I manage a customer setup that involves two different tenants. All users are in the 'main' tenant, but they have guest accounts in the second tenant to access specific store-related data. We've enforced multi-factor authentication (MFA) for all users on both tenants. However, I came across an issue where syncing a SharePoint library to OneDrive isn't possible when MFA is enforced for guest accounts, as noted in a Microsoft forum post. We don't want to disable MFA but need a way to sync the SharePoint sites. Has anyone figured out a solution using conditional access policies?
A few additional notes:
1. Users can fully access and edit files in the guest tenant's SharePoint libraries.
2. They work on laptops and sometimes from home, so establishing a trusted location isn't feasible.
3. Attempts to sync with MFA enabled fail, and non-interactive sign-in logs show MFA failures.
4. When we disable MFA for guest users, syncing works, but then users aren't prompted for MFA during sign-in, which is a significant security concern.
Any help would be much appreciated; I'm feeling stumped!
4 Answers
Just a heads up, syncing libraries with guest ID can turn into a bit of a nightmare. We've faced issues where random files stop syncing altogether. Support told us they don't officially support these situations anymore, so it could be rough going.
Have you considered using B2B - Cross Tenant Relationship? It might be a solid option to explore. Just a thought!
This did help, actually! I appreciate the nudge in the right direction!
No kidding, syncing libraries with guest accounts is notoriously flaky. We had our share of struggles too, unexpected glitches popping up left and right.
Could you trust the MFA claims from your main tenant, considering you're already granting guest users access to files? It seems counterproductive to require them to MFA twice.
That was the initial plan, but we found out that excluding guests from MFA in our access policy meant they didn't get prompted for authentication at all during sign-ins.

Thanks for the suggestion! I haven't delved into this yet, but I'll definitely check it out.
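The inbound MFA trust that the answers above point to, as an added example that is not part of the original thread: it is run in the resource (guest) tenant and lets a Conditional Access policy that still requires MFA for guests be satisfied by the MFA claim from the users' home tenant, rather than excluding guests from the policy. It assumes the Microsoft.Graph.Authentication module; `$HomeTenantId` is a placeholder for the main tenant's ID.

```powershell
# Added example. Run while signed in to the RESOURCE tenant (where the guest accounts live).
# $HomeTenantId is a placeholder: replace it with the tenant ID of the users' home tenant.
$HomeTenantId = '00000000-0000-0000-0000-000000000000'
$Base = 'https://graph.microsoft.com/v1.0/policies/crossTenantAccessPolicy/partners'

Connect-MgGraph -Scopes 'Policy.ReadWrite.CrossTenantAccess'

# Find an existing partner configuration for the home tenant, if any.
# (Only the first page of results is read; follow '@odata.nextLink' if there are many partners.)
$partners = (Invoke-MgGraphRequest -Method GET -Uri $Base).value
$existing = $partners | Where-Object { $_.tenantId -eq $HomeTenantId }

# Start from the current inbound trust so device-trust flags already set are preserved.
$trust = @{
    isMfaAccepted                       = $true
    isCompliantDeviceAccepted           = $false
    isHybridAzureADJoinedDeviceAccepted = $false
}
if ($existing -and $existing.inboundTrust) {
    foreach ($key in 'isCompliantDeviceAccepted', 'isHybridAzureADJoinedDeviceAccepted') {
        if ($null -ne $existing.inboundTrust[$key]) { $trust[$key] = $existing.inboundTrust[$key] }
    }
}

if ($existing) {
    # Partner entry exists: update only its inbound trust settings.
    $body = @{ inboundTrust = $trust } | ConvertTo-Json -Depth 5
    Invoke-MgGraphRequest -Method PATCH -Uri "$Base/$HomeTenantId" `
        -Body $body -ContentType 'application/json'
} else {
    # No partner entry yet: create one that carries the inbound trust.
    $body = @{ tenantId = $HomeTenantId; inboundTrust = $trust } | ConvertTo-Json -Depth 5
    Invoke-MgGraphRequest -Method POST -Uri $Base `
        -Body $body -ContentType 'application/json'
}

# Read the setting back to confirm what the tenant now accepts from the home tenant.
$after = Invoke-MgGraphRequest -Method GET -Uri "$Base/$HomeTenantId"
$after.inboundTrust
```

After the change, the sign-in logs in the resource tenant are where to confirm that guest sign-ins are evaluated against the MFA policy and satisfied by the home tenant's claim.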