I'm navigating the onboarding process for external users at my company, which primarily uses on-prem Active Directory and seeks to implement a synced Entra tenant for Multi-Factor Authentication (MFA). Currently, the onboarding for external users is quite complex and manual, requiring them to install an MFA app on their phones and then provide their business sponsor with their credential ID. This ID is then linked to their AD account by our support desk. I'm aware that Microsoft Authenticator requires users to register their devices themselves, which complicates things since our registration is location-based. Given that external users use their own devices, I want to explore secure options for onboarding them with MFA without compromising security. Any suggestions?
2 Answers
Check out the Temporary Access Pass (TAP) feature from Microsoft. It’s designed for situations like yours and can help external users authenticate without a lot of hassle. You can find more about it here: https://learn.microsoft.com/en-us/entra/identity/authentication/howto-authentication-temporary-access-pass.
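As an added example (not part of the answer above and not Microsoft's own sample), this is how a support desk could issue a short-lived, single-use TAP to a sponsored external user with the Microsoft Graph PowerShell SDK, so the user registers Authenticator on their own device instead of the manual credential-ID linking described in the question; the UPN, lifetime, and operator role are assumptions.

```powershell
# Added example: issue a single-use Temporary Access Pass (TAP) to an external
# user so they can complete Authenticator registration themselves.
# Assumes the Microsoft.Graph PowerShell SDK is installed and the operator holds
# a role permitted to manage authentication methods (e.g. Authentication Administrator).
# The parameter values below are constructed for illustration.

param(
    [Parameter(Mandatory)] [string] $UserPrincipalName,   # e.g. the guest's UPN in the tenant
    [int] $LifetimeInMinutes = 60                         # keep short: the pass is a bearer credential
)

Import-Module Microsoft.Graph.Identity.SignIns
Import-Module Microsoft.Graph.Users

# Least-privilege delegated scopes: manage auth methods, read the methods policy.
Connect-MgGraph -Scopes "UserAuthenticationMethod.ReadWrite.All","Policy.Read.All" -NoWelcome

# Caveat: TAP must be enabled in the tenant's Authentication methods policy and
# the target user must fall inside its included groups, or issuance fails.
$tapPolicy = Get-MgPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration `
    -AuthenticationMethodConfigurationId "TemporaryAccessPass"
if ($tapPolicy.State -ne "enabled") {
    throw "TAP is not enabled in the Authentication methods policy; enable it before issuing passes."
}

# Resolve the account first so a typo in the UPN fails before anything is created.
$user = Get-MgUser -UserId $UserPrincipalName -Property Id,UserPrincipalName,UserType
Write-Host "Issuing TAP for $($user.UserPrincipalName) (userType=$($user.UserType))"

# isUsableOnce: the pass works for exactly one sign-in, which is all the
# registration flow needs; lifetime bounds the window if it is intercepted.
$body = @{
    isUsableOnce      = $true
    lifetimeInMinutes = $LifetimeInMinutes
}
$tap = New-MgUserAuthenticationTemporaryAccessPassMethod -UserId $user.Id -BodyParameter $body

# Hand the pass to the business sponsor out of band (e.g. by phone) and never
# write the value to logs or tickets; it is shown once to the operator here.
[pscustomobject]@{
    User       = $user.UserPrincipalName
    ExpiresUtc = $tap.StartDateTime.AddMinutes($tap.LifetimeInMinutes)
    SingleUse  = $tap.IsUsableOnce
    Pass       = $tap.TemporaryAccessPass
}
```

The issued pass shows up in the user's authentication methods and in the audit log, so the support desk can later confirm it was consumed exactly once.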
Have you considered using phone call MFA as a registration method? You could add the user’s phone number to the AD attribute and let them authenticate that way. Is your organization strictly enforcing the Authenticator app for these users?
Yeah, I solidly think architecture just tossed this migration over the fence thinking it was tick and flick. No scope for MSA or auth method analysis—just a lot of politics going on I’m not in the loop for.
Thanks, that was where I was ending up too.