Trusting MFA and device state for Azure AD external users

Azure Active Directory offers the ability to trust MFA and device compliance claims from other Azure AD tenants.

Enabling MFA trust with another tenant streamlines the sign-in process for B2B collaboration users and enables access for B2B direct connect users.

If you want to allow B2B direct connect with an external organization and your Conditional Access policies require MFA, you must configure your inbound trust settings so your Conditional Access policies will accept MFA claims from the external organization. This configuration ensures that B2B direct connect users from the external organization are compliant with your Conditional Access policies, and can provide a more seamless user experience.

How to configure trust settings in Azure AD:

  • Open the Azure portal, and select Azure Active Directory
  • In the Manage section, select External Identities
  • Now select Cross-tenant access settings
  • Under the Organizational settings blade click +Add organization
  • Enter the tenant FQDN og tenant ID of the external partner (example: and click Add
  • Next to the added organization, click on the Inherited from default link below Inbound access
  • Select the Trust settings blade
  • Select the Customize settings option

Configuring MFA trust settings:

  • Trust multi-factor authentication from Azure AD tenants:
    Allow Conditional Access policies to trust MFA claims from external organizations. During authentication, Azure AD will check a user’s credentials for a claim that the user has completed MFA. If not, an MFA challenge will be initiated in the user’s home tenant.

  • Trust compliant devices:
    Allows Conditional Access policies to trust compliant device claims from an external organization when their users access your resources.

  • Trust hybrid Azure AD joined devices:
    Allows Conditional Access policies to trust hybrid Azure AD joined device claims from an external organization when their users access resources in your tenant.


Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.