We have two Azure Tenancies -- FrontOffice and BackOffice. The FrontOffice tenancy EntraID contains all the identities, and has Conditional Access rules mandating the use of MFA. So far so good. The BackOffice tenancy EntraID has Guest accounts (from the FrontOffice) for the technical staff. We have Security Defaults disabled and, in theory, MFA disabled for all FrontOffice Guest users.
However, occasionally, when logging in to the BackOffice tenancy in the portal, Microsoft will prompt not only for the FrontOffice MFA, but will also do an MFA challenge for the BackOffice (which can be confusing if you have TOTP for both). If you have no MFA methods defined for BackOffice it will prompt you to set one up.
Since we trust the FrontOffice tenancy, and have MFA mandated there, we don't really want a second MFA on the BackOffice when using a FrontOffice guest account.
Question is, how do we stop this? I can see settings in CA to force another MFA, but no way to stop one, or to fully trust another tenancy. Is this even possible? It seems you can specify a subnet to exclude from MFA, but it won't let you specify 0.0.0.0/0. This is also a bad option because it stops MFA for all accounts, not just the FrontOffice guests.
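The setting that scopes trust to one partner tenant rather than to a subnet is the inbound trust block of Entra cross-tenant access settings. The script below is an added example, not part of the question above, that configures it from the BackOffice side; it assumes the Microsoft.Graph PowerShell SDK (Microsoft.Graph.Identity.SignIns module) and uses a placeholder for the FrontOffice tenant ID.

```powershell
# Added example: tell the BackOffice tenant to accept the MFA claim that the
# FrontOffice tenant already issued, so FrontOffice guests are not challenged twice.
# Run in the BackOffice tenant with a role that can edit cross-tenant access policy.
$frontOfficeTenantId = '00000000-0000-0000-0000-000000000000'   # placeholder: FrontOffice tenant ID

Connect-MgGraph -Scopes 'Policy.Read.All', 'Policy.ReadWrite.CrossTenantAccess'

# Inbound trust: which claims from the partner tenant the BackOffice will honour.
# Only MFA is trusted here; device trust stays off unless you actually rely on it.
$inboundTrust = @{
    IsMfaAccepted                       = $true
    IsCompliantDeviceAccepted           = $false
    IsHybridAzureADJoinedDeviceAccepted = $false
}

# Is there already an organisation-specific entry for FrontOffice?
$partner = Get-MgPolicyCrossTenantAccessPolicyPartner -ErrorAction SilentlyContinue |
           Where-Object { $_.TenantId -eq $frontOfficeTenantId }

if ($null -eq $partner) {
    # No entry yet: create one. Anything not set here inherits the tenant-wide defaults,
    # so only the trust block changes and only for this one partner tenant.
    New-MgPolicyCrossTenantAccessPolicyPartner -TenantId $frontOfficeTenantId -InboundTrust $inboundTrust
} else {
    # Entry exists: update just the inbound trust block.
    Update-MgPolicyCrossTenantAccessPolicyPartner `
        -CrossTenantAccessPolicyConfigurationPartnerTenantId $frontOfficeTenantId `
        -InboundTrust $inboundTrust
}

# Verify the change took effect before telling anyone the double prompt is gone.
$check = Get-MgPolicyCrossTenantAccessPolicyPartner `
    -CrossTenantAccessPolicyConfigurationPartnerTenantId $frontOfficeTenantId
if (-not $check.InboundTrust.IsMfaAccepted) {
    throw "Inbound MFA trust for tenant $frontOfficeTenantId is not enabled"
}
$check.InboundTrust | Format-List
```

Because the trust is keyed to the FrontOffice tenant ID, it leaves MFA requirements for BackOffice's own accounts and for guests from any other tenant untouched, and the guest still has to satisfy MFA in FrontOffice; a BackOffice Conditional Access policy that requires MFA is then satisfied by the trusted claim instead of a second challenge.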