@@ -24,7 +24,7 @@ Modern authentication is supported for the Microsoft Office 2013 clients and lat
24
24
This article shows you how to use app passwords for legacy applications that don't support multi-factor authentication prompts.
25
25
26
26
>[!NOTE]
27
-
>App passwords don't work with Conditional Access based multi-factor authentication policies and modern authentication. App passwords only work with legacy authentication protocols such as IMAP and SMTP.
27
+
>App passwords don't work for accounts that are required to use modern authentication.
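Review bot: the rewritten note on new line 27 drops two facts the old line 27 stated and that readers of an app-password article rely on: that app passwords do not satisfy Conditional Access based MFA policies, and that they only work with legacy authentication protocols such as IMAP and SMTP. The new sentence "App passwords don't work for accounts that are required to use modern authentication." covers only the modern-auth case; suggest keeping the legacy-protocol sentence, for example: ">App passwords don't work for accounts that are required to use modern authentication. App passwords only work with legacy authentication protocols such as IMAP and SMTP."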
# Customer intent: As a tenant administrator, I want to set up MFA requirement for B2B guest users to protect my apps and resources.
16
18
---
17
19
18
20
# Tutorial: Enforce multi-factor authentication for B2B guest users
19
21
20
-
When collaborating with external B2B guest users, it’s a good idea to protect your apps with multi-factor authentication (MFA) policies. Then external users will need more than just a user name and password to access your resources. In Azure Active Directory (Azure AD), you can accomplish this goal with a Conditional Access policy that requires MFA for access. MFA policies can be enforced at the tenant, app, or individual guest user level, the same way that they are enabled for members of your own organization. The resource tenant is always responsible for Azure AD Multi-Factor Authentication for users, even if the guest user’s organization has Multi-Factor Authentication capabilities.
22
+
When collaborating with external B2B guest users, it’s a good idea to protect your apps with multi-factor authentication (MFA) policies. Then external users will need more than just a user name and password to access your resources. In Azure Active Directory (Azure AD), you can accomplish this goal with a Conditional Access policy that requires MFA for access. MFA policies can be enforced at the tenant, app, or individual guest user level, the same way that they're enabled for members of your own organization. The resource tenant is always responsible for Azure AD Multi-Factor Authentication for users, even if the guest user’s organization has Multi-Factor Authentication capabilities.
21
23
22
24
Example:
23
25
24
-

26
+
:::image type="content" source="media/tutorial-mfa/aad-b2b-mfa-example.png" alt-text="Diagram showing a guest user signing into a company's apps.":::
27
+
25
28
26
29
1. An admin or employee at Company A invites a guest user to use a cloud or on-premises application that is configured to require MFA for access.
27
30
1. The guest user signs in with their own work, school, or social identity.
@@ -34,6 +37,7 @@ Example:
34
37
In this tutorial, you will:
35
38
36
39
> [!div class="checklist"]
40
+
>
37
41
> - Test the sign-in experience before MFA setup.
38
42
> - Create a Conditional Access policy that requires MFA for access to a cloud app in your environment. In this tutorial, we’ll use the Microsoft Azure Management app to illustrate the process.
39
43
> - Use the What If tool to simulate MFA sign-in.
@@ -46,29 +50,29 @@ If you don’t have an Azure subscription, create a [free account](https://azure
46
50
47
51
To complete the scenario in this tutorial, you need:
48
52
49
-
-**Access to Azure AD Premium edition**, which includes Conditional Access policy capabilities. To enforce MFA, you need to create an Azure AD Conditional Access policy. Note that MFA policies are always enforced at your organization, regardless of whether the partner has MFA capabilities.
53
+
-**Access to Azure AD Premium edition**, which includes Conditional Access policy capabilities. To enforce MFA, you need to create an Azure AD Conditional Access policy. MFA policies are always enforced at your organization, regardless of whether the partner has MFA capabilities.
50
54
-**A valid external email account** that you can add to your tenant directory as a guest user and use to sign in. If you don't know how to create a guest account, see [Add a B2B guest user in the Azure portal](add-users-administrator.md).
51
55
52
56
## Create a test guest user in Azure AD
53
57
54
58
1. Sign in to the [Azure portal](https://portal.azure.com/) as an Azure AD administrator.
55
59
1. In the Azure portal, select **Azure Active Directory**.
56
60
1. In the left menu, under **Manage**, select **Users**.
57
-
1. Select **New guest user**.
61
+
1. Select **New user**, and then select **Invite external user**.
58
62
59
-

63
+
:::image type="content" source="media/tutorial-mfa/tutorial-mfa-new-user.png" alt-text="Screenshot showing where to select the new guest user option.":::
60
64
61
65
1. Under **Identity**, enter the email address of the external user. Optionally, include a name and welcome message.
62
66
63
-

67
+
:::image type="content" source="media/tutorial-mfa/tutorial-mfa-new-user-identity.png" alt-text="Screenshot showing where to enter the guest email.":::
64
68
65
69
1. Select **Invite** to automatically send the invitation to the guest user. A **Successfully invited user** message appears.
66
70
1. After you send the invitation, the user account is automatically added to the directory as a guest.
67
71
68
72
## Test the sign-in experience before MFA setup
69
73
70
74
1. Use your test user name and password to sign in to your [Azure portal](https://portal.azure.com/).
71
-
1.Note that you’re able to access the Azure portal using just your sign-in credentials. No additional authentication is required.
75
+
1.You should be able to access the Azure portal using only your sign-in credentials. No other authentication is required.
72
76
1. Sign out.
73
77
74
78
## Create a Conditional Access policy that requires MFA
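Review bot: the replacement list item on new line 75 keeps the missing space after the list marker ("1.You should be able to access the Azure portal ..."), so it will not render as a numbered step; since the line is already being touched, change it to "1. You should be able to access the Azure portal using only your sign-in credentials." Also, the step on new line 61 now reads "Select **New user**, and then select **Invite external user**", but the alt-text added on new line 63 still says "where to select the new guest user option"; update the alt-text to match the new UI labels.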
@@ -80,56 +84,55 @@ To complete the scenario in this tutorial, you need:
80
84
1. On the **Conditional Access** page, in the toolbar on the top, select **New policy**.
81
85
1. On the **New** page, in the **Name** textbox, type **Require MFA for B2B portal access**.
82
86
1. In the **Assignments** section, choose the link under **Users and groups**.
83
-
1. On the **Users and groups** page, choose **Select users and groups**, and then choose **All guest and external users**.
87
+
1. On the **Users and groups** page, choose **Select users and groups**, and then choose **Guest or external users**. You can assign the policy to different [external user types](authentication-conditional-access.md#assigning-conditional-access-policies-to-external-user-types-preview), built-in [directory roles](../conditional-access/concept-conditional-access-users-groups.md#include-users), or users and groups.
88
+
89
+
:::image type="content" source="media/tutorial-mfa/tutorial-mfa-user-access.png" alt-text="Screenshot showing selecting all guest users.":::
84
90
85
-

86
91
1. In the **Assignments** section, choose the link under **Cloud apps or actions**.
87
92
1. Choose **Select apps**, and then choose the link under **Select**.
88
93
89
-

94
+
:::image type="content" source="media/tutorial-mfa/tutorial-mfa-app-access.png" alt-text="Screenshot showing the Cloud apps page and the Select option." lightbox="media/tutorial-mfa/tutorial-mfa-app-access.png":::
90
95
91
-
1.On the **Select** page, choose **Microsoft Azure Management**, and then choose **Select**.
96
+
1.On the **Select** page, choose **Microsoft Azure Management**, and then choose **Select**.
92
97
93
-

98
+
1. On the **New** page, in the **Access controls** section, choose the link under **Grant**.
99
+
1. On the **Grant** page, choose **Grant access**, select the **Require multi-factor authentication** check box, and then choose **Select**.
94
100
95
-
1. On the **New** page, in the **Access controls** section, choose the link under **Grant**.
96
-
1. On the **Grant** page, choose **Grant access**, select the **Require multi-factor authentication** check box, and then choose **Select**.
101
+
:::image type="content" source="media/tutorial-mfa/tutorial-mfa-grant-access.png" alt-text="Screenshot showing the Require multi-factor authentication option.":::
97
102
98
-

99
103
100
-
1.Under **Enable policy**, select **On**.
104
+
1.Under **Enable policy**, select **On**.
101
105
102
-

106
+
:::image type="content" source="media/tutorial-mfa/tutorial-mfa-enable-policy.png" alt-text="Screenshot showing the Enable policy option set to On.":::
103
107
104
-
1.Select **Create**.
108
+
1.Select **Create**.
105
109
106
110
## Use the What If option to simulate sign-in
107
111
108
112
1. On the **Conditional Access | Policies** page, select **What If**.
109
113
110
-

114
+
:::image type="content" source="media/tutorial-mfa/tutorial-mfa-what-if.png" alt-text="Screenshot that highlights where to select the What if option on the Conditional Access - Policies page.":::
111
115
112
116
1. Select the link under **User**.
113
117
1. In the search box, type the name of your test guest user. Choose the user in the search results, and then choose **Select**.
114
118
115
-

119
+
:::image type="content" source="media/tutorial-mfa/tutorial-mfa-what-if-user.png" alt-text="Screenshot showing a guest user selected.":::
116
120
117
-
1. Select the link under **Cloud apps, actions, or authentication content**.
118
-
. Choose **Select apps**, and then choose the link under **Select**.
121
+
1. Select the link under **Cloud apps, actions, or authentication content**. Choose **Select apps**, and then choose the link under **Select**.
119
122
120
-

123
+
:::image type="content" source="media/tutorial-mfa/tutorial-mfa-what-if-app.png" alt-text="Screenshot showing the Microsoft Azure Management app selected." lightbox="media/tutorial-mfa/tutorial-mfa-what-if-app.png":::
121
124
122
125
1. On the **Cloud apps** page, in the applications list, choose **Microsoft Azure Management**, and then choose **Select**.
123
126
1. Choose **What If**, and verify that your new policy appears under **Evaluation results** on the **Policies that will apply** tab.
124
127
125
-

128
+
:::image type="content" source="media/tutorial-mfa/tutorial-mfa-whatif-4.png" alt-text="Screenshot showing the results of the What If evaluation.":::
126
129
127
130
## Test your Conditional Access policy
128
131
129
132
1. Use your test user name and password to sign in to your [Azure portal](https://portal.azure.com/).
130
-
1. You should see a request for additional authentication methods. Note that it could take some time for the policy to take effect.
133
+
1. You should see a request for additional authentication methods. It can take some time for the policy to take effect.
131
134
132
-

135
+
:::image type="content" source="media/tutorial-mfa/mfa-required.PNG" alt-text="Screenshot showing the More information required message.":::
133
136
134
137
> [!NOTE]
135
138
> You also can configure [cross-tenant access settings](cross-tenant-access-overview.md) to trust the MFA from the Azure AD home tenant. This allows external Azure AD users to use the MFA registered in their own tenant rather than register in the resource tenant.
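Review bot: three list items that this hunk moves or re-adds still lack the space after the marker, so they will not render as steps: "1.On the **Select** page, choose **Microsoft Azure Management** ..." (new line 96), "1.Under **Enable policy**, select **On**." (new line 104) and "1.Select **Create**." (new line 108); since each is emitted as a `+` line anyway, fix them to "1. On ...", "1. Under ..." and "1. Select ...". Two smaller points: the step on new line 87 now says to choose **Guest or external users**, but the screenshot alt-text kept on new line 89 still reads "Screenshot showing selecting all guest users." and should follow the new label; and moving the two **Grant** steps (new lines 98 and 99) ahead of the grant-access screenshot on new line 101, plus merging the stray ". Choose **Select apps**" fragment into the single step on new line 121, both look correct.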