Disable “More information required” MFA Prompt for Guests

Last Updated on February 17, 2024

If you’ve seen this image before then you may feel my pain.

All employees and guests in my client’s Microsoft 365 tenant were getting this prompt. The client wanted to leave this on for employees but keep it disabled for guests.

If this is something you want to do too, let me show you how to do it.

Create a Dynamic Group

The first step is to create a dynamic security group called “All Users Except Guests” (or something similar).

To start, log in to Azure as a Global Admin. Then, search for “Azure Active Directory” and click on it.

Access the Azure Active Directory

Scroll down a little bit and create a group.

Create a group in Azure

Then, follow these settings:

  • Group type: Security
  • Group name: All Users Except Guests
  • Membership type: Dynamic User

For the dynamic user members, click on “Add Dynamic Query”.

Configure the settings for the new group

For the properties, choose the following:

  • Property: UserType
  • Operator: Not Equals
  • Value: guest

After that, click “Save”.

Setup for the dynamic membership rules
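
The same group can also be created from PowerShell. This is an added example, not part of the original post: it assumes the Microsoft Graph PowerShell SDK is installed and that the mail nickname AllUsersExceptGuests is unused, and it also checks that no guest ended up in the group before the group is used to scope a policy.

```powershell
# Added example, not from the original post. Assumes the Microsoft Graph
# PowerShell SDK (Install-Module Microsoft.Graph) and an admin sign-in.
Connect-MgGraph -Scopes 'Group.ReadWrite.All', 'User.Read.All'

$groupName = 'All Users Except Guests'
# Text form of the portal rule: Property UserType, Operator Not Equals, Value guest
$rule = '(user.userType -ne "guest")'

# Reuse the group if it already exists so the script can be re-run safely.
$group = Get-MgGroup -Filter "displayName eq '$groupName'" | Select-Object -First 1
if (-not $group) {
    $params = @{
        DisplayName                   = $groupName
        MailNickname                  = 'AllUsersExceptGuests'  # assumed nickname
        MailEnabled                   = $false
        SecurityEnabled               = $true                   # Group type: Security
        GroupTypes                    = @('DynamicMembership')  # Membership type: Dynamic User
        MembershipRule                = $rule
        MembershipRuleProcessingState = 'On'
    }
    $group = New-MgGroup @params
}

# Confirm the stored rule is the intended one.
$stored = Get-MgGroup -GroupId $group.Id -Property 'id,displayName,membershipRule,membershipRuleProcessingState'
if ($stored.MembershipRule -ne $rule) {
    Write-Warning "Unexpected rule on '$groupName': $($stored.MembershipRule)"
}

# Dynamic membership is evaluated in the background, so run this part again
# once the group has populated. Any guest listed here would still be in scope
# of a policy assigned to the group.
$guests = foreach ($member in Get-MgGroupMember -GroupId $group.Id -All) {
    $user = Get-MgUser -UserId $member.Id -Property 'id,userPrincipalName,userType'
    if ($user.UserType -eq 'Guest') { $user }
}

if ($guests) {
    Write-Warning 'Guests found in the group; fix the rule before assigning the policy:'
    $guests | Select-Object UserPrincipalName, UserType
} else {
    Write-Output "No guests in '$groupName' ($($stored.MembershipRuleProcessingState))."
}
```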


Disable Security Defaults

If you disable security defaults, you can add similar protections back by using Azure Conditional Access policies. For this step, you will also need Azure AD Premium P2 or above.

To start, navigate to Azure Active Directory Home and click on “Properties”.

Azure directory properties

Scroll down, click the “Manage Security Defaults” link, and set it to “No” (which will disable security defaults).

Manage Security Defaults on Azure

Now, I thought doing this would fix the issue — unfortunately, it didn’t.

After spending about five hours trying to see how to resolve this, I stumbled across the MFA registration policy. I saw that this was set to “All users”. This was the problem!

Here’s how to resolve it:

Configure MFA Registration Policy

Navigate back to Azure Active Directory Home and click on “Identity Protection”.

Azure Identity Protection

Then, click on “MFA registration policy”.

MFA registration policy

Under “Assignments”, click on “Users”. On the Include tab, if “All Users” is selected, deselect it and click “Select individuals and groups”.

Change the MFA registration policy

After you click the other option, a sidebar will appear on the right. Click “All Users Except Guests” and click on the “Select” button.

Select users for the MFA registration policy

Before clicking “Save”, make sure that “Enforce policy” is set to “On”.

Enforce MFA registration policy

Next time a guest gets a sharing invitation from SharePoint, that guest will no longer get the “More Information Required” prompt!

About Ryan Clark

As the Modern Workplace Architect at Mr. SharePoint, I help companies of all sizes better leverage Modern Workplace and Digital Process Automation investments. I am also a Microsoft Most Valued Professional (MVP) for M365 Apps & Services.


Ivan Nemet
1 year ago

Hi,
this is my way too 🙂
But I created All_Guests dynamic group and put them in Exclude.
