You shared a file or folder in OneDrive with external guests, but some of them see an error saying multi-factor authentication is required. Other guests with the same link can access the content without any issue. This inconsistency happens because Microsoft 365 enforces conditional access policies that apply to specific guest accounts, not to the shared link itself. This article explains why MFA is triggered for certain guests and how to adjust your sharing settings and guest accounts to prevent this problem.
Key Takeaways: Managing MFA Requirements for OneDrive Shared Links
- Microsoft Entra ID > External Identities > Cross-tenant access settings: Controls which guest users from other tenants must comply with your MFA policies before accessing shared content.
- Azure AD > Conditional Access > Named locations: MFA prompts can be skipped for guests connecting from trusted IP ranges or specific geographic regions.
- OneDrive admin center > Sharing > External sharing: Setting “Allow only users in specific security groups” prevents guests from outside approved groups from receiving links at all.
Why MFA Is Required for Some Guest Users
When you share a OneDrive file or folder via a link, the recipient who is not part of your organization must authenticate through Microsoft Entra ID. The MFA requirement does not come from the link itself. It comes from conditional access policies that your tenant administrator has configured in Microsoft Entra ID.
There are three common causes for this behavior:
Cross-tenant access settings
Your organization may have set up inbound trust settings that require MFA from guest users coming from specific external Microsoft 365 tenants. If the guest belongs to a tenant that is not included in a trust policy, MFA will be enforced.
Conditional access policies targeting external users
Your administrator may have created a policy that applies to all external users or to a specific group of guest accounts. This policy can require MFA for any access to SharePoint Online or OneDrive, regardless of the link type.
Guest user account state
Each external guest who accepts an invitation in your tenant gets a guest user object in Microsoft Entra ID. If that guest object has been assigned a conditional access policy directly, or if the guest belongs to an affected group, MFA will be triggered.
Steps to Identify and Fix MFA Requirements for Shared Links
- Check the guest user object in Microsoft Entra ID
Go to the Microsoft Entra admin center > Identity > Users > All users. Locate the guest user who is being prompted for MFA. Open their profile and note the User type field. It should say Guest. If the user was accidentally converted to a member type, conditional access policies meant for guests may not apply correctly.
- Review cross-tenant access settings
In the Microsoft Entra admin center, go to External Identities > Cross-tenant access settings. Select the Inbound access tab. Check if the guest’s home tenant is listed. If it is not listed, MFA policies from your tenant will be applied by default. Either add the tenant and configure trust settings, or adjust your default inbound policy to skip MFA for guest users.
- Locate the conditional access policy affecting guests
In the Microsoft Entra admin center, go to Protection > Conditional Access > Policies. Look for any policy where Assignments > Users and groups includes All guests and external users or a specific guest group. If the policy requires MFA and targets All cloud apps or specifically Office 365 SharePoint Online, it will affect shared link access.
- Modify the conditional access policy to exclude specific guest users
Open the policy that is enforcing MFA. Under Assignments > Users and groups, change the include setting to Select users and groups and remove All guests and external users. Then add only the guest users or groups that must comply. Alternatively, add an exclusion for guest users who should bypass MFA, such as users from trusted partner tenants.
- Configure named locations to bypass MFA
If guests connect from a known office network or a trusted VPN range, you can add those IP ranges as a named location in Conditional Access. Under Conditional Access > Named locations, create a new location with the guest’s trusted IP ranges. Then in the policy, add a condition for Locations > Include any location or Exclude the trusted location. This allows guests from those IPs to access the link without MFA.
- Verify the link type and sharing settings
Go to OneDrive admin center > Sharing > External sharing. Make sure the setting Allow sharing to all external users is selected if you want to allow guests from any tenant. If you have restricted sharing to Allow only users in specific security groups, ensure the guest is a member of an approved group. Also confirm the link type is set to People you choose or Specific people rather than Anyone, because Anyone links do not require authentication and MFA policies do not apply.
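The policy, exclusion and named-location checks in the steps above can also be run offline against an export of your Conditional Access policies, which shows exactly which policy still prompts a given guest after an edit. The following Python is an added example, not Microsoft's or this article's own tooling: it assumes policies in the shape of the Microsoft Graph conditionalAccessPolicy resource, and the sample policies, group, tenant and location IDs are constructed placeholders. It does not evaluate guest-type filters, the AllTrusted location keyword, or cross-tenant MFA trust.

```python
import json

# Targets that cover OneDrive links: all apps, the Office 365 suite, SharePoint Online.
ONEDRIVE_APPS = {"All", "Office365", "00000003-0000-0ff1-ce00-000000000000"}

# Constructed sample, trimmed to the fields read below, shaped like Microsoft Graph
# GET /identity/conditionalAccess/policies output. All IDs are placeholders.
SAMPLE = json.loads("""[
 {"displayName": "Guests: MFA for all apps", "state": "enabled",
  "conditions": {"users": {"includeUsers": ["GuestsOrExternalUsers"], "excludeGuestsOrExternalUsers":
      {"externalTenants": {"membershipKind": "enumerated", "members": ["tenant-partner"]}}},
    "applications": {"includeApplications": ["All"]}},
  "grantControls": {"builtInControls": ["mfa"]}},
 {"displayName": "SharePoint: MFA off trusted network", "state": "enabled",
  "conditions": {"users": {"includeUsers": ["All"], "excludeGroups": ["grp-exempt"]},
    "applications": {"includeApplications": ["00000003-0000-0ff1-ce00-000000000000"]},
    "locations": {"includeLocations": ["All"], "excludeLocations": ["loc-partner-office"]}},
  "grantControls": {"builtInControls": ["mfa"]}},
 {"displayName": "Pilot: guest MFA", "state": "enabledForReportingButNotEnforced",
  "conditions": {"users": {"includeUsers": ["GuestsOrExternalUsers"]},
    "applications": {"includeApplications": ["Office365"]}}, "grantControls": {"builtInControls": ["mfa"]}}
]""")

def _hit(block, key, values):
    """True if any of `values` appears in the list stored under block[key]."""
    return bool(values & set((block or {}).get(key) or []))

def _tenant(block, tenant):
    """Per-tenant guest assignment; a missing externalTenants is assumed to mean all tenants."""
    t = (block or {}).get("externalTenants") or {}
    return bool(block) and (t.get("membershipKind", "all") == "all" or tenant in t.get("members", []))

def mfa_policies_for_guest(policies, guest_id, tenant, groups=frozenset(), location=None):
    """Enforced (state == enabled) policies requiring MFA for this guest; exclusions beat inclusions."""
    who, where = {"All", "GuestsOrExternalUsers", guest_id}, {"All", location}
    found = []
    for p in policies:
        cond = p.get("conditions") or {}
        users, apps, locs = cond.get("users") or {}, cond.get("applications") or {}, cond.get("locations")
        mfa = "mfa" in ((p.get("grantControls") or {}).get("builtInControls") or [])
        inc = (_hit(users, "includeUsers", who) or _hit(users, "includeGroups", groups)
               or _tenant(users.get("includeGuestsOrExternalUsers"), tenant))
        exc = (_hit(users, "excludeUsers", who) or _hit(users, "excludeGroups", groups)
               or _tenant(users.get("excludeGuestsOrExternalUsers"), tenant))
        app_ok = _hit(apps, "includeApplications", ONEDRIVE_APPS) and not _hit(apps, "excludeApplications", ONEDRIVE_APPS)
        loc_ok = locs is None or (_hit(locs, "includeLocations", where) and not _hit(locs, "excludeLocations", where))
        if p.get("state") == "enabled" and mfa and inc and not exc and app_ok and loc_ok:
            found.append(p["displayName"])
    return found
```

Pass `groups` as a set of the guest's group IDs and `location` as the ID of the named location the guest connects from, or leave it unset when the source network is unknown.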
If Guests Still See MFA Prompts After Changes
Guest user has not accepted the invitation
If a guest opens a shared link without first accepting the tenant invitation, they may be treated as an unauthenticated user. Unauthenticated users are not subject to conditional access policies, but they also cannot access the content if the link requires sign-in. Instruct the guest to click Accept invitation in the email they received, or resend the invitation from the OneDrive share dialog.
MFA is required by the guest’s own tenant
The MFA prompt may originate from the guest’s home tenant, not from yours. For example, if the guest’s organization requires MFA for all external access, they will see a prompt even if your tenant allows guest access without MFA. The guest must contact their own IT administrator to check their conditional access policies for external identities.
Browser or device session expired
If the guest has already authenticated but their session token has expired, they will be prompted to sign in again. This is normal behavior. The MFA prompt will appear only if the conditional access policy requires a fresh authentication. Clearing browser cookies and signing in again can resolve this.
OneDrive Link Types and MFA Behavior: Comparison
| Item | Anyone link | Specific people link (guests) |
|---|---|---|
| Authentication required | No | Yes — guest must sign in with a Microsoft account or work/school account |
| MFA policy applies | No — no user identity is verified | Yes — conditional access policies for external users are enforced |
| Guest user object created | No | Yes — a guest user object is created in Microsoft Entra ID after first sign-in |
| Cross-tenant trust settings affect | No | Yes — inbound trust settings determine whether MFA is required |
| Best for | Anonymous file sharing, public documents | Controlled collaboration with known external partners |
You can now identify why MFA is required for some guests and adjust your tenant settings to allow access without unnecessary authentication. Start by reviewing the cross-tenant access settings and the conditional access policies that target external users. For frequent collaboration with partners, configure inbound trust settings in Microsoft Entra ID to skip MFA for their entire tenant. As an advanced step, use the Authentication context feature in Conditional Access to require MFA only for sensitive files, not for all shared links.