Disable “More information required” MFA Prompt for Guests

If you’ve seen this image before then you may feel my pain.

All employees and guests in my client’s Microsoft 365 tenant were getting this prompt. The client wanted to leave this on for employees but keep it disabled for guests.

If this is something you want to do too, let me show you how to do it.

Create a Dynamic Security Group

The first step is to create a security group with dynamic membership called “All Users Except Guests” (or something similar).

To start, log in to Azure as a Global Admin. Then, search for “Azure Active Directory” and click on it.

Access the Azure Active Directory

Scroll down a little bit and create a group.

Create a group in Azure

Then, follow these settings:

  • Group type: Security
  • Group name: All Users Except Guests
  • Membership type: Dynamic User

For the dynamic user members, click on “Add Dynamic Query”.

Configure the settings for the new group

For the properties, choose the following:

  • Property: UserType
  • Operator: Not Equals
  • Value: guest

After that, click “Save”.

Setup for the dynamic membership rules
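
The same group can also be created and checked from PowerShell. This is an added example, not part of the original post: it assumes the Microsoft Graph PowerShell SDK is installed, and the mail nickname and the helper function name are made up for illustration.

```powershell
# Added example (not from the original post). Requires the Microsoft.Graph module.
Connect-MgGraph -Scopes 'Group.ReadWrite.All', 'User.Read.All'

# Rule equivalent to the portal settings above:
# Property: userType, Operator: Not Equals, Value: guest
$params = @{
    DisplayName                   = 'All Users Except Guests'
    Description                   = 'Every user whose userType is not Guest'
    MailEnabled                   = $false
    MailNickname                  = 'AllUsersExceptGuests'   # assumed value
    SecurityEnabled               = $true
    GroupTypes                    = @('DynamicMembership')
    MembershipRule                = '(user.userType -ne "Guest")'
    MembershipRuleProcessingState = 'On'
}
$group = New-MgGroup @params

# Hypothetical helper: returns any guest account that is a member of the group.
# A non-empty result means those guests would still fall under a policy
# that targets this group.
function Get-GuestsInGroup {
    param([Parameter(Mandatory)][string]$GroupId)

    $memberIds = @((Get-MgGroupMember -GroupId $GroupId -All).Id)
    $guests    = Get-MgUser -Filter "userType eq 'Guest'" -All `
                     -Property Id, UserPrincipalName, UserType
    $guests | Where-Object { $memberIds -contains $_.Id }
}

# Dynamic membership is evaluated asynchronously, so a brand-new group can be
# empty for a while. Re-run this check once members have appeared.
$memberCount = @(Get-MgGroupMember -GroupId $group.Id -All).Count
$leaked      = @(Get-GuestsInGroup -GroupId $group.Id)

if ($memberCount -eq 0) {
    Write-Warning 'Group has no members yet; the rule may still be processing.'
} elseif ($leaked.Count -gt 0) {
    Write-Warning "Found $($leaked.Count) guest account(s) in the group:"
    $leaked | Select-Object UserPrincipalName, UserType
} else {
    Write-Output "OK: $memberCount members, none of them guests."
}
```

Run the check again after any change to the membership rule, before relying on the group in a policy assignment.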

Disable Security Defaults

If you disable security defaults, you can put similar protections back in place by using Azure Conditional Access policies. For this step, you will also need Azure AD Premium P2 or above.

To start, navigate to Azure Active Directory Home and click on “Properties”.

Azure directory properties

Scroll down, click the “Manage Security Defaults” link, and set it to “No” (which will disable security defaults).

Manage Security Defaults on Azure

Now, I thought doing this would fix the issue — unfortunately, it didn’t.

After spending about five hours trying to see how to resolve this, I stumbled across the MFA registration policy. I saw that this was set to “All users”. This was the problem!

Here’s how to resolve it:

Configure MFA Registration Policy

Navigate back to Azure Active Directory Home and click on “Identity Protection”.

Azure Identity Protection

Then, click on “MFA registration policy”.

MFA registration policy

Under “Assignments”, click on “Users”. On the Include tab, if “All Users” is selected, deselect it and click “Select individuals and groups”.

Change the MFA registration policy

After you click the other option, a sidebar will appear on the right. Click “All Users Except Guests” and click on the “Select” button.

Select users for the MFA registration policy

Before clicking “Save”, make sure that “Enforce policy” is set to “On”.

Enforce MFA registration policy

Next time a guest gets a sharing invitation from SharePoint, that guest will no longer get the “More Information Required” prompt!

About Ryan

As the Principal Solutions Architect at Mr. SharePoint, I help companies of all sizes better leverage the Modern Workplace and Digital Process Automation investments.
