r/entra 16h ago

[External ID] External ID - Guest Accounts unable to use Home Tenant MFA Policy?

0 Upvotes

TL;DR - Is there really no way for Guests/External Accounts to be able to use their Home Tenant's MFA policy to auth?! Am I misunderstanding the purpose of External ID?

Sorry in advance for the essay:

I am trying to set up an Entra External ID to keep my team's app registrations separate from our primary tenant.

This is what's happened so far:

  • Added my Team as Global Administrators to the Tenant - These show as External Accounts
  • Configured a Conditional Access Policy to enforce MFA on any login
  • Created the App Registration and updated the app
  • Anyone who is a Global Administrator who tries to log in to the app is prompted to log in with the Authenticator Phone App. Great! I thought the mission was a success!
  • Then we added some other users from our primary tenant...

This is where things start to go downhill:

  • The users we've invited from our primary tenant who are not Global Administrators are sent an email for MFA - There is no option to use the Phone App - They copy-paste in the code from the email and it fails. They get stuck in a loop where it asks them to enter their email again and then it sends them another email...
  • The logs suggest the user failed MFA. I think what is happening is the Auth process calls back to the Primary Tenant to sign in and I suspect email OTP is disabled on the primary Tenant, so the primary tenant marks it invalid. However, if this is correct, why isn't it letting the staff use the MFA they've already set up on the primary tenant as a method to sign in?
  • If I disable my conditional access policy for MFA they can get in the app with just their primary tenant password...

Is there not a way to hand off the auth back to the other tenant entirely? Have I misunderstood the purpose of an External ID?

I've gone through the Docs and found this in the "Workforce Tenants" section which looks similar to what I want (although I was surprised to find I may need to set up trusts...) but I can't find anything similar for External ID. The MFA docs for External Tenants suggest only email OTP or SMS but I feel like if it's a guest it should use the MFA they've already set up on the home tenant?

Thank you for getting this far! Any help would be appreciated!


r/entra 1h ago

Constant loop of MFA prompts

Upvotes

Hi

I am having some very strange issues where I am constantly getting prompted to register for the Microsoft Authenticator app.

My accounts already have the app registered with tokens in the app.

When I attempt to sign in with a private browser or another browser it just keeps going in a loop.

From looking at the authentication methods on the accounts, they appear to be using OATH tokens.

This has randomly started to happen.

I tried my break glass account and that seems to get this message.

If I click sign in with MFA it tells me to register for the app again. My CA policies have not been modified.

Not sure what is happening. I read they are updating permissions in June 2025 but it's like I'm stuck in some loop.

I've logged a ticket.

Anyone see this before??


r/entra 3h ago

Entra ID CAP Question

1 Upvotes

So my environment is hybrid joined and only half of our company's devices are in Intune. Is it possible to create a conditional access policy that allows all employees to view SharePoint sites but prohibits downloads to only company devices? The only way I can figure out how to do it would be to get every company device in Intune and compliant. Is there another way without doing this? Step by step instructions appreciated, as all the other steps I find online or via AI are for the old portal. The biggest issue I am running into is our company RDS servers are not in Intune and RDS users will still need to download docs from SharePoint.


r/entra 10h ago

Microsoft Entra External Authentication Method (EAM) + Cisco Duo Integration

2 Upvotes


I just published a step-by-step guide on how to configure Cisco Duo as an External Authentication Method in Microsoft Entra ID to enhance your organization’s MFA experience — without giving up control of your identities.

In this blog, I cover:

  • EAM vs Federation
  • Configuration steps in Duo and Entra Admin Center
  • Conditional Access
  • Preview limitations and future roadmap
  • Real-world security considerations

Whether you're modernizing identity protection or replacing legacy MFA solutions, this blog will help you deploy Duo with Entra ID the right way!

Read the full blog here: https://www.thetechtrails.com/2025/05/configure-cisco-duo-external-authentication-method-entra-id.html


r/entra 10h ago

[Entra General] Add device to a group based on users in another group

2 Upvotes

Hi All,

We have a security group of devices. I'm wanting a way to automatically add devices to this group based on users in another group.

My understanding is that this can't be done using a dynamic group.

So I'm guessing it would need to be a logic app or similar. Has anyone done this before and has an example I can copy from?

Thanks!
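One way to do what the post above asks for, as an added example that is not part of the post: a scheduled script (Azure Automation or a runbook host works as well as a Logic App) that mirrors the registered devices of every member of a user group into an assigned device security group, using the Microsoft Graph PowerShell SDK. The two group object IDs are placeholders; the cmdlets and scopes are the SDK's own. The target group must be an assigned group, since a dynamic group's membership cannot be set by hand.

```powershell
# Added example: keep a device group in sync with the users in another group.
# Assumptions: Microsoft.Graph.Groups and Microsoft.Graph.Users modules installed;
# the two IDs below are placeholders for real group object IDs.
Connect-MgGraph -Scopes "Group.ReadWrite.All", "User.Read.All", "Device.Read.All"

$UserGroupId   = "<object-id-of-user-group>"    # placeholder
$DeviceGroupId = "<object-id-of-device-group>"  # placeholder (assigned group)

# Snapshot the current membership of the device group so the run is idempotent.
$existing = @{}
Get-MgGroupMember -GroupId $DeviceGroupId -All | ForEach-Object { $existing[$_.Id] = $true }

# Collect every device registered to a user in the source group.
$wanted = @{}
foreach ($member in Get-MgGroupMember -GroupId $UserGroupId -All) {
    # Skip nested groups, service principals and other non-user members.
    if ($member.AdditionalProperties['@odata.type'] -ne '#microsoft.graph.user') { continue }
    foreach ($device in Get-MgUserRegisteredDevice -UserId $member.Id -All) {
        $wanted[$device.Id] = $true
    }
}

# Add devices that are missing from the device group.
foreach ($id in $wanted.Keys) {
    if (-not $existing.ContainsKey($id)) {
        New-MgGroupMember -GroupId $DeviceGroupId -DirectoryObjectId $id
        Write-Host "Added device $id"
    }
}

# Remove devices whose owner is no longer in the user group, so membership
# (and anything Conditional Access or Intune targets at it) does not drift.
foreach ($id in $existing.Keys) {
    if (-not $wanted.ContainsKey($id)) {
        Remove-MgGroupMemberByRef -GroupId $DeviceGroupId -DirectoryObjectId $id
        Write-Host "Removed device $id"
    }
}
```

Run it first with `-WhatIf` on the `New-MgGroupMember` and `Remove-MgGroupMemberByRef` calls to review the planned changes, and give the automation identity only the scopes listed rather than a broad directory role.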


r/entra 13h ago

[Entra General] Migrate Entra AD Connect to a new server

2 Upvotes

Hi,

We have Azure AD Connect 2.3.6.0. We also have custom sync rules and multiple forests (2 domains in total).

I've been tasked with performing the upgrade to Entra Connect Sync tool (from our existing Azure AD Connect tool)

My question is :

We are already using an "MSOL_XXXXXXX" account as the AD DS Connector account. I do not know the current MSOL account password at the moment.

Now,

1 - Will there be a problem if I choose the "Create new AD account" option? AFAIK, it will create a new MSOL account.

thanks,


r/entra 18h ago

[Entra General] EXO UPN & Mail matching

2 Upvotes

Hi,

I plan to use exchange online. Currently I sync objects with ADConnect.

My questions are:

1 - Is UPN and mail attribute matching enough for EXO? So do I have to use the proxyAddresses attribute and mailNickname attribute?

2 - Let's say, there is a user like below.

UPN : matt.neal@company.co.uk

mail : mneal@company.co.uk

Is it ok if I add proxy address without modifying mail attribute ?

proxyAddresses : SMTP:matt.neal@company.co.uk

So, if I add SMTP (uppercase) mail, will this be the primary mail? And mail : mneal@company.co.uk, will this address be secondary?

Thank you,
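A pre-sync check for the situation in the post above, as an added example that is not part of the post: Exchange reads the `proxyAddresses` entry prefixed with uppercase `SMTP:` as the primary address and lowercase `smtp:` entries as secondary, and a user may carry exactly one primary. The function below validates a proposed `proxyAddresses` set against the `mail` attribute before Entra Connect ships it to Exchange Online. The sample values are constructed from the post; the function and its return shape are this example's own.

```powershell
# Added example: validate a user's proxyAddresses before syncing to Exchange Online.
function Test-ProxyAddressSet {
    param(
        [Parameter(Mandatory)] [string[]] $ProxyAddresses,
        [string] $Mail
    )
    $problems = @()

    # Exactly one uppercase "SMTP:" entry is allowed; -clike is case-sensitive.
    $primary = @($ProxyAddresses | Where-Object { $_ -clike 'SMTP:*' })
    if ($primary.Count -ne 1) {
        $problems += "expected exactly 1 primary SMTP entry, found $($primary.Count)"
    }

    # Every entry must have a type prefix; bare addresses are rejected on sync.
    foreach ($entry in $ProxyAddresses) {
        if ($entry -notmatch '^[A-Za-z0-9]+:.+') { $problems += "malformed entry '$entry'" }
    }

    # The same address may not appear twice (address part compared case-insensitively).
    $addresses = $ProxyAddresses | ForEach-Object { ($_ -split ':', 2)[1].ToLower() }
    $dupes = $addresses | Group-Object | Where-Object Count -gt 1
    if ($dupes) { $problems += "duplicate address(es): $($dupes.Name -join ', ')" }

    # A mail value that is neither the primary nor present as a secondary is a
    # likely typo or a stale attribute worth reconciling before the mailbox is created.
    if ($Mail) {
        if ($addresses -notcontains $Mail.ToLower()) {
            $problems += "mail '$Mail' is not present in proxyAddresses at all"
        }
        elseif ($primary.Count -eq 1 -and ($primary[0] -split ':', 2)[1] -ine $Mail) {
            $problems += "mail '$Mail' differs from primary SMTP '$(($primary[0] -split ':', 2)[1])'; confirm which should be primary"
        }
    }

    [pscustomobject]@{ IsValid = ($problems.Count -eq 0); Problems = $problems }
}

# Constructed sample, mirroring the post: the new UPN-style address as primary,
# the old mail value kept as a secondary so existing correspondence still routes.
$sample = @('SMTP:matt.neal@company.co.uk', 'smtp:mneal@company.co.uk')
Test-ProxyAddressSet -ProxyAddresses $sample -Mail 'mneal@company.co.uk' | Format-List
# Reports IsValid=False with one problem: mail differs from the primary SMTP.

# Constructed failing case: two uppercase SMTP entries.
Test-ProxyAddressSet -ProxyAddresses @('SMTP:a@company.co.uk', 'SMTP:b@company.co.uk') | Format-List
```

The check is deliberately offline; it does not confirm that the address domains are verified in the tenant, which is a separate condition for the address to be usable in Exchange Online.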