MFA issues for Invited guest – Cause: Cross-Tenant Access due to Partner Relationship

This blog post is about an issue I experienced when I was invited as a guest to a tenant where cross-tenant access configurations existed, because a partner relationship had been configured for my tenant.

Background

I was invited to join a Documentation group in Teams with one of my customers, using my normal mail address (a tenant account in my own environment).

I received the invitation to join the tenant as a guest. When I started the onboarding process, it failed at the MFA onboarding steps and threw this error.

I did lots of troubleshooting, and finally I stumbled on the cause inside Entra External Identities – Cross-tenant access settings.

A long time ago, my company 2LINKIT was added as a partner (partner relationship).

I noticed that all companies that had partner relationships were listed in the cross-tenant access settings, including my company. The customer hadn't actively configured cross-tenant access, so I guess it was done by Microsoft.

All were set to 'inherited from default'.

Solution

I clicked on Inbound access for my company (2LinkIT). Then I adjusted the 'Trust settings' to 'Trust multifactor authentication from Microsoft Entra tenants'.

After saving this setting, I could access the Teams site with no problems.

Note: You can fine-tune the other settings to your needs.
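The same change can be made from Microsoft Graph instead of the admin center, which is handy when you need to do it for several partner organisations or want to record what was changed. The script below is an added example and is not from the original post; it uses the documented crossTenantAccessPolicy endpoints via Invoke-MgGraphRequest. The partner tenant ID is a placeholder (assumption): replace it with the real tenant ID shown on the organisation's entry in cross-tenant access settings. It needs the Microsoft.Graph.Authentication module and the Policy.ReadWrite.CrossTenantAccess permission.

```powershell
# Added example (not from the original post): trust a partner tenant's MFA
# via Microsoft Graph instead of clicking through the Entra admin center.
# Requires: Microsoft.Graph.Authentication module, and a signed-in admin with
# the Policy.ReadWrite.CrossTenantAccess permission.

Import-Module Microsoft.Graph.Authentication
Connect-MgGraph -Scopes "Policy.Read.All", "Policy.ReadWrite.CrossTenantAccess"

# Placeholder partner tenant ID (assumption) - substitute the real one from
# the organisation's entry under Entra External Identities > Cross-tenant access settings.
$partnerTenantId = "00000000-0000-0000-0000-000000000000"

$base = "https://graph.microsoft.com/v1.0/policies/crossTenantAccessPolicy"

# 1. Look at the tenant-wide inbound defaults. Out of the box isMfaAccepted is
#    false, which is what every 'inherited from default' partner entry picks up.
$defaults = Invoke-MgGraphRequest -Method GET -Uri "$base/default"
"Default inbound trust:"
$defaults.inboundTrust | Format-List

# 2. Check whether a partner-specific entry already exists. Organisations that
#    were auto-added because of a partner relationship normally have one, but
#    with every setting inherited from the defaults.
$partner = $null
try {
    $partner = Invoke-MgGraphRequest -Method GET -Uri "$base/partners/$partnerTenantId"
} catch {
    # A 404 here simply means there is no partner-specific entry yet.
    if ($_.Exception.Message -notmatch "404|Not Found") { throw }
}

# 3. Only flip the MFA trust bit for this one partner. Do NOT change the
#    default: trusting MFA from every tenant on the internet is a much
#    bigger decision than trusting one partner whose MFA posture you know.
$trust = @{ inboundTrust = @{ isMfaAccepted = $true } }

if ($null -eq $partner) {
    # No entry yet: create one for the partner with the trust setting.
    $bodyCreate = @{ tenantId = $partnerTenantId } + $trust
    Invoke-MgGraphRequest -Method POST -Uri "$base/partners" -Body $bodyCreate -ContentType "application/json"
} else {
    # Entry exists: patch just the inboundTrust object.
    Invoke-MgGraphRequest -Method PATCH -Uri "$base/partners/$partnerTenantId" -Body $trust -ContentType "application/json"
}

# 4. Read it back so the change is verified, not assumed.
$after = Invoke-MgGraphRequest -Method GET -Uri "$base/partners/$partnerTenantId"
"Partner $partnerTenantId inbound trust after change:"
$after.inboundTrust | Format-List
```

A practitioner's caveat: 'Trust multifactor authentication' means your Conditional Access MFA requirement is satisfied by an MFA claim issued by the partner tenant, so you are relying on that tenant's MFA methods and policies rather than your own. Set it per partner, as above, rather than on the inbound default, and leave the compliant-device and hybrid-joined trust options off unless you have verified the partner's device management as well.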

More information

Microsoft has released more information covering these settings in this article from March 18, 2024.

Below text is copied from the article.

Administrative overhead for IT and users

Both the guest user and the resource tenant's IT team face additional administrative tasks. For the guest user, navigating a new MFA setup and maintaining an additional MFA registration can be annoying. For the tenant administrator and the support team, managing these additional MFA registrations can increase overhead significantly.

In cases where a guest user loses access to their device or does not have a backup for a new device, regaining access to their account involves additional administrative tasks for both the guest user and the resource tenant's IT team. The guest user may need to perform a new MFA setup, while the tenant support team needs to manage the additional MFA registrations.

Are you wondering why guest users must register an additional authentication method per resource tenant when they already have one in their home tenant? Well, let's talk about the trust settings in cross-tenant access settings.

Simplifying the authentication process

A more efficient approach to managing MFA in cross-tenant B2B collaborations is to trust the MFA from a guest's home tenant. Doing so eliminates the need for additional MFA registration and maintenance in the resource tenant. This means that the user can continue to use his usual strong authentication method that he uses in his home tenant and does not have to register another method in the resource tenant. This is a considerable relief for the user, and the support team of the resource tenant no longer has to deal with the MFA registrations of the guests.

The MFA default trust settings are configured in the Microsoft Entra admin center (https://entra.microsoft.com). In the default configuration, a Microsoft Entra ID tenant does not trust any incoming MFA from other tenants. To change the behavior, the inbound defaults must be edited.
