Azure AD sign-in failed with AADSTS90071: inbound MFA not accepted
An admin from <organization> must update their access settings to accept inbound multifactor authentication.
The resource tenant's Microsoft Entra ID (Azure AD) is configured to require MFA, but it does not trust the MFA already completed by the user in their home (external) tenant. Because the resource tenant won't accept the inbound MFA claim, authentication cannot proceed. This error surfaces most commonly during B2B direct connect scenarios — for example, when an external user tries to access a Teams shared channel hosted by another organisation — but can also appear in B2B collaboration and Conditional Access flows where the resource tenant's trust settings for inbound MFA have not been enabled.
An admin from <organization> must update their access settings to accept inbound multifactor authentication.
Why it happens
The resource tenant's cross-tenant access settings do not include 'Trust multifactor authentication from Microsoft Entra tenants' under inbound trust settings, so MFA completed in the user's home tenant is not accepted.
The resource tenant is using a Conditional Access policy that requires MFA, but has not configured inbound MFA trust for external users, forcing them to register and complete a separate MFA challenge in the resource tenant — which fails if that registration is not present.
B2B direct connect has not been fully configured between the two tenants: the resource tenant requires mutual trust for shared channel access in Microsoft Teams, and the trust settings have not been set up on the resource tenant side.
An organisation-specific cross-tenant access override has been configured that blocks or does not enable inbound MFA trust for the specific partner organisation, even if the default policy is more permissive.
The feature was recently enabled or changed in the partner tenant and the policy change has not yet fully propagated.
How to fix it
Sign in to the Microsoft Entra admin center (https://entra.microsoft.com) as at least a Security Administrator in the resource tenant (the organisation the external user is trying to access).
To update the default inbound trust for all external organisations: navigate to External Identities > Cross-tenant access settings > Default settings tab > Inbound access settings > Edit inbound defaults > Trust settings tab. Enable 'Trust multifactor authentication from Microsoft Entra tenants' and save.
To update trust for a specific partner organisation only: go to Cross-tenant access settings > Organizational settings, add the partner tenant if not already listed, then click the Inbound access link for that organisation > Trust settings > enable 'Trust multifactor authentication from Microsoft Entra tenants' and save.
For B2B direct connect (Teams shared channels): both the resource tenant and the external user's home tenant must configure mutual B2B direct connect settings. In the resource tenant, go to Cross-tenant access settings > Organizational settings > add the partner organisation > Inbound access > B2B direct connect tab > Allow. Repeat outbound settings in the partner tenant pointing back to the resource tenant.
If a Conditional Access policy in the resource tenant is requiring MFA for external users, consider excluding external users from the Microsoft Entra ID Protection MFA registration policy to avoid conflicting requirements once inbound MFA trust is enabled.
After saving the trust settings, ask the affected user to clear their browser session or use a private/incognito window and attempt sign-in again, as cached authentication state may persist briefly.
If the error persists after enabling the trust setting, verify there are no organisation-specific overrides in Organizational settings that contradict the default trust policy for the specific partner tenant.
