Require multifactor authentication strength for external users
Authentication strength is a Conditional Access control that lets you define a specific combination of multifactor authentication (MFA) methods that an external user must complete to access your resources. This control is especially useful for restricting external access to sensitive apps in your organization. For example, you can create a Conditional Access policy, require a phishing-resistant authentication strength in the policy, and assign it to guests and external users.
Microsoft Entra ID provides three built-in authentication strengths:
- Multifactor authentication strength (less restrictive) recommended in this article
- Passwordless MFA strength
- Phishing-resistant MFA strength (most restrictive)
You can use one of the built-in strengths or create a custom authentication strength based on the authentication methods you want to require.
In external user scenarios, the MFA authentication methods that a resource tenant can accept vary depending on whether the user is completing MFA in their home tenant or in the resource tenant. For details, see Authentication strength for external users.
Note
Currently, you can only apply authentication strength policies to external users who authenticate with Microsoft Entra ID. For email one-time passcode, SAML/WS-Fed, and Google federation users, use the MFA grant control to require MFA.
Authentication strength policies work together with MFA trust settings in your cross-tenant access settings to determine where and how the external user must perform MFA. A Microsoft Entra user first authenticates with their own account in their home tenant. Then when this user tries to access your resource, Microsoft Entra ID applies the authentication strength Conditional Access policy and checks to see if you enabled MFA trust.
- If MFA trust is enabled, Microsoft Entra ID checks the user's authentication session for a claim indicating that MFA was fulfilled in the user's home tenant.
- If MFA trust is disabled, the resource tenant presents the user with a challenge to complete MFA in the resource tenant using an acceptable authentication method.
The authentication methods that external users can use to satisfy MFA requirements are different depending on whether the user is completing MFA in their home tenant or the resource tenant. See the table in Conditional Access authentication strength.
Important
Before you create the Conditional Access policy, check your cross-tenant access settings to make sure your inbound MFA trust settings are configured as intended.
Conditional Access policies are powerful tools, we recommend excluding the following accounts from your policies:
- Emergency access or break-glass accounts to prevent lockout due to policy misconfiguration. In the unlikely scenario all administrators are locked out, your emergency-access administrative account can be used to log in and take steps to recover access.
- More information can be found in the article, Manage emergency access accounts in Microsoft Entra ID.
- Service accounts and Service principals, such as the Microsoft Entra Connect Sync Account. Service accounts are non-interactive accounts that aren't tied to any particular user. They're normally used by back-end services allowing programmatic access to applications, but are also used to sign in to systems for administrative purposes. Calls made by service principals won't be blocked by Conditional Access policies scoped to users. Use Conditional Access for workload identities to define policies targeting service principals.
- If your organization has these accounts in use in scripts or code, consider replacing them with managed identities.
Use the following steps to create a Conditional Access policy that applies an authentication strength to external users.
Warning
If you use external authentication methods, these are currently incompatable with authentication strength and you should use the Require multifactor authentication grant control.
- Sign in to the Microsoft Entra admin center as at least a Conditional Access Administrator.
- Browse to Protection > Conditional Access > Policies.
- Select New policy.
- Give your policy a name. We recommend that organizations create a meaningful standard for the names of their policies.
- Under Assignments, select Users or workload identities.
- Under Include, choose Select users and groups, and then select Guest or external users.
- Select the types of guest or external users you want to apply the policy to.
- Under Exclude, select Users and groups and choose your organization's emergency access or break-glass accounts.
- Under Include, choose Select users and groups, and then select Guest or external users.
- Under Target resources > Resources (formerly cloud apps), under Include or Exclude, select any applications you want to include in or exclude from the authentication strength requirements.
- Under Access controls > Grant, select Grant access.
- Select Require authentication strength, then select the appropriate built-in or custom authentication strength from the list.
- Select Select.
- Confirm your settings and set Enable policy to Report-only.
- Select Create to create to enable your policy.
After you confirm your settings using report-only mode, an administrator can move the Enable policy toggle from Report-only to On.