Conditional Access and the woes of being an external user
>> The Challenge
Conditional Access and multi-tenancy can be tough on anyone used to "the old ways." As a consultant spending admin time in other tenants, taking my identity with me via Azure AD external user invites is extremely useful.
Azure AD makes this easy: a customer onboards me as an external user with a simple invite, assigns the permissions I need, and I'm good to go.
>> An invited identity is still a separate identity
If your customers require external users to authenticate with MFA (and they should), you'll be prompted to provide extra MFA details for the external user identity.
The experience can be confusing because you see your own tenant's branding during initial logon, making it seem like you're feeding data into your own tenant. On smartphones it's especially hard to distinguish.
REMEMBER: Conditional Access can be evaluated in both tenants simultaneously, and you must pass both.
The real pain comes when you change your smartphone or lose it. If you registered the Authenticator app as your MFA method in another organization's tenant, an admin there may need to select "Require re-register MFA" on your guest account before you can get back in. Not cool.
>> What to do
The solution is simple:
* Use a FIDO2 KEY for MFA as an external user
* Or use TEXT MESSAGE/PHONE CALL verification methods when registering for MFA in external tenants (with acknowledged security trade-offs)
There's also the option of excluding Guests and External users from Conditional Access, but that's NOT RECOMMENDED: it removes the MFA requirement from exactly the identities whose credentials and devices your tenant controls the least.
If you're using Microsoft Teams on mobile, linking the Authenticator app during the enhanced registration process (preview) can be hit-or-miss - sometimes it works, sometimes it doesn't.
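As an added illustration of the "don't exclude guests" point above (example code, not from the original post): this Microsoft Graph PowerShell snippet first audits existing Conditional Access policies for a guest exclusion, then creates a report-only policy that requires MFA for all guests and external users across all apps. The policy name is an assumption, and it is created in report-only mode so you can review sign-in logs before enforcing it.

```powershell
# Requires the Microsoft.Graph PowerShell module; scopes below are the real Graph permission names.
Connect-MgGraph -Scopes "Policy.Read.All", "Policy.ReadWrite.ConditionalAccess"

# 1) Check: list policies that exclude guests/external users (the setting the post warns against).
$policies = Get-MgIdentityConditionalAccessPolicy -All
$weak = $policies | Where-Object {
    $_.Conditions.Users.ExcludeUsers -contains "GuestsOrExternalUsers"
}
if ($weak) {
    Write-Warning "Policies that skip guests and external users:"
    $weak | ForEach-Object { Write-Warning ("  {0} (state: {1})" -f $_.DisplayName, $_.State) }
} else {
    Write-Host "No policy excludes GuestsOrExternalUsers."
}

# 2) Corrected setting: a policy that explicitly targets guests and requires MFA.
#    Started in report-only mode (assumption: you will flip it to 'enabled' after review).
$params = @{
    displayName   = "Require MFA for guests and external users"   # hypothetical name
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users        = @{ includeUsers = @("GuestsOrExternalUsers") }
        applications = @{ includeApplications = @("All") }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $params
```

Because the guest identity is evaluated by this tenant's policy in addition to the home tenant's, the external user will register an MFA method here; a FIDO2 key or phone-based method, as recommended above, avoids the Authenticator re-registration trap when a phone is replaced.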
>> Final Words
These are real-world experiences shared for your own evaluation. The multi-tenant external user experience with MFA is an area that still needs improvement.