Does having multi-factor authentication (MFA) enabled on my Azure Tenant force users of my multitenant Azure AD app to use MFA too?
My Azure AD tenant has multi-factor authentication (MFA) enabled. I have create an app with an Azure AD App Registration configured as multitenant using the option "Accounts in any organizational directory (Any Azure AD directory - Multitenant)".
The question is, when a user from another tenant logs into to my app to provide consents etc., are they forced to use MFA even if their Azure AD tenant does not require MFA?
In other words, for an Azure AD app registration configured as a multitenant app, which tenant's MFA policies are applied, the tenant where the app exists or the tenant of the user using the app.
Also, related to this SHOULD I have a separate tenant for my multitenant Azure AD apps anyway?
I created an Azure Active Directory Multi-Tenant Application in the TenantA:
In the TenantA, I enabled the Multi Factor Authentication:
I used the below endpoint to authorize the users:
https://login.microsoftonline.com/organizations/oauth2/v2.0/authorize?
&client_id=ClientID
&response_type=code
&redirect_uri=https://jwt.ms
&response_mode=query
&scope=https://graph.microsoft.com/.default
&state=12345
I tried to authorize the TenantA user and got the multi-Factor prompt:
Now, I tried to authorize the TenantB user, the user got the consent like below:
The TenantB user dint get the MFA prompt and got signed-in successfully like below:
Note that: The MFA policies are based on the tenant of the user not the tenant where the Azure AD App registration exists.
- The MFA policy of the tenant where the user exists is applied.
- If the
TenantBhas MFA enabled, then the user will get MFA prompt. - Hence, when a user from another tenant logs into to the app to provide consents, they are not forced to use MFA if their Azure AD tenant does not require MFA.
Also, related to this SHOULD I have a separate tenant for my multitenant Azure AD apps anyway?
Normally, it is not required to have a separate tenant to create Multi-Tenant Azure AD Applications. It is based on your requirement to create a new tenant or not. By creating a new tenant for multi-Tenant apps allows to do detail management of the app's permissions and applications.
- What is the behaviour when publishing a single-tenant Open ID Connect application to the EntraID Gallery?
- Unable to create the synchronization service account for Azure Active Directory. Retrying this operation may help resolve the issue
- b2c tenant - automate custom policy under identity experience framework
- Azure B2C access & refresh token costing
- Connect-ExchangeOnline UnAuthorized
- Software development start-up: Signing into Microsoft services
- How to configure the VMs in two different zones using Availability Sets and install the Active Directory Domain services
- How to create an authentication token for Dynamics CRM
- BrowserAuthError: interaction_in_progress: Interaction is currently in progress with azure/msal-browser@2.11.2
- Why is "Application permissions" disabled in Azure AD's "Request API permissions"?
- EntraID: how to pass application roles downstream
- Provide SSL certificate for internal Website
- How to log in to Azure service principal
- Spring boot oauth2 client with Azure AD, but common tenantID
- How To Add Query Params in ADB2C to ADB2C Federated Authentication Using OIDC protocol
- how to Get token from URL?
- Microsoft Identity Web: Change Redirect Uri
- How to create a new user in multi tenant App registration?
- Azure AD token endpoint API call timing out when deployed to IIS
- Can't make Azure Conditional Access working
- Exchange 2016 Error assigning TlsCertificateName to Receive Connector
- Retrieving the last or most recent SignInLogs in a specific Azure AD B2C using Get-MgAuditLogSignIn -All throws error Stream does not support reading
- How to get Name of Authenticated user in ASP.NET Core application using Azure Active Directory
- How can I sign a JWT to exchange an access token from azure active directory?
- Azure Web App EasyAuth callback throws error
- "AADSTS65001: The user or administrator has not consented to use the application with ID '' named 'PowerBI'. Send an interactive authorization request
- Azure Correlation Id and Request ID
- PowerShell Graph SDK to retrieve Azure AD / Entra B2C Resource Group Name
- Users and Shared mailboxes within one Excel file using powershell
- Questions on microsoft azure portal app registration