Tutorial - multifactor authentication for B2B - Microsoft Entra External ID (2024)


Applies to: Workforce tenants, External tenants (learn more)

When collaborating with external B2B guest users, it’s a good idea to protect your apps with multifactor authentication policies. Then external users need more than just a user name and password to access your resources. In Microsoft Entra ID, you can accomplish this goal with a Conditional Access policy that requires MFA for access. MFA policies can be enforced at the tenant, app, or individual guest user level, the same way that they're enabled for members of your own organization. The resource tenant is always responsible for Microsoft Entra multifactor authentication for users, even if the guest user’s organization has multifactor authentication capabilities.

Example:


  1. An admin or employee at Company A invites a guest user to use a cloud or on-premises application that is configured to require MFA for access.
  2. The guest user signs in with their own work, school, or social identity.
  3. The user is asked to complete an MFA challenge.
  4. The user sets up MFA with Company A and chooses their MFA option. The user is allowed access to the application.

Note

Microsoft Entra multifactor authentication is performed in the resource tenant to ensure predictability. When guest users sign in, they see the resource tenant sign-in page in the background, and their own home tenant sign-in page and company logo in the foreground.

In this tutorial, you will:

  • Test the sign-in experience before MFA setup.
  • Create a Conditional Access policy that requires MFA for access to a cloud app in your environment. In this tutorial, we’ll use the Windows Azure Service Management API app to illustrate the process.
  • Use the What If tool to simulate MFA sign-in.
  • Test your Conditional Access policy.
  • Clean up the test user and policy.

If you don’t have an Azure subscription, create a free account before you begin.

Prerequisites

To complete the scenario in this tutorial, you need:

  • Access to Microsoft Entra ID P1 or P2 edition, which includes Conditional Access policy capabilities. To enforce MFA, you need to create a Microsoft Entra Conditional Access policy. MFA policies are always enforced at your organization, regardless of whether the partner has MFA capabilities.
  • A valid external email account that you can add to your tenant directory as a guest user and use to sign in. If you don't know how to create a guest account, see Add a B2B guest user in the Microsoft Entra admin center.

Create a test guest user in Microsoft Entra ID

  1. Sign in to the Microsoft Entra admin center as at least a User Administrator.

  2. Browse to Identity > Users > All users.

  3. Select New user, and then select Invite external user.

  4. Under Identity on the Basics tab, enter the email address of the external user. Optionally, include a display name and welcome message.


  5. Optionally, you can add further details to the user under the Properties and Assignments tabs.

  6. Select Review + invite to automatically send the invitation to the guest user. A Successfully invited user message appears.

  7. After you send the invitation, the user account is automatically added to the directory as a guest.

Test the sign-in experience before MFA setup

  1. Use your test user name and password to sign in to the Microsoft Entra admin center.
  2. You should be able to access the Microsoft Entra admin center using only your sign-in credentials. No other authentication is required.
  3. Sign out.

Create a Conditional Access policy that requires MFA

  1. Sign in to the Microsoft Entra admin center as at least a Conditional Access Administrator.

  2. Browse to Identity > Protection > Security Center.

  3. Under Protect, select Conditional Access.

  4. On the Conditional Access page, in the toolbar on the top, select Create new policy.

  5. On the New page, in the Name textbox, type Require MFA for B2B portal access.

  6. In the Assignments section, choose the link under Users and groups.

  7. On the Users and groups page, choose Select users and groups, and then choose Guest or external users. You can assign the policy to different external user types, built-in directory roles, or users and groups.


  8. In the Assignments section, choose the link under Cloud apps or actions.

  9. Choose Select apps, and then choose the link under Select.

  10. On the Select page, choose Windows Azure Service Management API, and then choose Select.

  11. On the New page, in the Access controls section, choose the link under Grant.

  12. On the Grant page, choose Grant access, select the Require multifactor authentication check box, and then choose Select.


  13. Under Enable policy, select On.


  14. Select Create.

Use the What If option to simulate sign-in

  1. On the Conditional Access | Policies page, select What If.


  2. Select the link under User.

  3. In the search box, type the name of your test guest user. Choose the user in the search results, and then choose Select.


  4. Select the link under Cloud apps, actions, or authentication content. Choose Select apps, and then choose the link under Select.

  5. On the Cloud apps page, in the applications list, choose Windows Azure Service Management API, and then choose Select.

  6. Choose What If, and verify that your new policy appears under Evaluation results on the Policies that will apply tab.
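
The following Python is an added example, not part of the original tutorial or any Microsoft code. It expresses the policy built in the previous section in the JSON shape of the Microsoft Graph `conditionalAccessPolicy` resource and runs an offline check in the spirit of What If that catches two common gaps: a policy left in report-only state, and a grant that lets another control satisfy the policy instead of MFA. Assumptions: the function names are hypothetical, the app ID is the well-known ID of Windows Azure Service Management API (confirm it in your tenant), and only users, application, grant controls and state are evaluated.

```python
# Added example: offline check of Conditional Access policy JSON (Microsoft Graph shape).
# Assumption: only user, app, grant and state are evaluated (no locations,
# device platforms, risk levels, groups/roles or authentication strengths).
WASM_API = "797f4846-ba00-4fd7-ba43-dac1f8f63013"  # Windows Azure Service Management API

def tutorial_policy(state="enabled"):
    """Request body equivalent to the portal steps in this tutorial."""
    return {
        "displayName": "Require MFA for B2B portal access",
        "state": state,
        "conditions": {
            "clientAppTypes": ["all"],
            "users": {"includeGuestsOrExternalUsers": {
                "guestOrExternalUserTypes": "b2bCollaborationGuest",
                "externalTenants": {
                    "@odata.type": "#microsoft.graph.conditionalAccessAllExternalTenants",
                    "membershipKind": "all"}}},
            "applications": {"includeApplications": [WASM_API]},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    }

def _guest_types(users, key):
    raw = (users.get(key) or {}).get("guestOrExternalUserTypes", "")
    return {t.strip() for t in raw.split(",") if t.strip()}

def mfa_verdict(policy, guest_type, app_id):
    """Return 'enforced', 'report-only', 'disabled' or 'not-applicable'."""
    cond = policy.get("conditions", {})
    users, apps = cond.get("users", {}), cond.get("applications", {})
    included = (guest_type in _guest_types(users, "includeGuestsOrExternalUsers")
                or bool({"All", "GuestsOrExternalUsers"} & set(users.get("includeUsers", []))))
    excluded = (guest_type in _guest_types(users, "excludeGuestsOrExternalUsers")
                or "GuestsOrExternalUsers" in users.get("excludeUsers", []))
    app_hit = (bool({"All", app_id} & set(apps.get("includeApplications", [])))
               and app_id not in apps.get("excludeApplications", []))
    grant = policy.get("grantControls") or {}
    controls = grant.get("builtInControls", [])
    # Under operator OR, any other listed control can satisfy the policy without MFA.
    requires_mfa = "mfa" in controls and (grant.get("operator") == "AND" or len(controls) == 1)
    if not (included and not excluded and app_hit and requires_mfa):
        return "not-applicable"
    states = {"enabled": "enforced", "enabledForReportingButNotEnforced": "report-only"}
    return states.get(policy.get("state"), "disabled")

def guest_mfa_enforced(policies, guest_type="b2bCollaborationGuest", app_id=WASM_API):
    """True only if at least one policy actually enforces MFA for this guest and app."""
    return any(mfa_verdict(p, guest_type, app_id) == "enforced" for p in policies)
```

Run it over policies exported from your tenant to confirm that guest coverage does not depend on a policy that is only in report-only mode.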


Test your Conditional Access policy

  1. Use your test user name and password to sign in to the Microsoft Entra admin center.

  2. You should see a request for more authentication methods. It can take some time for the policy to take effect.


    Note

    You also can configure cross-tenant access settings to trust the MFA from the Microsoft Entra home tenant. This allows external Microsoft Entra users to use the MFA registered in their own tenant rather than register in the resource tenant.

  3. Sign out.

Clean up resources

When no longer needed, remove the test user and the test Conditional Access policy.

  1. Sign in to the Microsoft Entra admin center as at least a User Administrator.
  2. Browse to Identity > Users > All users.
  3. Select the test user, and then select Delete user.
  4. Browse to Identity > Protection > Security Center.
  5. Under Protect, select Conditional Access.
  6. In the Policy Name list, select the context menu (…) for your test policy, and then select Delete. Select Yes to confirm.

Next step

In this tutorial, you created a Conditional Access policy that requires guest users to use MFA when signing in to one of your cloud apps. To learn more about adding guest users for collaboration, see Add Microsoft Entra B2B collaboration users in the Microsoft Entra admin center.


FAQs

How to enable MFA in Entra ID?

Sign in to the Microsoft Entra admin center as at least an Authentication Policy Administrator. Browse to Protection > Multifactor authentication > Account lockout. You might need to click Show more to see Multifactor authentication. Enter the values for your environment, and then select Save.

How do you enforce MFA for B2B users?

To enforce MFA, you need to create a Microsoft Entra Conditional Access policy. MFA policies are always enforced at your organization, regardless of whether the partner has MFA capabilities. You also need a valid external email account that you can add to your tenant directory as a guest user and use to sign in.

How to set up Entra ID B2B?

Sign in to the Microsoft Entra admin center as at least a Security Administrator. Then open the Identity service on the left-hand side. Select External Identities > Cross-tenant access settings. Under Organizational settings, select the link in the Inbound access column and the B2B collaboration tab.

What is Entra external ID?

Microsoft Entra External ID is a flexible solution for both consumer-oriented app developers needing authentication and CIAM, and businesses seeking secure B2B collaboration.

How do I set up my MFA authentication?

  1. Step 1 - sign into Office 365 on your computer or laptop. ...
  2. Step 2 - installing the authenticator app on your mobile phone. ...
  3. Step 3 - return to your personal or.
  4. Step 4 - using your mobile.
  5. Step 5 - testing the authentication is working on your computer.

How to turn on two-factor authentication for Business Manager?

How to turn on two-factor authentication in Business Manager:
  1. Go to Business Settings.
  2. Go to Business Info and click Edit.
  3. Below Two-Factor Authentication, choose Required for everyone or Required for Admins only. To turn off two-factor authentication, choose Not required.
  4. Click Save.

How do I enable MFA for a specific user?

Sign in to the Microsoft Entra admin center as at least an Authentication Administrator. Browse to Identity > Users > All users. Select a user account, and click Enable MFA. Enabled users are automatically switched to Enforced when they register for Microsoft Entra multifactor authentication.

How do I know if my MFA is enforced?

Sign in to the Microsoft Entra admin center. Go to All users under Identity > Users and select Per-user MFA. You are redirected to the multifactor authentication page. In the list of users, view the multifactor authentication status field to see the current MFA status for each user.

What is the Entra verifiable ID?

Microsoft Entra Verified ID capabilities

Confidently issue and verify identity claims, credentials, and certifications for trustworthy, secure, and efficient interactions between people and organizations.

How to create a user in Microsoft Entra ID?

Create a new external user
  1. Sign in to the Microsoft Entra admin center as at least a User Administrator.
  2. Make sure you're signed in to your external tenant. ...
  3. Browse to Identity > Users > All users.
  4. Select New user > Create new external user.

What is ExternalAzureAD?

ExternalAzureAD. This user is homed in an external organization and authenticates by using a Microsoft Entra account that belongs to the other organization. Microsoft account. This user is homed in a Microsoft account and authenticates by using a Microsoft account.

What is the difference between Active Directory and Entra ID?

Credentials in Active Directory are based on passwords, certificate authentication, and smart card authentication. Passwords are managed using password policies that are based on password length, expiry, and complexity. Microsoft Entra ID uses intelligent password protection for cloud and on-premises.

What are the two features that Microsoft Entra ID provides?

Azure AD, now known as Microsoft Entra ID, has a free edition that provides user and group management, on-premises directory synchronization, basic reports, self-service password change for cloud users, and single sign-on across Azure, Microsoft 365, and many popular SaaS apps.

What is an example of an external ID?

For example, if a driver has the external ID maintenance:1234 , no other drivers or vehicles or addresses or any other object may use the value 1234 for the maintenance External ID.

How do I enable MFA for enterprise application?

Enable email one-time passcode as an MFA method
  1. Sign in to the Microsoft Entra admin center as at least a Security Administrator.
  2. Browse to Protection > Authentication methods.
  3. In the Method list, select Email OTP.
  4. Under Enable and Target, turn the Enable toggle on.
  5. Under Include, next to Target, select All users.

How do I enable MFA on my Apple ID?

Turn on two-factor authentication

On your iPhone go to Settings > [your name] > Sign-In & Security. Tap Turn On Two-Factor Authentication, then tap Continue. Enter a trusted phone number (the number you'll use to receive verification codes), then tap Next. A verification code is sent to your trusted phone number.

How do I enable Multi-Factor Authentication on ID.me?

Sign in to your ID.me account. Select Code Generator for MFA. When you are prompted to enter your six-digit code, open your ID.me Authenticator app and enter the code that displays. A new code is generated every 30 seconds.

How do I enable permission set in MFA?

Option 1: Enable MFA via a Permission Set
  1. Navigate to Setup and search for Permission Sets.
  2. Click the New button.
  3. Enter a Label, such as Multi-Factor Authentication.
  4. Save your changes.
  5. Click System Permissions.
  6. Check the boxes for:

Article information

Author: Melvina Ondricka
