Include users: $($users.IncludeUsers -join ', ')"
        Write-Host "  Include groups: $($users.IncludeGroups -join ', ')"
        Write-Host "  Include guest types: $($users.IncludeGuestsOrExternalUsers.GuestOrExternalUserTypes)"
        Write-Host "  Exclude users: $($users.ExcludeUsers -join ', ')"
        Write-Host "  Exclude groups: $($users.ExcludeGroups -join ', ')"
        Write-Host "  Exclude guest types: $($users.ExcludeGuestsOrExternalUsers.GuestOrExternalUserTypes)"
        Write-Host ""
    }
}

A policy with IncludeUsers set to All covers guests. The legacy value GuestsOrExternalUsers in IncludeUsers, or a populated IncludeGuestsOrExternalUsers block, targets guests explicitly. Either is acceptable, provided nothing under Exclude removes guests again and State is enabled rather than enabledForReportingButNotEnforced.

Step 2: Create or Update a CA Policy to Include Guests

If no MFA policy covers guests, create one or update an existing policy.

Option A: Update an existing MFA policy

  1. Open the policy in Conditional Access > Policies
  2. Click Users
  3. Under Include, select All users
  4. Under Exclude, ensure no guest, no group containing guests, and not All guest and external users is listed (an exclusion for dedicated emergency-access accounts is fine; it does not affect guests)
  5. Under Grant, confirm Require multifactor authentication is selected
  6. Set the policy to On
  7. Click Save

Option B: Create a dedicated guest MFA policy

  1. In Conditional Access > Policies, click + New policy
  2. Name: "Require MFA for Guest Users"
  3. Users > Include: select All guest and external users
  4. Cloud apps > Include: All cloud apps
  5. Grant: select Require multifactor authentication
  6. Session: leave at defaults for now; the sign-in frequency control is added in Step 3
  7. Set to On (or Report-only first if you want to review the sign-in log impact before enforcing)
  8. Click Create

PowerShell (create a new policy)

Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess"

$params = @{
    displayName = "Require MFA for Guest Users"
    # Use "enabledForReportingButNotEnforced" here to review the impact in the
    # sign-in log before switching the policy On.
    state = "enabled"
    conditions = @{
        users = @{
            # Every guest/external user type, from any external tenant
            includeGuestsOrExternalUsers = @{
                guestOrExternalUserTypes = "internalGuest,b2bCollaborationGuest,b2bCollaborationMember,b2bDirectConnectUser,otherExternalUser,serviceProvider"
                externalTenants = @{
                    "@odata.type" = "#microsoft.graph.conditionalAccessAllExternalTenants"
                    membershipKind = "all"
                }
            }
        }
        applications = @{
            includeApplications = @("All")
        }
    }
    grantControls = @{
        operator = "OR"
        builtInControls = @("mfa")
    }
}

New-MgIdentityConditionalAccessPolicy -BodyParameter $params

Step 3: Ensure Guests Must Complete MFA on Every Sign-In

By default, the MFA claim is carried in the user's session and reused until the session or refresh token expires, so a guest who completed MFA once is not prompted again at your tenant. For guests, configure a sign-in frequency so that MFA is re-evaluated on every sign-in (or at a short interval); this stops a long-lived or hijacked session from being reused. Scope the Every time setting to the guest policy only, because applying it to all users generates frequent prompts for employees.

  1. In the guest MFA CA policy, click Session
  2. Enable Sign-in frequency
  3. Select Every time (or Periodic reauthentication with a short interval such as 1 hour for sensitive apps)
  4. Click Save
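The same change applied through Microsoft Graph PowerShell, as an added example that is not part of the original page or the TrueConfig product. It assumes the policy created in Step 2 exists with exactly the display name "Require MFA for Guest Users"; the PATCH only touches sessionControls, so the user scope and grant controls set earlier are left unchanged.

```powershell
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess"

# Assumed: the guest MFA policy from Step 2 uses this exact display name.
$policy = Get-MgIdentityConditionalAccessPolicy -Filter "displayName eq 'Require MFA for Guest Users'"
if (-not $policy) { throw "Guest MFA policy not found; create it first (Step 2)." }

$params = @{
    sessionControls = @{
        signInFrequency = @{
            isEnabled          = $true
            # "everyTime" forces a fresh MFA on every sign-in. For the short-interval
            # alternative use frequencyInterval = "timeBased", type = "hours", value = 1.
            frequencyInterval  = "everyTime"
            authenticationType = "primaryAndSecondaryAuthentication"
        }
    }
}

Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $policy.Id -BodyParameter $params

# Read the policy back and confirm the control is enabled
(Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $policy.Id).SessionControls.SignInFrequency |
    Format-List IsEnabled, FrequencyInterval, AuthenticationType
```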

Step 4: Verify That Trust Settings Do Not Exempt Guests from MFA

Cross-tenant access settings include an inbound trust option that accepts the MFA claim issued by a guest's home tenant. If it is enabled, a guest who satisfied MFA at their home organization is not prompted again at yours: your CA policy is satisfied by a claim you did not verify and whose method and strength you do not control. For EXT-02 this setting must be reviewed and disabled.

  1. Navigate to Microsoft Entra admin center > External Identities > Cross-tenant access settings
  2. Open the Default settings tab
  3. Click Edit inbound defaults > Trust settings
  4. Review the Trust multifactor authentication from Microsoft Entra tenants setting
    • If this is enabled in default settings, guests from any tenant may satisfy your MFA requirement with a claim from their home tenant
    • For EXT-02 compliance, this should be disabled in default settings
  5. Click Save
  6. Also review every entry under Organizational settings for the same trust option; a partner entry with its own inbound trust settings overrides the default, while a partner entry without them inherits the default

Note: Disabling MFA trust means guests will always be prompted for MFA at your tenant, even if they already completed it at home. This is the required behavior for EXT-02.

PowerShell audit for trust settings

Connect-MgGraph -Scopes "Policy.Read.All"

# Inbound trust settings are exposed under the InboundTrust property.
# IsMfaAccepted = True means MFA completed at the guest's home tenant is accepted.
$default = Get-MgPolicyCrossTenantAccessPolicyDefault
Write-Host "Trust MFA from external tenants (default): $($default.InboundTrust.IsMfaAccepted)"

# Partner-specific entries override the default; a partner whose InboundTrust
# is empty inherits the default setting shown above.
$partners = Get-MgPolicyCrossTenantAccessPolicyPartner
foreach ($p in $partners) {
    $mfaTrusted = if ($null -ne $p.InboundTrust) { $p.InboundTrust.IsMfaAccepted } else { "(inherits default)" }
    Write-Host "Partner $($p.TenantId): IsMfaAccepted = $mfaTrusted"
}
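To remediate rather than only audit, the following added example (not from the original page) turns off MFA trust in the inbound defaults and on every partner entry that currently has it on. Only the isMfaAccepted flag is changed; the device-trust flags in the same object are left untouched, and partners without their own inbound trust block are skipped because they inherit the default.

```powershell
Connect-MgGraph -Scopes "Policy.ReadWrite.CrossTenantAccess"

# Stop accepting MFA claims from external tenants in the inbound defaults.
Update-MgPolicyCrossTenantAccessPolicyDefault -BodyParameter @{
    inboundTrust = @{ isMfaAccepted = $false }
}

# Partner entries override the default, so clear the flag on each partner
# that has its own inbound trust configuration with MFA trust enabled.
foreach ($p in Get-MgPolicyCrossTenantAccessPolicyPartner) {
    if ($null -ne $p.InboundTrust -and $p.InboundTrust.IsMfaAccepted) {
        Write-Host "Disabling MFA trust for partner $($p.TenantId)"
        Update-MgPolicyCrossTenantAccessPolicyPartner `
            -CrossTenantAccessPolicyConfigurationPartnerTenantId $p.TenantId `
            -BodyParameter @{ inboundTrust = @{ isMfaAccepted = $false } }
    }
}

# Confirm the default now reads False
(Get-MgPolicyCrossTenantAccessPolicyDefault).InboundTrust | Format-List IsMfaAccepted
```

Run the audit script above again afterwards; every partner line should now show False or "(inherits default)".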

Verification Checklist

After configuring guest MFA:

  • At least one CA policy requiring MFA includes all users or explicitly includes guests/external users
  • The MFA policy is set to On (not Report-only or Off)
  • Guests are not excluded from any MFA policy
  • Sign-in frequency is configured to require MFA on every sign-in (or at a short interval)
  • Cross-tenant trust settings (default) do not trust MFA from external tenants
  • Partner-specific organizational settings have been reviewed for MFA trust overrides
  • A test guest account can sign in and is successfully prompted for MFA

Troubleshooting

Issue: Guest users are not prompted for MFA

Cause: The MFA CA policy may target only member users or be in report-only mode, or the guest's home tenant is covered by an MFA trust setting, so the home-tenant claim satisfies your policy without a prompt.

Solution:

  1. Open the CA policy and confirm the user scope includes All users or All guest and external users, and that the policy is On
  2. Check cross-tenant trust settings (defaults and the organizational entry for the guest's home tenant) for MFA trust
  3. Check sign-in logs for the guest: navigate to Entra ID > Monitoring > Sign-in logs, filter by user, open the sign-in event and review the Conditional Access tab to see which policies applied and which grant controls were enforced
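The same sign-in log check scripted against Microsoft Graph, as an added example that is not part of the original page. It serves both the last item of the Verification Checklist (test guest is prompted) and this troubleshooting step. It assumes you have the guest's object ID from Users filtered by user type = Guest; filtering on userId avoids the "#EXT#" characters in guest UPNs, which are awkward in an OData filter.

```powershell
Connect-MgGraph -Scopes "AuditLog.Read.All","Directory.Read.All"

# Assumed: object ID of the test guest account in your tenant (placeholder value).
$guestId = "00000000-0000-0000-0000-000000000000"

$signIns = Get-MgAuditLogSignIn -Filter "userId eq '$guestId'" -Top 20

foreach ($s in $signIns) {
    Write-Host "$($s.CreatedDateTime)  app=$($s.AppDisplayName)  status=$($s.Status.ErrorCode)"
    # multiFactorAuthentication means MFA was required for this sign-in;
    # singleFactorAuthentication means no policy required it at your tenant.
    Write-Host "  Auth requirement: $($s.AuthenticationRequirement)"
    # notApplied means no CA policy matched this sign-in at all, which points
    # at the user scope; failure with an MFA control points at the prompt itself.
    Write-Host "  CA status:        $($s.ConditionalAccessStatus)"
    foreach ($pol in $s.AppliedConditionalAccessPolicies) {
        Write-Host "  - $($pol.DisplayName): result=$($pol.Result) controls=$($pol.EnforcedGrantControls -join ',')"
    }
}
```

A healthy result for the guest MFA policy is result=success with controls=Mfa on each interactive sign-in. If every sign-in shows CA status notApplied, the guest is outside the policy's user scope; if the policy appears but the requirement is singleFactorAuthentication, check the cross-tenant MFA trust settings in Step 4.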

Issue: Guest is blocked entirely, not prompted for MFA

Cause: A separate CA policy may block all guests, or the guest has no valid Entra ID account in your tenant.

Solution:

  1. Review all CA policies for Block access grants applied to guests
  2. Verify the guest account exists in Entra ID > Users (filter by user type = Guest)
  3. Check the sign-in log for the specific error code

Issue: Guest says MFA prompt does not appear on subsequent sign-ins

Cause: Sign-in frequency is not set, so Entra ID reuses the existing MFA claim.

Solution:

  1. In the CA policy, enable Sign-in frequency under Session and set it to Every time
  2. Ask the guest to sign out and sign back in to trigger a fresh evaluation

Issue: Cannot create a CA policy (option is greyed out)

Cause: The account does not have Conditional Access Administrator, Security Administrator, or Global Administrator role, or the tenant does not have Entra ID P1.

Solution:

  1. Confirm the role assignment in Entra ID > Roles and administrators
  2. Confirm the tenant license includes Entra ID P1

Last updated: January 2025