This is a walkthrough on how to get external users working via federated applications, and the caveats and pitfalls you can hit along the way.
If you have guest users and you wish them to use your federated applications, this can be done with the "guest account" option in Entra, so first let's get the user invited:
We then need to create the user, as below; notice the option for "Send invite link", this is important later on:
What if you do not accept the invite?
This does not work, as there is no Microsoft account for that user, which means that for this to work you also need a Microsoft account to authenticate with; it's not magic.
Accepting the Invite
When we use the correct link, if that account is not linked to a Microsoft account you will then need to sign up for one as below; in this case this is a "personal" account:
You will then need to complete an MFA challenge to prevent fraud:
Then we need some more details:
Then we need to prove we are human by pressing and holding a button, a weird one, Microsoft?
Then we need to do MFA, and no, I do not skip this: it should be standard in 2025 to always have MFA, plus I have a policy that requires it, so this will fail later on:
This is where my MFA policy kicks in and requires that you use MFA from my tenant's options; this is not optional:
However, we then get this, which is a problem indeed: it says my tenant is not allowing any authentication methods. But why?
They are enabled, as you can see here, and this tenant has completed the migration to "Conditional Access" based policies:
Diagnosing "No authentication methods"
Therefore I will update that setting to something other than the most restrictive option:
This seemed to make no difference to my missing MFA options. There is some logic about this being tenant restrictions set to "All Blocked", but this makes no sense from a technical point of view; this is set from External Identities > Cross-tenant access settings, but this was also not the problem:
This is the problem: I seem to have no Conditional Access license, and the "complete" option requires a P2 license:
If you try to edit a Conditional Access policy you get an error about not having an Entra ID P2 license:
This means I need to get this changed from "complete" to "in progress", as below:
After this is changed I now get the option to use Authenticator:
This, however, is not the cause of the problem: this setting will automatically change in November 2025, so leaving it like that is a bad idea. The more technical cause of the problem stems from the fact that I have Conditional Access policies but I'm not licensed to use them, so in this particular scenario we have a couple of options:
- You already have an Entra ID P1/P2 license
- Purchase Entra ID P1/P2 license
- Reject the Entra ID P1/P2 license (which will require mandatory use of security defaults)
1. Create the Conditional Access Policy
Navigate to Entra ID > Security > Conditional Access > New Policy
Basic Settings:
- Name: "External Users - Authentication Requirements"
- State: Enabled
2. Configure User Assignments
Users and Groups:
- Include: Select "Guest or external users" → "B2B collaboration guest users"
- Exclude: None
Cloud Apps:
- Include: All cloud apps (or specific applications as needed)
Conditions:
- Device platforms: Not configured (allows all platforms)
- Locations: Not configured or exclude trusted locations
- Client apps: Modern authentication clients
3. Set Access Controls
Grant Controls:
- Grant access
- Require multifactor authentication
- For multiple controls: Require one of the selected controls
Session Controls:
- Sign-in frequency: 1 day (optional - forces periodic re-authentication)
- Persistent browser session: Never persistent
4. Configure Cross-Tenant Access Settings
This is the crucial step that many administrators miss!
Navigate to Entra ID > External Identities > Cross-tenant access settings > Default settings
Inbound Access Settings:
- B2B collaboration:
  - Users and groups: Allow all
  - Applications: Allow all
Trust Settings:
- Trust multifactor authentication from Azure AD tenants
Authentication Methods: Allow external users to use:
- Microsoft Authenticator
- FIDO2 security keys
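The Conditional Access policy from steps 1-3 and the cross-tenant defaults from step 4, expressed as Microsoft Graph PowerShell calls, as an added example that is not part of the original post. The cmdlet and property names are assumed from the Graph `conditionalAccessPolicy` and `crossTenantAccessPolicyConfigurationDefault` resources and should be checked against your module version; as the post notes, Conditional Access requires an Entra ID P1/P2 license.

```powershell
# Added example (not from the original post). Assumes the Microsoft.Graph module
# and an account allowed to write Conditional Access and cross-tenant policy.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.ReadWrite.CrossTenantAccess'

# Steps 1-3: require MFA for all B2B collaboration guests on all cloud apps.
# Device platforms and locations are left out, i.e. "Not configured".
$caPolicy = @{
    displayName = 'External Users - Authentication Requirements'
    state       = 'enabled'
    conditions  = @{
        users = @{
            includeGuestsOrExternalUsers = @{
                guestOrExternalUserTypes = 'b2bCollaborationGuest'
                externalTenants          = @{
                    '@odata.type'  = '#microsoft.graph.conditionalAccessAllExternalTenants'
                    membershipKind = 'all'
                }
            }
        }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('browser', 'mobileAppsAndDesktopClients')   # modern authentication clients
    }
    grantControls = @{
        operator        = 'OR'          # "Require one of the selected controls"
        builtInControls = @('mfa')
    }
    sessionControls = @{
        signInFrequency   = @{ isEnabled = $true; type = 'days'; value = 1 }   # 1 day
        persistentBrowser = @{ isEnabled = $true; mode = 'never' }            # never persistent
    }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $caPolicy

# Step 4: inbound B2B collaboration defaults, plus trusting the MFA claim
# issued by the guest's home tenant so the policy above can be satisfied.
$crossTenantDefaults = @{
    b2bCollaborationInbound = @{
        usersAndGroups = @{ accessType = 'allowed'; targets = @(@{ target = 'AllUsers'; targetType = 'user' }) }
        applications   = @{ accessType = 'allowed'; targets = @(@{ target = 'AllApplications'; targetType = 'application' }) }
    }
    inboundTrust = @{ isMfaAccepted = $true }
}
Update-MgPolicyCrossTenantAccessPolicyDefault -BodyParameter $crossTenantDefaults

# Check that the trust setting was applied before testing a guest sign-in.
(Get-MgPolicyCrossTenantAccessPolicyDefault).InboundTrust.IsMfaAccepted
```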
Then if you navigate to Entra > Properties you will notice that the security defaults option is now available to update:
Then, when you manage the security defaults, update it from disabled to enabled; the default is disabled after this update.
You will then get an error saying "Identity Protection" is enabled so you cannot use security defaults, so you now need to go to Entra > Security > Identity Protection and disable each one of these options:
You need to set these to "Disabled", as these also require an Entra ID P1/P2 license, and wait a moment for Entra to catch up:
Then when you try to update the security defaults you will be allowed to update the setting:
Finally we are now on the correct security defaults:
After looking at this a little more, it would appear you actually need an Entra ID P1 license for these settings to work: after the migration end date, Azure AD Premium licenses are required to configure the cross-tenant trust settings that are essential for external user authentication to work properly.
Microsoft has forced people with labs and test environments to acquire an Entra P1/P2 license, non-negotiable!
Back on Track: Continue the account setup
I have decided to use the SMS version for this test:
We can now confirm that the guest account we created earlier now has a Microsoft account, and that account is active in the target tenant, as shown in the green box below:
Using the Guest Account with the Federated Application