Azure AD guest 用户多重身份验证

Question

我管理我的 Azure Active Directory - MyProjectAAD。 我已从另一个 Azure Active Directory - MyCompanyAAD 添加外部用户作为 guest

使用时[email protected]想要登录到在 MyCompanyAAD 中注册的应用程序，则强制执行两因素身份验证。 注意:用户被重定向到自定义企业登录页面和自定义第二个身份验证页面

但是，当相同的用户想要登录到他作为访客的 MyProjectAAD 中注册的应用程序时，不会强制执行两因素身份验证，而我想强制执行。 用户仅被重定向到与之前情况相同的自定义企业登录，但没有第二因素身份验证页面

如何在 Azure Active Directory 中为 guest 用户启用两步身份验证？

Answer 1

您可以使用 Azure 条件访问来实现此目的。

注意:此功能需要 AAD Premium 来为您的场景创建自己的策略。

1. Create a Dynamic Access Group of "External User" accounts

• Login to AzureAD Portal, and navigate to Azure Active Directory -> Users and Groups -> All groups and click on New Group

• Give your group a friendly name, description, and select Membership type of Dynamic User. If you do not see this Membership type, it may be that you do not have AzureAD Premium licenses in your subscription. (See licensing requirements below)

• Select Add dynamic query, and create a Simple Rule in which you add users where userType Equals Guest

• Click Add query -> Create in order to make the dynamic group

NOTE: It will take some time for the group to populate.

2. Create a Conditional Access Policy for the specific Enterprise App.

• Login to AzureAD Portal, and navigate to Enterprise applications >Select the specific app> Conditional access to show all Conditional access policies, and then click on New Policy
• On the New blade, in the name text box, type a friendly name for the policy
• On the Users and Groups blade, select Include -> Select users and group -> Select
• Search for the External Users group you created in the previous step and select that group
• On the Conditions blade, select Locations. Select Yes for Configure. Include Any Location.
• Apply these by selecting the Done buttons
• On the Grant Blade, select Grant Access and Require Multi-Factor Authentication. Click Select to apply the Grant restrictions. -Finally, toggle the Enable policy button to On, and then Create the policy

这里是a blog由 Kevin Kirkpatrick 编写，您可以引用它在特定应用上对外部用户实现多重身份验证。