I'm currently evaluating some security auditing platforms, and I've noticed that around 50% of our users lack registered Multi-Factor Authentication (MFA). However, this group consists entirely of external guest users who were invited to meetings or Teams. Is it considered best practice to have these external guests register for MFA as well?
5 Answers
You might want to consider why external Teams invitees need accounts in your tenant at all. Typically, inviting guests creates a guest account in your system, meaning they should follow the same compliance rules as regular users.
Yes, any external user signing into your system should be covered by MFA just like regular users. It's crucial to maintain security protocols, and external guests shouldn't get a pass on this. Security is just as important for them, if not more so!
If someone needs an account, they should use MFA, except for actual guests visiting just for the day. They usually just access guest Wi-Fi and have no access to company resources. But anyone with a full account should definitely have MFA.
Even if they’re just guests, these accounts can be major entry points into your environment. If a guest's email is compromised and there’s no MFA, it could lead to serious security breaches. It might be a hassle, but MFA should be enforced where possible.
The reason these guests aren’t showing up as having MFA is probably due to the cross-tenant trust settings. If your tenant trusts MFA from another tenant, you may not see them needing to register for MFA here. But double-check those settings!
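One way to act on the cross-tenant trust point in the last answer, as an added example that is not part of the original thread: it splits guests without local MFA registration into those explained by inbound MFA trust and those with no MFA coverage at all. The JSON mirrors the `inboundTrust.isMfaAccepted` field of the Microsoft Graph `crossTenantAccessPolicy` default and partner resources; the sample data is constructed, the guest field names (`upn`, `home_tenant_id`, `mfa_registered`) are hypothetical, and the fallback from a partner entry with no `inboundTrust` to the default policy is an assumption.

```python
import json

# Constructed sample data shaped like the Microsoft Graph crossTenantAccessPolicy
# "default" and "partners" resources (only the fields used here).
DEFAULT_POLICY = json.loads('{"inboundTrust": {"isMfaAccepted": false}}')
PARTNERS = json.loads("""[
  {"tenantId": "11111111-1111-1111-1111-111111111111",
   "inboundTrust": {"isMfaAccepted": true}},
  {"tenantId": "22222222-2222-2222-2222-222222222222", "inboundTrust": null}
]""")
# Constructed guest export; all three field names are hypothetical.
GUESTS = [
    {"upn": "alice_partner.example#EXT#", "mfa_registered": False,
     "home_tenant_id": "11111111-1111-1111-1111-111111111111"},
    {"upn": "bob_vendor.example#EXT#", "mfa_registered": False,
     "home_tenant_id": "22222222-2222-2222-2222-222222222222"},
    {"upn": "carol_other.example#EXT#", "mfa_registered": False,
     "home_tenant_id": "33333333-3333-3333-3333-333333333333"},
    {"upn": "dave_other.example#EXT#", "mfa_registered": True,
     "home_tenant_id": "33333333-3333-3333-3333-333333333333"},
]

def mfa_trusted(tenant_id, default, partners):
    """Return True if MFA claims from tenant_id are accepted inbound."""
    for partner in partners:
        if partner["tenantId"] == tenant_id:
            trust = partner.get("inboundTrust")
            if trust and trust.get("isMfaAccepted") is not None:
                return bool(trust["isMfaAccepted"])
            break  # assumption: partner without its own trust uses the default
    return bool((default.get("inboundTrust") or {}).get("isMfaAccepted"))

def triage(guests, default, partners):
    """Sort guests lacking local MFA into (explained_by_trust, needs_follow_up)."""
    explained, follow_up = [], []
    for guest in guests:
        if guest["mfa_registered"]:
            continue  # registered locally, nothing to explain
        trusted = mfa_trusted(guest["home_tenant_id"], default, partners)
        (explained if trusted else follow_up).append(guest["upn"])
    return explained, follow_up

if __name__ == "__main__":
    explained, follow_up = triage(GUESTS, DEFAULT_POLICY, PARTNERS)
    print("Covered by inbound MFA trust:", explained)
    print("No trust and no local MFA:", follow_up)
```

Guests in the second list are the ones an audit tool's "no MFA registered" figure should actually worry about.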
