If you’ve seen this image before then you may feel my pain.
All employees and guests in my client’s Microsoft 365 tenant were getting this prompt. The client wanted to leave this on for employees but keep it disabled for guests.
If this is something you want to do too, let me show you how to do it.
Create A Dynamic Security Group
The first step is to create a dynamic security group called “All Users Except Guests” (or something similar).
To start, log in to Azure as a Global Admin. Then, search for “Azure Active Directory” and click on it.
Scroll down a little bit and create a group.
Then, follow these settings:
- Group type: Security
- Group name: All Users Except Guests
- Membership type: Dynamic User
For the dynamic user members, click on “Add Dynamic Query”.
For the properties, choose the following:
- Property: UserType
- Operator: Not Equals
- Value: guest
After that, click “Save”.
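The same group can be created and checked from PowerShell. This is an added example, not part of the original post: it assumes the Microsoft Graph PowerShell SDK is installed, and the mail nickname `AllUsersExceptGuests` is a made-up value.

```powershell
# Added example: scripted equivalent of the portal steps above.
# Assumes: Install-Module Microsoft.Graph -Scope CurrentUser
Connect-MgGraph -Scopes 'Group.ReadWrite.All', 'User.Read.All'

$groupName = 'All Users Except Guests'   # group name used in this article

# Reuse the group if it already exists, so the script is safe to re-run.
$group = Get-MgGroup -Filter "displayName eq '$groupName'" | Select-Object -First 1
if (-not $group) {
    $group = New-MgGroup -DisplayName $groupName `
        -Description 'Dynamic group: every user whose userType is not Guest' `
        -MailEnabled:$false `
        -MailNickname 'AllUsersExceptGuests' `
        -SecurityEnabled `
        -GroupTypes @('DynamicMembership') `
        -MembershipRule '(user.userType -ne "Guest")' `
        -MembershipRuleProcessingState 'On'
}

# Dynamic membership is evaluated asynchronously, so run this check
# again once rule processing has finished.
$memberIds = Get-MgGroupMember -GroupId $group.Id -All | ForEach-Object Id
$guests    = Get-MgUser -Filter "userType eq 'Guest'" -All -Property Id, UserPrincipalName

# Any guest that appears in the group would still receive the MFA prompt.
$leaked = $guests | Where-Object { $memberIds -contains $_.Id }
if ($leaked) {
    Write-Warning "Guests found in '$groupName':"
    $leaked | Select-Object Id, UserPrincipalName
} else {
    "No guest accounts are members of '$groupName' ($(@($memberIds).Count) members evaluated)."
}
```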
Disable Security Defaults
If you disable security defaults, you can add similar protections back by using Azure Conditional Access policies. For this step, you will also need Azure AD Premium P2 or above.
To start, navigate to Azure Active Directory Home and click on “Properties”.
Scroll down, click the “Manage Security Defaults” link, and set it to “No” (which will disable security defaults).
Now, I thought doing this would fix the issue — unfortunately, it didn’t.
After spending about five hours trying to see how to resolve this, I stumbled across the MFA registration policy. I saw that this was set to “All users”. This was the problem!
Here’s how to resolve it:
Configure MFA Registration Policy
Navigate back to Azure Active Directory Home and click on “Identity Protection”.
Then, click on “MFA registration policy”.
Under “Assignments”, click on “Users”. On the Include tab, if “All Users” is selected, deselect it and click “Select individuals and groups”.
After you click the other option, a sidebar will appear on the right. Click “All Users Except Guests” and click on the “Select” button.
Before clicking “Save”, make sure that “Enforce policy” is set to “On”.
Next time a guest gets a sharing invitation from SharePoint, that guest will no longer get the “More Information Required” prompt!